case study to understand the importance of risk management and mitigation of risk

• Business Essentials
• Leadership & Management
• Credential of Leadership, Impact, and Management in Business (CLIMB)
• Entrepreneurship & Innovation
• Digital Transformation
• Finance & Accounting
• Business in Society
• For Organizations
• Support Portal
• Media Coverage
• Founding Donors
• Leadership Team

• Harvard Business School →
• HBS Online →
• Business Insights →

Business Insights

Harvard Business School Online's Business Insights Blog provides the career insights you need to achieve your goals and gain confidence in your business skills.

• Career Development
• Communication
• Decision-Making
• Earning Your MBA
• Negotiation
• News & Events
• Productivity
• Staff Spotlight
• Student Profiles
• Work-Life Balance
• AI Essentials for Business
• Alternative Investments
• Business Analytics
• Business Strategy
• Business and Climate Change
• Design Thinking and Innovation
• Digital Marketing Strategy
• Disruptive Strategy
• Economics for Managers
• Entrepreneurship Essentials
• Financial Accounting
• Global Business
• Launching Tech Ventures
• Leadership Principles
• Leadership, Ethics, and Corporate Accountability
• Leading Change and Organizational Renewal
• Leading with Finance
• Management Essentials
• Negotiation Mastery
• Organizational Leadership
• Power and Influence for Positive Impact
• Strategy Execution
• Sustainable Business Strategy
• Sustainable Investing
• Winning with Digital Platforms

What Is Risk Management & Why Is It Important?

• 24 Oct 2023

Businesses can’t operate without risk. Economic, technological, environmental, and competitive factors introduce obstacles that companies must not only manage but overcome.

According to PwC’s Global Risk Survey , organizations that embrace strategic risk management are five times more likely to deliver stakeholder confidence and better business outcomes and two times more likely to expect faster revenue growth.

If you want to enhance your job performance and identify and mitigate risk more effectively, here’s a breakdown of what risk management is and why it’s important.

Access your free e-book today.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect your organization. It involves analyzing risks’ likelihood and impact, developing strategies to minimize harm, and monitoring measures’ effectiveness.

“Competing successfully in any industry involves some level of risk,” says Harvard Business School Professor Robert Simons, who teaches the online course Strategy Execution . “But high-performing businesses with high-pressure cultures are especially vulnerable. As a manager, you need to know how and why these risks arise and how to avoid them.”

According to Strategy Execution , strategic risk has three main causes:

• Pressures due to growth: This is often caused by an accelerated rate of expansion that makes staffing or industry knowledge gaps more harmful to your business.
• Pressures due to culture: While entrepreneurial risk-taking can come with rewards, executive resistance and internal competition can cause problems.
• Pressures due to information management: Since information is key to effective leadership , gaps in performance measures can result in decentralized decision-making.

These pressures can lead to several types of risk that you must manage or mitigate to avoid reputational, financial, or strategic failures. However, risks aren’t always obvious.

“I think one of the challenges firms face is the ability to properly identify their risks,” says HBS Professor Eugene Soltes in Strategy Execution .

Therefore, it’s crucial to pinpoint unexpected events or conditions that could significantly impede your organization’s business strategy .

Related: Business Strategy vs. Strategy Execution: Which Course Is Right for Me?

According to Strategy Execution , strategic risk comprises:

• Operations risk: This occurs when internal operational errors interrupt your products or services’ flow. For example, shipping tainted products can negatively affect food distribution companies.
• Asset impairment risk: When your company’s assets lose a significant portion of their current value because of a decreased likelihood of receiving future cash flows . For instance, losing property assets, like a manufacturing plant, due to a natural disaster.
• Competitive risk: Changes in the competitive environment can interrupt your organization’s ability to create value and differentiate its offerings—eventually leading to a significant loss in revenue.
• Franchise risk: When your organization’s value erodes because stakeholders lose confidence in its objectives. This primarily results from failing to control any of the strategic risk sources listed above.

Understanding these risks is essential to ensuring your organization’s long-term success. Here’s a deeper dive into why risk management is important.

4 Reasons Why Risk Management Is Important

1. protects organization’s reputation.

In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation.

“Franchise risk is a concern for all businesses,“ Simons says in Strategy Execution . “However, it's especially pressing for businesses whose reputations depend on the trust of key constituents.”

For example, airlines are particularly susceptible to franchise risk because of unforeseen events, such as flight delays and cancellations caused by weather or mechanical failure. While such incidents are considered operational risks, they can be incredibly damaging.

In 2016, Delta Airlines experienced a national computer outage, resulting in over 2,000 flight cancellations. Delta not only lost an estimated $150 million but took a hit to its reputation as a reliable airline that prided itself on “canceling cancellations.”

While Delta bounced back, the incident illustrates how mitigating operational errors can make or break your organization.

2. Minimizes Losses

Most businesses create risk management teams to avoid major financial losses. Yet, various risks can still impact their bottom lines.

A Vault Platform study found that dealing with workplace misconduct cost U.S. businesses over $20 billion in 2021. In addition, Soltes says in Strategy Execution that corporate fines for misconduct have risen 40-fold in the U.S. over the last 20 years.

One way to mitigate financial losses related to employee misconduct is by implementing internal controls. According to Strategy Execution , internal controls are the policies and procedures designed to ensure reliable accounting information and safeguard company assets.

“Managers use internal controls to limit the opportunities employees have to expose the business to risk,” Simons says in the course.

One company that could have benefited from implementing internal controls is Volkswagen (VW). In 2015, VW whistle-blowers revealed that the company’s engineers deliberately manipulated diesel vehicles’ emissions data to make them appear more environmentally friendly.

This led to severe consequences, including regulatory penalties, expensive vehicle recalls, and legal settlements—all of which resulted in significant financial losses. By 2018, U.S. authorities had extracted $25 billion in fines, penalties, civil damages, and restitution from the company.

Had VW maintained more rigorous internal controls to ensure transparency, compliance, and proper oversight of its engineering practices, perhaps it could have detected—or even averted—the situation.

Related: What Are Business Ethics & Why Are They Important?

3. Encourages Innovation and Growth

Risk management isn’t just about avoiding negative outcomes. It can also be the catalyst that drives your organization’s innovation and growth.

“Risks may not be pleasant to think about, but they’re inevitable if you want to push your business to innovate and remain competitive,” Simons says in Strategy Execution .

According to PwC , 83 percent of companies’ business strategies focus on growth, despite risks and mixed economic signals. In Strategy Execution , Simons notes that competitive risk is a challenge you must constantly monitor and address.

“Any firm operating in a competitive market must focus its attention on changes in the external environment that could impair its ability to create value for its customers,” Simons says.

This requires incorporating boundary systems —explicit statements that define and communicate risks to avoid—to ensure internal controls don’t extinguish innovation.

“Boundary systems are essential levers in businesses to give people freedom,” Simons says. “In such circumstances, you don’t want to stifle innovation or entrepreneurial behavior by telling people how to do their jobs. And if you want to remain competitive, you’ll need to innovate and adapt.”

Netflix is an example of how risk management can inspire innovation. In the early 2000s, the company was primarily known for its DVD-by-mail rental service. With growing competition from video rental stores, Netflix went against the grain and introduced its streaming service. This changed the market, resulting in a booming industry nearly a decade later.

Netflix’s innovation didn’t stop there. Once the steaming services market became highly competitive, the company shifted once again to gain a competitive edge. It ventured into producing original content, which ultimately helped differentiate its platform and attract additional subscribers.

By offering more freedom within internal controls, you can encourage innovation and constant growth.

4. Enhances Decision-Making

Risk management also provides a structured framework for decision-making. This can be beneficial if your business is inclined toward risks that are difficult to manage.

By pulling data from existing control systems to develop hypothetical scenarios, you can discuss and debate strategies’ efficacy before executing them.

“Interactive control systems are the formal information systems managers use to personally involve themselves in the decision activities of subordinates,” Simons says in Strategy Execution . “Decision activities that relate to and impact strategic uncertainties.”

JPMorgan Chase, one of the most prominent financial institutions in the world, is particularly susceptible to cyber risks because it compiles vast amounts of sensitive customer data . According to PwC , cybersecurity is the number one business risk on managers’ minds, with 78 percent worried about more frequent or broader cyber attacks.

Using data science techniques like machine learning algorithms enables JPMorgan Chase’s leadership not only to detect and prevent cyber attacks but address and mitigate risk.

Start Managing Your Organization's Risk

Risk management is essential to business. While some risk is inevitable, your ability to identify and mitigate it can benefit your organization.

But you can’t plan for everything. According to the Harvard Business Review , some risks are so remote that no one could have imagined them. Some result from a perfect storm of incidents, while others materialize rapidly and on enormous scales.

By taking an online strategy course , you can build the knowledge and skills to identify strategic risks and ensure they don’t undermine your business. For example, through an interactive learning experience, Strategy Execution enables you to draw insights from real-world business examples and better understand how to approach risk management.

Do you want to mitigate your organization’s risks? Explore Strategy Execution —one of our online strategy courses —and download our free strategy e-book to gain the insights to build a successful strategy.

About the Author

Information

• Author Services

Initiatives

You are accessing a machine-readable page. In order to be human-readable, please install an RSS reader.

All articles published by MDPI are made immediately available worldwide under an open access license. No special permission is required to reuse all or part of the article published by MDPI, including figures and tables. For articles published under an open access Creative Common CC BY license, any part of the article may be reused without permission provided that the original article is clearly cited. For more information, please refer to https://www.mdpi.com/openaccess .

Feature papers represent the most advanced research with significant potential for high impact in the field. A Feature Paper should be a substantial original Article that involves several techniques or approaches, provides an outlook for future research directions and describes possible research applications.

Feature papers are submitted upon individual invitation or recommendation by the scientific editors and must receive positive feedback from the reviewers.

Editor’s Choice articles are based on recommendations by the scientific editors of MDPI journals from around the world. Editors select a small number of articles recently published in the journal that they believe will be particularly interesting to readers, or important in the respective research area. The aim is to provide a snapshot of some of the most exciting work published in the various research areas of the journal.

Original Submission Date Received: .

• Active Journals
• Find a Journal
• Proceedings Series
• For Authors
• For Reviewers
• For Editors
• For Librarians
• For Publishers
• For Societies
• For Conference Organizers
• Open Access Policy
• Institutional Open Access Program
• Special Issues Guidelines
• Editorial Process
• Research and Publication Ethics
• Article Processing Charges
• Testimonials
• Preprints.org
• SciProfiles
• Encyclopedia

Article Menu

• Subscribe SciFeed
• Recommended Articles
• Google Scholar
• on Google Scholar
• Table of Contents

Find support for a specific problem in the support section of our website.

Please let us know what you think of our products and services.

Visit our dedicated information section to learn more about MDPI.

JSmol Viewer

Triangulating risk profile and risk assessment: a case study of implementing enterprise risk management system.

1. Introduction

2. background on the firm, 3. erm literature review, 4. sample and questionnaire data, 5. risk profile and risk assessment, 6. mitigation strategies, 7. conclusions, 8. case requirements.

• Using the average coded responses to selected questions in each of the five risk areas in Table 7 , provide a 500-word summary of the firm’s risk profile.
• Complete the risk matrix in Table A1 , below, by using the input measures from Table 8 : average of likelihood, impact on annual revenue growth, and level of control, along with variance of the expected impact and average control.
• rank the ten risk categories by (i) their expected impact, (ii) by an equally weighted index of expected impact and average control, and (iii) by an equally weighted index of three indices: expected impact, opinion convergence on expected impact, and opinion convergence on control.
• create an equally weighted consolidated ranking of the above three rankings and re-rank the ten risk categories.
• Develop a risk map of all ten risks identified for the firm.
• Using the input in Table 1 , the questionnaire results, and quantitative risk metrics in Table 7 and Table 8 , along with the discussion on key sources and drivers of risk in Section 6 , propose mitigation strategies for the top six risks selected by the board.

Author Contributions

Data availability statement, conflicts of interest, appendix a. instructor’s notes, appendix a.1. background and introduction, appendix a.2. case requirements: implementation.

• Aabo, Tom, John Fraser, and Betty Simkins. 2005. The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One. Journal of Applied Corporate Finance 17: 62–75. [ Google Scholar ] [ CrossRef ]
• Beasley, Mark, Richard Clune, and Dana Hermanson. 2005. Enterprise Risk Management: An Empirical Analysis of Factors Associated with the Extent of Implementation. Journal of Accounting and Public Policy 24: 521–31. [ Google Scholar ] [ CrossRef ]
• Fabrigar, Leandre, Duane Wegener, Robert MacCallum, and Erin Strahan. 1999. Evaluating the use of exploratory factor analysis in psychological research. Psychological Methods 4: 272–99. [ Google Scholar ] [ CrossRef ]
• Farrell, Mark, and Ronan Gallagher. 2014. The Valuation Implications of Enterprise Risk Management Maturity. The Journal of Risk and Insurance 82: 625–67. [ Google Scholar ] [ CrossRef ]
• Fraser, J., and B. Simkins. 2010. Enterprise Risk Management . Hoboken: John Wiley and Sons. ISBN 9780470499085. [ Google Scholar ]
• Fraser, John, Betty Simkins, and Kristina Narvaez. 2014. Implementing Enterprise Risk Management: Case Studies and Best Practices . Hoboken: John Wiley and Sons. [ Google Scholar ]
• Froot, Kenneth, David Scharfstein, and Jeremy Stein. 1993. Risk Management: Coordinating Investment and Financing Policies. Journal of Finance 48: 1629–58. [ Google Scholar ] [ CrossRef ]
• Grace, Martin, J. Tyler Leverty, Richard Phillips, and Prakash Shimpy. 2014. The Value of Investing in Enterprise Risk Management. The Journal of Risk and Insurance 82: 289–316. [ Google Scholar ] [ CrossRef ]
• Harrington, Scott, Greg Niehaus, and Kenneth J. Risko. 2002. Enterprise Risk Management: The Case of United Grain Growers. Journal of Applied Corporate Finance 14: 71–81. [ Google Scholar ] [ CrossRef ]
• Hoyt, Robert E., and Andre P. Liebenberg. 2011. The Value of Enterprise Risk Management. Journal of Risk and Insurance 78: 795–822. [ Google Scholar ] [ CrossRef ]
• Hristov, Ivo, Riccardo Camilli, Antonio Chirico, and Alessandro Mechelli. 2022. The Integration between Enterprise Risk Management and Performance Management System: Managerial Analysis and Conceptual Model to Support Strategic Decision-Making Process. Production Planning & Control , 1–14. [ Google Scholar ] [ CrossRef ]
• Jalilvand, Abol, and John W. Kostolansky. 2016. Le Beau Footwear: A Business Valuation Case for a Privately Held Firm. Issues in Accounting Education 31: 439–47. [ Google Scholar ] [ CrossRef ]
• Jalilvand, Abol, and Sidharth Moorthy. 2022. Enterprise Risk Management (ERM) Maturity: A Clinical Study of a U.S. Multinational Nonprofit Firm” (with S. Moorthy). Journal of Accounting, Auditing, and Finance . [ Google Scholar ] [ CrossRef ]
• Jensen, Michael C., and William H. Meckling. 1976. Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure. Journal of Financial Economics 3: 305–60. [ Google Scholar ] [ CrossRef ]
• Kraus, Alan, and Robert Litzenberger. 1973. A State Preference Model of Optimal Financial Leverage. Journal of Finance 28: 911–22. [ Google Scholar ]
• Leland, Hayne E., and David H. Pyle. 1977. Informational Asymmetries, Financial Structure, and Financial Intermediation. Journal of Finance 32: 371–88. [ Google Scholar ] [ CrossRef ]
• Lindberg, Deborah L., and Deborah L. Seifert. 2011. A Comparison of U.S. Auditing Standards with International Standards on Auditing. The CPA Journal 81: 17–21. [ Google Scholar ]
• McShane, Michael K., Anil Nair, and Elzotbek Rustambekov. 2011. Does Enterprise Risk Management Increase Firm Value? Journal of Accounting, Auditing and Finance 26: 641–58. [ Google Scholar ] [ CrossRef ]
• Miller, Merton. 1977. Debt and Taxes. Journal of Finance 32: 261–75. [ Google Scholar ]
• Miller, Merton H., and Franco Modigliani. 1958. The Cost of Capital, Corporation Finance and the Theory of Investment. American Economic Review 48: 261–97. [ Google Scholar ]
• Miller, Merton H., and Franco Modigliani. 1963. Corporate Income Taxes and the Cost of Capital: A Correction. American Economic Review 53: 433–43. [ Google Scholar ]
• Nocco, Brian W., and René M. Stulz. 2006. Enterprise Risk Management: Theory and Practice. Journal of Applied Corporate Finance 18: 8–20. [ Google Scholar ] [ CrossRef ]
• Rosenburg, Joshua V., and Til Schuermann. 2006. A General Approach to Integrated Risk Management with Skewed, Fat-Tailed Risks. Journal of Financial Economics 79: 569–614. [ Google Scholar ] [ CrossRef ]
• Ross, Stephen A. 1977. The Determination of Financial Structure: The Incentive Signaling Approach. Bell Journal of Economics 8: 23–40. [ Google Scholar ] [ CrossRef ]
• Samanta, P., T. Azarchs, and J. Martinez. 2004. The PIM Approach to Assessing the TRM Practices of Financial Institutions . New York: Standard and Poor’s/McGraw-Hill. [ Google Scholar ]
• Shad, Muhammad Kashif, Fong-Woon Lai, Amjad Shamin, Michael McShane, and Sheikh Muhammad Zahid. 2022. The relationship between enterprise risk management and cost of capital. Asian Academy of Management Journal 27: 79–103. [ Google Scholar ]

Share and Cite

Jalilvand, A.; Moorthy, S. Triangulating Risk Profile and Risk Assessment: A Case Study of Implementing Enterprise Risk Management System. J. Risk Financial Manag. 2023 , 16 , 473. https://doi.org/10.3390/jrfm16110473

Jalilvand A, Moorthy S. Triangulating Risk Profile and Risk Assessment: A Case Study of Implementing Enterprise Risk Management System. Journal of Risk and Financial Management . 2023; 16(11):473. https://doi.org/10.3390/jrfm16110473

Jalilvand, Abol, and Sidharth Moorthy. 2023. "Triangulating Risk Profile and Risk Assessment: A Case Study of Implementing Enterprise Risk Management System" Journal of Risk and Financial Management 16, no. 11: 473. https://doi.org/10.3390/jrfm16110473

Article Metrics

Article access statistics, further information, mdpi initiatives, follow mdpi.

Subscribe to receive issue release notifications and newsletters from MDPI journals

• SUGGESTED TOPICS
• The Magazine
• Newsletters
• Managing Yourself
• Managing Teams
• Work-life Balance
• The Big Idea
• Data & Visuals
• Reading Lists
• Case Selections
• HBR Learning
• Topic Feeds
• Account Settings
• Email Preferences

Managing Risks: A New Framework

• Robert S. Kaplan
• Anette Mikes

Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.

In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face. Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, unethical, or inappropriate actions and the risks from breakdowns in routine operational processes. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis.

Smart companies match their approach to the nature of the threats they face.

Editors’ note: Since this issue of HBR went to press, JP Morgan, whose risk management practices are highlighted in this article, revealed significant trading losses at one of its units. The authors provide their commentary on this turn of events in their contribution to HBR’s Insight Center on Managing Risky Behavior.

• Robert S. Kaplan is a senior fellow and the Marvin Bower Professor of Leadership Development emeritus at Harvard Business School. He coauthored the McKinsey Award–winning HBR article “ Accounting for Climate Change ” (November–December 2021).
• Anette Mikes is a fellow at Hertford College, Oxford University, and an associate professor at Oxford’s Saïd Business School.

Partner Center

An official website of the United States government

The .gov means it’s official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

• Publications
• Account settings

Preview improvements coming to the PMC website in October 2024. Learn More or Try it out now .

• Advanced Search
• Journal List
• Risk Manag Healthc Policy

Risk Management in Executive Levels of Healthcare Organizations: Insights from a Scoping Review (2018)

Masoud ferdosi.

1 Health Management and Economics Research Center, Department of Health Services Management, School of Management and Medical Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran

Reza Rezayatmand

2 Health Management and Economics Research Center, Isfahan University of Medical Sciences, Isfahan, Iran

Yasamin Molavi Taleghani

3 Department of Health Services Management, School of Management and Medical Information Sciences, Isfahan University of Medical Sciences, Isfahan, Iran

This study attempted to present a framework and appropriate techniques for implementing risk management (RM) in executive levels of healthcare organizations (HCOs) and grasping new future research opportunities in this field.

A scoping review was conducted of all English language studies, from January 2000 to October 2018 in the main bibliographic databases. Review selection and characterization were performed by two independent reviewers using pretested forms.

Following a keyword search and an assessment of fit for this review, 37 studies were analyzed. Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework of risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment, risk treatment, monitoring and review, and communication and consultation. A set of tools and techniques were also suggested for use at each phase. Also, the status of risk management in the executive levels of HCOs was determined based on the proposed framework.

The framework can be used as a training tool to guide in effective risk assessment as well as a tool to assess non-clinical risks of healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool is comprehensive.

Introduction

Given the World Health Report (2000), the significance of healthcare organizations(HCOs) has grown in global health discourse. 1 However, in the last decade, HCOs have faced two contradictions: first, healthcare costs have increased due to population aging, the introduction of advanced technologies, and increased medical errors. 2 , 3 On the other hand, HCOs have become more complicated due to such factors as efficient customers, biomedical developments, the complexity of services and an increasing number of healthcare users. 2 , 3 Therefore, demand for healthcare is significantly higher than the human capacity and resources available in healthcare departments. 4 Corresponding to these limits, three interventional approaches have been developed at various levels of the HCOs: (i) quality management, (ii) risk management, and (iii) patient safety. 5

In particular, risk management (RM) is a process-oriented method providing a structured framework for identifying, assessing, and reducing risk at appropriate times for HCOs. 6 RM approach protects healthcare providers against unfavorable incidents. 7 This way, RM plays a major role in shrinking uncertainties and enhancing rich opportunities for different areas of the health system. 8 Development of RM helps HCOs and providers to reduce damage due to the probable occurrence of defective processes through identifying error, rooting, and strategy development. 9 Implementing RM in HCOs improves allocation of health resources, 10 process management, decision-making, reduced organizational losses, 11 patient safety, 11 continuous quality improvement, 2 customer satisfaction, 2 organizational performance, 12 hospital reputation, 11 and better community creation. 2

A general framework for RM needs to be identified before implementing the risk process. This framework determines the strategy of organization for identifying risk, risk assessment, and risk reduction. 13 This strategy outlines how the RM process should be implemented in the organization. It determines the resources that are needed, the key roles and responsibilities for that, the ways risk needs to be identified. It shows how the decision-making process looks like while using those strategies. 13 The available evidence suggests that despite the existence of a large number of RM techniques, a few of them have been employed so far in the HCOs. 14 – 16

Risk management is one of the emerging areas in management systems; there are several reports that have provided an overview of risk management inHCOs; however, it is difficult to find studies that have systematically synthesized risk management models at the executive levels of healthcare organizations. 17 – 19 This sector is far behind the rest of the industry in terms of using these techniques. Nowadays, there is a consensus in the healthcare sectors that the knowledge, experience, and expertise of other industries in RM can improve the quality of services provided in the healthcare sectors. 3 Therefore, reviewing the selection of RM techniques seems indispensable. These instruments need to be tailored to the complexities of the healthcare system and the causes affecting incidents in this sector. 20 , 21

The organizational structure of the healthcare system has been classified into executive, administrative and operational, each of which is exposed to some risks. 22 This limited study aims to identify those risks that happen in executive levels. The study would not consider those risks that may happen in the operational levels of healthcare organizations and can be considered as a clinical risk. Mention should be made that the executive levels of healthcare organizations are the headquarters and deputies of the HCOs that provides counseling and control over healthcare delivery units. 22 Therefore, the aim of this review is to scope published different organizational RM models, identify the strengths and weaknesses of each model, and this way, propose a framework for implementing RM in the executive levels of HCOs.

The applied purpose of this study was to integrate existing research on the various areas of RM cycle (risk identification, risk assessment, & risk management) and ultimately provide a centralized knowledge base for future research in the executive levels of HCOs. It is of note that the executive levels of HCOs are the headquarters and deputies of the HCOs that provides counseling and control over healthcare delivery units.

The methodological framework of the scope review described below was guided by such methodologies, which have been published elsewhere. 23 , 24

Scoping Review Question

The first phase was represented by the definition of the scope of the study in compliance with the objectives and the underlying research hypotheses.

Based on preliminary studies, the research questions developed for scoping review are as follows:

• RQ1: How are organizational risks identified and categorized within the executive levels of HCOs?
• RQ2: What is the proposed framework for organizational risk management in the executive levels of HCOs? Also, what is the status of risk management in the executive levels of HCOs based on the proposed framework?
• RQ3: What techniques and tools are available for implementing organizational risk management in the executive levels of HCOs?

Inclusion and Exclusion Criteria

To obtain and include relevant and important documents to concentrate on, a series of inclusion and exclusion criteria should be defined. The selection of the studies was done according to the following inclusion criteria:

(i) Studies on organizational RM and assessment techniques and framework in healthcare organizations or related organizations appropriate for imitation in the healthcare organization; (ii) articles in English; (iii) 2000 to October 2018.

The following studies were excluded: (i) in the format of letters, editorials, news, professional commentaries, and reviews; (ii) without available abstracts or full text or references; (v) Models that cannot be imitated in healthcare organizations; (vi) Published in languages other than English.

Identifying Locating Sources and Relevant Articles

This study was conducted in October 2018 through consulting such databases as Pub Med, ISI, Emerald, Scopus, IEEE, Springer, ProQuest, Cochrane, and Wiley from 2000 to May 2018. The search strategy was the same for all the databases.

The identification of the keywords related to the subjects and the objectives of the study are as follows: initially, keywords were identified by the authors through a brainstorming process. The identified keywords were refined and validated by a team composed of two university academic members and two healthcare managers. The search strategy was formulated using Boolean operators. The formula was searched in the field of title and abstract in online databases. The search strings used are shown in Table 1 , a search for each research question was performed. Also, the search was repeated two times with the following search string. In addition, the references were retrieved from the studies included in the first iteration. The keywords of references that matched with the search keywords were chosen.

Search Strings for Research Questions and Studies

Study Selection and Data Abstraction

The two authors (YMT and MF) independently performed level 1 (titles and abstracts) and level 2 (full article texts) screening forms. All screening and extraction were completed in duplicate. Disagreements were discussed between the two reviewers and a third-party reviewer (R R) was contacted if disagreements could not be resolved. After independent reading of the full texts, the content analyzed and selected the articles that answer the respective research questions. Study quality was not assessed during the scoping review as the objective of a scoping review is to identify gaps in the literature and highlight future areas for systematic review. 23 , 24 The required information extracted based on the research questions and placed in the designed templates.

Three thousand five hundred and seventy-four studies were screened, excluded 761 duplicates, 1556 on title review, 1081 on abstract review and 144 in a full-text review. In total, leaving 37 papers (32 papers first iteration on the database and five studies from hand searching) search for critical appraisal. Table 2 shows the flowchart for the study selection.

Paper Selection Process

Note: Each study may answer several research questions.

Characteristics of Articles Reviewed

Bibliographical information about the 36 articles included in this review can be obtained from Table 3 .

Bibliographical Sources of the Studies Included in the Literature Review

Notes: *Type of study included 1) Empirical quantitative; 2) Empirical qualitative 3) Conceptual/theoretical 4) mixed method. Data collection methods included 1) Survey (questionnaires or checklists); 2) Database, Documents & Records; 3) Interviews; 4) observation; 5) Focus Groups; 6) Ethnographies, Oral History, & Case Studies.

According to Table 3 , 11 articles (14.3%) were used to answer the first research question, 30 articles (38.9%) were used to answer questions 2, and finally, 36 articles (46.8%) were used to answer research question 3. (Total papers >36 because each paper may be classified into two or more study types, or may address two or more review questions.) Also, it could be recognized that all but four articles were published in 2009 or later, this is due to the complexity of environment and type of services provided by organizations and, consequently, use of the RM and risk assessment process as a tool for reducing errors and incidents in recent years.

As can be seen in Table 3 , based on the setting of the studies, Europe had the most study with (59.5%) of the authors affiliated with European universities and institutions. Asia was the next one with (21.6%) of the studies, followed by America (13.5%), Oceania (2.7%), and Africa with 2.7%. Also, most of the studies examined in developed countries. Thus, at this point, we can already identify a need for more research into risk management in developing countries.

As for design, 2(5.4%) studies were empirical quantitative, 5 (13.5%) empirical qualitative, 12 (32.4%) conceptual/theoretical and 18 (48.7%) mix method.

How are Organizational Risks Identified and Categorized Within Executive Levels of Healthcare Organizations?

Risk identification is usually a necessary condition for later risk management. 25 Given dynamic and complex healthcare organizations, different risk sources can trigger hazardous situations, potentially harming the organization. 36 It is therefore essential to consider as many risk sources as possible within a classification to help participants familiarize themselves with the given system and potential risk sources. 36 Although the study strategy did not focus on risk types of healthcare organizations (see methods), the reviewed studies placed significant emphasis on identifying and discussing a variety of typical risks in similar organizations with healthcare organizations.

According to the results of Simsekler et al, risk identification Framework (RID Framework) used to identify risks of the health organizations. 36 The risk identification framework includes a spectrum of inputs (System familiarization), processes (Identification of risks), and outputs (Presentation of the risks) in its structure. 36

Results of the studies, a functional framework for identifying and classifying risks in executive levels of HCOs are presented in Table 4 .

Identification and Classification of Risks in Executive Levels of Healthcare Organization

According to Table 4 , risk sources are classified into two categories (internal and external), and risk identification tools classified into two categories (retrospective-prospective and intra-organizational – inter-organizational).

Which Organization RM Framework and Techniques are Used in Executive Levels of Healthcare Organizations?

A stringent risk management process may enable executive levels of HCOs to cope with the risks presented in the previous section. Once risks have been identified, a number of techniques and actions can be selected to address them.

Various models have been used by organizations to assess and manage risk, the results are which are shown in Table 5 . Based on the findings in Table 5 , the risk management framework that are applicable to the executive levels of HCOs are classified into basic models and combined models. In addition, risk management models are divided by cost, time, and complexity. The approaches of risk management models are also divided into qualitative or quantitative, systemic or individual, retrospective or retrospective, and holistic or partial.

Characteristics of Organization RM and Risk Analysis Techniques

Notes: In output and information item, the status of risk management in organization was determined based on each of the phases of proposed framework. (Y: Fully performed, S: Somewhat performed, N: Not implemented).

According to the studies’ results, a simple and comprehensive framework for RM in executive levels of HCOs was suggested. The proposed framework of the present study consists of five phases that its main phases are adapted from the ISO13000 framework. The following is a suggested framework and techniques that can be used to implement risk management processes in executive levels of HCOs. Finally, in Table 5 examines the extent to which risk management based on the key phases of the proposed framework is established in healthcare organizations.

• Establishing the context,
• Risk assessment (risk identification, risk analysis, and risk evaluation),
• Risk treatment (strategy determination, designing measures and decision-making, planning, and implementation),
• Communication and consultation, and
• Monitoring and reviews.

In the following, RM framework and techniques in executive levels of HCOs for each organization were mentioned.

Establishing the Context (Initiation and Preparations)

The first phase in the risk management process is establishing the context. The context establishment primarily paves the way for the organizational nature of the company such as the project objective and management style or organization culture. In this step, issues such as healthcare organization background, who should conduct the RM process, Identify interested parties, formulate problems, set the objective(s) of RM and Select appropriate methods for RM are reviewed. 43 , 59

The organizational RM team should be multidisciplinary and comprised of various specializations, in particular, managers, process owner experts, and RM experts (consultants and facilitators). 25 , 33 Also, the number of team members depends on the complexity of organizational issues. 33 , 40 , 43

Risk Assessment

The second phase in the risk management process is risk assessment, which involves measuring or estimating the potential frequency of losses and the potential impact of a risk on the organizations' health care. Subsequently, the risks can be ranked according to its importance for the HCOs. In general, the following three steps (risk identification, risk analysis, and risk evaluation) proposed for risk assessment in executive levels of HCOs:

Risk Identification

Describing the process and system definition.

According to the results, there were several methods for outlining risky processes that executive levels of HCOs can use depending on their needs: Textual system description, 8 , 41 , 53 , 59 activity breakdown structure (ABS), 8 radar charts, 34 flow charts, 3 , 25 , 28 , 30 , 38 , 45 , 50 , 56 , 62 process diagrams, 34 , 38 , 45 , 56 , 58 system diagram, 8 , 34 , 62 integration definition (IDEF), 35 and hierarchical task analysis Diagram (HTA) or task diagram, 26 , 28 , 35 , 42 , 57 , 62 communication diagram, 56 , 62 information diagram, 35 , 56 , 62 , 63 organizational diagram, 35 , 56 , 62 , 63 stakeholder diagrams, 56 swim lane activity diagram, 56 state transition diagram, 56 sequence diagram, 56 and data flow diagram. 56

In general, process description tools are divided into two categories of descriptive tools and process tools. Radar charts, also called Kiviat diagrams, were built in order to visualize initial and residual risks for each kind process. 34 ABS is process-oriented instead of being product-oriented, moreover, this method lacks time dimension. 8 Also, a task diagram is used for describing the hierarchy of operations and plans, system mapping for how data is transmitted through activities, Information diagrams for describing information hierarchies, organizational diagrams for describing organizational roles hierarchy and Communication diagrams for displaying information flows between individuals and Business processes and IDEF for linking between inputs and outputs in organizational activities and resources, and Sequence diagrams for interacting information between stakeholders.

According to Cagliano et al, the flow chart included the name or code of both process phase and activity at issue, actors performing the activity; inputs (information, materials, preliminary actions, orders, etc.); a detailed description of operations required by the activity; duration and frequency; controls to monitor activity progress; tools necessary to perform both the activity and related controls and outputs (other activities, information, and data). 8 Moreover, in Parand et al’s study, activities in flow chart classified based on action, retrieval, checking, selection and information, and communication. 28 In general, as the describing the process be stronger, the results of the risk assessment can be more effective.

According to Simsekler et al 36 and Jun et al. 56 Studies, specific types of diagrams were selected by stakeholders as more useful than others in identifying different sources of risks within the given system. In general, employees’ perception, the ease of use and usefulness are the main variables for choosing the most optimal system modeling tool.

After drawing the process flowchart, at this stage, organizational risks or organizational process risks are determined. The applied frameworks for identifying risks in executive levels of HCOs presented in Table 4 .

Cause Identification

Based on some risk assessment models, the effective causes and the root causes of the errors are identified at this stage. Based on the Eindhoven model, the classes of causes error classified into two main categories of latent errors (technical and organizational) and active errors (human errors and other factors). 25 Furthermore, based on the results of some studies, the causes of errors classified in the Institutional context factors, organizational and management factors, work environment factors, team factors, communication factors, individual (staff) factors, training and education factors, equipment factors, task factors, and patient factors. 35 , 36 In addition, based on the results of some studies, the Ishikawa cause-effect diagram can be used to determine the sources of errors. 37 , 45 , 48

Risk Analysis

At this stage, it is possible to estimate the risk, qualitatively, semi-qualitatively or quantitatively according to the probability of the risk. The following steps considered for risk analysis in executive levels of HCOs.

Risk Estimation (Severity and Consequences and Likelihood Estimation)

At this stage, it is possible to risk estimation according to the probability and severity of risk. There are numerous qualitative, semi-quantitative and quantitative methods that try to estimate individual components of risk for a result to better reflect the reality.

Using verbal descriptors (low, medium, or high), 26 risk weights, 25 , 34 , 38 , 49 , 59 , 61 encoding, 30 , 40 , 52 , 60 , 61 scoring tables, 25 – 27 , 30 , 32 , 37 Bayesian methods, 46 Monte Carlo method, 46 , 60 and historical data, 49 suggested for estimating the severity and probability of risk in executive levels of HCOs.

In quantitative risk estimation methods (Monte Carlo and Bayesian), activities find a probabilistic form and a distribution function is specified for them. 46 , 60 In qualitative risk estimation methods, risks are prioritized based on their potential impacts on project objectives based on qualitative variables. Qualitative methods of risk estimation can either lead to further analysis in quantitative risk estimation or directly to risk response planning. 30 , 60

Interview with experts, 32 , 53 questionnaire design, 32 , 61 Delphi method or expert, 60 and focus group, 38 , 44 , 46 , 49 - 51 , 53 identified an applied method for risk estimation in executive levels of HCOs.

Risk Presentation

Present-estimated risks based on risk presentation formats, included a single number index (e.g. 1/100,000), 27 , 37 use failure space vs success space, 54 fuzzy numbers scales, 30 , 32 , 40 , 41 , 52 , 61 tables (e.g. sizes or bands of fatalities are 1–10, 11–100, and 101–1000), 30 , 40 risk matrix, 25 , 33 , 43 , 52 , 53 , 57 graphs or diagrams (e.g. Frequency-Number (F-N) curve), 35 , 46 and maps (e.g. risk contour plot). 45

In sensitivity analysis, the management index (Risk Index x Sensitivity) provided further ranking for those risks that have equivalent Risk Indexes. Given its scope, this analysis may not necessarily constitute an integrated step of risk analysis. 49

Synthesize information about the main risk elements included risks and their causes and contributing causes, frequency or probability, consequences due to risk, and estimated risks. 49

Risk Evaluation

Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. In this step, the following steps considered for risk evaluation in executive levels of HCOs.

Select Risk Evaluation Criteria

There was a wide range of qualitative and quantitative risk criteria or standards for evaluation of various types of errors in executive levels of HCOs. Selection of risk criteria may also depend on the results of the risk analysis and how risks are estimated. 60

Compare Estimated Risks Against the Risk Criteria and Prioritize or Rank Risks

This step concerned with making decisions about prioritization and comparison of risks to be managed, based on the outcomes of risk analysis. 27

A simple method for risk filtering was a Pareto analysis. 26 , 30 , 58 , 60 Moreover, in some studies, decision tree, 25 , 28 , 49 , 57 priority matrix, 25 , 30 , 35 criticality matrix, 34 , 44 Criticality scale, 34 , 38 , 49 , 60 and risk prioritization grid used to determine acceptable and unacceptable risks. 27 Furthermore, simple additive weighting (SAW), 32 and hazard totem pole (HTP) 60 methods can be used as practical and quantitative methods for risk evaluation. SAW was a simple and most applicable multi-attribute decision method which is known as a weighted linear combination or scoring technique. 32

Risk Treatment

This phase involved defining and implementing actions for mitigating the determined risk level and verifying that the residual risk level is acceptable. 27

Determine Organization RM Strategies

The four common organization RM strategies options:

• Avoid: elimination involves elimination of risks at the source.
• Reduce: The strategy of risk reduction involves reduction, but not a complete elimination, of the frequency of occurrence of undesirable risks and/or the severity of their consequences. 53 , 60

These comprise two fundamental approaches to risk reduction, which were:

• SHARE (spread or transfers): sharing the risk to another entity and/or function. Risk sharing is carried out in different ways, including risk sharing by insurance and contract, risk transfer and physical transfer.
• Accept: Risk can be retained in cases where it cannot be avoided or transferred. 25 , 44 , 45 , 53 , 60

Moreover, theory of problem-solving by an inventive method, 25 Generating Options for Active Risk Control (GO-ARC) Technique 64 and dynamic systems development method (DSDM) 50 used to redesign the process and improve strategies.

In the GO-ARC Technique, risk control options are divided into 5 categories (elimination, design controls, administrative controls, detection/situational awareness, and preparedness). The first three consist of the 3-tiered hierarchy of risk controls. The remaining two, detection/situational awareness and preparedness help users consider risk controls to reduce the severity of harm or prevent harm in the midst of an on-going systems breakdown; they are aimed at promoting resilience, as opposed to focusing solely on preventing systems breakdowns in the first place. In general, GO-ARC improves the trend of producing risk control options. Use of the Generating Options for Active Risk Control (GO-ARC) Technique can lead to more robust risk control options.

On the other hand, the DSDM framework is complicated to become a general framework for solving task problems. At DSDM, the primary effort is to provide software that is good enough to meet the needs of the business and that it can progress to the next iteration. 50

Additionally, the SWOT matrix with four strategy areas, SO (maxi-maxi) and ST (maxi-mini) and WO (mini-maxi) and WT (mini-mini), was used to determine strategies and corrective actions. 31

RM Measures and Decision-Making

RM strategies and measures were often difficult to compare and evaluate executive levels of HCOs. The best decision is the one that yields the greatest expected value. The interventions prioritized according to two criteria of their ability to reduce the root causes (interventional power) and perception of their implementation based on what is anticipated (reliability of intervention). 26 , 30

The best performance measures can be selected based on criteria such as safety, profitability, quality, efficiency, effectiveness, time, cost, available resources, performance, environmental conditions, and satisfaction. 41 , 42 , 45 , 46 , 59 In one study, AHP/ANP and BOCR (benefits, opportunities, costs, and risks) used to select the best RM strategies. 41

Planning and Implementation

Finally, a plan also defined risk ownership, roles and responsibilities, and time frames to implement mitigation strategies. 45 Risk governance structure was a useful tool for risk assessment planning. In this method, the roles and responsibilities of each employee determined in the RM plans. 39 , 40 , 45 Moreover, using the pilot study method 43 , 59 and simulation, 41 , 49 suggested before the implementation in a wide range.

These steps are typically performed as iterative cycles that controlled and triggered by two continuously running activities: risk review and monitoring, communication, and consultation.

Communication and Consultation

Communication and consultation with internal and external stakeholders needed to keep them informed of process outputs and let them provide inputs. 27

Risk-related information should be shared based on appropriate access levels in the exchange organization or between decision-makers and other stakeholders. These should address the issues related to risk itself, its causes, its consequences (if there is information about them), and the measures taken to deal with it.

Communication and consulting with project stakeholders can be a key factor in a favorable execution of risk management and in achieving better results. In practice, regular reporting is of important components of communication that helps senior managers identify the risks they are faced with. Summary reports prepared from risks, in fact reflect the status of the responding guidelines and the trend index of risk occurrence. 59

Work sessions, 29 , 59 intranet-based calendars, 59 reports and gatherings, 59 wiki page, 45 and PMBOOK software, 46 are suggested as tools for information exchange in executive levels of HCOs.

Monitoring and Review: (Re-Assessment – a Continuous and Cyclic Process)

Effective risk management requires a reporting and reviewing structure in order to ensure that risks are effectively identified and evaluated and responses and controls are in a timely manner. In this phase, policies and following of standards should be regularly verified and the performance of standards should be reviewed to identify improvement opportunities. 27

Various methods such as risk compliance readiness template, 45 risk project update template, 45 data management system, 60 variance analysis, 46 risk reassessment, 46 Wiki page as collaborative workspace, 45 control chart, 43 trend analysis, 46 risk auditing, 39 , 46 visual process control, 43 and communication plan 43 recognized to monitor and evaluate the effective and efficient RM cycle in executive levels of HCOs.

By conducting continuous monitoring and reviewing of risk, it is ensured that new risks are being identified and managed, and executive programs are effectively implemented and developed. 46

Given different and dynamic nature of organizations, various frameworks and techniques are used in managing and accessing organization risks. Therefore, recognizing organization RM framework is an important step in RM in executive levels of HCOs. In this study, based on a review of studies, frameworks and tools that can be used to implement organizational risk management in the executive level of HCOs are proposed.

According to the first question of this study, healthcare organizations may be faced with risks that may prevent the mission and achievement of the organization’s objectives, so at the first step of risk management, risk resources should be identified with optimal tools. 17 In the present study, using an innovative approach, a framework for identifying and classifying risks in the executive levels of HCOs was proposed. The proposed framework included three steps of input, process, and output.

Input phases considered a spectrum of inputs to help increase understanding of the system, and awareness of potential organization risks that can occur in complex and changeable healthcare systems. 36 Input phases consist of (Risk Sources, 8 , 36 Nature of Hazards, 36 and Time). 36 At the process stage, the tools that can be used as intra- or inter-organization and retrospective-prospective in the executive levels of healthcare organizations are determined. 55 Finally, in the presence of the risk stage (output stage), the identified risks were clearly registered in executive levels of HCOs. 8

Using this framework is a helpful guide for managers to identify potential error in the executive levels of HCOs. Based on the results of the study by Pott et al 57 and Similker et al, 17 different approaches should be used to identify risks in organizations, and data from different resources should be integrated to gain a general view into the risks of a system.

We have no standard answer as to which one of the risk identification tools is a more optimal tool. Each tool is used to identify a range of risks, so the best approach to identify all risks is to integrate retrospective and prospective analysis to understand a broader scope of the risks.

Based on the results of the studies, organizational risks, 8 , 26 , 31 , 45 , 59 technological supports, 8 , 31 , 34 , 40 , 45 , 60 and information and communication, 8 , 31 , 34 , 40 , 55 , 59 were identified as the most important resources of risk in most studies, so treatment of these risks is of high importance in the executive levels of HCOs.

In today’s world, when being faced with healthcare organization risks, managers have realized the need to develop a risk management framework at the organization level. According to the second and third questions of this study provides a state of the art based on the review of studies and it tried to propose a framework for risk management and techniques applicable to each of the stages of risk management and risk assessment in executive levels of HCOs. The term “framework” has a broader scope than the term “technique.” The risk management framework includes guidelines for analyzing, assessing, and managing risks in healthcare organizations. In contrast, management, and risk assessment techniques considered as analytical tools for analyzing data and risk information.

In general, the risk management framework has required stability, but there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on specific conditions and position of the organization. Therefore, Table 5 presents limitations, strengths and weaknesses and factors influencing the selection of each of the models for risk management and risk assessment in executive levels of HCOs. Therefore, the content of this table can help risk analysts, healthcare managers and other stakeholders to make rational decisions about identifying risk management and risk assessment models in executive levels of HCOs.

According to the results of the studies, there was a wide range of well-known and successful tools for single and combined risk assessment and a hierarchy of risk analysis models suggested for executive levels of HCOs.

Hierarchy of risk analysis and risk assessment models divided:

High-level tools: At this level, risk assessment tools cover a wide range of risk scenarios and provide various information for the organization based on risk scenarios. However, such tools should not be used when the details need to be emphasized in risk assessment. Some risk assessment tools employed at this level are All the combined models presented in Table 5 for analysis and risk assessment, 30 , 35 , 38 , 40 , 42 , 43 , 45 , 50 , 52 Six Sigma, 43 , 45 IRMAS, 59 CREA (Clinical Risk and Error Analysis). 35

Mid-level tools: Implementing risk assessment tools at this level makes it possible to provide the modest information and details for the organization considering risk scenarios. Some risk assessment tools employed at this level are Health failure mode and effect analysis (HFMEA), 25 , 42 , 50 HFMEA/FMEA/FMECA, 8 , 25 , 26 , 28 , 30 , 37 , 38 , 49 root cause analysis (RCA), 38 , 43 , 50 bow-tie model, 48 , 51 hazard and operability analysis (HAZOP). 35

Low-level tools: At this level, risk assessment tools evaluate the limited range of risk scenarios, but with more details for the organization. Some risk assessment tools employed at this level are: Preliminary risk analysis method (PRA), 34 fault tree analysis (FTA), 54 change risk assessment model (CRAMS), 46 change analysis (CHA), 46 human reliability assessment (HRA), 8 Pareto analysis (PA), 26 , 30 relative ranking/risk indexing (RI), 32 , 60 5 whys technique, 8 , 36 hazard checklists (HCl), 35 change analysis (CA), 28 strategic risk analysis (SRA). 31

Optimal implementation of the risk management process is nothing but the adoption of the most appropriate techniques and tools available in each phase. However, there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on scope of risk analysis, legal requirements, results/information needed data, resources and time available, complexity and size of risk analysis and type of activity or system and concerning issues. As a general rule, the best risk management tool is to overcome the participants’ mental judgment.

Most of the models extracted from the results of the study were somewhat similar and presented the same components. The three main factors that were found in all risk management models included measurement, management, and monitoring. Therefore, based on the results of the studies and the nature of healthcare organizations, the risk management process had one primary phase and four main phases. In the primary phase, the objectives and prerequisites for risk management are set out for execution. The main phases are as follows: Risk assessment (identifying potential risks, determining the likelihood and consequence of the identified risk and determining the level of the risk), risk treatment (how to reduce the impact of unacceptable risks and selecting appropriate responses to them), monitoring and reviewing (effectiveness of measures) and the latest activity of the process of communication and consultation with the stakeholders on the trend have been carried out.

The proposed framework of this study is very similar to the iso13000 framework, with the difference that more details are provided in the framework of the present study. The ISO13000 approach describes the organization’s risk management in a comprehensive, strategic, and holistic way. 45

Also, the model developed in the present study has several specific features compared with the previous models: 1) In the present research it was tried that the research literature be integrated in the field of risk management and provide a framework that is more comprehensive; 2) According to the search strategy, all risk management frameworks of healthcare organizations and organizations adaptable with healthcare organizations were examined and there was no particular dependence on the specific industry and from this perspective, they have more advantages compared to some frameworks that were established regarding a specific industry; 3) The proposed framework is provided based on the internal and external flows dominant on healthcare organization. Managers of healthcare organizations today need a structured and coherent approach to identify, analyze, and manage risk across a range of intra- and inter-organizational activities; 4) With the establishment of the proposed model in the organization, the basic assumptions dominant on healthcare organizations are examined in specific time periods and, if necessary, continuous improvement in healthcare organizations is done in a dynamic cycle.

Regarding the status of healthcare organizations in establishing each of the main phases of the proposed risk management framework, studies have identified and evaluated the risk, and the treatment phase and risk monitoring were neglected in most studies. However, risk management should be done throughout the life of the organization. New risks need to be identified and managed at every stage of the organization’s life. Also, based on Table 5 , most studies were not done at the phase of risk assessment, process mapping, and cause identification. While many system mapping approaches have been widely used in various industries, healthcare organizations have only used a limited number of them to process mapping. 62 Each process mapping tool has a specific application, and managers and professionals should use the most useful of them to identify sources of risk in healthcare organizations. The most important phase, guiding the risk management process, and determines the main policies in risk management is the phase of planning and setting objectives, which is done incompletely in most studies. Risk managers should pay great attention to risk planning; obviously, if this is not done in a fully transparent manner, the execution of risk management will be subject to some uncertainty. 43 , 46

Based on the results of Table 5, in most studies (89.6% of studies), risk management attitude was prospective and in few studies, each of prospective and retrospective risk management approaches was emphasized. Whereas, based on the results of the Kessele-Habraken et al study, the integration of prospective and retrospective analysis is important in improving the safety and optimization of organizational processes. 58

As we proposed, information about incidents and their retrospectively reported frequencies could be used as a reference point in the prospective analyses, which might facilitate frontline staff in the risk assessment. Conversely, prospectively developed failure scenarios could be used as guideline for retrospective.

Further Research Avenues and Limits

In this study, a framework for the execution of risk management in the executive levels of HCOs was proposed. Like any other management framework, successful implementation of the organization RM framework in executive levels of HCOs necessitate organizational commitment, establishing a stimulating culture, accurate planning, stakeholder engagement, strong and effective management, and use of available resources to implement the stages. Based on the results, it can be suggested that studies of risk management are increasing over time; however, there are still new cases that need further investigation and researches, some of which are mentioned below.

• Studies evaluating the effectiveness of risk management frameworks were very scarce and the effectiveness of risk management models should be examined in the future.
• The amount of outcome studies was not significant with respect to the investigated period (2000–2018). The outcome of most studies was also partial and lacks the necessary comprehensiveness. In most studies, the identification and assessment of risk were dealt with, and the phases of risk treatment and monitoring was neglected. Future studies, therefore, need to be implemented with a holistic view of the risk management process in healthcare organizations.
• In most studies, the sample size was very small, and risk management was performed at a micro level in the healthcare organization and organizations adaptable with the terms of healthcare. Therefore, the risk management needs to become dominant in a more comprehensive way and in larger-scales in the healthcare organization.
• Based on the results, various tools have been identified to achieve the risk management framework at different phases. The variety of the materials collected, together with the limited evidence for each topic, make it difficult to come to general conclusions, so it is necessary to conduct a cost-benefit analysis of risk assessment techniques.
• In this study, risk sources have been identified theoretically and for staff areas of healthcare organizations and some risks may not have been identified, although maybe a significant threat to the health system. Therefore, we cannot claim that this framework can be extended to other organizations in the health system.
• The volumes of the most studies of risk management in healthcare organizations are related to risk assessment, so it is recommended that all future phases of risk management in healthcare organizations be established.
• For some phases of organization risk management, there were only conceptual studies; therefore, a feasibility study is needed to effectively implement various phases of RM in organizations.
• Development of the organization RM framework for other areas of healthcare, development of advanced technological solutions to facilitate risk assessment, development of tools or criteria for effective and efficient implementation of organization RM frameworks, managers’ perceptions of organization RM frameworks are factors which should be considered for further research.

One limitation of this study was that the number of findings in the systemic review was dependent on the selection of keywords and input/output criteria. Therefore, more models can be extracted for organizational risk management. Also, non-English studies were not included and there may, therefore, be a bias towards inclusion of studies performed in English-speaking countries. In addition, articles were exclusively selected from journals, hence, other parts of literature, such as books, book sections, and gray literature were excluded from the process as journal articles are readily available in journal databases and are usually used as a mean of scientific communication.

Despite these limitations, this study has several strengths. First, all models of risk management and evaluation in healthcare organizations and organizations that could be modeled for the executive levels of the HCOs were examined in this study. Second, this paper contributes to the field of risk management research in healthcare. Third, the tools and techniques for risk assessment and management that are applicable to staff areas of healthcare organizations are mentioned.

Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework for risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment (risk identification, risk analysis, and risk evaluation), risk treatment (strategy determination, designing corrective actions, planning, and implementation), Monitoring, and review, and communication and consultation.

Tools and techniques were also suggested for use at each phase of the proposed risk management framework. These techniques have been selected to best apply to non-clinical risks in healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool are comprehensive.

Acknowledgments

We would like to thank all the staff members who assisted with our research.

The authors report no conflicts of interest in this work.

To read this content please select one of the options below:

Please note you do not have access to teaching notes, leadership, governance and the mitigation of risk: a case study.

Managerial Auditing Journal

ISSN : 0268-6902

Article publication date: 2 February 2015

The purpose of this study is to examine how managers in financial institutions satisfy themselves of the effectiveness of risk mitigation strategy and management control. It studies the co-opting of accounting tools within a single financial institution case study, examining the recursive and emergent characteristics of risk management practice.

Design/methodology/approach

Adopting a field study approach within the strategy-as-practice perspective, the paper provides insights into the role of actor perceptions of risk and accounting as a calculative practice in the adaptive enactment of risk strategy.

Results highlight the interactions between risk management strategy, management controls and actor interests at Lehman Brothers. The actions and reactions of risk management decision-makers such as Executive Committee and Board members are examined to better understand the role of accounting and leadership.

Research limitations/implications

Results of this study may not be generalised beyond this single case study.

Practical implications

The paper emphasises that concern for the social relations and the performative interests of actors in a risk management network needs to be understood and considered in accounting research. It is argued that the market prices of tradable financial asset will continue to be opaque without these insights.

Originality/value

This study explores an under-researched topic in the accounting literature in examining how management controls are affected by and, in turn, affect risk strategising.

• Financial markets
• Risk management
• Strategy as practice
• Lehman Brothers
• Management control

Rooney, J. and Cuganesan, S. (2015), "Leadership, governance and the mitigation of risk: a case study", Managerial Auditing Journal , Vol. 30 No. 2, pp. 132-159. https://doi.org/10.1108/MAJ-08-2014-1078

Emerald Group Publishing Limited

Copyright © 2015, Emerald Group Publishing Limited

Related articles

We’re listening — tell us what you think, something didn’t work….

Report bugs here

All feedback is valuable

Please share your general feedback

Join us on our journey

Platform update page.

Visit emeraldpublishing.com/platformupdate to discover the latest news and updates

Questions & More Information

Answers to the most commonly asked questions here

Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.

We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.

Brief introduction to this section that descibes Open Access especially from an IntechOpen perspective

Want to get in touch? Contact our London head office or media team here

Our team is growing all the time, so we’re always on the lookout for smart people who want to help us reshape the world of scientific publishing.

Home > Books > Risk Management - Current Issues and Challenges

Importance of Risk Analysis and Management – The Case of Australian Real Estate Market

Submitted: 18 April 2012 Published: 12 September 2012

DOI: 10.5772/50669

Cite this chapter

There are two ways to cite this chapter:

From the Edited Volume

Risk Management - Current Issues and Challenges

Edited by Nerija Banaitiene

To purchase hard copies of this book, please contact the representative in India: CBS Publishers & Distributors Pvt. Ltd. www.cbspd.com | [email protected]

Chapter metrics overview

7,950 Chapter Downloads

Impact of this chapter

Total Chapter Downloads on intechopen.com

Total Chapter Views on intechopen.com

Overall attention for this chapters

Author Information

Gurudeo anand tularam, gowri sameera attili.

*Address all correspondence to:

1. Introduction

Life is full of risks for example risk is involved in simple things like turning on the gas at home or when dealing with life threatening medical emergency decisions. Risk plays an important role in the way we manage our economy, organization or our family. Risk can be rather complex when household money is involved; such as for individuals or families – for example, mums and dads stand to either gain or lose large sums of money. The types of risks involved influence decisions on how to manage or invest money in shares, bonds or property. When faced with risks, the challenge is how well prepared are we to overcome risks. Risk awareness may be limited in which case there is a high likelihood of risk turning into hazard -leading to disastrous outcomes. Successful businesses make constant efforts to change or update their in house administrative polices and frameworks to allow for possible risks in their business requirements. Some decisions that are likely to have been factored into the component of risk are: rigid corporate governance requirement, human resource planning, succession planning, training and development, merger and acquisitions, adapting to different cultures, foregoing or discontinuing some existing products, outsourcing, new market development etc. No matter how important a decision is made, strategic alignment is critical in business decision making. New ideas should be implemented according to the business needs a company. The introducing of novel ideas should involve all personnel particularly during the decision making processes of development and setting of targets. A well-managed business is also well prepared one and thus able to confront challenges of the modern dynamic business environments.

Yet managing risk is rather challenging for the world is mostly unpredictable. The processes are continuously changing and evolving in terms of resources that are available - technology, innovation, human resources and time to name a few. In order to adequately address an impending risk, it is important to gather as much factual information as possible for analysis to help manage and thus minimize risk.

Risk can be classified into both voluntary and involuntary [ 1 ]. This classification depends on how an individual or an organization judges the situation. For example, a person with a habit of smoking or drinking fails to associate the habits as involving risks; yet often the habit becomes hazardous and they can significantly affect a person’s quality life. Involuntary risk places a person or the organization in a state of ambiguity, where the people involved in the decision making process have not been exposed to a particular circumstance or they lack knowledge and awareness of the particular risk situation. The ability to deal with such risks is a crucial factor in determining successful outcomes irrespective of the stature of an individual or an organization.

For some individuals, the ability to deal with risk appears to be built in their character but for the rest of us it seems, it is knowledge that can be acquired through training. In order to gain the skill set required so that one to deal with risk, it is important to step out of one’s comfort zone and be willing to change, learn, develop new skills, or be challenged to manage risk. Risk management is a methodical approach that could be taught and learnt by most. The general process and steps involved is presented in Figure 1 .

The process of risk management

This paper is organized in the following manner: In the next few sections risk is defined and risk management explored focusing on types of risks associated with real estate market. The Australian real estate market is then reviewed and possible risks involved are explored in some depth particularly in terms the global financial crisis. The paper compares the market with the rest of the world and summaries investor risks and rewards in Australian real estate market.

1.1. Definition of risk

In the international context, the ISO 31000/ISO Guide 73: 2009 [ 2 ] defines risk as the “effect of uncertainty on objectives” (p. 1). When there is a lack of knowledge or exposure to a certain event then such a situation can be termed uncertain. Taking decision on an uncertain event or situation may or may not be successful, which is what risk is about. Many definitions of risk exist in common usage [ 3 - 4 ]; however the ISO definition of risk was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.

Risk is defined in Australia by the Australia/New Zealand standard for risk management [ 2 ] as “the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence…” (p. 2). Risk can also be defined as the uncertainty of future events that might influence the achievement of one or more objectives such as an organization’s strategic, operational and financial objectives [ 3 ]. Risk management may produce positive opportunities for developers although the negative aspects of risk are usually the once that are emphasized [ 4 ].

Likelihood of risk occurring varies from industry to industry and how complex a job maybe. Some areas where there is a high chance of risk are construction, transport, mining, health care, sports, finance and banking, insurance and superannuation.

Risk can be broadly understood and explained in three different scenarios [ 5 ]: risk versus probability; risk versus threat; and all outcomes versus negative outcomes. It is believed that any risk can be managed through the engagement of a proper risk management process.

1.2. Risk management

There seems to be an increasing demand of organizations to meet and exceed the financial expectations of shareholders. In the pursuit of growth, many organizations (for example: Toyota) have adapted and responded to expectations of the shareholders by becoming lean and efficient. It is always easy to think that risks and their potential consequences could have been predicted and managed. This is clearly not true when it comes to success in a business. Business success usually requires some acceptance of risk and, as such any risky strategy undertaken may lead to a failure.

In large organizations and corporations there are designated personnel; namely, risk managers. Hillson [ 6 ] argued that risk is mostly managed “continuously, both consciously an unconsciously, though rarely systematically” (p. 240). Risk manager’s main role is to be aware of the market, collect data and predict forthcoming threats so that a company can manage the risks in a successful manner. Risk manager duties include developing and communicating risk polices and process, building risk models involving market, conducting credit and operational risk analysis, coordinating with concerned stakeholders involved in the process and creating a risk awareness culture in the organization.

Risk management not only prevents organizations from entering a dangerous and uncertain territory, which could lead to a catastrophic failures, but also ensure the development and growth of the business. The depth and clarity with which a risk is defined is critical for risk management. In an event where an organization has a low risk situation at hand and decides to postpone rather than resolve the issue involved for financial or other reasons, the risk may eventually become a threat of moderate to high level and this could prove to be disastrous for management. Ignoring the risks that apply to the business activities or the events that have been planned could impact on the following:

customer and public confidence in the organization;

credibility, reputation and status;

equipment and the environment;

financial position of the concerned; and

health and safety of employees, customers, volunteers and participants.

A systematic approach to managing risk is now regarded as best management practice. The approach taken almost always benefits the organization irrespective of type of risk involved. Once the risk is identified it is documented in detail; subsequently the concerned stakeholders undertake possible risk management and mitigation processes. A comprehensive review of the situation and critical feedback are usually required that may ultimately lead to changes in the organizational polices and structures; particularly in case of a major events.

Organizations that thrive to be successful constantly monitor themselves and willfully undertake only calculated risks. In doing so, they enjoy a competitive advantage in addition to meeting their business objectives. In era of globalization, companies are often expanding their business opportunities and in the process, they may undertake challenging and ambitious projects. In most cases, they need to take a number of risks. In this regard, businesses such as Microsoft, Google, and Wal-Mart appear to have been successful global players mainly because they were able to manage risk in a timely manner.

Risk management decisions should be a part of business objectives. Every new project, policy or invention should include all the possible anticipated risks that one may possibly confront. Decision making process needs to consider threats identified, its impact and reaction on the business. By making a careful analysis, companies will have fewer surprises and thus may in the end spend less time recovering from the losses that may be inevitable at times. When companies do not have “a keen eye on the kind of risk”, risk retention can become a legitimate way of managing the risk. Figure 2 shows the six steps involved in the risk management process: establish the context, identify the risk, analyze the risk, evaluate the risk, and manage and review the risk.

1.3. The steps involved in managing risk

The steps in risk management

1.3.1. Establish goals and context

To establish context and define goals is an important step. Once the context is established it is critical that the risk is defined and the objectives are set. Also important is to know the limitations of the risk strategies proposed. An effective risk management team understands the needs of the organization and the way it operates. Once the goal is defined there is a need to identify the scope of the context. In general, these factors can be classified into strategic and operational risks. Strategic risk management includes economic, social, environmental, political, legal and public issues; while operational risk management includes technological, human resource, financial, reputation and other relevant strategic issues. Clearly, management may not be able to totally control the many factors but the risks posed by them could indeed be minimized.

The process of risk management has to be simple, precise and effective. For it to be effective, organizations should consider strength, weakness, opportunities and threats (SWOT) type analysis of the situation. By conducting SWOT analysis, the management can identify and analyze different situations [ 7 ]. Once threats are identified, appropriate measures and decisions may then be taken to convert the threat into an opportunity. The organizational context provides an understanding of the organization, its capability and goals, objectives and strategies. In establishing the context the identification of stakeholders is critical; these are individuals who may affect, or be affected by decisions made by the risk management team. For example, stakeholders may be employees, volunteers, visitors, insurance organizations, government agencies or suppliers etc. Each stakeholder will have different needs, concerns and opinions; therefore it is important to communicate with the stakeholders involved in the process of addressing risks.

1.3.2. Identify risks

Identification of risk involves a systematic process of examining situations and finding solutions. The process includes stages such as group discussions and brainstorming sessions to generate a variety of ideas. While all the ideas or issues generated may or may not be relevant, it is important to document all problems, possible impacts and solutions identified. There are four primary areas in which risk can occur in a general business environment:

financial: this could mean loss of funding, insurance costs, fraud, theft, fees etc.;

physical: this involves physical assets of the organization, personal injuries and environmental;

ethical or moral: involves a perpetuated, actual or potential harm to the reputation or beliefs of an individual or organization; and

legal: this includes responsibilities and adherence to the law, rules and regulations of governing bodies such as the federal, state or local governments.

Risks can be identified by examining records of previous activities or events. Other ways in which risks could be identified are results from past experiences (personal, local or overseas) [ 8 ], through conduction interviews of stakeholders (example: Susilawati and Armitage [ 8 ]) or by analyzing specific real life or generated scenarios.

1.3.3. Analyse risks

This step determines and addresses the impact of threats that have been documented. Threats identified are rated according to the likelihood of occurrence. The potential of an identified risk can be estimated by the effect it has on financial and other resources. When analyzing a risk, one decides on the relationship between the likelihood of a risk occurring and the consequences of the risk identified. The level of risk is then defined and management of it is then explored. Managing risk can be done in several ways such as contingency planning, using existing assets or making an investment in new resources. The levels of the risks can be classified into

extreme: an extreme risk requires immediate action as the potential could be devastating to the enterprise;

high: a high level of risk requires action, as it has the potential to be damaging to the enterprise;

moderate: allocate specific responsibility to a moderate risk and implement monitoring or response procedures; and

low: can manage a low level of risk with routine procedures.

The tools most commonly employed to measure risks include qualitative techniques [ 10 ]. Melton [ 11 ] described the tools as probability and impact analysis tools and Webb [ 4 ] called these likelihood and consequences tools. A risk matrix presentation tool (qualitative technique) can provide better insights to the nature of a risk. Risk matrix is often used as a tool to display different risks once they have been analyzed. It allows an organization to mark a threshold above which risks will not be tolerated; or will receive additional treatment from the board or delegated staff. In Figure 3 the threshold is set at risks score of 5 or above. It is then important to ask the following questions in relation to each of the identified risks:

What is the likelihood of the risk occurring?

Are there any controls currently in place to manage the risk - if yes then, are there any remaining risks?

What are the consequences if the risk should occur? and

What is the level of the risk?

Risk matrix Source: adapted from Austrac

1.3.4. Evaluate risks

In this step the tolerance of the risk is determined; that is, whether the identified risk is acceptable or unacceptable. The evaluation takes into account the following:

importance of risk management and possible outcomes of a risky activity;

potential and actual losses that may arise from the risk;

benefits and opportunities presented by the risk; and

degree of control one has over the risk.

An acceptable risk is a type of risk that that a business can tolerate; a loss for example- the risk does not have major impact on business. An acceptable risk has to be constantly monitored, reviewed and documented so that it remains tolerable. A risk is deemed to be an acceptable risk because of following reasons:

risk level is low and the benefits presented by the risk outweigh the cost of managing it;

risk level is so low that it does not warrant spending time and money to manage it; and

risk presents opportunities that are much greater than the threats posed by it.

A unacceptable risk is when a business is bound to experience significant losses and such losses cannot be tolerated. In such an event it is important to address and treat the risk in an appropriate manner.

1.3.5. Treatments of risks

Risks may be dealt with in several ways; it can be avoided, reduced, shared or retained. Risk is avoided when appropriate decisions are taken to eliminate all possible pitfalls thereby preventing the situation from occurrence. In most decision making processes, calculations are made and ideas are contemplated to strike a balance between the cost and effect. In such situations calculated risks are accepted and a high risk situation may be reduced by:

identifying options to treat the risk;

selecting the best treatment option;

preparing a risk treatment plan; and

implementing a risk treatment plan.

In other cases, risk is shared between the stake holders in terms of how profits and losses are shared. This is done mainly to share the impact of a risky event when it occurs. For example, in the era of globalization it is challenging for the companies to enter new markets and countries. In order to minimize uncertainty and exploit business situations that may exist, companies often decide to share risk; careful consideration and research undertaken by the companies often suggest risk sharing. Risk sharing develops opportunities while engaging all partners in achieving strategic goals and the gains and loss are then shared accordingly. The nature of strategies to mitigate risk often depends on the experience of the risk manager who may consider one or more of the following [ 3 ]:

avoid the risk by deciding not to proceed with the activity or choosing another way to achieve the same outcome;

control the risk by reducing the likelihood of the risk occurring, the consequences of the risk or both;

transfer the risk by shifting all or part of the responsibility of the risk to another party who is best able to control it; and

retain the risk after accepting that the risk cannot be avoided, controlled or transferred.

It seems the simplest of all methods of addressing a risk is by retaining an identified risk that may not potentially impact upon the operations of a business. It is important to continuously monitor such risks for in the absence of careful monitoring, the risks may become threats in due time.

A dedication towards risk management often projects a wiser professional image to the community. In doing so, the stake holders recognize the fact that the concerned organization has a keen interest in safeguarding its assets as well as that of its employees, visitors and volunteers among others. In the process of identifying, analyzing and evaluating risks an organization improves its management team’s ability to make educated decisions.

1.3.6. Monitor and report effectiveness of risk treatments

Every organization irrespective of size clearly strives to reduce the risks involved. In order to reduce risk organizations have to align their policies and structures in a consistent manner and constantly monitor business activities. Also, there is a need to allocate resources (financial, human resource, technology etc.) efficiently to improve performance and to win the approval of all stake holders. It is also important to ensure personnel working at different levels in the organization report to the appropriate authorities when a risk is identified. Such a culture enables an organization to document and then undertake suitable and timely measures to avert risks. In the risk management process, data capture and reporting can provide valuable insights into the risk management process. A sample risk management planning template is shown in Table 1 . As discussed, risk management team play a vital role in identifying and addressing risks.

Risk management planning template

It is necessary to constantly monitor and evaluate the strategies that are employed to manage risks. This is because risks do not remain the same - new risks are created, existing risks are increased or decreased, some risks may no longer exist and previous or existing risk management strategies may no longer be effective. In the end risks can originate from accidents, legal liabilities, natural causes and disasters, uncertainty in financial markets, credit risk, project failures (at any phase in design, development, production, or sustainment life-cycles), or events of unpredictable root-cause. Several risk management standards exist including those from the Project Management Institute, National Institute of Science and Technology, Actuarial Societies, and ISO standards. The risk management definitions, methods and goals vary widely according to the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, public health and safety and real estate.

An important aim of the paper is to study and review the real estate market in Australia to identify risk and rewards as well as compare the Australian market conditions and performance with the rest of the world. Therefore, the focus of the next section is on risks in the real estate market.

1.4. Types of risk associated real estate market

Types of risk in real estate market

As is the case with every other industry, there are several risks in the real estate market. For example, there exists a risk factor in land procurement; housing development; asset management; property management; tenancy management to name a few [ 13 ]. The risks may be classified as internal or external risks ( Figure 4 ). In turn, the internal and external risks can be divided into various other risk categories shown in Figure 5 and Figure 6 [ 14 ]. Builders, project managers, owners and investors who plan to make an investment or hold an investment in the property market may need to consider one or more of the following risks and then implement appropriate strategies for their projects to be successful.

1.4.1. Internal risk

Internal risk can be divided into financial management, human resources, property management, legislative compliance, corporate governance and housing management as shown in Figure 5 .

Financial management: A detailed analysis of any proposed or existing projects need to be conducted for project viability. It is also important to plan the cash flow and management of the same. A poor cost control may lead to a budget over shoot and the project may run into un-chartered territories. When it comes to servicing the debt due care needs to be given to income streams - to take into account either reduction or loss of future income streams. In this regard, banking organisations need to be diligent in testing the capacity to repay the loans that are being offered. Fraud often occurs in real estate market mainly involving the use of false documents regarding number of properties, outgoing fees or rates, income streams and so on.

Internal risk Source: adapted from Sheryl and Adam [ 14 ]

Insurance also plays a vital role in financial management of a project or investment. Adequate insurance is needed to cover the various risks that may be involved such as the type of property, its location, exposure to natural calamities etc. to name a few. Insurance also need to be updated with the changes in conditions.

Property management of a construction project: During the construction of a new project the builders needs to plan their inventory and keep control of their stocks irrespective of the size of the project. Stock control starts from buying goods to using and maintaining them, and also reusing or reordering as required. Quality of the stock also plays a vital role in real estate business. To maintained quality several techniques are adapted. Just in time technique (where items are ordered when necessary and used immediately), minimum stock level technique and stock review technique.

Contractors play an important role in success of a construction project. They are responsible for recruitment and supervision of employees working on the project. Contractors are also responsible for material management coordinating with suppliers thus acquiring necessary goods in time for the construction phases. Poor response from the contractors or failure to perform their duties will delay the project and overshoot budgets.

Legislation compliance: Often a property holder has to disclose his personal and financial information to third party. Protecting information plays a key issue in this business. Once all the parties are ready to proceed it is necessary to have a privacy act is in place so that all information is secure. The corporation act provides the guidelines for conflicts or issues arising in construction or maintenance of a property. There are several agencies that provide comprehensive legal services to better understand the litigations involved. Anti-discrimination law and disability service act also play an important role in real-estate. Property owners are liable for any discriminatory acts.

Occupational health and safety (OH&S) also arises in real-estate and a number of OH&S compliance officers are usually assigned to monitor the safety and health; for example, conditions provided to the workers at construction sites. OH&S officer duties include inspecting construction sites and providing support to internal clients. It is important to report any hazard or incident and all incidents should be attended to and documented for future reference.

Corporate governance: Corporate governance plays an important role in risk management in the real estate industry. It is important to properly align the ideas, interests and decisions of managers to the interests of both internal and external shareholders. For example, failure to recruit appropriate personnel may lead to conflicts of interest. If the conflicts are not managed effectively they may have a substantial impact on the company bottom line. It is required and expected of the managements or boards of construction companies always carefully analyze performance in terms of the market so that they are able to keep track of their company’s performance and progress in a dynamic environment. It is also expected that the managements re-inspect and update their policies and procedures to meet the market trends and demands of all concerned stakeholders.

Housing management: A holistic management of the investment made in real estate can be defined as housing management. Housing management includes keeping track of maintenance and financial arrangements. As a common and popular practice the management of an investment property is outsourced to property management companies who appoint property managers to manage and oversee duties as required. Property managers on a daily basis are responsible for taking maintenance requests, collecting rent, dues or other fees and are responsible for the overall upkeep of the property. They also perform routine property inspections and organize inspections for the owners. Poor performance of the property managers leads to more grievances for the tenants as well as the owners.

1.4.2. External risk

External risk depends on a number of factors such as economic risk, funding, regulation, environment, reputation, competition, partnerships and natural disasters ( Figure 2 .6). Each of the factors noted are discussed briefly in turn.

Eternal risks Source: adapted from Sheryl V and Adam W, 2008

Funding: The availability of funding depends on a number of aspects such as the economic situation in general, market performance, and credit based upon any future cash flow. Some factors that influence economic performance are: change in political regime, rise in the price of raw materials, emergence of a new competitor and disruptions in production process. Market performance usually depends on changes in interest rates, changes in laws, and political and financial market factors. The risk of loss of principal or loss of a financial reward stemming from a borrower's failure to repay a loan or otherwise meet a contractual obligation falls under the funding risk. It is important to take into consideration as many of the previously mentioned factors while undertaking an investment decision, even when one already has an investment portfolio. Investors often anticipate future cash flow situations while borrowing money to pay a current debt. The failure of the anticipated cash flow leads to credit risk. However credit risk can be considered less likely since most often the investors are compensated by way of interest payments made by the borrower in end.

Regulatory environment: Investors in real estate projects should be aware of the local, state and federal laws and regulations. These laws depend on economic, credit and market risk as explained above. Failure to comply with the rules and regulation often leads to delays or in the worst case - complete scrapping of the project; all of which may lead to a complete or partial loss of capital invested.

Reputation: The reputation of a project developer often attracts investor attention and also provides favorable environment for investments. Joint ventures and partnerships are possible if the reputations are well known and have been built over time - providing partners the opportunities to win potentially new clients and investors, as well greater opportunities for new investments. An investor has to study the “people” perception of the organization and the credit history and rating of the project developer. An investment made into a company with poor credit history may end up losses of the principle amount invested. It could also be wise for an investor to know the value of the tangible and intangible assets and the market value of the organization into which an investment is being planned.

Competition: Property market plays an important role in the economy. There are several players in the market who usually try to attract investors. While a healthy competition is good for growth in the industry, it is important for the investors to research exactly what they are being offered because the agents often utilize high pressure selling strategies to gain client’s cash. It is possible that in the process the investors may receive inappropriate financial advice. For example, consumers may not be aware of non-disclosed information pertaining to advice they receive.

Partnership: Partnership plays an important role in investing, as it reduces the impact of potential risk on the individual or company investment. For an investor to be successful in a real-estate partnership it is important to know the partner well and therefore trust plays a vital role. The role of each partner does need to be well defined and documented. Having a clear legal document will protect the interest of all partners. It also important to plan and document an exit strategy for all involved, because personal situations may change over time. Clearly, before a partnership agreement is made it is necessary to conduct a detail research to become self-confident about the deal.

Natural disasters: In the real real-estate market, location plays an important factor in the investment decision. A property purchased at an appropriate location is expected to provide a good return on the investment. One of the main factors affecting location is the potential exposure to natural calamities such as bushfires, floods, sea level raise and erosion to name a few. If the location has a history or is likely to be exposed to a natural disaster it can be expected that the property prices will eventually be exposed to the risk. Therefore, it is wise to not be enticed into such toxic locations. Other factors that need to be accounted for are the costs of maintenance of properties and the nature and level of insurance required for risky locations, if chosen.

1.5. Risk and reward

The nature of risk definition and management process is such that it should be integrated into “the philosophies, practices and business plans” of any individual investor or large organization’s culture (Hillson [ 5 ], p.240). It is certain that there are many risks involved in real-estate market as mentioned. While real-estate provides variety of investment options every investor has to find their comfort level upon taking risks involved. It is not easy to decide if a selected property for investment is appropriate, but the decision should be made based on the consideration of all the factors discussed earlier. In the end however, the willingness to take risks largely depends upon individual preferences and circumstances.

The elements that usually determine the scale of risk or reward are the amount of money that is invested, length of time investment, rate of return or property appreciation, depreciation, fees, taxes, inflation etc. While it is natural for the individual and organizations to invest and expect returns it is important the investors make the informed choice to reduce the odds of losing the principle invested. The potential risks and rewards in investing in the Australian real estate market are investigated next.

2. Real estate scenario in Australia

The speculation about Australian housing market has been intense since 2003. First it was the international monitory fund (IMF) which warned of the housing bubble in Australia “would bust” [ 15 ]. In mid-2008, IMF stated that the Australian property market was overvalued by about 25% [ 16 ]. In more recent times (April 2010), “The Economist” house price indicators estimated Australian house prices were the most overpriced in the world (56.1% overpriced - against long-run average of price to rents ratio) [ 17 ]. The US based analysts Jeremy Grantham (Boston-based hedge fund GMO analysts co-founder) and Heather Hagerty (Fidelity Investments), were also speculating whether or not the Australian residential market is experienced a housing bubble, after the US housing crisis. According to Edward Chancellor [ 18 ], a US-based investment strategist and financial author, Australia was "in the midst of an unsustainable housing bubble that could burst at any time" and the "house prices are more than 50% above their fair value - a once in 40-year event." (p.1). In 2011 Morgan Stanley’s global strategist Gerard Minack said that "we've had 20 years where the Australian consumers have been willing to borrow more to buy an asset that they believe always goes up in value. The classic sign of an asset bubble." and that "home prices are 30 to 40% above fair value [p.1, 19].

The house price-to-income ratio has been the main focus in Australia. The house price-to-income ratio is comparatively high when compared to other countries. Also, the price-to-income ratio in Australia since has been more than 40% higher than the long term average. In the next sections a discussion of the fundamentals that govern the house prices in Australian residential housing market is examined. Also, the potential risks and rewards to the investors are explored in terms of the risk analysis framework presented earlier.

2.1. Introduction: How Australian real estate compares to the rest of the world.

Since the U.S. housing crisis, analysts have been speculating about the potential housing bubble in the Australian residential property market. A report by Real Estate Institute of Australia (REIA) argued that analysts primarily focused their attention on the higher house price-to-income ratio in Australia as compared to other countries (REIA 2010). Moreover, it is observed that the house price-to-income ratio levels are at levels that are similar to that in the US before the housing market there crashed in 2008. The raise in the price-to-income ratio in Australia since 2003 by over 40% higher than the long term average adds fuels the speculation. However, it is important to analyze the fundamentals that govern Australian residential market price growth against the rest of world.

2.1.1. Some aspects of the residential finance system in the U.S. and Australia

In the US, the residential finance system played a significant role in the housing bubble of 2008. The regulation, residential finance institutional arrangements, and mortgage characteristics aided the excessive demand for housing finance. Housing finance was available and offered to borrowers with poor borrowing capacities. Consequently, excessive borrowing led to the housing bubble and the collapse of the financial system in the U.S in 2008. There are some fundamental differences in the lending practice in Australia when compared to the US [ 21 ].

In Australia the lending process is highly regulated by the institutional arrangement. The lending practices enforce the regulatory provisions on financial institutions forcing them to avoid excessive risk taking behavior. Table 2 outlines the characteristics of housing loans both in the U.S and in Australia. The table highlights the systemic susceptibility to riskier mortgages in the US and that availability of such funds to finance the mortgages were more common than in Australia.

Mortgage characteristics of Australia as compared to US

In the US, the non-conforming housing loans represent 13% compared to 1% in Australia [ 21 ]. Negative amortization loans are common in the US but no such loans existed in Australia at the time of the crisis. In Australia the mortgages are “full recourse” lenders and hence the incentive that is offered to households to take out loans they cannot repay is reduced. This is also deters financial institutions from offering risky loans. These primary differences stand out to support and contribute to a relatively strong performance of the housing loans in Australia when compared to the US. It is important to note that the share of non-performing loans in Australia were less than 1.5% even during the financial crisis.

Another fundamental difference is that there is no government sponsored enterprise (GSE) in Australia while they exist in the US. The GSE in the US holds a guarantee of the loans that are offered. This potentially provides an impression that bad loans offered to borrowers with poor repayment capacity would be covered by the Federal Government [ 23 ]. This is not so in Australia where commercial banks provide 90% of all housing loans. The commercial banks are mainly funded by the bank deposits, short term and long-term wholesale debt [ 24 ]. The absence of the so called Federal guarantee restricts Australian banks from any excessive risk taking behavior. In 2007, at the beginning of the financial crisis, GSE’s possessed 90% of these securities. The shadow banking system in which the financial institutions have a greater participation and the GSE’s can be said to have led the excessive risk taking behavior and practices in the US [ 21 ]. In addition, according to the RBA [ 21 ], the regulation level of financial institutions in Australia is about 80% while in the US only 50% of all the financial institutions are regulated [ 21 ].

Non-performing housing loans Source: Real estate Institute of Housing America

The Loan to Value Ratio (LVR) refers to the amount of money borrowed against the total value of the property in a home equity loan. For example, a $50,000 loan against a home worth $200,000 has a Loan to Value Ratio of 25%. In Australia, loans with an LVR exceeding 80% require mortgage insurance - the risk of the borrower defaulting is far too great for the lender. The value of the property is determined by the lender and is often significantly less than the purchase price, which often surprise first-time borrowers. Typically, the amount that lenders have been prepared to lend for housing has been restricted by one or both of the following:

scheduled repayments should not exceed some fixed share of the borrower’s income – the repayment-to-income, or serviceability, constraint; and

the loan should not exceed a certain proportion, most commonly 80% [ 21 ] of the property’s purchase price – the LVR constraint.

2.2. Australian real estate market compared to the rest of the world

The analysis presented in the previous section shows that Australia is fundamentally different to the US when it comes to the residential housing market. But, how does Australia compare to the other countries in the world? New research conducted by Lloyds TSB [ 27 ] - International Global Housing Market Review, shows that Australia just made it into the top 10 list of countries with the highest house price increases over the past decade ( Table 3) . Four of the six top performing housing markets since 2001 were in the emerging economies of the world. India with a booming real estate market tops the list - house prices rise by 284% over the last decade; Russia coming second - house price increase of 209% over the same period. China faired only marginally when compared to other major economies - ranked 14th with a 47% growth rate since 2001.

Real house price changes – A global comparison.

According to the findings of the report Australian house prices increased by 76% and had the ninth fastest growing house prices during 2001-2011. During the same period house price declines were seen in the world’s largest economies such as Germany, Japan and the United States. Japan registered the largest house prices fall of 30%, while house prices in Germany and US were down 17% and 2% respectively during the same time. Other major findings of the research include:

housing markets have typically risen fastest in countries with the fastest growing economies. On average, the countries with the biggest rises in house prices since 2001 have seen GDP increase by more than 100%. Countries that had large rises in pre-crisis times lost the most after the GFC affected their economies; and

house prices within countries that form part of the Euro have climbed an average of 23 percent since 2001. France saw the largest increase with 82%, Belgium rose 69%, Spain 26% and Italy was up 31%. But Spain has seen a major decline in 2012.

The performance of the established house prices in Australian housing market provided by the Australian Bureau of Statistics (ABS) is presented in Figure 8 . The Australian housing over the past five years has seen some corrections. The period can be divided into pre-global financial crisis (GFC), during GFC and post GFC. Prior to GFC, there has been a considerable growth in the established housing prices. This growth pattern however changed course and reached the worst levels in August 2008 when the GFC was setting in. However, the prices of established homes climbed steeply during the peak of the GFC when markets around the world were playing havoc. This defiance could be mainly attributed to the management initiatives taken by the RBA [ 21 ] and government of Australia. The RBA drastically reduced the interest rates to a record low of 3.25% supported by the federal government incentives such as economic stimulus plan, which included substantial increase in first home grants among others.

This financial incentive was “too good to miss” for anyone considering their first home purchase. This led to flood of first home buyers entering the market that drove the prices up against all odds. Since the time the incentives have been wound back, and the market and investor sentiment took over. This led to a fall in the growth when compared to the preceding three years and has been mostly in the low sentiment in the past two years. Therefore, although Australian market prices are influenced by the global events, a collapse similar to that seen in markets elsewhere seems appears a distant possibility. This can be attributed to the underlying government incentives to manage the risks during the crisis. Other micro-economics aspects also helped manage the downturn.

2.6. Australian house prices and the fundamental influences

Australian housing demand has been strong and can be also attributed to the following:

strong overseas migration from 2004 to 2007;

housing shortages due to a rapidly growing population;

Australian household sizes are shrinking;

lending standards stricter than most advanced economies including the US; and

interest rates at record lows.

Australian annual house price change in the last decade

2.6.1. Trend of net population increase and net overseas migration increase

House prices have been underpinned by a chronic housing shortage in Australia. This was brought about by an ever increasing population and constraints placed on housing supply over time. Figure 9 shows the increase in population growth from both natural growth and migration since 2006. From 2006 to September 2010 natural population growth has only seen a marginal increase, but during the same period the net overseas migration growth has been substantial.

Trend of natural population increase and net overseas migration

Figure 10 shows that there has been an increase in the total population by about 1.6 million people 2006–2010. During the same period, the Net Overseas Migration (NOM) accounted for 1.02 million people compared to only 600 000 increase in natural population. However, given that there has been a large influx of people into Australia, the question was whether there was enough housing infrastructure in place.

Net overseas migration and components of population change

2.7. Trend in the number of dwellings commenced and population

Figure 11 shows the trend in the population and dwellings commenced from January 2007 to October 2010. As shown earlier, the population growth showed an upward trend over the entire period. The number of dwellings commenced shows a rather distressing trend. Figure 11 shows the commencement of new dwellings significantly fell short and did not keep pace with the rapid growth in population. For an addition of 1.25 million people during this period only about 235 000 new homes were built demonstrating a significant shortage in the housing market. Interestingly, this situation presents a case for more property investment as people search for a place to live.

2.8. Demand and supply scenario

Historically, Australia has been behind in the demand versus supply of residential dwellings, but more so in the last decade than any time earlier. Figure 12 shows the dwelling gap in the previous decade. Australia continues to run large annual deficits in housing supply - the underlying demand for dwellings and the completion of dwellings has not matched. In view of this it can be expected that in the longer term Australia’s housing market is underpinned by insufficient supply in addition to robust underlying demand.

Trend in the number of dwellings commenced and population

Estimated dwelling gap in the last decade

National housing supply council (NHSC) estimates a demand versus supply gap of approximately 640 000 houses in 2030; and an increase in the gap from 250 000 in 2012. Figure 13 shows the projections in the supply gap to 2030. The figure shows an increase over time till 2015, and indeed a higher rate of increase predicted from 2015 till 2030.

Supply and demand gap projections to 2030

To examine whether the situation is the same throughout Australia or mainly confined to a few states, data from all the states are explored in more depth. Figure 12 and Figure 14 both show that not all states have an acute shortage of housing such as South Australia (SA), Tasmania (Tas) and Australian Commonwealth Territory (ACT). Their data runs against the trend for the last decade but more so during 2009-2010. The larger states of New South Wales (NSW), Victoria (Vic), Queensland (Qld) and Western Australia (WA) all continue to have high deficits year after year and the deficit is increasing – however, Victoria being an exception in 2009-2010 where it managed to go against the trend temporarily ( Figure 14) . To further understand the nature of the differences between states, the net population increase in the demand across states needs to be compared. Figure 15 shows the state by state net change in population as well as housing issues. The states with a high influx of population showed higher dwelling demand.

Not surprisingly, the high demand has led to a rather strong rental market particularly in the larger states and this has provided an impetus for higher rental returns and an ideal time for new investors to consider for the longer term. With recent housing approvals declining, this demand supply gap can only be expected to widen. Clearly, the population increase cannot only be driving the market. Therefore, other aspects need investigation such as house price to income ratio; and house hold debt to income ratio.

Housing demand and supply by states

Net population change - state by state over 2000-2011

2.9. House price-to-income ratio

The house price-to-income ratio is generally calculated using average income of the whole population. This method of calculating house price may not be appropriate in that a set of buyers whose incomes are above the average income of the wider population, and have the ability to service the loans tend to bid in the auctions there by inflating house prices [ 28 ]. Such competition is visible across all capital cities but more so in Sydney, Melbourne, Perth and Canberra than other cities. Figure 16 shows the median change in the house prices across eight capital cities since 2007.

Figure 16 shows that the increase in house prices in the major capital cities have been greater than those of other cities. This suggests the increase in house prices in Australia over the past five years was driven mostly by house prices in the most expensive cities, where home buyers tend to be higher income earners. The house price-to-income ratio does not seem to pick up the distributional differences. The household debt to disposable income ratio can provide valuable insights while assessing the vulnerabilities. Therefore, disposable incomes of people need to be considered when assessing the vulnerability of an average mum and dad investor.

Dwelling prices in capital cities in Australia Source: ABS

2.10. Owner- Occupier debt

Figure 17 shows the distribution of debt to income since 2006. The data indicates that the debt to income ratios has been fairly high – but consistent around 160% for the total debt, of which close to 140% is towards the mortgage. An indication to the scale of vulnerability can become salient when the house hold income to debt and the annual change in established home price are compared. Figure 18 shows that there has been a somewhat volatile situation in the housing market in all capital cities during 2006-2011; yet, during the same period, the debt to income ratio seem to be approximately constant over time. The comparison shows the average households are not so vulnerable to at least a change in their income situation given there was volatility in house price changes over time.

Owner occupier debt Source: RBA

Annual change in established home prices Source: ABS

3. Conclusion

The aim of this paper was to define risk and risk management in terms of real estate investment thus demonstrating the in depth nature and complexity of the process. Another aim was to conduct risk analysis of the Australian real estate market in particular, in terms of the global financial crisis – pre GFC, during GFC and post GFC. The review shows that risk analysis involves a number of steps with each step in turn involving another set of procedures. Risk analysis is a process that it is often ignored by investors particularly by the individual or smaller investors who tend to be more vulnerable. Similarly, risk management involves a number of processes and stages with steps and these have been outlined in the paper. A risk analysis is conducted here for investors in Australia real estate market. The results are rather interesting in that several conditional differences exist between Australia and the rest of the world. The factors identified that influence Australia’s house price are different from the rest of the world; including for example the rather stricter and well regulated lending practices of Australia’s financial institutions. A tight financial system regulation in Australia means a highly disciplined financial sector. The tougher regulation of the industry therefore prevents financial institutions from taking on excessive risks, contrary to the US counterparts. In fact, increasing house prices was identified in Australia after the crises of 2007-8; and this was associated with the changes in mortgage lending rates, rising family income, increasing overseas migration demand, government incentives to name a few. Together the market situation suggests that Australia is unlikely to face a US style housing bubble. The results of the risk analysis show that:

rising incomes and population growth ensure the demand for housing outpaces current supply, thereby increasing the prices;

high capital growth in larger cities where there has been large population migration such as Perth, Sydney and Melbourne;

high demand still exists for residential and commercial real estate to accommodate growing expatriate working community;

increased property prices has to many Australians increasingly seeking rental accommodation, making housing investment a healthy growth area for investors;

higher growth rate in property investment in Australia - superior to most OECD countries, including the UK, Spain and the US; and

foreign exchange rate changes have been favorable, making property purchase in Australia a valuable option; that in turn driving property prices higher. This has changed in 2011-12 when the higher Australian dollar has posed interesting challenges for the Australian investments.

The findings are in line and relate to that of the Australian housing and urban research institute’s findings [ 29 ], which further suggest:

investors are motivated to invest in the private rental market for a number of reasons such as financial factors, personal goals (retirement or future home for children at university), and household circumstances (proximity to their own dwelling);

investors use their own measures of quality and personal preference when selecting a dwelling even though they will not be living in the property;

investors perceive property as a long-term, safe and stable investment that is low risk and will produce guaranteed returns;

investors largely expect capital gains from investing rather that rental yield only and this is how success is measured; and

informality characterizes investor approaches to the housing market where property is considered familiar, relatively easy to invest in when compared to other investments.

In summary, Australian housing industry continues to experience significant housing shortages in major cities due to a rapidly growing population; in particular, the growth has been fueled by strong overseas migration during 2004-2007, but the Australian current government immigration laws suggest that the strong levels of immigration will continue for some time due to the lack of skills in the labor market. The housing demand is further supported by the fact that the size of the Australian household appears to be shrinking adding to the pressure on housing both in rental and investment. The demand of rental housing together with somewhat lower house prices in recent times (buyer marker) has lured many new investors in the market. This aspect, the negative gearing benefits, and the first home ownership schemes supported by significantly lower interest rates have all led to a favorable and stronger real estate market in Australia. All of this has occurred within a framework of a stronger, tightly regulated financial sector that has been more-stricter than most advanced economies including the US. Such a regulated real estate market appears to have kept the mortgage repayment failure and housing related bad debts at a minimum in Australia.

• 2. Standards Australia/Standards New Zealand. AS/NZS Risk management. 3rd ed. Sydney: Standards Australia International Ltd and Standards New Zealand. 2004
• 3. International Standard Organization. Guide 73: Risk management- Vocabulary. 2009 cited 2012 March 4] [about 24 screens] Available from: http://pqm-online.com/assets/files/standards/iso_iec_guide_ 73 2009 .pdf
• 4. Comcover Insurance & Risk Management. The Introduction of AS/NZS/ISO 31000 2009 2009 Risk Management Principles and Guidelines. 32 cited 2012 March 17] [about 2 screens] Available from: http://finance.gov.au/comcover/docs/IB_Issue32_Oct09.pdf
• 9. ACT Insurance Authority. Guide to Risk Management. 2004 February; [cited 2012 March 10] [about 10 screens] Available from: http://treasury.act.gov.au/actia/guide.doc
• 16. http://pandora.nla.gov.au/pan/105045/20090903-1455/www.nchf.org.au/downloads/risk_management_summary.pdf
• 18. ABC [homepage on the internet]. ABC Materials; [updated 2003 Apr 13; cited 2012 March 8]. IMF predicts Australia housing bust; [about 3 screens]. Available from: http://abc.net.au/news/2003-04-13/imf-predicts-aust-housing-bust/1835644
• 19. Smart Company [homepage on the internet]. Smart Company.com.au Pty Ltd; [updated 2008 Apr 4; cited 2012 February 28]. Australian property bubble could be about to burst: IMF; [about 3 screens]. Available from: http://smartcompany.com.au/
• 20. The Economist [homepage on the internet]. London: The Economist Newspaper Ltd; [updated 2010 Apr 15; cited 2012 March 25].You can’t keep ‘em down; [about 3 screens]. Available from: http://economist.com/node/15911113?story_id=15911113
• 21. The Australian [homepage on the internet]. News Pty Ltd [updated 2010 May 3; cited 2012 March 15]. Housing tipped for price implosion; [about 4 screens]. Available from: http://theaustralian.com.au/archive/business-old/housing-tipped-for-price-implosion/story-e6frg9gx-1225861304871?from=public_rss
• 22. ABC [homepage on the internet]. ABC Materials [updated 2011 Mar 11; cited 2012 March 8]. Australian house prices 56 per cent over valued: The Economist; Available from: http://abc.net.au/pm/content/2011/s3155728.htm
• 23. Real Estate Institute of Australia. Australian house prices: bursting the bubble myth. 2010 cited 2012 April 5]. Available from: http://reia.com.au/search-result.php
• 24. Reserve Bank of Australia [homepage on the Internet]. Reserve Bank of Australia C 2001 2012 cited 2012 March 7]. Available from: http://rba.gov.au/
• 25. Research Institute of Housing America [homepage on the Internet]. Washington: mortgage bankers association; c 2008 2012 updated 2011 March 30; cited 2012 March 12]. Available from: http://housingamerica.org/default.htm
• 28. Reserve Bank of Australia. Financial Stability Review. 2010 September 29.
• 29. Reserve Bank of Australia. Recent Developments in Margin Lending in Australia. Bulletin. 2009 December: 11 17
• 30. Lloyds banking group [homepage on the internet]. Lloyds banking group plc [cited 2012 March 15]. Emerging markets top global house price league over the past decade. Available from: http://lloydsbankinggroup.com/media/pdfs/LTSB/2012/1703_global.pdf
• 31. OECD. Recent house price developments: the role of fundamentals. OECD economic outlook. 2006 Jan 19; 2005 2 123 154

© 2012 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Continue reading from the same book

Risk management.

Published: 12 September 2012

By Jordi Botet

7110 downloads

By Pedro Maria-Sanchez

7240 downloads

By Nerija Banaitiene and Audrius Banaitis

104914 downloads

Case Study: Companies Excelling in Risk Management

In this article

In the modern business landscape, navigating uncertainties and pitfalls is essential for sustainable growth and longevity. Effective risk management emerges as a shield against potential threats – and it also unlocks opportunities for innovation and advancement. In this article, we will explore risk management and its significance and criteria for excellence. We will also examine case studies of two companies that have excelled in this domain. Through these insights, we aim to glean valuable lessons and best practices. As such, businesses across diverse industries can fortify their risk management frameworks.

The Significance of Risk Management

Risk management is vital for the sustenance and prosperity of companies, regardless of their size or industry. At its core, it is the identification, assessment and mitigation of potential risks that may impede organisational objectives or lead to adverse outcomes. Having a robust risk management approach means businesses can safeguard their assets, reputation and bottom line. 

The statistics are somewhat alarming. According to research , 69% of executives are not confident with their current risk management policies and practices. What’s more, only 36% of organisations have a formal enterprise risk management (ERM) programme. 

Proactive risk management isn’t just a defensive measure; rather, it is necessary for sustainability and growth. With 62% of organisations experiencing a critical risk event in the last three years, it is important to be proactive. By identifying and addressing potential risks, organisations can become more resilient to external shocks and internal disruptions. This means they’re better able to survive through difficult times and maintain operational continuity. Moreover, a proactive stance enables companies to seize strategic advantages. It allows them to innovate, expand into new markets and capitalise on emerging trends with confidence.

Criteria for Excellence in Risk Management

Achieving excellence in risk management means adhering to several key criteria:  

• Ability to Identify Risks: Exceptional risk management begins with identifying potential risks comprehensively. This involves a thorough understanding of both internal and external factors that could impact the organisation. It includes market volatility, regulatory changes, cybersecurity threats and operational vulnerabilities.
• Assessment of Risks: Once identified, risks must be assessed to gauge their potential impact and likelihood of occurrence. This involves using risk assessment methodologies like quantitative analysis, scenario planning and risk heat mapping, to prioritise risks based on their severity and urgency.
• Mitigation Strategies and Control Measures: Effective risk management relies on proactive mitigation strategies to minimise the likelihood of risk occurrence and mitigate its potential impact. This may involve implementing control measures, diversifying risk exposure, investing in risk transfer mechanisms such as insurance and enhancing resilience through business continuity planning.
• Adaptability to Change: Organisations need to be ready to adapt to emerging risks and changing circumstances. This requires a culture of continuous learning and improvement. This means lessons are learned from past experiences to enhance risk management practices and anticipate future challenges.
• Leadership Commitment: Effective leaders demonstrate a clear understanding of the importance of risk management. They know how to allocate adequate resources, support and incentives to prioritise risk management initiatives.
• Strong Risk Culture: A strong risk culture permeates every level of the organisation. This involves a mindset where risk management is viewed as everyone’s responsibility.
• Robust Risk Management Frameworks: Finally, excellence in risk management requires robust frameworks and processes to guide risk identification, assessment and mitigation efforts. This includes defining clear roles and responsibilities, implementing effective governance structures and leveraging technology and data analytics to enhance risk visibility and decision-making.

Company A: Case Study in Risk Management Excellence

Now, let’s take a look at a case study that highlights risk management excellence in practice.

ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry. It specialises in software development and IT consulting services. 

Over the years, under Lawson’s leadership, the company expanded its offerings and diversified into various sectors, including cybersecurity solutions, cloud computing and artificial intelligence. Today, ApexTech is a prominent player in the global technology market, serving clients ranging from small businesses to Fortune 500 companies.

Risk management strategies and successes

ApexTech’s journey to risk management excellence can be attributed to several key strategies and initiatives:

• Comprehensive Risk Assessment: ApexTech conducts regular and thorough risk assessments to identify potential threats and vulnerabilities across its operations.
• Investment in Technology and Innovation: ApexTech prioritises investments in cutting-edge technologies such as AI-driven analytics, predictive modelling and threat intelligence solutions.
• Customer-Centric Approach: ApexTech tailors its risk management solutions to meet specific needs and preferences. This fosters trust and long-term partnerships.
• Cybersecurity Measures: ApexTech has made cybersecurity a top priority. The company employs a multi-layered approach to cybersecurity to mitigate the risk of cyberattacks.
• Continual Improvement and Adaptation: ApexTech fosters a culture of continual improvement and adaptation. The company encourages feedback and collaboration among employees at all levels so they can identify areas for improvement and implement solutions to mitigate risks effectively.

By proactively identifying and addressing operational risks, such as supply chain disruptions and regulatory compliance challenges, ApexTech has maintained operational continuity and minimised potential disruptions to its business operations.

ApexTech Solutions serves as a compelling example of a company that has excelled in risk management excellence by embracing proactive strategies, leveraging advanced technologies and fostering a culture of innovation and adaptation. 

Company B: Case Study in Risk Management Excellence

TerraSafe Pharmaceuticals is a renowned company in the pharmaceutical industry, dedicated to developing and manufacturing innovative medications to improve global health outcomes. Established in 1998 by Dr Elena Chen, TerraSafe initially focused on the production of generic drugs to address critical healthcare needs. 

Over the years, the company has expanded its portfolio to include novel biopharmaceuticals and speciality medications.

TerraSafe Pharmaceuticals has a holistic approach to identifying, assessing and mitigating risks across its operations:

• Rigorous Quality Assurance Standards: TerraSafe prioritises stringent quality assurance measures throughout the drug development and manufacturing process. This ensures product safety, efficacy and compliance with regulatory requirements.
• Investment in Research and Development (R&D): TerraSafe allocates significant resources to research and development initiatives. These are aimed at advancing scientific knowledge and discovering breakthrough therapies. With its culture of innovation and collaboration, the company mitigates the risk of product obsolescence.
• Regulatory Compliance and Risk Monitoring: TerraSafe maintains a dedicated regulatory affairs department. This team stays abreast of evolving regulatory requirements and industry standards. They monitor regulatory changes proactively and engage with regulatory authorities to ensure timely compliance with applicable laws and standards. This reduces the risk of non-compliance penalties and legal disputes.
• Supply Chain Resilience: TerraSafe works closely with its suppliers and logistics partners to assess and mitigate supply chain risks like raw material shortages, transportation disruptions and geopolitical instability. It implements contingency planning and diversification of sourcing strategies.
• Focus on Patient Safety and Ethical Practices: The company adheres to stringent ethical guidelines and clinical trial protocols to protect patient welfare and maintain public trust in its products and services.

By investing in R&D and adhering to rigorous quality assurance standards, TerraSafe has successfully developed and commercialised several breakthrough medications that address unmet medical needs and improve patient outcomes. What’s more, the company’s proactive approach to regulatory compliance has facilitated the timely approval and market authorisation of its products in key global markets. This has enabled the company to expand its geographic footprint and reach new patient populations.

Key Takeaways and Best Practices

Despite being in different industries, both companies share similarities. Both ApexTech and TerraSafe Pharmaceuticals know the importance of proactive risk management. They have procedures in place that work to identify, assess and mitigate risks before they escalate. What’s more, both companies are led by visionary leaders who set the tone for decision-making. They prioritise building a strong risk culture with all employees knowing their role in risk management.

Best practices and strategies employed

• Conducting Regular Risk Assessments: Both companies conduct regular and comprehensive risk assessments to identify potential threats and vulnerabilities across their operations.
• Investing in Training and Education: Both invest in training and education programmes so that employees are equipped with the knowledge and skills necessary to identify and manage risks effectively. Employees at all levels contribute to risk management efforts.
• Collaboration and Communication: Both companies know the importance of collaboration and communication in risk management. They create channels for open dialogue and information sharing. Stakeholders collaborate on risk identification, assessment and mitigation efforts.
• Continual Improvement: Both companies have a culture of continual improvement. They encourage feedback and innovation to adapt to changing circumstances and emerging risks.
• Tailored Risk Management Approaches: Both companies develop customised risk management frameworks and strategies that align with their objectives and priorities.

Emerging Trends in Risk Management

One of the most prominent trends in risk management is the increasing integration of technology into risk management processes. Advanced technologies such as artificial intelligence (AI), machine learning and automation are revolutionising risk assessment, prediction and mitigation. These technologies mean companies can analyse vast amounts of data in real time. This allows them to identify patterns and trends and predict potential risks more accurately.

Data analytics is another key trend reshaping risk management practices. Companies are leveraging big data analytics tools and techniques to gain deeper insights. By analysing historical data and real-time information, they can identify emerging risks, detect anomalies and make more informed risk management decisions.

Cybersecurity risks have become a major concern. Threats such as data breaches, ransomware attacks and phishing scams pose significant risks to companies’ data, operation and reputation. Companies are investing heavily in cybersecurity measures and adopting proactive approaches to protect their digital assets and mitigate cyber risks.

Companies are integrating global risk management into their overall risk management strategy too. They are monitoring global developments, assessing the impact of global risks on their business operations and developing contingency plans.

The Role of Leadership

Leadership plays a pivotal role in shaping organisational culture and driving initiatives that promote risk management excellence. Effective leaders recognise the importance of risk management but also actively champion its integration into the fabric of the organisation. Effective leaders:

• Set the Tone: Leaders set the tone by articulating a clear vision and commitment to risk management from the top down.
• Lead by Example: Leaders demonstrate their own commitment to risk management through their actions and decisions.
• Empower Employees: Leaders empower employees at all levels to actively participate in risk management efforts. They encourage employees to voice their concerns and contribute.
• Provide Resources and Support: Effective leaders invest in training and development programmes to enhance employees’ risk management skills and knowledge.
• Encourage Innovation: Leaders encourage employees to think creatively and experiment with new approaches to risk management.
• Promote Continuous Improvement: Leaders create opportunities for reflection and evaluation to identify areas for improvement and drive learning.

Encouraging a Risk-Aware Culture

For organisations to identify, assess and mitigate risks at all levels effectively, they need to encourage a risk-aware culture. Here are some tips for encouraging a risk-aware culture:

Communication and transparency:

• Encourage open communication channels where employees feel comfortable discussing risks and raising concerns.
• Provide regular updates on the organisation’s risk landscape, including emerging risks and mitigation strategies.
• Foster transparency in decision-making processes, particularly regarding risk-related decisions.

Education and training:

• Provide comprehensive training programmes on risk management principles, processes and tools for employees at all levels.
• Offer specialised training sessions on specific risk areas relevant to employees’ roles and responsibilities.
• Incorporate real-life case studies and examples to illustrate the importance of risk awareness and effective risk management.

Empowerment and ownership:

• Empower employees to take ownership of risk management within their respective areas of expertise.
• Encourage employees to identify and assess risks in their day-to-day activities and propose mitigation strategies.
• Recognise and reward employees who demonstrate proactive risk awareness and contribute to effective risk management practices.

Integration into performance management:

• Include risk management objectives and key performance indicators (KPIs) in employee performance evaluations.
• Link performance bonuses or incentives to successful risk management outcomes and adherence to risk management protocols.
• Provide feedback and coaching to employees on their risk management performance, highlighting areas for improvement and best practices.

Challenges in Risk Management

Challenges in risk management are inevitable, even for companies excelling in this domain. Despite their proactive efforts, all organisations encounter obstacles that can impede their risk management practices. Here are some common challenges and strategies for addressing them:

Complexity and interconnectedness:

• Challenge: The modern business environment is increasingly complex and interconnected, making it challenging for organisations to anticipate and mitigate all potential risks comprehensively.
• Strategy: Implement a holistic risk management approach that considers both internal and external factors impacting the organisation. Create cross-functional collaboration and information sharing to gain a comprehensive understanding of risks across departments and business units.

Rapidly evolving risks:

• Challenge: Risks are constantly evolving due to technological advancements, regulatory changes and global events such as pandemics or geopolitical shifts. Organisations may struggle to keep pace with emerging risks and adapt their risk management strategies accordingly.
• Strategy: Stay informed about emerging trends and developments that may impact the organisation’s risk landscape. Maintain flexibility and agility in risk management processes to respond promptly to new challenges.

Resource constraints:

• Challenge: Limited resources, including budgetary constraints and staffing limitations, can hinder organisations’ ability to invest adequately in risk management initiatives and tools.
• Strategy: Prioritise risk management activities based on their potential impact on organisational objectives and allocate resources accordingly. Leverage technology and automation to streamline risk management processes and maximise efficiency.

Compliance and regulatory burden:

• Challenge: Meeting regulatory requirements and compliance standards can be burdensome and complex.
• Strategy: Stay abreast of regulatory developments and ensure compliance with applicable laws and regulations. Implement robust governance frameworks and internal controls to demonstrate regulatory compliance and mitigate legal and reputational risks. Invest in compliance training and education for employees.

Human factors and behavioural biases:

• Challenge: Human factors such as cognitive biases, organisational politics and resistance to change can undermine effective risk management practices, leading to decision-making errors and oversight of critical risks.
• Strategy: Raise awareness about common cognitive biases and behavioural tendencies that may influence risk perception and decision-making. Create a culture of psychological safety where employees feel comfortable challenging assumptions and raising concerns about potential risks.

Conclusion: Striving for Excellence

In this article, we have explored the importance of effective risk management for businesses. We have delved into the criteria for excellence in risk management, showcasing companies such as ApexTech Solutions and TerraSafe Pharmaceuticals that exemplify these principles through their proactive strategies and robust frameworks.

From embracing technology and fostering a culture of innovation to prioritising regulatory compliance and empowering employees, these companies have demonstrated remarkable achievements in navigating complex risk landscapes and achieving sustainable success.

However, it’s essential to recognise that even companies excelling in risk management face challenges. By acknowledging these and implementing strategies to address them, organisations can enhance their resilience and effectiveness in managing risks over the long term.

Assessing Risk

Study online and gain a full CPD certificate posted out to you the very next working day.

Take a look at this course

About the author

Louise Woffindin

Louise is a writer and translator from Sheffield. Before turning to writing, she worked as a secondary school language teacher. Outside of work, she is a keen runner and also enjoys reading and walking her dog Chaos.

Similar posts

Navigating Difficult Conversations in Health and Social Care

Patient Rights in Medication Administration

Case Study: Health Institutions Exemplifying Outstanding Customer Service

Strategies for Continual Improvement in Customer Service

Celebrating our clients and partners.

Privacy Overview

• Predict! Software Suite
• Training and Coaching
• Predict! Risk Controller
• Rapid Deployment
• Predict! Risk Analyser
• Predict! Risk Reporter
• Predict! Risk Visualiser
• Predict! Cloud Hosting
• BOOK A DEMO
• Risk Vision
• Win Proposals with Risk Analysis
• Case Studies
• Video Gallery
• White Papers
• Upcoming Events
• Past Events

Fehmarnbelt case study

. . . . . learn more

Lend Lease case study

ASC case study

Tornado IPT case study

LLW Repository case study

OHL case study

Babcock case study

HUMS case study

UK Chinook case study

• EMEA: +44 (0) 1865 987 466
• Americas: +1 (0) 437 269 0697
• APAC: +61 499 520 456

Subscribe for Updates

Copyright © 2024 risk decisions. All rights reserved.

• Privacy Policy
• Cookie Policy
• Terms and Conditions
• Company Registration No: 01878114

Powered by The Communications Group

The Impact of Fintech Startups on Financial Institutions’ Performance and Default Risk

• International Journal of Advanced Research in Science Communication and Technology
• This person is not on ResearchGate, or hasn't claimed this research yet.

Discover the world's research

• 25+ million members
• 160+ million publication pages
• 2.3+ billion citations

No full-text available

To read the full-text of this research, you can request a copy directly from the author.

• Recruit researchers
• Join for free
• Login Email Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google Welcome back! Please log in. Email · Hint Tip: Most researchers use their institutional email address as their ResearchGate login Password Forgot password? Keep me logged in Log in or Continue with Google No account? Sign up

Efficient Strategies for Supply Chain Risk Management

Supply chain risk management is an increasingly critical function within businesses that aims to identify, evaluate, and mitigate risks along the supply chain to ensure reliability and continuity of supply. In a globalized economy, an organization's supply chain can span multiple countries and involve various interdependent processes making it susceptible to a plethora of risks.

This article will explore the multi-faceted approach to managing these risks efficiently, underpinning the importance of robust strategies to maintain competitiveness and deliver value to customers.

Definition of Supply Chain Risk Management

Defined succinctly, supply chain risk management (SCRM) is the implementation of strategies designed to oversee and manage potential risks within the supply chain, including but not limited to inventory issues, supplier problems, logistic errors, and environmental factors that could interrupt or delay the flow of goods and services.

This process entails the proactive identification of potential risks, assessment of their possible impact, and development of strategies geared toward their mitigation. Effective SCRM is pivotal to ensuring smooth operational flow and upholding the integrity of a company's supply chain network.

Importance of Supply Chain Risk Management

In the dynamic and interconnected world of global trade, the importance of supply chain risk management cannot be overstated. Businesses face an array of challenges, from natural disasters disrupting transportation routes to cyber-attacks compromising data integrity.

These uncertainties necessitate a comprehensive understanding of potential vulnerabilities and the formation of robust SCRM strategies. The integration of logistics courses online and online certification courses greatly contributes to enhancing the knowledge and skills of professionals in this arena, equipping them with the expertise to cope with the complexities of supply chain risk.

Understanding the Risks in Supply Chain Management

Comprehending the myriad of risks pertinent to the supply chain is crucial in devising effective risk management strategies. These risks can broadly be classified into several types, each with the potential to adversely affect supply chain operations and compromise business performance.

Overview of the types of risks in the Supply Chain

Logistics and supply chain professionals often categorize risks into three main types: operational risks, disruption risks, and systemic risks. Operational risks are associated with the day-to-day management of the supply chain and can include vendor shortages, transportation delays, or inventory mismanagement.

On the other hand, disruption risks encompass unforeseen events like natural disasters, political instability, or labor strikes that can abruptly halt supply chain operations. Systemic risks cover macro-level events such as economic recessions or significant technological changes, which may require a complete rethink of supply chain strategy.

Operational risks

Disruption risks

Systemic risks

Examples highlighting the impact of unmanaged supply chain risks

The repercussions of ignoring supply chain risks can be severe. For instance, a key supplier's failure to deliver an essential component due to financial instability can cause a production standstill. Similarly, a retailer may face significant revenue loss in the occurrence of a cyber-attack that disrupts its distribution system. These examples underscore the absolute necessity for preemptive risk management measures in safeguarding supply chain operations.

Strategies for effective Supply Chain Risk Management

Addressing the challenges posited by potential risks requires strategic planning and action. Companies can develop an array of approaches to anticipate, prepare for, and neutralize supply chain risks.

Risk Identification and Assessment

The initial step of supply chain risk management is identifying and evaluating the potential risks that could affect the supply chain operations. This phase involves the use of predictive analytics for risk identification, wherein historical data, market trends, and current events are analyzed to forecast potential disruptions. Subsequently, organizations conduct an assessment of the impact and likelihood of identified risks to prioritize their attention and resources accordingly.

Predictive analytics for risk identification

Impact and likelihood assessment of risks

Risk Mitigation and Prevention Strategies

Upon assessing the risks, developing mitigation and prevention strategies is instrumental for risk management. Contingency planning plays a significant role in this, where alternative plans are in place in the event of supply chain disruptions. Moreover, prioritizing supplier diversity is vital to spread the risk and avoid over-dependence on a single source which can be a critical vulnerability.

The role of contingency planning

The importance of supplier diversity in risk reduction

Supply Chain Resilience Building

Building resilience into the supply chain is about creating a robust setup that can withstand and recover from unexpected disruptions. Replicating supply chains across different regions can mitigate risks associated with geographical limitations. Furthermore, proactive disruption management ensures swift reactive measures in response to supply chain threats, which minimizes impacts and accelerates recovery time.

Replicating supply chains for risk mitigation

Proactive disruption management

Role of Technology in Supply Chain Risk Management

The rapid advancement of digital tools has provided businesses with innovative opportunities to strengthen their supply chain risk management tactics. Utilizing cutting-edge technologies can significantly enhance the capability of organizations to predict, manage and mitigate risks more efficiently.

Advancement of Digital tools and techniques

Technological innovations such as Artificial Intelligence (AI) and Blockchain are revolutionizing supply chain risk management. AI algorithms can help predict potential disruptions before they occur, allowing for proactive measures to be implemented. Blockchain technology introduces a layer of transparency and security to supply chain transactions, which serves to build trust and traceability across the entire network.

Artificial Intelligence in supply chain risk management

Usage of Blockchain for Supply Chain transparency

Case Studies showing implementation of technology for risk management

An examination of case studies where companies successfully incorporated technology to manage their supply chain risks can offer valuable insights. These practical examples showcase the effectiveness of digital tools in real-world applications, reinforcing the argument for their wider adoption in SCRM strategies.

The field of supply chain risk management remains paramount to the success and resilience of organizations worldwide. The continuous evolution of risks makes it imperative for businesses to stay vigilant, be adaptive, and incorporate robust risk management processes into their supply chain operations.

Recap of the importance of managing risks in supply chains

It is crystal clear that the significance of identifying, evaluating, and mitigating risks cannot be understated. The employment of practices like engaging in logistics courses online and obtaining online certification courses invigorates the knowledge base and skill set of those overseeing and managing supply chains, equipping them to handle potential risks successfully.

Future trends and challenges in Supply Chain Risk Management

Looking forward, the domain of SCRM is set to encounter new challenges and trends such as the growing significance of sustainability, digitization, and geopolitical shifts. Companies need to remain proactive and innovative in crafting their risk management strategies to stay ahead of these evolving dynamics.

Optimizing supply chain risk management is a strategic imperative that transcends operational efficiency and encompasses the broader scope of sustaining business growth and customer satisfaction. By embracing comprehensive risk management practices, including the augmentation of professional capabilities through continued learning and the adoption of advanced technologies, companies can fortify their supply chains against an unpredictable future.

What are the most efficient strategies for identifying and evaluating potential risks in a supply chain?

Identifying potential risks.

Supply chains face myriad risks. These range from supplier insolvency to natural disasters. Sound risk management begins with rigorous identification. Here are several strategies to pinpoint those risks effectively.

Map the Supply Chain

First, create a visual map. This chart should detail each step in the chain. It helps pinpoint where risks might arise.

Use Qualitative Assessments

Next, engage with your team. Conduct brainstorming sessions. Identify risks via expert input. This often reveals unforeseen threats.

Conduct a SWOT Analysis

Perform a SWOT analysis. Assess Strengths , Weaknesses , Opportunities , and Threats . This frames risks concerning your competitive position.

Review Historical Data

Historical data is invaluable. It shows where past issues occurred. Use this to predict and prepare for future risks.

Collect External Intelligence

Keep an eye on the market. Monitor news, trends, and reports. This will point to external risks quickly.

Evaluating Supply Chain Risks

Once identification is complete, evaluation follows. The goal is to measure each risk's potential impact.

Categorize the Risks

Begin by categorizing risks. Common groups are operational, financial, strategic, and compliance-related. This organizes risks by nature.

Assign Probability and Impact

Every risk has a chance of occurrence. Assess this probability. Also, estimate each risk's impact if it materializes.

Use Risk Matrices

Risk matrices are a simple tool. Place each risk within a matrix based on its score. This shows clear priorities.

Perform a Cost-Benefit Analysis

Consider the costs. Weigh them against the benefits of mitigation. This illuminates which risks justify investment.

Carry Out Scenario Planning

Plan for various outcomes. Simulate different scenarios. How does each risk affect your operation? This will prepare you for different eventualities.

Regularly Review and Update

Risks change. Review your assessments often. Update them to reflect new information. This ensures your risk profile remains current.

Map the supply chain

Use qualitative assessments

Conduct a SWOT analysis

Review historical data

Collect external intelligence

In short, efficient supply chain risk identification and evaluation call for a structured approach. Map out the chain, assess qualitatively and quantitatively, and keep your information updated. Use tools such as risk matrices and scenario planning to keep a clear focus on where to direct your mitigation efforts. With these strategies, businesses can better prepare for the unpredictable and mitigate risks in their supply chains.

How can technological advancements contribute to enhancing risk management in a supply chain?

The interplay of technology and risk management in supply chains.

In today's fast-paced market, managing supply chain risk is vital. Companies face numerous uncertainties. Technological advancements provide tools to mitigate these risks. Key benefits stem from technology's role in supply chain oversight.

Technology as a Predictor

Advanced analytics aid risk forecasting. They help identify patterns and predict disruptions. Machine learning algorithms process vast datasets. This analysis discerns potential problems early. It thereby supports proactive measures. Risk prediction turns more precise over time. The tech learns from each event, enhancing future responses.

Real-time Visibility Aids Swift Action

Real-time tracking is critical. It allows for immediate response to disruptions. Sensors and GPS generate live data flows. Companies monitor shipments around the clock. Any deviation triggers alerts. Thus, stakeholders can take quick, informed action. Real-time visibility also means enhanced transparency across the chain.

Automation Improves Efficiency and Accuracy

Automation streamlines operations. It reduces human error risk in routine tasks. Automated systems handle order processing and inventory updates. They provide accurate data for decision-making. Better data means better risk management. Time-sensitive decisions benefit from automation's speed.

Enhanced Communication through Technology

Effective communication underpins risk mitigation. Digital platforms enable instant data sharing. Stakeholders remain aware of any changes or issues. Collaboration tools facilitate rapid strategy adjustments. Partners synchronize their response efforts. Instant communication is crucial in crisis scenarios.

Cybersecurity Protects Critical Data

Amidst technological reliance, data breaches pose significant risks. Robust cybersecurity measures are indispensable. They protect sensitive information integral to supply chains. Secure data transmission and storage are priorities. Cybersecurity efforts safeguard against costly data-related disruptions.

The Impact of Blockchain for Transparency

Blockchain technology offers unparalleled transparency. It creates secure, immutable records. Each transaction adds a new 'block' to the 'chain.' Every party can access this unalterable ledger. Blockchain prevents fraud and errors. It thus fosters trust among trade partners. Blockchain makes verifying authenticity simpler. It further ensures that all participants follow agreed-upon protocols.

The Role of Internet of Things (IoT)

IoT devices collect crucial operation data. They monitor goods and equipment condition. IoT sensors can track temperature, movement, and more. Alerts notify managers of deviations from norms. Managers can then take preventive action. This minimizes the impact of potential issues. The IoT also facilitates predictive maintenance. It reduces the risk of machinery breakdowns.

Cloud Computing Centralizes Information

Cloud computing centralizes data storage. It grants access from anywhere, anytime. Supply chain parties can retrieve vital information on demand. Decision-making becomes more informed and timely. Cloud computing supports scalability and collaboration. It offers robust backup solutions. These are crucial in disaster recovery scenarios.

AI and Machine Learning Refine Risk Assessment

AI and Machine Learning enhance risk assessment. They can model complex risk scenarios. These technologies offer insights into potential impact. Firms can assess various risk strategies efficiently. AI-powered tools also assist in supplier evaluation. They can predict supplier reliability and performance.

Drones and Autonomous Vehicles for Safer Logistics

Drones and autonomous vehicles promise safer logistics. Drones inspect hard-to-reach areas. They can check for hazards without endangering workers. Autonomous vehicles can reduce accidents caused by human error. They promise to make the transportation of goods safer.

Technology is reshaping supply chain risk management. Firms that adopt these advancements may gain competitive edges. They do so through enhanced efficiency, accuracy, and responsiveness. Technology's role will only grow. It will keep transforming risk management and supply chains.

How critical is the role of communication in implementing efficient supply chain risk management strategies?

Understanding supply chain risk management.

Supply chain risk management (SCRM) involves handling disruptions. It is crucial for business sustainability. Risks can occur at any moment. They can emerge from various sources. These include natural disasters, economic shifts, or technological failures. Efficient SCRM mitigates the impact of these disruptions. It ensures continuity and resilience.

Communication's Role in SCRM

Communication drives successful SCRM. It does so by facilitating information flow. Stakeholders stay informed through clear communication. It enables quick response to risks. Information must be precise. It must also be timely.

Effective communication promotes collaboration. Different departments must work together. Suppliers, logistics, and retailers also need to coordinate. Good communication makes this possible. It breaks down silos within organizations.

Transparency is essential in communication. It builds trust among partners. It allows for shared risk perception. Understanding risks becomes easier. So does finding solutions.

Implementation of Communication Strategies

Implementing communication strategies involves several steps. These steps ensure that communication is efficient and effective. Here are some critical considerations:

Establish Protocols: Define clear communication channels. This ensures that messages reach the right people.

Regular Updates: Keep all parties informed with frequent updates. It ensures that everyone is on the same page.

Train Employees: Teach staff how to communicate during disruptions. Prepared teams manage risks better.

Technology Utilization: Use technology to enhance communication. Digital tools can provide real-time data sharing.

Challenges to Communication

Several barriers can impede communication. These challenges include:

Cultural Differences: Global supply chains face this. It can lead to misunderstandings.

Information Overload: Too much information can confuse stakeholders. Distill it to what is necessary.

Resistance to Change: Some may resist new communication methods. They need convincing of the benefits.

Leadership commitment is important for overcoming these challenges. Leaders must champion open communication. They inspire their organizations. They guide them toward efficient SCRM.

Communication is not just critical. It is the backbone of SCRM. It empowers organizations to face uncertainties. It builds resilient supply chains. It should, therefore, receive the attention it deserves. Continuous improvement is key. Organizations must strive for better communication to manage their supply chain risks effectively.

Yu Payne is an American professional who believes in personal growth. After studying The Art & Science of Transformational from Erickson College, she continuously seeks out new trainings to improve herself. She has been producing content for the IIENSTITU Blog since 2021. Her work has been featured on various platforms, including but not limited to: ThriveGlobal, TinyBuddha, and Addicted2Success. Yu aspires to help others reach their full potential and live their best lives.

Reducing Inventory for Profit Maximization

Maximizing Inbound Logistics: Benefits, Challenges & Strategies

Decision Support For Production & Distribution Planning

Customer Order Fulfilment Reliability

Developing a Risk Management Framework and Risk Assessment for Non-profit Organizations: A Case Study

• First Online: 20 December 2016

Cite this chapter

• Elif Karakaya 3 &
• Gencay Karakaya 4  

Part of the book series: Contributions to Management Science ((MANAGEMENT SC.))

2281 Accesses

Risks in the rapidly increasing global business environment began to receive more attention among both researchers and practitioners illuminating the delicate balance between enterprise efficiencies and risk economies. However, Risk Management, in recent years, are becoming more complex to analyze and more challenging to manage and optimize.

Besides that, risk and uncertainty concept have always been a significant concern not only for private sectors and public sectors but also for non-profit organizations (NPOs) sector. In this chapter, the potential risks and their drivers are identified, assessed and ranked for a wide spread and most effective for a non-profit organization which aims to bring together native and foreign students for creating a bridge of humanity and education. After investigating the key control measures of major sources of risk, risk management processes and strategies were developed. To provide analytical results, Analytic Hierarchy Process (AHP) used by utilizing the questionnaire technique.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

• Available as PDF
• Read on any device
• Instant download
• Own it forever
• Available as EPUB and PDF
• Compact, lightweight edition
• Dispatched in 3 to 5 business days
• Free shipping worldwide - see info
• Durable hardcover edition

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Beasley M (2011) Increasing risk awareness for mission critical objectives of not-for-profit organizations. American Institute of Certified Public Accountants, Durham

Google Scholar  

Boas K (2012) Building capacity in NGO risk management. Retrieved from http://www.thesustainablengo.org/

Carter TS, Demczur JM (2013) Legal risk management checklist for non- for-profit organizations. Carters Professional Corporation, Ottawa, Toronto

Chen L (2010) Risk management for nonprofit organizations. Oregon State University, Corvallis

Chopra S, Sodhi MS (2004) Managing risk to avoid supply-chain breakdown. MIT Sloan Manag Rev 46(1):53–62

Christopher M, Peck H (2004) Building the resilient supply chain. Int J Logist Manag 2:1–13

Article   Google Scholar  

Gaudenzi B, Borghesi A (2006) Managing risks in the supply chain using the AHP method. Int J Logist Manag 17(1):114–136

Harper TJ (2012) Agent based modeling and simulation framework for supply chain risk management. Dissertation, Air Force Institute of Technology

INCOSE (2002) What is “Risk”. Risk Management Working group, Hall, DC

Jackson P (2006) Nonprofit risk management and contingency planning. Wiley, New Jersey

Matan R, Hartnett B (2011) How nonprofit organizations manage risk. Sobel & Co, Livingston

Mohammed KM (2007) Managing risk: a case study of a non-governmental organization that provides long- term care and support service for people with mental, intellectual and physical disabilities. Massey University, Palmerston North

Park K (2011) Flexible and redundant supply chain practices to build strategic supply chain resilience: contingent and resource-based perspectives. Dissertation, The University of Toledo

Pehlivanli D (2012) Kâr Amacı Gütmeyen Kuruluslarda Kurumsal Risk Yönetimi ve Risk Çalıstayı Vaka Çalısması. Muhasebe ve Finasman Dergisi:117–128

Ritchie B, Brindley C (2007) Supply chain risk management and performance: a guiding framework for future development. Int J Oper Prod Manag 27(3):303–322

Saaty TL (1980) The analytic hierarchy process. St. Louis ua, New York

Sitkin SB, Pablo AL (1992) Reconceptualizing the determinants of risk behavior. Acad Manag Rev 17(1):9–38

Tang C, Tomlin B (2008) The power of flexibility for mitigating supply chain risks. Int J Prod Econ 116(1):12–27

Trivunovic M, Johnsøn J, Mathisen H (2011) Developing an NGO corruption risk management system: considerations for donors. U4 Issue, 2011(9)

Wilson‐Grau R (2003) The risk approach to strategic management in development NGOs. Dev Pract 13(5):533–536

Wilson-Grau R (2004) Strategic risk management for development NGOs: the case of a grant-maker. Seton Hall J Dipl and Int’l Rel. 5:125

Young DR (2009) How nonprofit organizations manage risk. In: Musella SD (ed) Paid and unpaid labour in the social economy. Georgia State University, Georgia

Download references

Author information

Authors and affiliations.

Logistics Program, Vocational School of Social Science, Istanbul Medipol University, Kavacik Campus, Beykoz, 34810, Istanbul, Turkey

Elif Karakaya

Department of International Trade, Istanbul Commercial University, Sutluce Campus, Beyoglu, 34445, Istanbul, Turkey

Gencay Karakaya

You can also search for this author in PubMed   Google Scholar

Corresponding author

Correspondence to Elif Karakaya .

Editor information

Editors and affiliations.

Istanbul Medipol University , Eyup, Istanbul, Turkey

Hasan Dinçer

Istanbul Medipol University , Beylikduzu, Istanbul, Turkey

Ümit Hacioğlu

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Karakaya, E., Karakaya, G. (2017). Developing a Risk Management Framework and Risk Assessment for Non-profit Organizations: A Case Study. In: Dinçer, H., Hacioğlu, Ü. (eds) Risk Management, Strategic Thinking and Leadership in the Financial Services Industry . Contributions to Management Science. Springer, Cham. https://doi.org/10.1007/978-3-319-47172-3_20

Download citation

DOI : https://doi.org/10.1007/978-3-319-47172-3_20

Published : 20 December 2016

Publisher Name : Springer, Cham

Print ISBN : 978-3-319-47171-6

Online ISBN : 978-3-319-47172-3

eBook Packages : Economics and Finance Economics and Finance (R0)

Share this chapter

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Publish with us

Policies and ethics

• Find a journal
• Track your research

The state of AI in early 2024: Gen AI adoption spikes and starts to generate value

If 2023 was the year the world discovered generative AI (gen AI) , 2024 is the year organizations truly began using—and deriving business value from—this new technology. In the latest McKinsey Global Survey  on AI, 65 percent of respondents report that their organizations are regularly using gen AI, nearly double the percentage from our previous survey just ten months ago. Respondents’ expectations for gen AI’s impact remain as high as they were last year , with three-quarters predicting that gen AI will lead to significant or disruptive change in their industries in the years ahead.

About the authors

This article is a collaborative effort by Alex Singla , Alexander Sukharevsky , Lareina Yee , and Michael Chui , with Bryce Hall , representing views from QuantumBlack, AI by McKinsey, and McKinsey Digital.

Organizations are already seeing material benefits from gen AI use, reporting both cost decreases and revenue jumps in the business units deploying the technology. The survey also provides insights into the kinds of risks presented by gen AI—most notably, inaccuracy—as well as the emerging practices of top performers to mitigate those challenges and capture value.

AI adoption surges

Interest in generative AI has also brightened the spotlight on a broader set of AI capabilities. For the past six years, AI adoption by respondents’ organizations has hovered at about 50 percent. This year, the survey finds that adoption has jumped to 72 percent (Exhibit 1). And the interest is truly global in scope. Our 2023 survey found that AI adoption did not reach 66 percent in any region; however, this year more than two-thirds of respondents in nearly every region say their organizations are using AI. 1 Organizations based in Central and South America are the exception, with 58 percent of respondents working for organizations based in Central and South America reporting AI adoption. Looking by industry, the biggest increase in adoption can be found in professional services. 2 Includes respondents working for organizations focused on human resources, legal services, management consulting, market research, R&D, tax preparation, and training.

Also, responses suggest that companies are now using AI in more parts of the business. Half of respondents say their organizations have adopted AI in two or more business functions, up from less than a third of respondents in 2023 (Exhibit 2).

Gen AI adoption is most common in the functions where it can create the most value

Most respondents now report that their organizations—and they as individuals—are using gen AI. Sixty-five percent of respondents say their organizations are regularly using gen AI in at least one business function, up from one-third last year. The average organization using gen AI is doing so in two functions, most often in marketing and sales and in product and service development—two functions in which previous research  determined that gen AI adoption could generate the most value 3 “ The economic potential of generative AI: The next productivity frontier ,” McKinsey, June 14, 2023. —as well as in IT (Exhibit 3). The biggest increase from 2023 is found in marketing and sales, where reported adoption has more than doubled. Yet across functions, only two use cases, both within marketing and sales, are reported by 15 percent or more of respondents.

Gen AI also is weaving its way into respondents’ personal lives. Compared with 2023, respondents are much more likely to be using gen AI at work and even more likely to be using gen AI both at work and in their personal lives (Exhibit 4). The survey finds upticks in gen AI use across all regions, with the largest increases in Asia–Pacific and Greater China. Respondents at the highest seniority levels, meanwhile, show larger jumps in the use of gen Al tools for work and outside of work compared with their midlevel-management peers. Looking at specific industries, respondents working in energy and materials and in professional services report the largest increase in gen AI use.

Investments in gen AI and analytical AI are beginning to create value

The latest survey also shows how different industries are budgeting for gen AI. Responses suggest that, in many industries, organizations are about equally as likely to be investing more than 5 percent of their digital budgets in gen AI as they are in nongenerative, analytical-AI solutions (Exhibit 5). Yet in most industries, larger shares of respondents report that their organizations spend more than 20 percent on analytical AI than on gen AI. Looking ahead, most respondents—67 percent—expect their organizations to invest more in AI over the next three years.

Where are those investments paying off? For the first time, our latest survey explored the value created by gen AI use by business function. The function in which the largest share of respondents report seeing cost decreases is human resources. Respondents most commonly report meaningful revenue increases (of more than 5 percent) in supply chain and inventory management (Exhibit 6). For analytical AI, respondents most often report seeing cost benefits in service operations—in line with what we found last year —as well as meaningful revenue increases from AI use in marketing and sales.

Inaccuracy: The most recognized and experienced risk of gen AI use

As businesses begin to see the benefits of gen AI, they’re also recognizing the diverse risks associated with the technology. These can range from data management risks such as data privacy, bias, or intellectual property (IP) infringement to model management risks, which tend to focus on inaccurate output or lack of explainability. A third big risk category is security and incorrect use.

Respondents to the latest survey are more likely than they were last year to say their organizations consider inaccuracy and IP infringement to be relevant to their use of gen AI, and about half continue to view cybersecurity as a risk (Exhibit 7).

Conversely, respondents are less likely than they were last year to say their organizations consider workforce and labor displacement to be relevant risks and are not increasing efforts to mitigate them.

In fact, inaccuracy— which can affect use cases across the gen AI value chain , ranging from customer journeys and summarization to coding and creative content—is the only risk that respondents are significantly more likely than last year to say their organizations are actively working to mitigate.

Some organizations have already experienced negative consequences from the use of gen AI, with 44 percent of respondents saying their organizations have experienced at least one consequence (Exhibit 8). Respondents most often report inaccuracy as a risk that has affected their organizations, followed by cybersecurity and explainability.

Our previous research has found that there are several elements of governance that can help in scaling gen AI use responsibly, yet few respondents report having these risk-related practices in place. 4 “ Implementing generative AI with speed and safety ,” McKinsey Quarterly , March 13, 2024. For example, just 18 percent say their organizations have an enterprise-wide council or board with the authority to make decisions involving responsible AI governance, and only one-third say gen AI risk awareness and risk mitigation controls are required skill sets for technical talent.

Bringing gen AI capabilities to bear

The latest survey also sought to understand how, and how quickly, organizations are deploying these new gen AI tools. We have found three archetypes for implementing gen AI solutions : takers use off-the-shelf, publicly available solutions; shapers customize those tools with proprietary data and systems; and makers develop their own foundation models from scratch. 5 “ Technology’s generational moment with generative AI: A CIO and CTO guide ,” McKinsey, July 11, 2023. Across most industries, the survey results suggest that organizations are finding off-the-shelf offerings applicable to their business needs—though many are pursuing opportunities to customize models or even develop their own (Exhibit 9). About half of reported gen AI uses within respondents’ business functions are utilizing off-the-shelf, publicly available models or tools, with little or no customization. Respondents in energy and materials, technology, and media and telecommunications are more likely to report significant customization or tuning of publicly available models or developing their own proprietary models to address specific business needs.

Respondents most often report that their organizations required one to four months from the start of a project to put gen AI into production, though the time it takes varies by business function (Exhibit 10). It also depends upon the approach for acquiring those capabilities. Not surprisingly, reported uses of highly customized or proprietary models are 1.5 times more likely than off-the-shelf, publicly available models to take five months or more to implement.

Gen AI high performers are excelling despite facing challenges

Gen AI is a new technology, and organizations are still early in the journey of pursuing its opportunities and scaling it across functions. So it’s little surprise that only a small subset of respondents (46 out of 876) report that a meaningful share of their organizations’ EBIT can be attributed to their deployment of gen AI. Still, these gen AI leaders are worth examining closely. These, after all, are the early movers, who already attribute more than 10 percent of their organizations’ EBIT to their use of gen AI. Forty-two percent of these high performers say more than 20 percent of their EBIT is attributable to their use of nongenerative, analytical AI, and they span industries and regions—though most are at organizations with less than $1 billion in annual revenue. The AI-related practices at these organizations can offer guidance to those looking to create value from gen AI adoption at their own organizations.

To start, gen AI high performers are using gen AI in more business functions—an average of three functions, while others average two. They, like other organizations, are most likely to use gen AI in marketing and sales and product or service development, but they’re much more likely than others to use gen AI solutions in risk, legal, and compliance; in strategy and corporate finance; and in supply chain and inventory management. They’re more than three times as likely as others to be using gen AI in activities ranging from processing of accounting documents and risk assessment to R&D testing and pricing and promotions. While, overall, about half of reported gen AI applications within business functions are utilizing publicly available models or tools, gen AI high performers are less likely to use those off-the-shelf options than to either implement significantly customized versions of those tools or to develop their own proprietary foundation models.

What else are these high performers doing differently? For one thing, they are paying more attention to gen-AI-related risks. Perhaps because they are further along on their journeys, they are more likely than others to say their organizations have experienced every negative consequence from gen AI we asked about, from cybersecurity and personal privacy to explainability and IP infringement. Given that, they are more likely than others to report that their organizations consider those risks, as well as regulatory compliance, environmental impacts, and political stability, to be relevant to their gen AI use, and they say they take steps to mitigate more risks than others do.

Gen AI high performers are also much more likely to say their organizations follow a set of risk-related best practices (Exhibit 11). For example, they are nearly twice as likely as others to involve the legal function and embed risk reviews early on in the development of gen AI solutions—that is, to “ shift left .” They’re also much more likely than others to employ a wide range of other best practices, from strategy-related practices to those related to scaling.

In addition to experiencing the risks of gen AI adoption, high performers have encountered other challenges that can serve as warnings to others (Exhibit 12). Seventy percent say they have experienced difficulties with data, including defining processes for data governance, developing the ability to quickly integrate data into AI models, and an insufficient amount of training data, highlighting the essential role that data play in capturing value. High performers are also more likely than others to report experiencing challenges with their operating models, such as implementing agile ways of working and effective sprint performance management.

About the research

The online survey was in the field from February 22 to March 5, 2024, and garnered responses from 1,363 participants representing the full range of regions, industries, company sizes, functional specialties, and tenures. Of those respondents, 981 said their organizations had adopted AI in at least one business function, and 878 said their organizations were regularly using gen AI in at least one function. To adjust for differences in response rates, the data are weighted by the contribution of each respondent’s nation to global GDP.

Alex Singla and Alexander Sukharevsky  are global coleaders of QuantumBlack, AI by McKinsey, and senior partners in McKinsey’s Chicago and London offices, respectively; Lareina Yee  is a senior partner in the Bay Area office, where Michael Chui , a McKinsey Global Institute partner, is a partner; and Bryce Hall  is an associate partner in the Washington, DC, office.

They wish to thank Kaitlin Noe, Larry Kanter, Mallika Jhamb, and Shinjini Srivastava for their contributions to this work.

This article was edited by Heather Hanselman, a senior editor in McKinsey’s Atlanta office.

Explore a career with us

Related articles.

Moving past gen AI’s honeymoon phase: Seven hard truths for CIOs to get from pilot to scale

A generative AI reset: Rewiring to turn potential into value in 2024

Implementing generative AI with speed and safety

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

How to Protect Yourself and Others

CDC’s Respiratory Virus Guidance  provides strategies you can use to help protect yourself and others from health risks caused by COVID-19 and other respiratory viruses. These actions can help you lower the risk of COVID-19 transmission (spreading or catching COVID-19) and lower the risk of severe illness if you get sick.

Core Prevention Strategies

CDC recommends that all people use core prevention strategies to protect themselves and others from COVID-19:

• Although vaccinated people sometimes get infected with the virus that causes COVID-19, staying up to date on COVID-19 vaccines significantly lowers the risk of getting very sick, being hospitalized, or dying from COVID-19.
• Practice good hygiene  (practices that improve cleanliness)
• Take steps for cleaner air

When you are sick:

• Learn when you can go back to your normal activities .
• Seek health care promptly for testing and/or treatment if you have risk factors for severe illness . Treatment may help lower your risk of severe illness, but it needs to be started within a few days of when your symptoms begin.

Additional Prevention Strategies

In addition, there are other prevention strategies that you can choose to further protect yourself and others.

• Wearing a mask and putting distance between yourself and others  can help lower the risk of COVID-19 transmission.
• Testing for COVID-19 can help you decide what to do next, like getting treatment to reduce your risk of severe illness and taking steps  to lower your chances of spreading COVID-19 to others.

Key Times for Prevention

Using these prevention strategies can be especially helpful when:

• Respiratory viruses, such as COVID-19, flu, and RSV, are causing a lot of illness in your community
• You or those around you have risk factors  for severe illness
• You or those around you were recently exposed to a respiratory virus, are sick, or are recovering

Check Your Community

Find out if respiratory viruses are causing a lot of illness in your community. Data updated weekly.

Learn more about all three of these respiratory viruses, who is most at risk, and how they are affecting your state right now. You can use some of the same strategies to protect yourself from all three viruses.

Get the Latest on COVID-19, Flu, and RSV

• COVID-19 Testing
• COVID-19 Vaccines
• COVID-19 Treatments and Medications
• Preventing Respiratory Viruses
• Protect Yourself from COVID-19, Flu, and RSV

Additional Resources

• Respirators and Masks
• Improving Ventilation in Your Home
• Improving Ventilation In Buildings

Search for and find historical COVID-19 pages and files. Please note the content on these pages and files is no longer being updated and may be out of date.

• Visit archive.cdc.gov for a historical snapshot of the COVID-19 website, capturing the end of the Federal Public Health Emergency on June 28, 2023.
• Visit the dynamic COVID-19 collection  to search the COVID-19 website as far back as July 30, 2021.

To receive email updates about COVID-19, enter your email address:

Exit Notification / Disclaimer Policy

• The Centers for Disease Control and Prevention (CDC) cannot attest to the accuracy of a non-federal website.
• Linking to a non-federal website does not constitute an endorsement by CDC or any of its employees of the sponsors or the information and products presented on the website.
• You will be subject to the destination website's privacy policy when you follow the link.
• CDC is not responsible for Section 508 compliance (accessibility) on other federal or private website.

Risk Management: Understanding the Basics and Importance

In a business environment filled with uncertainties, how can business leaders steer their organizations toward sustainable success while navigating through the maze of potential risks?

One example of effective risk management in action is the case of Johnson & Johnson during the Tylenol crisis in 1982 . Faced with the crisis where cyanide-laced Tylenol capsules resulted in several deaths, Johnson & Johnson swiftly and decisively recalled all Tylenol products from the market, despite the financial implications. 

This move, driven by a commitment to consumer safety and ethical responsibility, not only managed the immediate risk but also rebuilt public trust in the brand. This incident is a classic example of how risk management extends beyond financial and operational risks to encompass ethical considerations and consumer trust.

The answer often lies at the executive level, where understanding and implementing effective risk management becomes a pivotal aspect of strategic decision-making. This process is crucial for day-to-day operations and shaping long-term business strategies and policies at the C-suite and board levels.

Risk management is the systematic process of identifying, assessing, and prioritizing potential risks and implementing strategies to minimize or mitigate their impact. 

It involves analyzing uncertainties and making informed decisions to protect organizations from potential harm or loss. Risk management is a critical component of effective decision-making and essential for the long-term success and sustainability of businesses and industries.

In today’s era, risk management strategies are increasingly influenced by the dig ital transformation of businesses. The rise of cyber risks, data privacy concerns, and the need for digital resilience are reshaping the risk landscape. Organizations are adopting digital tools and analytics, not only to comply with technological advancements but also to predict and mitigate risks more effectively.

We’ll explore the importance of risk management and how to implement an effective plan in the contemporary business landscape, especially from a strategic executive perspective.

• What types of risks are there?

Importance of risk management

Risk management process.

• Enterprise risk management (ERM)

How to create an effective risk management plan

Embrace a culture of continuous learning and adaptation in risk management, types of risks.

In the business realm, myriad risks are categorized based on their nature and source. Here’s an insight into some types of risks:

• Operational risk . Arises from internal processes, people, and systems.
• Financial risk . Related to financial operations and transactions.
• Strategic risk. Stems from business strategies and industry changes.
• Compliance risk. Due to legal and regulatory requirements.
• Reputational risk. Impacts public perception and brand reputation.
• Market risk. From market dynamics like price and demand fluctuations.
• Credit risk. Due to potential default on financial obligations.
• Technology risk. Such as cybersecurity threats and system failures.

Understanding these risks is the steppingstone to developing a robust risk management framework, ensuring business longevity amidst a landscape of uncertainties.

Risk management plays a vital role in various industries, as it helps organizations anticipate and address potential threats and uncertainties. By proactively managing risks, businesses can minimize financial losses, protect their reputation, and ensure the safety and well-being of their employees and stakeholders. 

Moreover, risk management enables organizations to seize opportunities and make informed decisions, leading to improved performance and competitive advantage. 

IMD’s Boards and Risks program provides board members with the opportunity to hone their risk oversight capabilities and ensure they’re well-equipped to guide their organizations through the complex landscape of contemporary business risks.

• Finance. In the financial sector, risk management is crucial for banks, insurance companies, and investment firms. These institutions face a wide range of risks, including credit risk, market risk, operational risk, and liquidity risk. Effective risk management practices in the financial industry help ensure stability and prevent financial crises, as demonstrated by the global financial crisis of 2008 .
• Health care. The health care industry relies heavily on risk management to ensure patient safety and quality of care. Health care organizations face risks related to medical errors, patient privacy breaches, and regulatory compliance. By implementing robust risk management strategies, providers can identify and mitigate potential risks, leading to improved patient outcomes and reduced legal liabilities.
• Project management. Risk management is equally important in project management, where uncertainties and potential risks can significantly impact project success. By incorporating risk management into project planning and execution, project managers can identify potential obstacles, allocate resources effectively, and implement contingency plans to minimize project delays and cost overruns.
• Information technology. Information technology (IT) is another sector where risk management is of utmost importance. With the increasing reliance on digital systems and the rise of cyberthreats , organizations must implement robust risk management practices to protect sensitive data, maintain system integrity, and ensure business continuity. Cybersecurity risks, such as data breaches and malware attacks, can have severe consequences, including financial losses and reputational damage.
• Supply chain management. Supply chain management is yet another area where effective risk management is critical. Supply chains are vulnerable to various risks, such as disruptions in logistics, supplier failures, and natural disasters. By implementing risk management strategies, organizations can identify potential vulnerabilities, establish alternative supply sources, and develop contingency plans to minimize the impact of supply chain disruptions.

The risk management process is a structured approach that enables organizations to identify, assess, mitigate, and monitor risks. Implementing a thorough risk management process is crucial for understanding and preparing for the potential risks that come with operating in any industry. 

Adopting standard risk management practices, like those outlined by the International Organization for Standardization (ISO), can benefit businesses by providing a framework to manage risks effectively. 

Risk identification

Risk identification is the initial step in the risk management process. It involves recognizing and listing all possible risks that might affect the organization, whether they’re operational, financial, technological, reputational, or otherwise. For example, a retail company might identify the risk of data breaches that could potentially expose sensitive customer information.

Various tools and techniques can be used for risk identification including SWOT analysis, historical data analysis, stakeholder interviews, and expert consultations.

Risk assessment

Once risks have been identified, the next step is to assess them based on their likelihood of occurrence and the potential impact they could have on the organization. 

As an example, a financial institution might assess the potential financial and reputational impact of fraud risks and determine the likelihood of occurrence is high due to inadequate fraud detection systems.

Risk assessment allows for a better understanding of the risks and aids in prioritizing them. This stage often involves the creation of a risk matrix and a risk register to visualize the severity and priority of each risk.

Alongside traditional methods, a data-driven approach is revolutionizing risk assessment. Advanced data analytics, AI, and machine learning are now pivotal tools in identifying and evaluating risks. 

These technologies enable organizations to process vast amounts of data, recognize patterns, and predict potential risks with unprecedented accuracy. By leveraging these tools, businesses can gain deeper insights into potential threats, leading to more informed decision-making.

Risk mitigation

Risk mitigation involves developing and implementing strategies to address the identified risks. The aim is to reduce the likelihood of the risks or lessen their impact should they occur. 

For example, a health care organization might implement stricter data security measures and train staff on cybersecurity best practices to mitigate the risk of cyberattacks .

Common risk mitigation strategies include risk avoidance, risk reduction, risk transfer, risk treatment, and implementing risk controls to ensure a balanced approach. It’s crucial to align mitigation strategies with organizational objectives to ensure a balanced approach.

Risk monitoring

Risk monitoring is the ongoing process of tracking and reviewing the identified risks and the effectiveness of the mitigation strategies put in place. Continuous monitoring ensures the organization is well-prepared to respond to changes in the risk profile over time. 

Effective risk monitoring includes regular reporting, reviewing, and updating the risk management plan to ensure it remains relevant and effective in the current business environment.

Enterprise risk management ( ERM )

Enterprise risk management (ERM) embodies a comprehensive approach to risk management that extends beyond traditional methods to encompass a broader range of business risks. 

Unlike conventional risk management, which may focus on isolated domains such as operational, financial, or technological risks, ERM integrates risks from various facets of a business and offers a unified view. This consolidated perspective is particularly beneficial for C-suite leaders and board members, as it facilitates strategic decision-making. 

By understanding the interdependencies and cumulative impact of different risks on overall business objectives, executives can align risk management with their strategic planning, enhancing their organization’s resilience and adaptability.

For example, consider how Apple has implemented ERM to manage its complex global operations. Apple’s ERM framework encompasses various risks, including supply chain disruptions, intellectual property issues, and market volatility. 

By integrating this broad range of risks, Apple can make strategic decisions that balance innovation with risk, such as diversifying its supplier base and investing in robust cybersecurity measures. This approach has helped Apple not only to mitigate risks but also to seize growth opportunities in the fast-evolving tech industry.

This comprehensive analysis and assessment of potential risks aid in devising robust business continuity plans, ensuring the organization remains operational and continues to meet its objectives even in the face of adversities.

For example, a hospital system implementing ERM could identify potential risks related to natural disasters and infectious disease outbreaks. By aligning its ERM findings with its business continuity plans, the hospital is better prepared to maintain operations during a pandemic and provide continuous care for patients.

Furthermore, ERM contributes to achieving business benchmarks by fostering a culture of informed decision-making. Identifying and analyzing risk events in a structured manner provides valuable insights that aid in setting realistic and attainable benchmarks. 

It also offers a clear pathway for monitoring progress toward achieving these benchmarks and makes sure the risk management initiatives are aligned with overall business success.  An illustration of these benefits can be seen in a financial services firm employing ERM to align its risk management strategies with its business benchmarks in customer satisfaction, regulatory compliance, and financial performance. Through continuous monitoring and adjustment of its risk management practices, the firm can achieve and exceed its set benchmarks, showcasing the value of a holistic risk management approach.

Creating an effective risk management plan is pivotal for business leaders who want to safeguard the organization against unforeseen adversities. Here’s a step-by-step guide to aid leaders in developing a robust plan.

1. Identify risks

Begin with a thorough identification process to list down all possible risks that could affect your organization. Use tools like SWOT analysis, brainstorming sessions, and historical data analysis to uncover potential risks. Engage different departments to ensure a comprehensive identification process.

2. Assess risks

Assess the identified risks based on their likelihood and potential impact on the organization. Utilize risk assessment matrices to prioritize risks and understand their implications better. This step should provide a clear insight into which risks need immediate attention.

3. Develop mitigation strategies

Formulate strategies aimed at mitigating risks and the impact of identified risks. Each strategy should correspond to a specific risk and might range from risk avoidance to risk acceptance. Additionally, consider investing in insurance policies to transfer certain risks.

4. Allocate resources

Allocate necessary resources like finances, personnel, and technology to support the implementation of your risk mitigation strategies. Ensure there are clear budgets and responsible persons assigned to each strategy.

5. Communicate and train

Communicate the risk management plan to all stakeholders and train relevant personnel on their roles within the plan. Effective communication and training ensure everyone is aligned and equipped to manage risks effectively.

6. Implement the plan

Put the plan into action by implementing the formulated risk mitigation strategies. Monitor the implementation process to confirm it aligns with the plan, and make adjustments as necessary to address any challenges that arise.

7. Monitor and review

Continuously monitor the effectiveness of the risk management plan and the evolving risk landscape. Regular reviews help identify any gaps in the plan, so leaders can make necessary updates..

8. Establish a feedback loop

Create a feedback mechanism to gather insights from the implementation process. Encourage stakeholders to report on the effectiveness of risk mitigation strategies, and use this feedback to improve the response plan.

9. Consult experts

Engage risk management experts or enroll in specialized programs like IMD’s Boards and Risks program , which can help board members upgrade their risk oversight capabilities by offering a structured approach toward understanding and managing various business risks

10. Foster continuous improvement

Promote a culture of continuous improvement by learning from the successes and failures of the risk management process. Analyze performance data, stay updated on evolving best practices, and strive for continuous enhancement of your risk management plan to ensure it remains robust and relevant.

Throughout this exploration, we’ve underscored the pivotal role of risk management in steering organizations through the myriad of uncertainties inherent in today’s business landscape. 

From understanding the risk management process to the broader perspective offered by enterprise risk management (ERM), the journey toward effective risk governance is both a necessity and an opportunity for organizational resilience and sustainable success.

As the business ecosystem evolves, embracing a culture of continuous learning and adaptation in risk management is imperative. Engage with IMD’s Board at Risk learning journey to further enhance your risk management acumen and prepare your organization to not only withstand adversities but to thrive amidst them.

To quote O. Sarl Simonton, “In the face of uncertainty, there is nothing wrong with hope.” Coupling hope with a robust risk management strategy is the blueprint for enduring success in an unpredictable world.

Subscribe for more great leadership content 💌

Subscribe now for exclusive content from imd.

Leadership is crucial to the success of individuals, teams, and organizations. It encompasses diverse skills, qualities, and approaches that empower individuals to guide and inspire others toward achieving common goals. As the business environment continues to evolve, so will the concept of leadership — adapting to meet the demands and challenges of a dynamic world. […]

Imagine navigating a ship through uncharted waters in the dark, with each crew member holding a piece of the map. That’s the challenge of leadership in today’s dynamic, ever-evolving business landscape. How do you, as a leader, unite these diverse pieces to chart a successful course? The answer lies in inclusive leadership. In a world […]

What if you could supercharge your leadership development in a way that’s tailored specifically to you? Today’s business leaders are under immense pressure to deliver. It’s not just about achieving quarterly targets; it’s about being a visionary, a strategic thinker, and a great manager.  That’s where executive coaching comes in. Far from being a sign […]

Do you believe each team member has a unique strength that can fuel innovation and solve complex challenges? If your answer is yes, you might want to explore the landscape of laissez-faire leadership. Laissez-faire leadership, a term many have heard but few completely understand, is growing more relevant in today’s ever-changing, complex work environments. It […]