And RQ3
The two authors (YMT and MF) independently performed level 1 (titles and abstracts) and level 2 (full article texts) screening forms. All screening and extraction were completed in duplicate. Disagreements were discussed between the two reviewers and a third-party reviewer (R R) was contacted if disagreements could not be resolved. After independent reading of the full texts, the content analyzed and selected the articles that answer the respective research questions. Study quality was not assessed during the scoping review as the objective of a scoping review is to identify gaps in the literature and highlight future areas for systematic review. 23 , 24 The required information extracted based on the research questions and placed in the designed templates.
Three thousand five hundred and seventy-four studies were screened, excluded 761 duplicates, 1556 on title review, 1081 on abstract review and 144 in a full-text review. In total, leaving 37 papers (32 papers first iteration on the database and five studies from hand searching) search for critical appraisal. Table 2 shows the flowchart for the study selection.
Paper Selection Process
Phase | Number of Imported | Number of Excluded | Exclusion Criteria | |
---|---|---|---|---|
Identification | First iteration on data base Question 1: 1287 (36.1%) Question 2, 3: 2287 (63.9%) | 3574 | – | R0: Disproportionate to the goals and research questions R1: letters, editorials, news, professional commentaries, and reviews R2: No outcome reported R3: Poor study design R4: No abstract or full text available R5: Unclear description R6: Not applicable for healthcare organizations. R7: No systematic approach to error |
Screening | Duplicate citations | – | 761 | |
Title screening Reason excluding papers on the basis of titles: R0: 998 (64.1%) R1: 198(12.7%) R6: 286(18.3%) R8:74(4.7%) | 2813 | 1556 | ||
Abstract screening Reason excluding papers on the basis of abstract: R0: 450 (41.6%) R1: 127 (11.7%) R2: 42 (3.9%) R3: 39 (3.6%) R4: 36 (3.3%) R5: 25 (2.3%) R6: 309 (28.6%) R8: 53 (4.9%) | 1257 | 1081 | ||
Eligibility | Full-text eligibility (Agreement rate: 85%). Reason excluding papers on the basis of full text: R0: 39(27.4%) R1: 8(5.6%) R2: 10(6.94%) R3: 18(12.5%) R4: 7(4.9%) R5: 6 (4.2%) R6: 27(19%) R7: 29(20.4%) | 176 | 144 | |
Included | Relevant papers found from the search on database Responsiveness rate of studied divided by each research question: Question 1: 10(14.7%) Question 2: 27(39.7%) Question 3: 31(45.6%) | 32 | - | |
Relevant references on references of relevant papers Responsiveness rate of studied divided by each research question: Question 1: 1(20%) Question 2: 3 (30%) Question 3: 5 (50%) | 5 | - | ||
Achieving the relevant papers Responsiveness rate of studied divided by each research question: Question 1: 11(14.3%) Question 2: 30(38.9%) Question 3: 36(46.8%) | 37 | - |
Note: Each study may answer several research questions.
Bibliographical information about the 36 articles included in this review can be obtained from Table 3 .
Bibliographical Sources of the Studies Included in the Literature Review
1 | Molavi Taleghani | 2016 | 4 | 1,2,3,4,5 | Iran | Emergency surgery ward in hospital | 2,3 |
2 | Gervais | 2012 | 3 | 2,4,5 | Ireland | Pharmaceutical manufacturing environment | 2,3 |
3 | Bernardini | 2013 | 3 | 2 | Italy | Complex and mission-critical systems | 2,3 |
4 | Cagliano | 2011 | 3 | 6 | Italy | Pharmacy department in a large hospital | 2,3,1 |
5 | Parand | 2017 | 4 | 1,4,5 | England+ Italy | Medication administration within homecare | 1,2,3 |
6 | Sendlhofer | 2015 | 3 | 2,6 | Austria | Large university hospital | 2,3 |
7 | Lopez | 2010 | 4 | 2,3 | USA | Clinical cell therapy in regenerative medicine | 2,3 |
8 | Emblemsvag | 2002 | 3 | 6,2 | Norway | Manufacturing environment | 1,2,3 |
9 | Jaberidoost | 2015 | 4 | 1,2,3,5 | Iran | Pharmaceutical industry | 2,3 |
10 | Wierenga | 2009 | 3 | 5,3 | Netherlands | Two hospital | 2,3 |
11 | Niel-Laine | 2011 | 2 | 2,5 | France | A central sterile supply department | 2,3,1 |
12 | Trucco | 2006 | 2 | 1,2,4,3 | Italy | Drug therapy management process | 2,3 |
13 | Emre Simsekler | 2018 | 4 | 1,2,6 | England | Gastroenterology Unit in Hospitals | 1,3 |
14 | Bonnabry | 2005 | 4 | 5 | Switzerland | Pediatric parenteral nutrition process | 2,3 |
15 | Rezaei | 2018 | 4 | 2,5,1,3 | IRAN | Surgery ward in hospital | 2,3 |
16 | Domanski | 2016 | 3 | 1,2,3 | Poland | Nonprofit Organizations | 1,2,3 |
17 | Ramkumar | 2016 | 4 | 2,5,6 | India | E-procurement systems | 1,2,3 |
18 | Beauchamp-Akatova | 2013 | 3 | 2,3,6 | Netherlands | Air transport systems | 2,3 |
19 | Faiella | 2017 | 4 | 2,3,6 | Uk | Administration of medication in the home setting | 2,3 |
20 | Usman Tariq | 2013 | 3 | 6,2 | Saudi Arabia | Iodine development industry | 1,2,3 |
21 | Famiyeh | 2015 | 4 | 3,1,5,4 | Ghana | Mining organization | 2,3 |
22 | Choo | 2015 | 4 | 6,1,3,4,5 | USA | Business unit within a large high-tech organization | 1,2,3 |
23 | Apostolopoulos | 2016 | 4 | 3,5,6 | UK | Various industries | 1,2,3 |
24 | Delcea | 2016 | 1 | 2,6 | Romania | Clinical Emergency County Hospital | 1,3 |
25 | Abdi | 2016 | 4 | 6,4,3,5 | Iran | Intensive care unit | 2,3 |
26 | Chu | 2014 | 4 | 5,6 | Taiwan | E-healthcare architecture and syndrome test | 2,3 |
27 | Prijatelj | 2012 | 3 | 5,3 | Slovenia | Selected clinical departments | 2,3 |
28 | Kerckhoffs | 2013 | 2 | 1,5 | Netherlands | Intensive Care Unit of in hospital | 2,3 |
29 | Vahidnia | 2017 | 2 | 1,3,6,2,4 | Turkey | Small software company in a University | 2,3 |
30 | Leung | 2008 | 3 | 1,2,3,5 | Canada | Public sector research | 2,3 |
31 | Zeng | 2013 | 3 | 2 | USA | Enterprise resource planning (ERP) systems | 2,3 |
32 | MC Emre Simsekl | 2015 | 4 | 1,2,4 | UK | University Hospitals Foundation Trust | 1,3 |
33 | M. C. Emre Simsekler | 2018 | 2 | 3,1 | UK | Health-care Foundation Trust | 3 |
34 | Jun | 2010 | 4 | 2,6,3,1 | UK | Health service | 3 |
35 | Card | 2014 | 1 | 5,1 | USA | Healthcare organization | 3 |
36 | Potts | 2014 | 4 | 1,5,3,2,4 | UK | Community-based anticoagulation clinic | 2,3 |
37 | Kessels-Habraken | 2009 | 4 | 1,2,4,5 | Netherlands | General hospital | 2,3 |
Notes: *Type of study included 1) Empirical quantitative; 2) Empirical qualitative 3) Conceptual/theoretical 4) mixed method. Data collection methods included 1) Survey (questionnaires or checklists); 2) Database, Documents & Records; 3) Interviews; 4) observation; 5) Focus Groups; 6) Ethnographies, Oral History, & Case Studies.
According to Table 3 , 11 articles (14.3%) were used to answer the first research question, 30 articles (38.9%) were used to answer questions 2, and finally, 36 articles (46.8%) were used to answer research question 3. (Total papers >36 because each paper may be classified into two or more study types, or may address two or more review questions.) Also, it could be recognized that all but four articles were published in 2009 or later, this is due to the complexity of environment and type of services provided by organizations and, consequently, use of the RM and risk assessment process as a tool for reducing errors and incidents in recent years.
As can be seen in Table 3 , based on the setting of the studies, Europe had the most study with (59.5%) of the authors affiliated with European universities and institutions. Asia was the next one with (21.6%) of the studies, followed by America (13.5%), Oceania (2.7%), and Africa with 2.7%. Also, most of the studies examined in developed countries. Thus, at this point, we can already identify a need for more research into risk management in developing countries.
As for design, 2(5.4%) studies were empirical quantitative, 5 (13.5%) empirical qualitative, 12 (32.4%) conceptual/theoretical and 18 (48.7%) mix method.
Risk identification is usually a necessary condition for later risk management. 25 Given dynamic and complex healthcare organizations, different risk sources can trigger hazardous situations, potentially harming the organization. 36 It is therefore essential to consider as many risk sources as possible within a classification to help participants familiarize themselves with the given system and potential risk sources. 36 Although the study strategy did not focus on risk types of healthcare organizations (see methods), the reviewed studies placed significant emphasis on identifying and discussing a variety of typical risks in similar organizations with healthcare organizations.
According to the results of Simsekler et al, risk identification Framework (RID Framework) used to identify risks of the health organizations. 36 The risk identification framework includes a spectrum of inputs (System familiarization), processes (Identification of risks), and outputs (Presentation of the risks) in its structure. 36
Results of the studies, a functional framework for identifying and classifying risks in executive levels of HCOs are presented in Table 4 .
Identification and Classification of Risks in Executive Levels of Healthcare Organization
Input | Process | Output |
---|---|---|
Customers and stakeholders demands (patients, providers, suppliers, and buyers) | All organizational processes (clinical and non-clinical processes, technology processes, etc.) | Customer perceptions, costs, functions and health status |
Source of risk | Intra-organizational | Risk |
1- Internal: 1–1 Organization or Operational: Organization structure, process, organization culture , , , , 1–2 Physical structure and technological supports: Used by resources to perform their activities and all the tools necessary to support processes within a healthcare delivery system. (information system, information security, Technology selection and implementation related) , , , , , 1–3 Communication/information: As the basis of the relationships among resources and between them and technological supports. (Information exchanges, communicating variations and decisions). , , , , , 1–4 Human or personnel resource , , , 1–5 Financial: Form of financing, evaluation, return. , , 1–6 Organization conditions or location , 1–7 Customer 1–8 Administrative or task , 1–9 Knowledge and skill 1–10 Material and equipment: displays/integrity/positioning/usability , 1–11 Collaboration and team 2- External: 2–1 Supplying , , 2–2 Financing , 2–3 Environment and ecological 2–4 Regulation and Legal , 2–5 Logistics: Manufacturing, disruption and transportation, inventory, storage , , 2–6 Commercial 2–7 Revenue: demand, toll/tariff, development , 2–8 Capacity 2–9 Social 2–10 Volunteers 2–11 Political and government | A: Expert opinion(focus groups-brainstorming- Delphi technique) , , , , , , B: Results of examination of documents, reports and other records of visits , , C: Observation | Hazard: what can go wrong? Cause: why/how it could go wrong? Effect: who/what is at risk? |
Extra-organizational | ||
A: Literature , , B: Stakeholder analysis C: Results of reports of higher organizations D: External audit , | ||
Retrospective | ||
A: Expert opinion , , B: Interviews , , C: Risk Breakdown Structure(RBS) , D: Survey results , , , E: Critical incident F: Reporting system G: Historical and Previous data , H: Quality function deployment(QFD) I: Triangle method J: Cause and effect analysis (CEA) K: Event or fault tree analysis , , L: Checklists or check sheet M: SWOT analysis N: PESTEL analysis O: Direct observation | ||
Nature of hazards , | Prospective | |
A: Obvious hazard: Is apparent to the senses B: Concealed hazard: Is not apparent to the senses C: Developing hazard: Cannot be recognized immediately, and develops over time 4: Transient hazard: An intermittent or temporary hazard | A: Level of probability B: Failure mode and effect analysis (FMEA) C: Imagery D: Modeling E: Grey systems theory F: Hierarchical holographic modeling (HHM) | |
Time , | ||
A: Past: what has gone wrong the past? B: Present: what could go wrong currently? C: Future: what can go wrong due to change? |
According to Table 4 , risk sources are classified into two categories (internal and external), and risk identification tools classified into two categories (retrospective-prospective and intra-organizational – inter-organizational).
A stringent risk management process may enable executive levels of HCOs to cope with the risks presented in the previous section. Once risks have been identified, a number of techniques and actions can be selected to address them.
Various models have been used by organizations to assess and manage risk, the results are which are shown in Table 5 . Based on the findings in Table 5 , the risk management framework that are applicable to the executive levels of HCOs are classified into basic models and combined models. In addition, risk management models are divided by cost, time, and complexity. The approaches of risk management models are also divided into qualitative or quantitative, systemic or individual, retrospective or retrospective, and holistic or partial.
Characteristics of Organization RM and Risk Analysis Techniques
Model Name | Steps | Characteristics | Output and Information | Attitude to the Risk | Applicable Type of Environment | Cost | Time | Complexity | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Establish the Context | Risk Identification | Risk Analysis | Risk Evaluation | Risk Treatment | Monitoring | |||||||||
1- Risk Analysis Phases | ||||||||||||||
1-1- Base models | ||||||||||||||
Strategic risk analysis approach (SRA) | 1 - Define objectives, 2 -Brainstorm risk, and characteristics according to the SWOT axis; 3 - Calculate possibilities and consequence of the risks; 4 - Combine risks with characteristics. | Weakness: It does not express the relationship between risks and its nature. Strength: It interrelates the organization strategic risks and organizational characteristics. | N | S | Y | Y | N | N | *Qualitative *Systemic *Prospective *Holistic | Particularly risks associated with the mission and objectives of the organization | Low-medium | Low-medium | Low-medium | |
Preliminary Risk Analysis method (PRA) | 1. PRA team; 2. Elaborating hazardous situations mapping and priority; 3. Elaboration of potential risks scenario. | Strength: An effective tool for identifying high-risk dangers Weakness: Error details are not mentioned | Y | S | Y | Y | Y | Y | *Holistic *Systemic *Prospective *Qualitative | All, especially the early stages of a project | Low-medium | Low-medium | Low-medium | |
Healthcare Failure Mode and Effect Analysis | 1. Selection of a high-risk process; 2. Assembling the team; 3. Graphically describing the processes; 4. Conducting hazard analysis; 5. Actions and outcome measures. | Weakness: 1. Use qualitative and subjective approaches to calculate error. 2. Interaction between errors is ignored. 3. Effectiveness of measures is not estimated. | Y | Y | Y | Y | S | N | *Systemic *Narrow *Prospective *Qualitative | All, especially for well-defined systems | Medium | Medium | Medium | |
Criticality analysis (FMECA) | 1. Team formation, 2. Process mapping, 3. Risk identification, 4. Determination of error roots, 5. Criticality, 6. Analysis, 7. Determine corrective actions. | Weakness: 1. Use qualitative and subjective approaches to calculate error. 2. Interaction between errors is ignored. 3. Effectiveness of measures is not estimated. | Y | Y | Y | Y | S | N | *Systemic *Narrow *Prospective *Qualitative | All, especially for well-defined systems | Medium | Medium | Medium | |
Change Risk Assessment Model (CRAMS) | 1. Risk Identification; 2. Risk Assessment; 3. Risk Monitoring & Control CRAM’s Node Hierarchy. | Weakness: Depend on the expert judgment. Strength: A method for analyzing system changes | Y | S | Y | Y | Y | Y | *Prospective *Qualitative *Systemic *Narrow | All, especially for the analysis of recent changes in systems | Low-medium | Low-medium | Low-medium | |
Using a GRPN-Based FMEA Model | 1. Select a procedure/sub procedure for study; 2. Assemble a team; 3. Make a diagram of the procedure/subprocedure; 4. Identify the failure modes; 5. Use historical data of risk factors 6-Give α and risk weights; 6. Suggest threshold; 7. Create an FMEA worksheet; 8. Sort the failure modes; 9. Take corrective action. | Strength: Using quantitative parameters to estimate and prioritize errors Weakness: The effectiveness of measurable is not estimated. 2-Variables values are homogeneous for calculating SOD. | Y | S | Y | Y | Y | N | *Systemic *Narrow *Prospective *Qualitative-quantitative | All, especially for well-defined systems and critical parameters | Medium | Medium | Medium | |
Bow-Tie Model | 1. Selection of hazards; 2. Description of the team formation; 3. Identify hazard; 4-Identify critical event; 5. Identify treat; 6. Identify consequence ;7-Identify barrier; 8. Identify escalation factor; 9. Determining recommendation and implemented. , , | Weaknesses: 1. Uses qualitative and subjective approaches in calculating errors. 2. Team members should have high knowledge of their system details. 3. The effectiveness of measures cannot be estimated. | S | S | Y | Y | Y | N | *Prospective *Qualitative *Systemic *Narrow | All, especially for project in a larger safety improvement plan | medium | medium | medium | |
1-2 Combined Models | ||||||||||||||
Analytic hierarchy process and simple additive weighting (SAW) methods | 1. Risk identification; 2. Risk analysis included 2-1. Scoring hazards; 2-2. Scoring probability; 2. 3Prioritize function; 2-4. Pilot study; 2–5. Risk analysis matrix; 3. Risk evaluation included 3-1. Risk calculation; 3-2. Risk ranking. | Strength: 1. Use of quantitative approaches to risk estimation | Y | S | Y | Y | N | N | *Qualitative-quantitative *Systemic *Prospective *Holistic | All | Medium | Medium | Medium | |
Evidence-based methodology | Be used by three methods: A - (HFMEA): 1. Topic definition; 2. Assemble the team; 3. Graphical process; 4. Failure mode identification; 5. Failure moderating; 6. Identification of critical factor; 7. Cause analysis; 8. Identify actions and outcome measures B - Systematic Human Error Reduction and Prediction Analysis (SHERPA):1-HTA diagram; 2- Human error identification;3Consequence analysis and check of severity scores; 4-Recovery analysis; 5-Remedy analysis C- Systems-Theoretic Accident Model and Processes (STAMP) 1-Control structure; 2-Controls and communication problem examination. | Strength: Combined model Weakness: uses qualitative and subjective approaches to calculate error | Y | Y | Y | Y | Y | Y | *Prospective *Systemic-humanistic *Qualitative-quantitative *Narrow | All, specially system accidents | Medium-high | High | High | |
Human Reliability Assessment (HRA) and FMEA | 1. Context analysis; 2. Process mapping; 3. Risk identification and assessment; 4. Failure modes and waste analysis; 5. Suggested improvement actions and degree of success of already taken measures. | Strength: Combined model Weakness: The validity of results depends on the collected data. | Y | Y | Y | N | S | N | *Systemic-humanistic *Prospective *Narrow *Qualitative-quantitative | All | Medium-high | Medium-high | Medium-high | |
(FMEA/FMECA) | 1. Selection of the process to be studied; 2. Establishment of the team; 3. Training; 4. Process modeling flowchart; 5. Identification of potential failure mode; 6. Identification of possible consequences; 7. Identification of possible causes; 8. Estimation S, O, D; 9. Calculation of risk priority; 10. Decision; 11. Approval. | Strength: Combined model Weakness: 1-Evaluation of external effects is limited.2. Interaction between errors is ignored | S | Y | Y | Y | Y | N | *Systemic *Narrow *Prospective *Qualitative-quantitative | All, especially for well-defined systems and critical parameters | Medium-high | Medium-high | Medium-high | |
CREA (Clinical Risk and Error Analysis method) | 1. Activities Identification; 2. Activities; 3. Identification of error modes based HUMAN HAZOP; 4. Risk Evaluation based risk diagram; 5. Organizational Causes Analysis based VINCENT’S FRAMEWORK. | Strength: The decision support tool is for process reengineering Weakness: 1. Is based on personal judgment. 2. requires strong documentation | N | Y | Y | Y | N | N | *Holistic (Emphasis on work procedures) *Systemic- humanistic *Prospective *quantitative | All, especially Identify possible deviations and sequential operations or procedures | High | High | High | |
Multiple models | Be used by three methods: A - FMEA: 1. Identify failure modes; 2. Identify severity, likelihood, and detection;3. Define failure causes B - Hierarchical holographic modeling (HHM): 1. Define the key risk issue; 2. Decompose the risk issue into different, appropriate perspectives; 3. Further decompose the head topics into a hierarchy of subtopics; 4. Crosscheck; 5. Walkthrough each topic and sub-topic to identify risk scenarios for further analysis. C- Technique for human error rate prediction (THERP): 1. Definition; 2. Screening; 3. Qualitative analysis; 4. Representation; 5. Impact assessment; 6. Quantification; 7. Documentation. | Strength: Combined model Weakness: It analyzes all failures equally, regardless of their importance, and has difficulty dealing with data redundancies,2- expensive,3- time-consuming for complex systems,4-failure modes are considered one-at-a-time, meaning it is unable to detect common cause failures and design failures. | Y | S | Y | Y | S | Y | *Narrow *Systemic-humanistic *Prospective *Qualitative-quantitative | All | High | High | High | |
integrating FMEA and RCA | 1. Initial framework development; 2. Forming FDG group; 3. Selecting a process; 4. Mapping of selected process; 5. Implementation of the FMEA 6. RCA model included 6-1. Determine AE resulted from failures after 3 months of RPN calculation; 6-2. Benchmark ability of improved RPN to prioritize failure mode. | Strength: Combined model Weakness: 1. Is based on personal judgment. | Y | S | Y | Y | S | Y | *Narrow *Systemic *Qualitative-quantitative *Retrospective- Prospective | All, especially for well-defined systems and critical parameters | Medium-high | Medium-high | Medium-high | |
Modified ANP and Fuzzy Inference System risk assessment | 1. Construction of risk assessment group; 2. Determine risk factors; 3. Measurement of Factor index; 4. Measurement of Ringer-saline (RS) or Ringer-lactate (RL); 5. Fuzzy inference phase; 6. Defused phase; 7. Output phase. | Strength: 1-Combined model 2. Integration of possible risk factors for more accurate decision making | Y | S | Y | Y | S | N | *Retrospective- Prospective *Systemic *Qualitative-quantitative *Narrow | All | Medium-high | Medium-high | Medium-high | |
a fuzzy method based tool the risk assessment analysis | 1. Risk Factors, Scales and Data; 2. Identify Risk score; 3. Risk evaluation included 3-1. Risk matrix; 3-2. A decision matrix; 3-3. Obtained values as a vector of fuzzy numbers. | Strength: is suitable for small business organizations with limited resources. 2- Combined model | S | Y | Y | Y | S | N | *Qualitative-quantitative *Prospective *Systemic *Narrow | All, specially at project bid, initiation phases and acceptance decisions | Medium | Medium | Medium | |
HFMEA and Structured What If Technique (SWIFT) | Be used by two methods: SWIFT method: 1. determine a hierarchical task analysis diagram; 2. a series of questions was asked at each step of the task analysis designed; 3. Identify severity HFMEA: 1. Assembling the team; 2. Graphically describing the processes; 3. Conducting hazard analysis; 4. Actions and outcome measures. | Strength: 1-Combined model | Y | Y | Y | Y | Y | N | *Narrow *Systemic *Qualitative-quantitative * Prospective | All, especially for well-defined systems | Medium | Medium | Medium | |
Prospective risk analyses and retrospective incident reporting and analysis | Prospective risk analyses: 1. Assembling the team; 2. constructed flowcharts of the selected processes; 3. identified and assessed possible risks for each process step retrospective incident reporting: 1. define occurrence of reported incidents; 2. report any deviation from normal; 3. analyzed the reported incidents | Strength: 1. Combined model 2. Integration of possible risk factors for more accurate decision making | Y | Y | Y | Y | S | N | *Narrow *Systemic *Qualitative-quantitative *Retrospective- Prospective | All | Medium | Medium | Medium | |
2- Risk Management Phases | ||||||||||||||
2-1- Base models | ||||||||||||||
Systemic Risk Management’ (SYRMA) | 1. defining and managing event and recording threats and vulnerabilities; 2. tracking identified risks in a risk register; 3. performing risk assessment and risk evaluation; 4. providing the capability of registering statistical or benchmark data; 5. setting risk priorities; 6. defining and tracking risk treatment activities. | Strength:1-address both managerial and operative staff support requirements.2-Allows users to personalize their view of the system | S | Y | Y | Y | Y | Y | *Qualitative-quantitative *Prospective *Systemic *Holistic | All, especially for healthcare sector and case of complex and mission critical systems | Medium-high | Medium-high | Medium-high | |
Clinical risk management (CRM) | 1. Identify risks; 2. Analysis risks; 3. Assess risks; 4. Manage risks. | Weakness: is based on subjective and intrinsic judgment | S | S | Y | N | S | Y | *Qualitative *Prospective *Systemic *Holistic | All, specially for healthcare | Medium-high | Medium-high | Medium-high | |
Strategic Risk Management (SRM) | 1. Defining the context; 2. Risk assessment; 3. Making and Communicating the decision and Action; 4. Monitoring and course correcting. | Weakness: is based on subjective and intrinsic judgment | Y | S | Y | Y | S | Y | *Qualitative *Prospective *Systemic *Holistic | All, specially for project management | Medium-high | Medium-high | Medium-high | |
System risk evaluation and management | 1. Define the objectives and performance measures; 2. Workshop together; 3. Evaluate and priorities consequences for each alternative; 4. Evaluate system consequences and choose the best risk treatment; 5. Implement; 6. Monitor. | Strength: 1 - Can understand new risks and their consequences. 2. Establish interaction between different stakeholders. | Y | S | Y | Y | Y | Y | *Systemic *Holistic (Emphasis on problem solving variables) *Prospective *Qualitative | All, specially for dynamic and changing organization | Medium-high | Medium-high | Medium-high | |
ISO 31000 | 1. Establish the context; 2. Identify risk; 3. Analysis risk; 4. Evaluate risks; 5. Treat risks; 6. Monitor and review; 7. Communication and consult. | Weakness: is based on subjective and intrinsic judgment | Y | Y | Y | Y | Y | Y | *Qualitative *Prospective *Holistic *Systemic | All | Medium-high | Medium-high | Medium-high | |
ERM(enterprise risk management) | 1. Establish the context; 2. -Identify risks within this context; 3. Assess risks included: 3-1. analyze risks; 3-2. Evaluate risks; 4. Develop risk treatment included 4-1. Risk mitigation; 4-2. Implement mitigation strategies. | Weakness: The relative risk assessment matrix is used instead of a precise measurement for risk rating. | Y | Y | Y | Y | Y | N | *Qualitative *Prospective *Narrow *Systemic | All | Medium-high | Medium-high | Medium-high | |
ERP by fault tree analysis | 1. Context analysis; 2-Risk identification; 3. Risk analysis; 4. Risk evaluation included 4-1. Enterprise resource planning decomposition and specification; 4-2. Fault tree analysis; 5. Risk Response & Treatment; 6. Risk Review, monitoring & controlling. | Weakness: 1-We can only check one event at a specific time | Y | Y | Y | *Qualitative-quantitative *Systemic *Prospective *Narrow | All | Medium-high | Medium-high | Medium-high | ||||
2-2: Combined models | ||||||||||||||
The combined approach(HFMEA, SHERPA) and (STAMP-STPA) | 1. Graphical process included 1-1. Box and arrow diagram; 1–2. HTA Diagram; 1–3. Representation of the control loop; 2. Hazard analysis included 2–1. Failures identification; 2–2. Human error classification; 2–3. Failure scoring; 2–4. Consequence Analysis; 2–5. Check the coherence of severity scores; 2–6. Hazard score calculation; 2–7. Recovery Analysis; 2–8. Selection of the critical failures; 2–9. List of the existing control measures; 3. Cause analysis;4-Identification of prevention measures and controls. | Weakness: The validity and reliability of the combined model have not been measured. Strength: 1-Combined model | S | Y | Y | Y | S | Y | *Qualitative *Prospective *Systemic-humanistic *Holistic with emphasis on duties | All, specially for health care | Medium-high | High | High | |
Problem-solving strategy with embedded Six Sigma methodology | 1. Trained RM team; 2. The define phase; 3. Identify, classify and prioritize risk; 4. RCA; 5-Measures process capability; 6. Prioritize, implement, control and monitor. | Strength: The validity of the model is proven. | Y | S | Y | Y | Y | Y | *Qualitative-quantitative *Systemic *Prospective *Holistic | All | High | High | High | |
Adaptation of the ISO 31000:2009: Six Sigma DMAIC approach to enterprise RM (ERM) | 1. Define phase(Mandate and commitment); 2. Measure phase included identify risk; 3. Analyze phase included risk analysis; 4. Improve phase including risk mitigation; 5. Control phase including 5-1. The recommended improvement action plan be documented; 5–2. Monitor and review; 6. Communicate and consult. | Strength: 1. Provides a more accurate decision for the organization. 2. Creates value for the stakeholders of the organization. | Y | Y | Y | Y | Y | Y | *Qualitative-quantitative *Systemic *Prospective *Holistic | All | High | High | High | |
Error prevention methods: (HFMEA- RCA- Structured Analysis-Dynamic systems development method (DSDM) | 1. Defining a Topic; 2. Assembling a Team; 3. Describing a process; 4. Analyzing hazards included 4-1. To identify and assess potential vulnerabilities; 4-2. The HFMEA Decision Tree; 4-3. Identified causes of errors; 5. Identifying Actions and Expected Outcomes; 6. Build Iteration; and Implementation; 7. Renovating process. | Strength: Is an effective way to prevent errors in organizations. | Y | Y | Y | Y | Y | Y | *Qualitative-quantitative *Systemic *Prospective *Holistic | All, special for health care | High | High | High |
Notes: In output and information item, the status of risk management in organization was determined based on each of the phases of proposed framework. (Y: Fully performed, S: Somewhat performed, N: Not implemented).
According to the studies’ results, a simple and comprehensive framework for RM in executive levels of HCOs was suggested. The proposed framework of the present study consists of five phases that its main phases are adapted from the ISO13000 framework. The following is a suggested framework and techniques that can be used to implement risk management processes in executive levels of HCOs. Finally, in Table 5 examines the extent to which risk management based on the key phases of the proposed framework is established in healthcare organizations.
In the following, RM framework and techniques in executive levels of HCOs for each organization were mentioned.
The first phase in the risk management process is establishing the context. The context establishment primarily paves the way for the organizational nature of the company such as the project objective and management style or organization culture. In this step, issues such as healthcare organization background, who should conduct the RM process, Identify interested parties, formulate problems, set the objective(s) of RM and Select appropriate methods for RM are reviewed. 43 , 59
The organizational RM team should be multidisciplinary and comprised of various specializations, in particular, managers, process owner experts, and RM experts (consultants and facilitators). 25 , 33 Also, the number of team members depends on the complexity of organizational issues. 33 , 40 , 43
The second phase in the risk management process is risk assessment, which involves measuring or estimating the potential frequency of losses and the potential impact of a risk on the organizations' health care. Subsequently, the risks can be ranked according to its importance for the HCOs. In general, the following three steps (risk identification, risk analysis, and risk evaluation) proposed for risk assessment in executive levels of HCOs:
Describing the process and system definition.
According to the results, there were several methods for outlining risky processes that executive levels of HCOs can use depending on their needs: Textual system description, 8 , 41 , 53 , 59 activity breakdown structure (ABS), 8 radar charts, 34 flow charts, 3 , 25 , 28 , 30 , 38 , 45 , 50 , 56 , 62 process diagrams, 34 , 38 , 45 , 56 , 58 system diagram, 8 , 34 , 62 integration definition (IDEF), 35 and hierarchical task analysis Diagram (HTA) or task diagram, 26 , 28 , 35 , 42 , 57 , 62 communication diagram, 56 , 62 information diagram, 35 , 56 , 62 , 63 organizational diagram, 35 , 56 , 62 , 63 stakeholder diagrams, 56 swim lane activity diagram, 56 state transition diagram, 56 sequence diagram, 56 and data flow diagram. 56
In general, process description tools are divided into two categories of descriptive tools and process tools. Radar charts, also called Kiviat diagrams, were built in order to visualize initial and residual risks for each kind process. 34 ABS is process-oriented instead of being product-oriented, moreover, this method lacks time dimension. 8 Also, a task diagram is used for describing the hierarchy of operations and plans, system mapping for how data is transmitted through activities, Information diagrams for describing information hierarchies, organizational diagrams for describing organizational roles hierarchy and Communication diagrams for displaying information flows between individuals and Business processes and IDEF for linking between inputs and outputs in organizational activities and resources, and Sequence diagrams for interacting information between stakeholders.
According to Cagliano et al, the flow chart included the name or code of both process phase and activity at issue, actors performing the activity; inputs (information, materials, preliminary actions, orders, etc.); a detailed description of operations required by the activity; duration and frequency; controls to monitor activity progress; tools necessary to perform both the activity and related controls and outputs (other activities, information, and data). 8 Moreover, in Parand et al’s study, activities in flow chart classified based on action, retrieval, checking, selection and information, and communication. 28 In general, as the describing the process be stronger, the results of the risk assessment can be more effective.
According to Simsekler et al 36 and Jun et al. 56 Studies, specific types of diagrams were selected by stakeholders as more useful than others in identifying different sources of risks within the given system. In general, employees’ perception, the ease of use and usefulness are the main variables for choosing the most optimal system modeling tool.
After drawing the process flowchart, at this stage, organizational risks or organizational process risks are determined. The applied frameworks for identifying risks in executive levels of HCOs presented in Table 4 .
Based on some risk assessment models, the effective causes and the root causes of the errors are identified at this stage. Based on the Eindhoven model, the classes of causes error classified into two main categories of latent errors (technical and organizational) and active errors (human errors and other factors). 25 Furthermore, based on the results of some studies, the causes of errors classified in the Institutional context factors, organizational and management factors, work environment factors, team factors, communication factors, individual (staff) factors, training and education factors, equipment factors, task factors, and patient factors. 35 , 36 In addition, based on the results of some studies, the Ishikawa cause-effect diagram can be used to determine the sources of errors. 37 , 45 , 48
At this stage, it is possible to estimate the risk, qualitatively, semi-qualitatively or quantitatively according to the probability of the risk. The following steps considered for risk analysis in executive levels of HCOs.
At this stage, it is possible to risk estimation according to the probability and severity of risk. There are numerous qualitative, semi-quantitative and quantitative methods that try to estimate individual components of risk for a result to better reflect the reality.
Using verbal descriptors (low, medium, or high), 26 risk weights, 25 , 34 , 38 , 49 , 59 , 61 encoding, 30 , 40 , 52 , 60 , 61 scoring tables, 25 – 27 , 30 , 32 , 37 Bayesian methods, 46 Monte Carlo method, 46 , 60 and historical data, 49 suggested for estimating the severity and probability of risk in executive levels of HCOs.
In quantitative risk estimation methods (Monte Carlo and Bayesian), activities find a probabilistic form and a distribution function is specified for them. 46 , 60 In qualitative risk estimation methods, risks are prioritized based on their potential impacts on project objectives based on qualitative variables. Qualitative methods of risk estimation can either lead to further analysis in quantitative risk estimation or directly to risk response planning. 30 , 60
Interview with experts, 32 , 53 questionnaire design, 32 , 61 Delphi method or expert, 60 and focus group, 38 , 44 , 46 , 49 - 51 , 53 identified an applied method for risk estimation in executive levels of HCOs.
Present-estimated risks based on risk presentation formats, included a single number index (e.g. 1/100,000), 27 , 37 use failure space vs success space, 54 fuzzy numbers scales, 30 , 32 , 40 , 41 , 52 , 61 tables (e.g. sizes or bands of fatalities are 1–10, 11–100, and 101–1000), 30 , 40 risk matrix, 25 , 33 , 43 , 52 , 53 , 57 graphs or diagrams (e.g. Frequency-Number (F-N) curve), 35 , 46 and maps (e.g. risk contour plot). 45
In sensitivity analysis, the management index (Risk Index x Sensitivity) provided further ranking for those risks that have equivalent Risk Indexes. Given its scope, this analysis may not necessarily constitute an integrated step of risk analysis. 49
Synthesize information about the main risk elements included risks and their causes and contributing causes, frequency or probability, consequences due to risk, and estimated risks. 49
Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. In this step, the following steps considered for risk evaluation in executive levels of HCOs.
There was a wide range of qualitative and quantitative risk criteria or standards for evaluation of various types of errors in executive levels of HCOs. Selection of risk criteria may also depend on the results of the risk analysis and how risks are estimated. 60
This step concerned with making decisions about prioritization and comparison of risks to be managed, based on the outcomes of risk analysis. 27
A simple method for risk filtering was a Pareto analysis. 26 , 30 , 58 , 60 Moreover, in some studies, decision tree, 25 , 28 , 49 , 57 priority matrix, 25 , 30 , 35 criticality matrix, 34 , 44 Criticality scale, 34 , 38 , 49 , 60 and risk prioritization grid used to determine acceptable and unacceptable risks. 27 Furthermore, simple additive weighting (SAW), 32 and hazard totem pole (HTP) 60 methods can be used as practical and quantitative methods for risk evaluation. SAW was a simple and most applicable multi-attribute decision method which is known as a weighted linear combination or scoring technique. 32
This phase involved defining and implementing actions for mitigating the determined risk level and verifying that the residual risk level is acceptable. 27
The four common organization RM strategies options:
These comprise two fundamental approaches to risk reduction, which were:
Moreover, theory of problem-solving by an inventive method, 25 Generating Options for Active Risk Control (GO-ARC) Technique 64 and dynamic systems development method (DSDM) 50 used to redesign the process and improve strategies.
In the GO-ARC Technique, risk control options are divided into 5 categories (elimination, design controls, administrative controls, detection/situational awareness, and preparedness). The first three consist of the 3-tiered hierarchy of risk controls. The remaining two, detection/situational awareness and preparedness help users consider risk controls to reduce the severity of harm or prevent harm in the midst of an on-going systems breakdown; they are aimed at promoting resilience, as opposed to focusing solely on preventing systems breakdowns in the first place. In general, GO-ARC improves the trend of producing risk control options. Use of the Generating Options for Active Risk Control (GO-ARC) Technique can lead to more robust risk control options.
On the other hand, the DSDM framework is complicated to become a general framework for solving task problems. At DSDM, the primary effort is to provide software that is good enough to meet the needs of the business and that it can progress to the next iteration. 50
Additionally, the SWOT matrix with four strategy areas, SO (maxi-maxi) and ST (maxi-mini) and WO (mini-maxi) and WT (mini-mini), was used to determine strategies and corrective actions. 31
RM strategies and measures were often difficult to compare and evaluate executive levels of HCOs. The best decision is the one that yields the greatest expected value. The interventions prioritized according to two criteria of their ability to reduce the root causes (interventional power) and perception of their implementation based on what is anticipated (reliability of intervention). 26 , 30
The best performance measures can be selected based on criteria such as safety, profitability, quality, efficiency, effectiveness, time, cost, available resources, performance, environmental conditions, and satisfaction. 41 , 42 , 45 , 46 , 59 In one study, AHP/ANP and BOCR (benefits, opportunities, costs, and risks) used to select the best RM strategies. 41
Finally, a plan also defined risk ownership, roles and responsibilities, and time frames to implement mitigation strategies. 45 Risk governance structure was a useful tool for risk assessment planning. In this method, the roles and responsibilities of each employee determined in the RM plans. 39 , 40 , 45 Moreover, using the pilot study method 43 , 59 and simulation, 41 , 49 suggested before the implementation in a wide range.
These steps are typically performed as iterative cycles that controlled and triggered by two continuously running activities: risk review and monitoring, communication, and consultation.
Communication and consultation with internal and external stakeholders needed to keep them informed of process outputs and let them provide inputs. 27
Risk-related information should be shared based on appropriate access levels in the exchange organization or between decision-makers and other stakeholders. These should address the issues related to risk itself, its causes, its consequences (if there is information about them), and the measures taken to deal with it.
Communication and consulting with project stakeholders can be a key factor in a favorable execution of risk management and in achieving better results. In practice, regular reporting is of important components of communication that helps senior managers identify the risks they are faced with. Summary reports prepared from risks, in fact reflect the status of the responding guidelines and the trend index of risk occurrence. 59
Work sessions, 29 , 59 intranet-based calendars, 59 reports and gatherings, 59 wiki page, 45 and PMBOOK software, 46 are suggested as tools for information exchange in executive levels of HCOs.
Effective risk management requires a reporting and reviewing structure in order to ensure that risks are effectively identified and evaluated and responses and controls are in a timely manner. In this phase, policies and following of standards should be regularly verified and the performance of standards should be reviewed to identify improvement opportunities. 27
Various methods such as risk compliance readiness template, 45 risk project update template, 45 data management system, 60 variance analysis, 46 risk reassessment, 46 Wiki page as collaborative workspace, 45 control chart, 43 trend analysis, 46 risk auditing, 39 , 46 visual process control, 43 and communication plan 43 recognized to monitor and evaluate the effective and efficient RM cycle in executive levels of HCOs.
By conducting continuous monitoring and reviewing of risk, it is ensured that new risks are being identified and managed, and executive programs are effectively implemented and developed. 46
Given different and dynamic nature of organizations, various frameworks and techniques are used in managing and accessing organization risks. Therefore, recognizing organization RM framework is an important step in RM in executive levels of HCOs. In this study, based on a review of studies, frameworks and tools that can be used to implement organizational risk management in the executive level of HCOs are proposed.
According to the first question of this study, healthcare organizations may be faced with risks that may prevent the mission and achievement of the organization’s objectives, so at the first step of risk management, risk resources should be identified with optimal tools. 17 In the present study, using an innovative approach, a framework for identifying and classifying risks in the executive levels of HCOs was proposed. The proposed framework included three steps of input, process, and output.
Input phases considered a spectrum of inputs to help increase understanding of the system, and awareness of potential organization risks that can occur in complex and changeable healthcare systems. 36 Input phases consist of (Risk Sources, 8 , 36 Nature of Hazards, 36 and Time). 36 At the process stage, the tools that can be used as intra- or inter-organization and retrospective-prospective in the executive levels of healthcare organizations are determined. 55 Finally, in the presence of the risk stage (output stage), the identified risks were clearly registered in executive levels of HCOs. 8
Using this framework is a helpful guide for managers to identify potential error in the executive levels of HCOs. Based on the results of the study by Pott et al 57 and Similker et al, 17 different approaches should be used to identify risks in organizations, and data from different resources should be integrated to gain a general view into the risks of a system.
We have no standard answer as to which one of the risk identification tools is a more optimal tool. Each tool is used to identify a range of risks, so the best approach to identify all risks is to integrate retrospective and prospective analysis to understand a broader scope of the risks.
Based on the results of the studies, organizational risks, 8 , 26 , 31 , 45 , 59 technological supports, 8 , 31 , 34 , 40 , 45 , 60 and information and communication, 8 , 31 , 34 , 40 , 55 , 59 were identified as the most important resources of risk in most studies, so treatment of these risks is of high importance in the executive levels of HCOs.
In today’s world, when being faced with healthcare organization risks, managers have realized the need to develop a risk management framework at the organization level. According to the second and third questions of this study provides a state of the art based on the review of studies and it tried to propose a framework for risk management and techniques applicable to each of the stages of risk management and risk assessment in executive levels of HCOs. The term “framework” has a broader scope than the term “technique.” The risk management framework includes guidelines for analyzing, assessing, and managing risks in healthcare organizations. In contrast, management, and risk assessment techniques considered as analytical tools for analyzing data and risk information.
In general, the risk management framework has required stability, but there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on specific conditions and position of the organization. Therefore, Table 5 presents limitations, strengths and weaknesses and factors influencing the selection of each of the models for risk management and risk assessment in executive levels of HCOs. Therefore, the content of this table can help risk analysts, healthcare managers and other stakeholders to make rational decisions about identifying risk management and risk assessment models in executive levels of HCOs.
According to the results of the studies, there was a wide range of well-known and successful tools for single and combined risk assessment and a hierarchy of risk analysis models suggested for executive levels of HCOs.
Hierarchy of risk analysis and risk assessment models divided:
High-level tools: At this level, risk assessment tools cover a wide range of risk scenarios and provide various information for the organization based on risk scenarios. However, such tools should not be used when the details need to be emphasized in risk assessment. Some risk assessment tools employed at this level are All the combined models presented in Table 5 for analysis and risk assessment, 30 , 35 , 38 , 40 , 42 , 43 , 45 , 50 , 52 Six Sigma, 43 , 45 IRMAS, 59 CREA (Clinical Risk and Error Analysis). 35
Mid-level tools: Implementing risk assessment tools at this level makes it possible to provide the modest information and details for the organization considering risk scenarios. Some risk assessment tools employed at this level are Health failure mode and effect analysis (HFMEA), 25 , 42 , 50 HFMEA/FMEA/FMECA, 8 , 25 , 26 , 28 , 30 , 37 , 38 , 49 root cause analysis (RCA), 38 , 43 , 50 bow-tie model, 48 , 51 hazard and operability analysis (HAZOP). 35
Low-level tools: At this level, risk assessment tools evaluate the limited range of risk scenarios, but with more details for the organization. Some risk assessment tools employed at this level are: Preliminary risk analysis method (PRA), 34 fault tree analysis (FTA), 54 change risk assessment model (CRAMS), 46 change analysis (CHA), 46 human reliability assessment (HRA), 8 Pareto analysis (PA), 26 , 30 relative ranking/risk indexing (RI), 32 , 60 5 whys technique, 8 , 36 hazard checklists (HCl), 35 change analysis (CA), 28 strategic risk analysis (SRA). 31
Optimal implementation of the risk management process is nothing but the adoption of the most appropriate techniques and tools available in each phase. However, there is no strong and complete risk assessment and risk management techniques that can be applied completely for risk management in organizations, and managers of healthcare organizations must make the decisions necessary to determine the optimal tool for risk management and assessment at each time and based on scope of risk analysis, legal requirements, results/information needed data, resources and time available, complexity and size of risk analysis and type of activity or system and concerning issues. As a general rule, the best risk management tool is to overcome the participants’ mental judgment.
Most of the models extracted from the results of the study were somewhat similar and presented the same components. The three main factors that were found in all risk management models included measurement, management, and monitoring. Therefore, based on the results of the studies and the nature of healthcare organizations, the risk management process had one primary phase and four main phases. In the primary phase, the objectives and prerequisites for risk management are set out for execution. The main phases are as follows: Risk assessment (identifying potential risks, determining the likelihood and consequence of the identified risk and determining the level of the risk), risk treatment (how to reduce the impact of unacceptable risks and selecting appropriate responses to them), monitoring and reviewing (effectiveness of measures) and the latest activity of the process of communication and consultation with the stakeholders on the trend have been carried out.
The proposed framework of this study is very similar to the iso13000 framework, with the difference that more details are provided in the framework of the present study. The ISO13000 approach describes the organization’s risk management in a comprehensive, strategic, and holistic way. 45
Also, the model developed in the present study has several specific features compared with the previous models: 1) In the present research it was tried that the research literature be integrated in the field of risk management and provide a framework that is more comprehensive; 2) According to the search strategy, all risk management frameworks of healthcare organizations and organizations adaptable with healthcare organizations were examined and there was no particular dependence on the specific industry and from this perspective, they have more advantages compared to some frameworks that were established regarding a specific industry; 3) The proposed framework is provided based on the internal and external flows dominant on healthcare organization. Managers of healthcare organizations today need a structured and coherent approach to identify, analyze, and manage risk across a range of intra- and inter-organizational activities; 4) With the establishment of the proposed model in the organization, the basic assumptions dominant on healthcare organizations are examined in specific time periods and, if necessary, continuous improvement in healthcare organizations is done in a dynamic cycle.
Regarding the status of healthcare organizations in establishing each of the main phases of the proposed risk management framework, studies have identified and evaluated the risk, and the treatment phase and risk monitoring were neglected in most studies. However, risk management should be done throughout the life of the organization. New risks need to be identified and managed at every stage of the organization’s life. Also, based on Table 5 , most studies were not done at the phase of risk assessment, process mapping, and cause identification. While many system mapping approaches have been widely used in various industries, healthcare organizations have only used a limited number of them to process mapping. 62 Each process mapping tool has a specific application, and managers and professionals should use the most useful of them to identify sources of risk in healthcare organizations. The most important phase, guiding the risk management process, and determines the main policies in risk management is the phase of planning and setting objectives, which is done incompletely in most studies. Risk managers should pay great attention to risk planning; obviously, if this is not done in a fully transparent manner, the execution of risk management will be subject to some uncertainty. 43 , 46
Based on the results of Table 5, in most studies (89.6% of studies), risk management attitude was prospective and in few studies, each of prospective and retrospective risk management approaches was emphasized. Whereas, based on the results of the Kessele-Habraken et al study, the integration of prospective and retrospective analysis is important in improving the safety and optimization of organizational processes. 58
As we proposed, information about incidents and their retrospectively reported frequencies could be used as a reference point in the prospective analyses, which might facilitate frontline staff in the risk assessment. Conversely, prospectively developed failure scenarios could be used as guideline for retrospective.
In this study, a framework for the execution of risk management in the executive levels of HCOs was proposed. Like any other management framework, successful implementation of the organization RM framework in executive levels of HCOs necessitate organizational commitment, establishing a stimulating culture, accurate planning, stakeholder engagement, strong and effective management, and use of available resources to implement the stages. Based on the results, it can be suggested that studies of risk management are increasing over time; however, there are still new cases that need further investigation and researches, some of which are mentioned below.
One limitation of this study was that the number of findings in the systemic review was dependent on the selection of keywords and input/output criteria. Therefore, more models can be extracted for organizational risk management. Also, non-English studies were not included and there may, therefore, be a bias towards inclusion of studies performed in English-speaking countries. In addition, articles were exclusively selected from journals, hence, other parts of literature, such as books, book sections, and gray literature were excluded from the process as journal articles are readily available in journal databases and are usually used as a mean of scientific communication.
Despite these limitations, this study has several strengths. First, all models of risk management and evaluation in healthcare organizations and organizations that could be modeled for the executive levels of the HCOs were examined in this study. Second, this paper contributes to the field of risk management research in healthcare. Third, the tools and techniques for risk assessment and management that are applicable to staff areas of healthcare organizations are mentioned.
Based on the findings and considering the ISO31000 model, a comprehensive yet simple framework for risk management is developed for the executive levels of HCOs. It includes five main phases: establishing the context, risk assessment (risk identification, risk analysis, and risk evaluation), risk treatment (strategy determination, designing corrective actions, planning, and implementation), Monitoring, and review, and communication and consultation.
Tools and techniques were also suggested for use at each phase of the proposed risk management framework. These techniques have been selected to best apply to non-clinical risks in healthcare organizations. Managers of healthcare organizations who seek to ensure high quality should use a range of risk management methods and tools in their organizations, based on their need, and not assume that each tool are comprehensive.
We would like to thank all the staff members who assisted with our research.
The authors report no conflicts of interest in this work.
Please note you do not have access to teaching notes, leadership, governance and the mitigation of risk: a case study.
Managerial Auditing Journal
ISSN : 0268-6902
Article publication date: 2 February 2015
The purpose of this study is to examine how managers in financial institutions satisfy themselves of the effectiveness of risk mitigation strategy and management control. It studies the co-opting of accounting tools within a single financial institution case study, examining the recursive and emergent characteristics of risk management practice.
Adopting a field study approach within the strategy-as-practice perspective, the paper provides insights into the role of actor perceptions of risk and accounting as a calculative practice in the adaptive enactment of risk strategy.
Results highlight the interactions between risk management strategy, management controls and actor interests at Lehman Brothers. The actions and reactions of risk management decision-makers such as Executive Committee and Board members are examined to better understand the role of accounting and leadership.
Results of this study may not be generalised beyond this single case study.
The paper emphasises that concern for the social relations and the performative interests of actors in a risk management network needs to be understood and considered in accounting research. It is argued that the market prices of tradable financial asset will continue to be opaque without these insights.
This study explores an under-researched topic in the accounting literature in examining how management controls are affected by and, in turn, affect risk strategising.
Rooney, J. and Cuganesan, S. (2015), "Leadership, governance and the mitigation of risk: a case study", Managerial Auditing Journal , Vol. 30 No. 2, pp. 132-159. https://doi.org/10.1108/MAJ-08-2014-1078
Emerald Group Publishing Limited
Copyright © 2015, Emerald Group Publishing Limited
We’re listening — tell us what you think, something didn’t work….
Report bugs here
Please share your general feedback
Platform update page.
Visit emeraldpublishing.com/platformupdate to discover the latest news and updates
Answers to the most commonly asked questions here
Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.
We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.
Brief introduction to this section that descibes Open Access especially from an IntechOpen perspective
Want to get in touch? Contact our London head office or media team here
Our team is growing all the time, so we’re always on the lookout for smart people who want to help us reshape the world of scientific publishing.
Home > Books > Risk Management - Current Issues and Challenges
Submitted: 18 April 2012 Published: 12 September 2012
DOI: 10.5772/50669
Cite this chapter
There are two ways to cite this chapter:
From the Edited Volume
Edited by Nerija Banaitiene
To purchase hard copies of this book, please contact the representative in India: CBS Publishers & Distributors Pvt. Ltd. www.cbspd.com | [email protected]
Chapter metrics overview
7,950 Chapter Downloads
Impact of this chapter
Total Chapter Downloads on intechopen.com
Total Chapter Views on intechopen.com
Overall attention for this chapters
Gurudeo anand tularam, gowri sameera attili.
*Address all correspondence to:
Life is full of risks for example risk is involved in simple things like turning on the gas at home or when dealing with life threatening medical emergency decisions. Risk plays an important role in the way we manage our economy, organization or our family. Risk can be rather complex when household money is involved; such as for individuals or families – for example, mums and dads stand to either gain or lose large sums of money. The types of risks involved influence decisions on how to manage or invest money in shares, bonds or property. When faced with risks, the challenge is how well prepared are we to overcome risks. Risk awareness may be limited in which case there is a high likelihood of risk turning into hazard -leading to disastrous outcomes. Successful businesses make constant efforts to change or update their in house administrative polices and frameworks to allow for possible risks in their business requirements. Some decisions that are likely to have been factored into the component of risk are: rigid corporate governance requirement, human resource planning, succession planning, training and development, merger and acquisitions, adapting to different cultures, foregoing or discontinuing some existing products, outsourcing, new market development etc. No matter how important a decision is made, strategic alignment is critical in business decision making. New ideas should be implemented according to the business needs a company. The introducing of novel ideas should involve all personnel particularly during the decision making processes of development and setting of targets. A well-managed business is also well prepared one and thus able to confront challenges of the modern dynamic business environments.
Yet managing risk is rather challenging for the world is mostly unpredictable. The processes are continuously changing and evolving in terms of resources that are available - technology, innovation, human resources and time to name a few. In order to adequately address an impending risk, it is important to gather as much factual information as possible for analysis to help manage and thus minimize risk.
Risk can be classified into both voluntary and involuntary [ 1 ]. This classification depends on how an individual or an organization judges the situation. For example, a person with a habit of smoking or drinking fails to associate the habits as involving risks; yet often the habit becomes hazardous and they can significantly affect a person’s quality life. Involuntary risk places a person or the organization in a state of ambiguity, where the people involved in the decision making process have not been exposed to a particular circumstance or they lack knowledge and awareness of the particular risk situation. The ability to deal with such risks is a crucial factor in determining successful outcomes irrespective of the stature of an individual or an organization.
For some individuals, the ability to deal with risk appears to be built in their character but for the rest of us it seems, it is knowledge that can be acquired through training. In order to gain the skill set required so that one to deal with risk, it is important to step out of one’s comfort zone and be willing to change, learn, develop new skills, or be challenged to manage risk. Risk management is a methodical approach that could be taught and learnt by most. The general process and steps involved is presented in Figure 1 .
The process of risk management
This paper is organized in the following manner: In the next few sections risk is defined and risk management explored focusing on types of risks associated with real estate market. The Australian real estate market is then reviewed and possible risks involved are explored in some depth particularly in terms the global financial crisis. The paper compares the market with the rest of the world and summaries investor risks and rewards in Australian real estate market.
In the international context, the ISO 31000/ISO Guide 73: 2009 [ 2 ] defines risk as the “effect of uncertainty on objectives” (p. 1). When there is a lack of knowledge or exposure to a certain event then such a situation can be termed uncertain. Taking decision on an uncertain event or situation may or may not be successful, which is what risk is about. Many definitions of risk exist in common usage [ 3 - 4 ]; however the ISO definition of risk was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.
Risk is defined in Australia by the Australia/New Zealand standard for risk management [ 2 ] as “the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence…” (p. 2). Risk can also be defined as the uncertainty of future events that might influence the achievement of one or more objectives such as an organization’s strategic, operational and financial objectives [ 3 ]. Risk management may produce positive opportunities for developers although the negative aspects of risk are usually the once that are emphasized [ 4 ].
Likelihood of risk occurring varies from industry to industry and how complex a job maybe. Some areas where there is a high chance of risk are construction, transport, mining, health care, sports, finance and banking, insurance and superannuation.
Risk can be broadly understood and explained in three different scenarios [ 5 ]: risk versus probability; risk versus threat; and all outcomes versus negative outcomes. It is believed that any risk can be managed through the engagement of a proper risk management process.
There seems to be an increasing demand of organizations to meet and exceed the financial expectations of shareholders. In the pursuit of growth, many organizations (for example: Toyota) have adapted and responded to expectations of the shareholders by becoming lean and efficient. It is always easy to think that risks and their potential consequences could have been predicted and managed. This is clearly not true when it comes to success in a business. Business success usually requires some acceptance of risk and, as such any risky strategy undertaken may lead to a failure.
In large organizations and corporations there are designated personnel; namely, risk managers. Hillson [ 6 ] argued that risk is mostly managed “continuously, both consciously an unconsciously, though rarely systematically” (p. 240). Risk manager’s main role is to be aware of the market, collect data and predict forthcoming threats so that a company can manage the risks in a successful manner. Risk manager duties include developing and communicating risk polices and process, building risk models involving market, conducting credit and operational risk analysis, coordinating with concerned stakeholders involved in the process and creating a risk awareness culture in the organization.
Risk management not only prevents organizations from entering a dangerous and uncertain territory, which could lead to a catastrophic failures, but also ensure the development and growth of the business. The depth and clarity with which a risk is defined is critical for risk management. In an event where an organization has a low risk situation at hand and decides to postpone rather than resolve the issue involved for financial or other reasons, the risk may eventually become a threat of moderate to high level and this could prove to be disastrous for management. Ignoring the risks that apply to the business activities or the events that have been planned could impact on the following:
customer and public confidence in the organization;
credibility, reputation and status;
equipment and the environment;
financial position of the concerned; and
health and safety of employees, customers, volunteers and participants.
A systematic approach to managing risk is now regarded as best management practice. The approach taken almost always benefits the organization irrespective of type of risk involved. Once the risk is identified it is documented in detail; subsequently the concerned stakeholders undertake possible risk management and mitigation processes. A comprehensive review of the situation and critical feedback are usually required that may ultimately lead to changes in the organizational polices and structures; particularly in case of a major events.
Organizations that thrive to be successful constantly monitor themselves and willfully undertake only calculated risks. In doing so, they enjoy a competitive advantage in addition to meeting their business objectives. In era of globalization, companies are often expanding their business opportunities and in the process, they may undertake challenging and ambitious projects. In most cases, they need to take a number of risks. In this regard, businesses such as Microsoft, Google, and Wal-Mart appear to have been successful global players mainly because they were able to manage risk in a timely manner.
Risk management decisions should be a part of business objectives. Every new project, policy or invention should include all the possible anticipated risks that one may possibly confront. Decision making process needs to consider threats identified, its impact and reaction on the business. By making a careful analysis, companies will have fewer surprises and thus may in the end spend less time recovering from the losses that may be inevitable at times. When companies do not have “a keen eye on the kind of risk”, risk retention can become a legitimate way of managing the risk. Figure 2 shows the six steps involved in the risk management process: establish the context, identify the risk, analyze the risk, evaluate the risk, and manage and review the risk.
The steps in risk management
To establish context and define goals is an important step. Once the context is established it is critical that the risk is defined and the objectives are set. Also important is to know the limitations of the risk strategies proposed. An effective risk management team understands the needs of the organization and the way it operates. Once the goal is defined there is a need to identify the scope of the context. In general, these factors can be classified into strategic and operational risks. Strategic risk management includes economic, social, environmental, political, legal and public issues; while operational risk management includes technological, human resource, financial, reputation and other relevant strategic issues. Clearly, management may not be able to totally control the many factors but the risks posed by them could indeed be minimized.
The process of risk management has to be simple, precise and effective. For it to be effective, organizations should consider strength, weakness, opportunities and threats (SWOT) type analysis of the situation. By conducting SWOT analysis, the management can identify and analyze different situations [ 7 ]. Once threats are identified, appropriate measures and decisions may then be taken to convert the threat into an opportunity. The organizational context provides an understanding of the organization, its capability and goals, objectives and strategies. In establishing the context the identification of stakeholders is critical; these are individuals who may affect, or be affected by decisions made by the risk management team. For example, stakeholders may be employees, volunteers, visitors, insurance organizations, government agencies or suppliers etc. Each stakeholder will have different needs, concerns and opinions; therefore it is important to communicate with the stakeholders involved in the process of addressing risks.
Identification of risk involves a systematic process of examining situations and finding solutions. The process includes stages such as group discussions and brainstorming sessions to generate a variety of ideas. While all the ideas or issues generated may or may not be relevant, it is important to document all problems, possible impacts and solutions identified. There are four primary areas in which risk can occur in a general business environment:
financial: this could mean loss of funding, insurance costs, fraud, theft, fees etc.;
physical: this involves physical assets of the organization, personal injuries and environmental;
ethical or moral: involves a perpetuated, actual or potential harm to the reputation or beliefs of an individual or organization; and
legal: this includes responsibilities and adherence to the law, rules and regulations of governing bodies such as the federal, state or local governments.
Risks can be identified by examining records of previous activities or events. Other ways in which risks could be identified are results from past experiences (personal, local or overseas) [ 8 ], through conduction interviews of stakeholders (example: Susilawati and Armitage [ 8 ]) or by analyzing specific real life or generated scenarios.
This step determines and addresses the impact of threats that have been documented. Threats identified are rated according to the likelihood of occurrence. The potential of an identified risk can be estimated by the effect it has on financial and other resources. When analyzing a risk, one decides on the relationship between the likelihood of a risk occurring and the consequences of the risk identified. The level of risk is then defined and management of it is then explored. Managing risk can be done in several ways such as contingency planning, using existing assets or making an investment in new resources. The levels of the risks can be classified into
extreme: an extreme risk requires immediate action as the potential could be devastating to the enterprise;
high: a high level of risk requires action, as it has the potential to be damaging to the enterprise;
moderate: allocate specific responsibility to a moderate risk and implement monitoring or response procedures; and
low: can manage a low level of risk with routine procedures.
The tools most commonly employed to measure risks include qualitative techniques [ 10 ]. Melton [ 11 ] described the tools as probability and impact analysis tools and Webb [ 4 ] called these likelihood and consequences tools. A risk matrix presentation tool (qualitative technique) can provide better insights to the nature of a risk. Risk matrix is often used as a tool to display different risks once they have been analyzed. It allows an organization to mark a threshold above which risks will not be tolerated; or will receive additional treatment from the board or delegated staff. In Figure 3 the threshold is set at risks score of 5 or above. It is then important to ask the following questions in relation to each of the identified risks:
What is the likelihood of the risk occurring?
Are there any controls currently in place to manage the risk - if yes then, are there any remaining risks?
What are the consequences if the risk should occur? and
What is the level of the risk?
Risk matrix Source: adapted from Austrac
In this step the tolerance of the risk is determined; that is, whether the identified risk is acceptable or unacceptable. The evaluation takes into account the following:
importance of risk management and possible outcomes of a risky activity;
potential and actual losses that may arise from the risk;
benefits and opportunities presented by the risk; and
degree of control one has over the risk.
An acceptable risk is a type of risk that that a business can tolerate; a loss for example- the risk does not have major impact on business. An acceptable risk has to be constantly monitored, reviewed and documented so that it remains tolerable. A risk is deemed to be an acceptable risk because of following reasons:
risk level is low and the benefits presented by the risk outweigh the cost of managing it;
risk level is so low that it does not warrant spending time and money to manage it; and
risk presents opportunities that are much greater than the threats posed by it.
A unacceptable risk is when a business is bound to experience significant losses and such losses cannot be tolerated. In such an event it is important to address and treat the risk in an appropriate manner.
Risks may be dealt with in several ways; it can be avoided, reduced, shared or retained. Risk is avoided when appropriate decisions are taken to eliminate all possible pitfalls thereby preventing the situation from occurrence. In most decision making processes, calculations are made and ideas are contemplated to strike a balance between the cost and effect. In such situations calculated risks are accepted and a high risk situation may be reduced by:
identifying options to treat the risk;
selecting the best treatment option;
preparing a risk treatment plan; and
implementing a risk treatment plan.
In other cases, risk is shared between the stake holders in terms of how profits and losses are shared. This is done mainly to share the impact of a risky event when it occurs. For example, in the era of globalization it is challenging for the companies to enter new markets and countries. In order to minimize uncertainty and exploit business situations that may exist, companies often decide to share risk; careful consideration and research undertaken by the companies often suggest risk sharing. Risk sharing develops opportunities while engaging all partners in achieving strategic goals and the gains and loss are then shared accordingly. The nature of strategies to mitigate risk often depends on the experience of the risk manager who may consider one or more of the following [ 3 ]:
avoid the risk by deciding not to proceed with the activity or choosing another way to achieve the same outcome;
control the risk by reducing the likelihood of the risk occurring, the consequences of the risk or both;
transfer the risk by shifting all or part of the responsibility of the risk to another party who is best able to control it; and
retain the risk after accepting that the risk cannot be avoided, controlled or transferred.
It seems the simplest of all methods of addressing a risk is by retaining an identified risk that may not potentially impact upon the operations of a business. It is important to continuously monitor such risks for in the absence of careful monitoring, the risks may become threats in due time.
A dedication towards risk management often projects a wiser professional image to the community. In doing so, the stake holders recognize the fact that the concerned organization has a keen interest in safeguarding its assets as well as that of its employees, visitors and volunteers among others. In the process of identifying, analyzing and evaluating risks an organization improves its management team’s ability to make educated decisions.
Every organization irrespective of size clearly strives to reduce the risks involved. In order to reduce risk organizations have to align their policies and structures in a consistent manner and constantly monitor business activities. Also, there is a need to allocate resources (financial, human resource, technology etc.) efficiently to improve performance and to win the approval of all stake holders. It is also important to ensure personnel working at different levels in the organization report to the appropriate authorities when a risk is identified. Such a culture enables an organization to document and then undertake suitable and timely measures to avert risks. In the risk management process, data capture and reporting can provide valuable insights into the risk management process. A sample risk management planning template is shown in Table 1 . As discussed, risk management team play a vital role in identifying and addressing risks.
Risk management planning template
It is necessary to constantly monitor and evaluate the strategies that are employed to manage risks. This is because risks do not remain the same - new risks are created, existing risks are increased or decreased, some risks may no longer exist and previous or existing risk management strategies may no longer be effective. In the end risks can originate from accidents, legal liabilities, natural causes and disasters, uncertainty in financial markets, credit risk, project failures (at any phase in design, development, production, or sustainment life-cycles), or events of unpredictable root-cause. Several risk management standards exist including those from the Project Management Institute, National Institute of Science and Technology, Actuarial Societies, and ISO standards. The risk management definitions, methods and goals vary widely according to the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, public health and safety and real estate.
An important aim of the paper is to study and review the real estate market in Australia to identify risk and rewards as well as compare the Australian market conditions and performance with the rest of the world. Therefore, the focus of the next section is on risks in the real estate market.
Types of risk in real estate market
As is the case with every other industry, there are several risks in the real estate market. For example, there exists a risk factor in land procurement; housing development; asset management; property management; tenancy management to name a few [ 13 ]. The risks may be classified as internal or external risks ( Figure 4 ). In turn, the internal and external risks can be divided into various other risk categories shown in Figure 5 and Figure 6 [ 14 ]. Builders, project managers, owners and investors who plan to make an investment or hold an investment in the property market may need to consider one or more of the following risks and then implement appropriate strategies for their projects to be successful.
Internal risk can be divided into financial management, human resources, property management, legislative compliance, corporate governance and housing management as shown in Figure 5 .
Financial management: A detailed analysis of any proposed or existing projects need to be conducted for project viability. It is also important to plan the cash flow and management of the same. A poor cost control may lead to a budget over shoot and the project may run into un-chartered territories. When it comes to servicing the debt due care needs to be given to income streams - to take into account either reduction or loss of future income streams. In this regard, banking organisations need to be diligent in testing the capacity to repay the loans that are being offered. Fraud often occurs in real estate market mainly involving the use of false documents regarding number of properties, outgoing fees or rates, income streams and so on.
Internal risk Source: adapted from Sheryl and Adam [ 14 ]
Insurance also plays a vital role in financial management of a project or investment. Adequate insurance is needed to cover the various risks that may be involved such as the type of property, its location, exposure to natural calamities etc. to name a few. Insurance also need to be updated with the changes in conditions.
Property management of a construction project: During the construction of a new project the builders needs to plan their inventory and keep control of their stocks irrespective of the size of the project. Stock control starts from buying goods to using and maintaining them, and also reusing or reordering as required. Quality of the stock also plays a vital role in real estate business. To maintained quality several techniques are adapted. Just in time technique (where items are ordered when necessary and used immediately), minimum stock level technique and stock review technique.
Contractors play an important role in success of a construction project. They are responsible for recruitment and supervision of employees working on the project. Contractors are also responsible for material management coordinating with suppliers thus acquiring necessary goods in time for the construction phases. Poor response from the contractors or failure to perform their duties will delay the project and overshoot budgets.
Legislation compliance: Often a property holder has to disclose his personal and financial information to third party. Protecting information plays a key issue in this business. Once all the parties are ready to proceed it is necessary to have a privacy act is in place so that all information is secure. The corporation act provides the guidelines for conflicts or issues arising in construction or maintenance of a property. There are several agencies that provide comprehensive legal services to better understand the litigations involved. Anti-discrimination law and disability service act also play an important role in real-estate. Property owners are liable for any discriminatory acts.
Occupational health and safety (OH&S) also arises in real-estate and a number of OH&S compliance officers are usually assigned to monitor the safety and health; for example, conditions provided to the workers at construction sites. OH&S officer duties include inspecting construction sites and providing support to internal clients. It is important to report any hazard or incident and all incidents should be attended to and documented for future reference.
Corporate governance: Corporate governance plays an important role in risk management in the real estate industry. It is important to properly align the ideas, interests and decisions of managers to the interests of both internal and external shareholders. For example, failure to recruit appropriate personnel may lead to conflicts of interest. If the conflicts are not managed effectively they may have a substantial impact on the company bottom line. It is required and expected of the managements or boards of construction companies always carefully analyze performance in terms of the market so that they are able to keep track of their company’s performance and progress in a dynamic environment. It is also expected that the managements re-inspect and update their policies and procedures to meet the market trends and demands of all concerned stakeholders.
Housing management: A holistic management of the investment made in real estate can be defined as housing management. Housing management includes keeping track of maintenance and financial arrangements. As a common and popular practice the management of an investment property is outsourced to property management companies who appoint property managers to manage and oversee duties as required. Property managers on a daily basis are responsible for taking maintenance requests, collecting rent, dues or other fees and are responsible for the overall upkeep of the property. They also perform routine property inspections and organize inspections for the owners. Poor performance of the property managers leads to more grievances for the tenants as well as the owners.
External risk depends on a number of factors such as economic risk, funding, regulation, environment, reputation, competition, partnerships and natural disasters ( Figure 2 .6). Each of the factors noted are discussed briefly in turn.
Eternal risks Source: adapted from Sheryl V and Adam W, 2008
Funding: The availability of funding depends on a number of aspects such as the economic situation in general, market performance, and credit based upon any future cash flow. Some factors that influence economic performance are: change in political regime, rise in the price of raw materials, emergence of a new competitor and disruptions in production process. Market performance usually depends on changes in interest rates, changes in laws, and political and financial market factors. The risk of loss of principal or loss of a financial reward stemming from a borrower's failure to repay a loan or otherwise meet a contractual obligation falls under the funding risk. It is important to take into consideration as many of the previously mentioned factors while undertaking an investment decision, even when one already has an investment portfolio. Investors often anticipate future cash flow situations while borrowing money to pay a current debt. The failure of the anticipated cash flow leads to credit risk. However credit risk can be considered less likely since most often the investors are compensated by way of interest payments made by the borrower in end.
Regulatory environment: Investors in real estate projects should be aware of the local, state and federal laws and regulations. These laws depend on economic, credit and market risk as explained above. Failure to comply with the rules and regulation often leads to delays or in the worst case - complete scrapping of the project; all of which may lead to a complete or partial loss of capital invested.
Reputation: The reputation of a project developer often attracts investor attention and also provides favorable environment for investments. Joint ventures and partnerships are possible if the reputations are well known and have been built over time - providing partners the opportunities to win potentially new clients and investors, as well greater opportunities for new investments. An investor has to study the “people” perception of the organization and the credit history and rating of the project developer. An investment made into a company with poor credit history may end up losses of the principle amount invested. It could also be wise for an investor to know the value of the tangible and intangible assets and the market value of the organization into which an investment is being planned.
Competition: Property market plays an important role in the economy. There are several players in the market who usually try to attract investors. While a healthy competition is good for growth in the industry, it is important for the investors to research exactly what they are being offered because the agents often utilize high pressure selling strategies to gain client’s cash. It is possible that in the process the investors may receive inappropriate financial advice. For example, consumers may not be aware of non-disclosed information pertaining to advice they receive.
Partnership: Partnership plays an important role in investing, as it reduces the impact of potential risk on the individual or company investment. For an investor to be successful in a real-estate partnership it is important to know the partner well and therefore trust plays a vital role. The role of each partner does need to be well defined and documented. Having a clear legal document will protect the interest of all partners. It also important to plan and document an exit strategy for all involved, because personal situations may change over time. Clearly, before a partnership agreement is made it is necessary to conduct a detail research to become self-confident about the deal.
Natural disasters: In the real real-estate market, location plays an important factor in the investment decision. A property purchased at an appropriate location is expected to provide a good return on the investment. One of the main factors affecting location is the potential exposure to natural calamities such as bushfires, floods, sea level raise and erosion to name a few. If the location has a history or is likely to be exposed to a natural disaster it can be expected that the property prices will eventually be exposed to the risk. Therefore, it is wise to not be enticed into such toxic locations. Other factors that need to be accounted for are the costs of maintenance of properties and the nature and level of insurance required for risky locations, if chosen.
The nature of risk definition and management process is such that it should be integrated into “the philosophies, practices and business plans” of any individual investor or large organization’s culture (Hillson [ 5 ], p.240). It is certain that there are many risks involved in real-estate market as mentioned. While real-estate provides variety of investment options every investor has to find their comfort level upon taking risks involved. It is not easy to decide if a selected property for investment is appropriate, but the decision should be made based on the consideration of all the factors discussed earlier. In the end however, the willingness to take risks largely depends upon individual preferences and circumstances.
The elements that usually determine the scale of risk or reward are the amount of money that is invested, length of time investment, rate of return or property appreciation, depreciation, fees, taxes, inflation etc. While it is natural for the individual and organizations to invest and expect returns it is important the investors make the informed choice to reduce the odds of losing the principle invested. The potential risks and rewards in investing in the Australian real estate market are investigated next.
The speculation about Australian housing market has been intense since 2003. First it was the international monitory fund (IMF) which warned of the housing bubble in Australia “would bust” [ 15 ]. In mid-2008, IMF stated that the Australian property market was overvalued by about 25% [ 16 ]. In more recent times (April 2010), “The Economist” house price indicators estimated Australian house prices were the most overpriced in the world (56.1% overpriced - against long-run average of price to rents ratio) [ 17 ]. The US based analysts Jeremy Grantham (Boston-based hedge fund GMO analysts co-founder) and Heather Hagerty (Fidelity Investments), were also speculating whether or not the Australian residential market is experienced a housing bubble, after the US housing crisis. According to Edward Chancellor [ 18 ], a US-based investment strategist and financial author, Australia was "in the midst of an unsustainable housing bubble that could burst at any time" and the "house prices are more than 50% above their fair value - a once in 40-year event." (p.1). In 2011 Morgan Stanley’s global strategist Gerard Minack said that "we've had 20 years where the Australian consumers have been willing to borrow more to buy an asset that they believe always goes up in value. The classic sign of an asset bubble." and that "home prices are 30 to 40% above fair value [p.1, 19].
The house price-to-income ratio has been the main focus in Australia. The house price-to-income ratio is comparatively high when compared to other countries. Also, the price-to-income ratio in Australia since has been more than 40% higher than the long term average. In the next sections a discussion of the fundamentals that govern the house prices in Australian residential housing market is examined. Also, the potential risks and rewards to the investors are explored in terms of the risk analysis framework presented earlier.
Since the U.S. housing crisis, analysts have been speculating about the potential housing bubble in the Australian residential property market. A report by Real Estate Institute of Australia (REIA) argued that analysts primarily focused their attention on the higher house price-to-income ratio in Australia as compared to other countries (REIA 2010). Moreover, it is observed that the house price-to-income ratio levels are at levels that are similar to that in the US before the housing market there crashed in 2008. The raise in the price-to-income ratio in Australia since 2003 by over 40% higher than the long term average adds fuels the speculation. However, it is important to analyze the fundamentals that govern Australian residential market price growth against the rest of world.
In the US, the residential finance system played a significant role in the housing bubble of 2008. The regulation, residential finance institutional arrangements, and mortgage characteristics aided the excessive demand for housing finance. Housing finance was available and offered to borrowers with poor borrowing capacities. Consequently, excessive borrowing led to the housing bubble and the collapse of the financial system in the U.S in 2008. There are some fundamental differences in the lending practice in Australia when compared to the US [ 21 ].
In Australia the lending process is highly regulated by the institutional arrangement. The lending practices enforce the regulatory provisions on financial institutions forcing them to avoid excessive risk taking behavior. Table 2 outlines the characteristics of housing loans both in the U.S and in Australia. The table highlights the systemic susceptibility to riskier mortgages in the US and that availability of such funds to finance the mortgages were more common than in Australia.
Regulation is high on mortgage loans | No full recourse of mortgages |
No negative amortisation of loans | yes |
Securitization is low in housing finance | Securitization is high in housing finance |
Non-conforming loans | Subprime loans |
Full recourse of mortgages | No full recourse of mortgages |
Mortgage characteristics of Australia as compared to US
In the US, the non-conforming housing loans represent 13% compared to 1% in Australia [ 21 ]. Negative amortization loans are common in the US but no such loans existed in Australia at the time of the crisis. In Australia the mortgages are “full recourse” lenders and hence the incentive that is offered to households to take out loans they cannot repay is reduced. This is also deters financial institutions from offering risky loans. These primary differences stand out to support and contribute to a relatively strong performance of the housing loans in Australia when compared to the US. It is important to note that the share of non-performing loans in Australia were less than 1.5% even during the financial crisis.
Another fundamental difference is that there is no government sponsored enterprise (GSE) in Australia while they exist in the US. The GSE in the US holds a guarantee of the loans that are offered. This potentially provides an impression that bad loans offered to borrowers with poor repayment capacity would be covered by the Federal Government [ 23 ]. This is not so in Australia where commercial banks provide 90% of all housing loans. The commercial banks are mainly funded by the bank deposits, short term and long-term wholesale debt [ 24 ]. The absence of the so called Federal guarantee restricts Australian banks from any excessive risk taking behavior. In 2007, at the beginning of the financial crisis, GSE’s possessed 90% of these securities. The shadow banking system in which the financial institutions have a greater participation and the GSE’s can be said to have led the excessive risk taking behavior and practices in the US [ 21 ]. In addition, according to the RBA [ 21 ], the regulation level of financial institutions in Australia is about 80% while in the US only 50% of all the financial institutions are regulated [ 21 ].
Non-performing housing loans Source: Real estate Institute of Housing America
The Loan to Value Ratio (LVR) refers to the amount of money borrowed against the total value of the property in a home equity loan. For example, a $50,000 loan against a home worth $200,000 has a Loan to Value Ratio of 25%. In Australia, loans with an LVR exceeding 80% require mortgage insurance - the risk of the borrower defaulting is far too great for the lender. The value of the property is determined by the lender and is often significantly less than the purchase price, which often surprise first-time borrowers. Typically, the amount that lenders have been prepared to lend for housing has been restricted by one or both of the following:
scheduled repayments should not exceed some fixed share of the borrower’s income – the repayment-to-income, or serviceability, constraint; and
the loan should not exceed a certain proportion, most commonly 80% [ 21 ] of the property’s purchase price – the LVR constraint.
The analysis presented in the previous section shows that Australia is fundamentally different to the US when it comes to the residential housing market. But, how does Australia compare to the other countries in the world? New research conducted by Lloyds TSB [ 27 ] - International Global Housing Market Review, shows that Australia just made it into the top 10 list of countries with the highest house price increases over the past decade ( Table 3) . Four of the six top performing housing markets since 2001 were in the emerging economies of the world. India with a booming real estate market tops the list - house prices rise by 284% over the last decade; Russia coming second - house price increase of 209% over the same period. China faired only marginally when compared to other major economies - ranked 14th with a 47% growth rate since 2001.
8.7 | 284 | 14.4 | |
-24.3 | 209 | 12 | |
-1.1 | 161 | 10.1 | |
-1.3 | 143 | 9.3 | |
13.6 | 125 | 8.4 | |
-10 | 106 | 7.5 | |
4.3 | 82 | 6.2 | |
-2.1 | 79 | 6 | |
6.9 | 72 | 5.5 | |
0.4 | 69 | 5.4 |
Real house price changes – A global comparison.
According to the findings of the report Australian house prices increased by 76% and had the ninth fastest growing house prices during 2001-2011. During the same period house price declines were seen in the world’s largest economies such as Germany, Japan and the United States. Japan registered the largest house prices fall of 30%, while house prices in Germany and US were down 17% and 2% respectively during the same time. Other major findings of the research include:
housing markets have typically risen fastest in countries with the fastest growing economies. On average, the countries with the biggest rises in house prices since 2001 have seen GDP increase by more than 100%. Countries that had large rises in pre-crisis times lost the most after the GFC affected their economies; and
house prices within countries that form part of the Euro have climbed an average of 23 percent since 2001. France saw the largest increase with 82%, Belgium rose 69%, Spain 26% and Italy was up 31%. But Spain has seen a major decline in 2012.
The performance of the established house prices in Australian housing market provided by the Australian Bureau of Statistics (ABS) is presented in Figure 8 . The Australian housing over the past five years has seen some corrections. The period can be divided into pre-global financial crisis (GFC), during GFC and post GFC. Prior to GFC, there has been a considerable growth in the established housing prices. This growth pattern however changed course and reached the worst levels in August 2008 when the GFC was setting in. However, the prices of established homes climbed steeply during the peak of the GFC when markets around the world were playing havoc. This defiance could be mainly attributed to the management initiatives taken by the RBA [ 21 ] and government of Australia. The RBA drastically reduced the interest rates to a record low of 3.25% supported by the federal government incentives such as economic stimulus plan, which included substantial increase in first home grants among others.
This financial incentive was “too good to miss” for anyone considering their first home purchase. This led to flood of first home buyers entering the market that drove the prices up against all odds. Since the time the incentives have been wound back, and the market and investor sentiment took over. This led to a fall in the growth when compared to the preceding three years and has been mostly in the low sentiment in the past two years. Therefore, although Australian market prices are influenced by the global events, a collapse similar to that seen in markets elsewhere seems appears a distant possibility. This can be attributed to the underlying government incentives to manage the risks during the crisis. Other micro-economics aspects also helped manage the downturn.
Australian housing demand has been strong and can be also attributed to the following:
strong overseas migration from 2004 to 2007;
housing shortages due to a rapidly growing population;
Australian household sizes are shrinking;
lending standards stricter than most advanced economies including the US; and
interest rates at record lows.
Australian annual house price change in the last decade
House prices have been underpinned by a chronic housing shortage in Australia. This was brought about by an ever increasing population and constraints placed on housing supply over time. Figure 9 shows the increase in population growth from both natural growth and migration since 2006. From 2006 to September 2010 natural population growth has only seen a marginal increase, but during the same period the net overseas migration growth has been substantial.
Trend of natural population increase and net overseas migration
Figure 10 shows that there has been an increase in the total population by about 1.6 million people 2006–2010. During the same period, the Net Overseas Migration (NOM) accounted for 1.02 million people compared to only 600 000 increase in natural population. However, given that there has been a large influx of people into Australia, the question was whether there was enough housing infrastructure in place.
Net overseas migration and components of population change
Figure 11 shows the trend in the population and dwellings commenced from January 2007 to October 2010. As shown earlier, the population growth showed an upward trend over the entire period. The number of dwellings commenced shows a rather distressing trend. Figure 11 shows the commencement of new dwellings significantly fell short and did not keep pace with the rapid growth in population. For an addition of 1.25 million people during this period only about 235 000 new homes were built demonstrating a significant shortage in the housing market. Interestingly, this situation presents a case for more property investment as people search for a place to live.
Historically, Australia has been behind in the demand versus supply of residential dwellings, but more so in the last decade than any time earlier. Figure 12 shows the dwelling gap in the previous decade. Australia continues to run large annual deficits in housing supply - the underlying demand for dwellings and the completion of dwellings has not matched. In view of this it can be expected that in the longer term Australia’s housing market is underpinned by insufficient supply in addition to robust underlying demand.
Trend in the number of dwellings commenced and population
Estimated dwelling gap in the last decade
National housing supply council (NHSC) estimates a demand versus supply gap of approximately 640 000 houses in 2030; and an increase in the gap from 250 000 in 2012. Figure 13 shows the projections in the supply gap to 2030. The figure shows an increase over time till 2015, and indeed a higher rate of increase predicted from 2015 till 2030.
Supply and demand gap projections to 2030
To examine whether the situation is the same throughout Australia or mainly confined to a few states, data from all the states are explored in more depth. Figure 12 and Figure 14 both show that not all states have an acute shortage of housing such as South Australia (SA), Tasmania (Tas) and Australian Commonwealth Territory (ACT). Their data runs against the trend for the last decade but more so during 2009-2010. The larger states of New South Wales (NSW), Victoria (Vic), Queensland (Qld) and Western Australia (WA) all continue to have high deficits year after year and the deficit is increasing – however, Victoria being an exception in 2009-2010 where it managed to go against the trend temporarily ( Figure 14) . To further understand the nature of the differences between states, the net population increase in the demand across states needs to be compared. Figure 15 shows the state by state net change in population as well as housing issues. The states with a high influx of population showed higher dwelling demand.
Not surprisingly, the high demand has led to a rather strong rental market particularly in the larger states and this has provided an impetus for higher rental returns and an ideal time for new investors to consider for the longer term. With recent housing approvals declining, this demand supply gap can only be expected to widen. Clearly, the population increase cannot only be driving the market. Therefore, other aspects need investigation such as house price to income ratio; and house hold debt to income ratio.
Housing demand and supply by states
Net population change - state by state over 2000-2011
The house price-to-income ratio is generally calculated using average income of the whole population. This method of calculating house price may not be appropriate in that a set of buyers whose incomes are above the average income of the wider population, and have the ability to service the loans tend to bid in the auctions there by inflating house prices [ 28 ]. Such competition is visible across all capital cities but more so in Sydney, Melbourne, Perth and Canberra than other cities. Figure 16 shows the median change in the house prices across eight capital cities since 2007.
Figure 16 shows that the increase in house prices in the major capital cities have been greater than those of other cities. This suggests the increase in house prices in Australia over the past five years was driven mostly by house prices in the most expensive cities, where home buyers tend to be higher income earners. The house price-to-income ratio does not seem to pick up the distributional differences. The household debt to disposable income ratio can provide valuable insights while assessing the vulnerabilities. Therefore, disposable incomes of people need to be considered when assessing the vulnerability of an average mum and dad investor.
Dwelling prices in capital cities in Australia Source: ABS
Figure 17 shows the distribution of debt to income since 2006. The data indicates that the debt to income ratios has been fairly high – but consistent around 160% for the total debt, of which close to 140% is towards the mortgage. An indication to the scale of vulnerability can become salient when the house hold income to debt and the annual change in established home price are compared. Figure 18 shows that there has been a somewhat volatile situation in the housing market in all capital cities during 2006-2011; yet, during the same period, the debt to income ratio seem to be approximately constant over time. The comparison shows the average households are not so vulnerable to at least a change in their income situation given there was volatility in house price changes over time.
Owner occupier debt Source: RBA
Annual change in established home prices Source: ABS
The aim of this paper was to define risk and risk management in terms of real estate investment thus demonstrating the in depth nature and complexity of the process. Another aim was to conduct risk analysis of the Australian real estate market in particular, in terms of the global financial crisis – pre GFC, during GFC and post GFC. The review shows that risk analysis involves a number of steps with each step in turn involving another set of procedures. Risk analysis is a process that it is often ignored by investors particularly by the individual or smaller investors who tend to be more vulnerable. Similarly, risk management involves a number of processes and stages with steps and these have been outlined in the paper. A risk analysis is conducted here for investors in Australia real estate market. The results are rather interesting in that several conditional differences exist between Australia and the rest of the world. The factors identified that influence Australia’s house price are different from the rest of the world; including for example the rather stricter and well regulated lending practices of Australia’s financial institutions. A tight financial system regulation in Australia means a highly disciplined financial sector. The tougher regulation of the industry therefore prevents financial institutions from taking on excessive risks, contrary to the US counterparts. In fact, increasing house prices was identified in Australia after the crises of 2007-8; and this was associated with the changes in mortgage lending rates, rising family income, increasing overseas migration demand, government incentives to name a few. Together the market situation suggests that Australia is unlikely to face a US style housing bubble. The results of the risk analysis show that:
rising incomes and population growth ensure the demand for housing outpaces current supply, thereby increasing the prices;
high capital growth in larger cities where there has been large population migration such as Perth, Sydney and Melbourne;
high demand still exists for residential and commercial real estate to accommodate growing expatriate working community;
increased property prices has to many Australians increasingly seeking rental accommodation, making housing investment a healthy growth area for investors;
higher growth rate in property investment in Australia - superior to most OECD countries, including the UK, Spain and the US; and
foreign exchange rate changes have been favorable, making property purchase in Australia a valuable option; that in turn driving property prices higher. This has changed in 2011-12 when the higher Australian dollar has posed interesting challenges for the Australian investments.
The findings are in line and relate to that of the Australian housing and urban research institute’s findings [ 29 ], which further suggest:
investors are motivated to invest in the private rental market for a number of reasons such as financial factors, personal goals (retirement or future home for children at university), and household circumstances (proximity to their own dwelling);
investors use their own measures of quality and personal preference when selecting a dwelling even though they will not be living in the property;
investors perceive property as a long-term, safe and stable investment that is low risk and will produce guaranteed returns;
investors largely expect capital gains from investing rather that rental yield only and this is how success is measured; and
informality characterizes investor approaches to the housing market where property is considered familiar, relatively easy to invest in when compared to other investments.
In summary, Australian housing industry continues to experience significant housing shortages in major cities due to a rapidly growing population; in particular, the growth has been fueled by strong overseas migration during 2004-2007, but the Australian current government immigration laws suggest that the strong levels of immigration will continue for some time due to the lack of skills in the labor market. The housing demand is further supported by the fact that the size of the Australian household appears to be shrinking adding to the pressure on housing both in rental and investment. The demand of rental housing together with somewhat lower house prices in recent times (buyer marker) has lured many new investors in the market. This aspect, the negative gearing benefits, and the first home ownership schemes supported by significantly lower interest rates have all led to a favorable and stronger real estate market in Australia. All of this has occurred within a framework of a stronger, tightly regulated financial sector that has been more-stricter than most advanced economies including the US. Such a regulated real estate market appears to have kept the mortgage repayment failure and housing related bad debts at a minimum in Australia.
© 2012 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Risk management.
Published: 12 September 2012
By Jordi Botet
7110 downloads
By Pedro Maria-Sanchez
7240 downloads
By Nerija Banaitiene and Audrius Banaitis
104914 downloads
In this article
In the modern business landscape, navigating uncertainties and pitfalls is essential for sustainable growth and longevity. Effective risk management emerges as a shield against potential threats – and it also unlocks opportunities for innovation and advancement. In this article, we will explore risk management and its significance and criteria for excellence. We will also examine case studies of two companies that have excelled in this domain. Through these insights, we aim to glean valuable lessons and best practices. As such, businesses across diverse industries can fortify their risk management frameworks.
Risk management is vital for the sustenance and prosperity of companies, regardless of their size or industry. At its core, it is the identification, assessment and mitigation of potential risks that may impede organisational objectives or lead to adverse outcomes. Having a robust risk management approach means businesses can safeguard their assets, reputation and bottom line.
The statistics are somewhat alarming. According to research , 69% of executives are not confident with their current risk management policies and practices. What’s more, only 36% of organisations have a formal enterprise risk management (ERM) programme.
Proactive risk management isn’t just a defensive measure; rather, it is necessary for sustainability and growth. With 62% of organisations experiencing a critical risk event in the last three years, it is important to be proactive. By identifying and addressing potential risks, organisations can become more resilient to external shocks and internal disruptions. This means they’re better able to survive through difficult times and maintain operational continuity. Moreover, a proactive stance enables companies to seize strategic advantages. It allows them to innovate, expand into new markets and capitalise on emerging trends with confidence.
Achieving excellence in risk management means adhering to several key criteria:
Now, let’s take a look at a case study that highlights risk management excellence in practice.
ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry. It specialises in software development and IT consulting services.
Over the years, under Lawson’s leadership, the company expanded its offerings and diversified into various sectors, including cybersecurity solutions, cloud computing and artificial intelligence. Today, ApexTech is a prominent player in the global technology market, serving clients ranging from small businesses to Fortune 500 companies.
ApexTech’s journey to risk management excellence can be attributed to several key strategies and initiatives:
By proactively identifying and addressing operational risks, such as supply chain disruptions and regulatory compliance challenges, ApexTech has maintained operational continuity and minimised potential disruptions to its business operations.
ApexTech Solutions serves as a compelling example of a company that has excelled in risk management excellence by embracing proactive strategies, leveraging advanced technologies and fostering a culture of innovation and adaptation.
TerraSafe Pharmaceuticals is a renowned company in the pharmaceutical industry, dedicated to developing and manufacturing innovative medications to improve global health outcomes. Established in 1998 by Dr Elena Chen, TerraSafe initially focused on the production of generic drugs to address critical healthcare needs.
Over the years, the company has expanded its portfolio to include novel biopharmaceuticals and speciality medications.
TerraSafe Pharmaceuticals has a holistic approach to identifying, assessing and mitigating risks across its operations:
By investing in R&D and adhering to rigorous quality assurance standards, TerraSafe has successfully developed and commercialised several breakthrough medications that address unmet medical needs and improve patient outcomes. What’s more, the company’s proactive approach to regulatory compliance has facilitated the timely approval and market authorisation of its products in key global markets. This has enabled the company to expand its geographic footprint and reach new patient populations.
Despite being in different industries, both companies share similarities. Both ApexTech and TerraSafe Pharmaceuticals know the importance of proactive risk management. They have procedures in place that work to identify, assess and mitigate risks before they escalate. What’s more, both companies are led by visionary leaders who set the tone for decision-making. They prioritise building a strong risk culture with all employees knowing their role in risk management.
One of the most prominent trends in risk management is the increasing integration of technology into risk management processes. Advanced technologies such as artificial intelligence (AI), machine learning and automation are revolutionising risk assessment, prediction and mitigation. These technologies mean companies can analyse vast amounts of data in real time. This allows them to identify patterns and trends and predict potential risks more accurately.
Data analytics is another key trend reshaping risk management practices. Companies are leveraging big data analytics tools and techniques to gain deeper insights. By analysing historical data and real-time information, they can identify emerging risks, detect anomalies and make more informed risk management decisions.
Cybersecurity risks have become a major concern. Threats such as data breaches, ransomware attacks and phishing scams pose significant risks to companies’ data, operation and reputation. Companies are investing heavily in cybersecurity measures and adopting proactive approaches to protect their digital assets and mitigate cyber risks.
Companies are integrating global risk management into their overall risk management strategy too. They are monitoring global developments, assessing the impact of global risks on their business operations and developing contingency plans.
Leadership plays a pivotal role in shaping organisational culture and driving initiatives that promote risk management excellence. Effective leaders recognise the importance of risk management but also actively champion its integration into the fabric of the organisation. Effective leaders:
For organisations to identify, assess and mitigate risks at all levels effectively, they need to encourage a risk-aware culture. Here are some tips for encouraging a risk-aware culture:
Challenges in risk management are inevitable, even for companies excelling in this domain. Despite their proactive efforts, all organisations encounter obstacles that can impede their risk management practices. Here are some common challenges and strategies for addressing them:
In this article, we have explored the importance of effective risk management for businesses. We have delved into the criteria for excellence in risk management, showcasing companies such as ApexTech Solutions and TerraSafe Pharmaceuticals that exemplify these principles through their proactive strategies and robust frameworks.
From embracing technology and fostering a culture of innovation to prioritising regulatory compliance and empowering employees, these companies have demonstrated remarkable achievements in navigating complex risk landscapes and achieving sustainable success.
However, it’s essential to recognise that even companies excelling in risk management face challenges. By acknowledging these and implementing strategies to address them, organisations can enhance their resilience and effectiveness in managing risks over the long term.
Study online and gain a full CPD certificate posted out to you the very next working day.
Take a look at this course
Louise is a writer and translator from Sheffield. Before turning to writing, she worked as a secondary school language teacher. Outside of work, she is a keen runner and also enjoys reading and walking her dog Chaos.
Celebrating our clients and partners.
Fehmarnbelt case study
. . . . . learn more
Lend Lease case study
ASC case study
Tornado IPT case study
LLW Repository case study
OHL case study
Babcock case study
HUMS case study
UK Chinook case study
Copyright © 2024 risk decisions. All rights reserved.
Powered by The Communications Group
Discover the world's research
To read the full-text of this research, you can request a copy directly from the author.
Supply chain risk management is an increasingly critical function within businesses that aims to identify, evaluate, and mitigate risks along the supply chain to ensure reliability and continuity of supply. In a globalized economy, an organization's supply chain can span multiple countries and involve various interdependent processes making it susceptible to a plethora of risks.
This article will explore the multi-faceted approach to managing these risks efficiently, underpinning the importance of robust strategies to maintain competitiveness and deliver value to customers.
Defined succinctly, supply chain risk management (SCRM) is the implementation of strategies designed to oversee and manage potential risks within the supply chain, including but not limited to inventory issues, supplier problems, logistic errors, and environmental factors that could interrupt or delay the flow of goods and services.
This process entails the proactive identification of potential risks, assessment of their possible impact, and development of strategies geared toward their mitigation. Effective SCRM is pivotal to ensuring smooth operational flow and upholding the integrity of a company's supply chain network.
In the dynamic and interconnected world of global trade, the importance of supply chain risk management cannot be overstated. Businesses face an array of challenges, from natural disasters disrupting transportation routes to cyber-attacks compromising data integrity.
These uncertainties necessitate a comprehensive understanding of potential vulnerabilities and the formation of robust SCRM strategies. The integration of logistics courses online and online certification courses greatly contributes to enhancing the knowledge and skills of professionals in this arena, equipping them with the expertise to cope with the complexities of supply chain risk.
Comprehending the myriad of risks pertinent to the supply chain is crucial in devising effective risk management strategies. These risks can broadly be classified into several types, each with the potential to adversely affect supply chain operations and compromise business performance.
Logistics and supply chain professionals often categorize risks into three main types: operational risks, disruption risks, and systemic risks. Operational risks are associated with the day-to-day management of the supply chain and can include vendor shortages, transportation delays, or inventory mismanagement.
On the other hand, disruption risks encompass unforeseen events like natural disasters, political instability, or labor strikes that can abruptly halt supply chain operations. Systemic risks cover macro-level events such as economic recessions or significant technological changes, which may require a complete rethink of supply chain strategy.
Operational risks
Disruption risks
Systemic risks
The repercussions of ignoring supply chain risks can be severe. For instance, a key supplier's failure to deliver an essential component due to financial instability can cause a production standstill. Similarly, a retailer may face significant revenue loss in the occurrence of a cyber-attack that disrupts its distribution system. These examples underscore the absolute necessity for preemptive risk management measures in safeguarding supply chain operations.
Addressing the challenges posited by potential risks requires strategic planning and action. Companies can develop an array of approaches to anticipate, prepare for, and neutralize supply chain risks.
The initial step of supply chain risk management is identifying and evaluating the potential risks that could affect the supply chain operations. This phase involves the use of predictive analytics for risk identification, wherein historical data, market trends, and current events are analyzed to forecast potential disruptions. Subsequently, organizations conduct an assessment of the impact and likelihood of identified risks to prioritize their attention and resources accordingly.
Predictive analytics for risk identification
Impact and likelihood assessment of risks
Upon assessing the risks, developing mitigation and prevention strategies is instrumental for risk management. Contingency planning plays a significant role in this, where alternative plans are in place in the event of supply chain disruptions. Moreover, prioritizing supplier diversity is vital to spread the risk and avoid over-dependence on a single source which can be a critical vulnerability.
The role of contingency planning
The importance of supplier diversity in risk reduction
Building resilience into the supply chain is about creating a robust setup that can withstand and recover from unexpected disruptions. Replicating supply chains across different regions can mitigate risks associated with geographical limitations. Furthermore, proactive disruption management ensures swift reactive measures in response to supply chain threats, which minimizes impacts and accelerates recovery time.
Replicating supply chains for risk mitigation
Proactive disruption management
The rapid advancement of digital tools has provided businesses with innovative opportunities to strengthen their supply chain risk management tactics. Utilizing cutting-edge technologies can significantly enhance the capability of organizations to predict, manage and mitigate risks more efficiently.
Technological innovations such as Artificial Intelligence (AI) and Blockchain are revolutionizing supply chain risk management. AI algorithms can help predict potential disruptions before they occur, allowing for proactive measures to be implemented. Blockchain technology introduces a layer of transparency and security to supply chain transactions, which serves to build trust and traceability across the entire network.
Artificial Intelligence in supply chain risk management
Usage of Blockchain for Supply Chain transparency
An examination of case studies where companies successfully incorporated technology to manage their supply chain risks can offer valuable insights. These practical examples showcase the effectiveness of digital tools in real-world applications, reinforcing the argument for their wider adoption in SCRM strategies.
The field of supply chain risk management remains paramount to the success and resilience of organizations worldwide. The continuous evolution of risks makes it imperative for businesses to stay vigilant, be adaptive, and incorporate robust risk management processes into their supply chain operations.
It is crystal clear that the significance of identifying, evaluating, and mitigating risks cannot be understated. The employment of practices like engaging in logistics courses online and obtaining online certification courses invigorates the knowledge base and skill set of those overseeing and managing supply chains, equipping them to handle potential risks successfully.
Looking forward, the domain of SCRM is set to encounter new challenges and trends such as the growing significance of sustainability, digitization, and geopolitical shifts. Companies need to remain proactive and innovative in crafting their risk management strategies to stay ahead of these evolving dynamics.
Optimizing supply chain risk management is a strategic imperative that transcends operational efficiency and encompasses the broader scope of sustaining business growth and customer satisfaction. By embracing comprehensive risk management practices, including the augmentation of professional capabilities through continued learning and the adoption of advanced technologies, companies can fortify their supply chains against an unpredictable future.
Identifying potential risks.
Supply chains face myriad risks. These range from supplier insolvency to natural disasters. Sound risk management begins with rigorous identification. Here are several strategies to pinpoint those risks effectively.
First, create a visual map. This chart should detail each step in the chain. It helps pinpoint where risks might arise.
Next, engage with your team. Conduct brainstorming sessions. Identify risks via expert input. This often reveals unforeseen threats.
Perform a SWOT analysis. Assess Strengths , Weaknesses , Opportunities , and Threats . This frames risks concerning your competitive position.
Historical data is invaluable. It shows where past issues occurred. Use this to predict and prepare for future risks.
Keep an eye on the market. Monitor news, trends, and reports. This will point to external risks quickly.
Once identification is complete, evaluation follows. The goal is to measure each risk's potential impact.
Begin by categorizing risks. Common groups are operational, financial, strategic, and compliance-related. This organizes risks by nature.
Every risk has a chance of occurrence. Assess this probability. Also, estimate each risk's impact if it materializes.
Risk matrices are a simple tool. Place each risk within a matrix based on its score. This shows clear priorities.
Consider the costs. Weigh them against the benefits of mitigation. This illuminates which risks justify investment.
Plan for various outcomes. Simulate different scenarios. How does each risk affect your operation? This will prepare you for different eventualities.
Risks change. Review your assessments often. Update them to reflect new information. This ensures your risk profile remains current.
Map the supply chain
Use qualitative assessments
Conduct a SWOT analysis
Review historical data
Collect external intelligence
In short, efficient supply chain risk identification and evaluation call for a structured approach. Map out the chain, assess qualitatively and quantitatively, and keep your information updated. Use tools such as risk matrices and scenario planning to keep a clear focus on where to direct your mitigation efforts. With these strategies, businesses can better prepare for the unpredictable and mitigate risks in their supply chains.
The interplay of technology and risk management in supply chains.
In today's fast-paced market, managing supply chain risk is vital. Companies face numerous uncertainties. Technological advancements provide tools to mitigate these risks. Key benefits stem from technology's role in supply chain oversight.
Advanced analytics aid risk forecasting. They help identify patterns and predict disruptions. Machine learning algorithms process vast datasets. This analysis discerns potential problems early. It thereby supports proactive measures. Risk prediction turns more precise over time. The tech learns from each event, enhancing future responses.
Real-time tracking is critical. It allows for immediate response to disruptions. Sensors and GPS generate live data flows. Companies monitor shipments around the clock. Any deviation triggers alerts. Thus, stakeholders can take quick, informed action. Real-time visibility also means enhanced transparency across the chain.
Automation streamlines operations. It reduces human error risk in routine tasks. Automated systems handle order processing and inventory updates. They provide accurate data for decision-making. Better data means better risk management. Time-sensitive decisions benefit from automation's speed.
Effective communication underpins risk mitigation. Digital platforms enable instant data sharing. Stakeholders remain aware of any changes or issues. Collaboration tools facilitate rapid strategy adjustments. Partners synchronize their response efforts. Instant communication is crucial in crisis scenarios.
Amidst technological reliance, data breaches pose significant risks. Robust cybersecurity measures are indispensable. They protect sensitive information integral to supply chains. Secure data transmission and storage are priorities. Cybersecurity efforts safeguard against costly data-related disruptions.
Blockchain technology offers unparalleled transparency. It creates secure, immutable records. Each transaction adds a new 'block' to the 'chain.' Every party can access this unalterable ledger. Blockchain prevents fraud and errors. It thus fosters trust among trade partners. Blockchain makes verifying authenticity simpler. It further ensures that all participants follow agreed-upon protocols.
IoT devices collect crucial operation data. They monitor goods and equipment condition. IoT sensors can track temperature, movement, and more. Alerts notify managers of deviations from norms. Managers can then take preventive action. This minimizes the impact of potential issues. The IoT also facilitates predictive maintenance. It reduces the risk of machinery breakdowns.
Cloud computing centralizes data storage. It grants access from anywhere, anytime. Supply chain parties can retrieve vital information on demand. Decision-making becomes more informed and timely. Cloud computing supports scalability and collaboration. It offers robust backup solutions. These are crucial in disaster recovery scenarios.
AI and Machine Learning enhance risk assessment. They can model complex risk scenarios. These technologies offer insights into potential impact. Firms can assess various risk strategies efficiently. AI-powered tools also assist in supplier evaluation. They can predict supplier reliability and performance.
Drones and autonomous vehicles promise safer logistics. Drones inspect hard-to-reach areas. They can check for hazards without endangering workers. Autonomous vehicles can reduce accidents caused by human error. They promise to make the transportation of goods safer.
Technology is reshaping supply chain risk management. Firms that adopt these advancements may gain competitive edges. They do so through enhanced efficiency, accuracy, and responsiveness. Technology's role will only grow. It will keep transforming risk management and supply chains.
Understanding supply chain risk management.
Supply chain risk management (SCRM) involves handling disruptions. It is crucial for business sustainability. Risks can occur at any moment. They can emerge from various sources. These include natural disasters, economic shifts, or technological failures. Efficient SCRM mitigates the impact of these disruptions. It ensures continuity and resilience.
Communication drives successful SCRM. It does so by facilitating information flow. Stakeholders stay informed through clear communication. It enables quick response to risks. Information must be precise. It must also be timely.
Effective communication promotes collaboration. Different departments must work together. Suppliers, logistics, and retailers also need to coordinate. Good communication makes this possible. It breaks down silos within organizations.
Transparency is essential in communication. It builds trust among partners. It allows for shared risk perception. Understanding risks becomes easier. So does finding solutions.
Implementing communication strategies involves several steps. These steps ensure that communication is efficient and effective. Here are some critical considerations:
Establish Protocols: Define clear communication channels. This ensures that messages reach the right people.
Regular Updates: Keep all parties informed with frequent updates. It ensures that everyone is on the same page.
Train Employees: Teach staff how to communicate during disruptions. Prepared teams manage risks better.
Technology Utilization: Use technology to enhance communication. Digital tools can provide real-time data sharing.
Several barriers can impede communication. These challenges include:
Cultural Differences: Global supply chains face this. It can lead to misunderstandings.
Information Overload: Too much information can confuse stakeholders. Distill it to what is necessary.
Resistance to Change: Some may resist new communication methods. They need convincing of the benefits.
Leadership commitment is important for overcoming these challenges. Leaders must champion open communication. They inspire their organizations. They guide them toward efficient SCRM.
Communication is not just critical. It is the backbone of SCRM. It empowers organizations to face uncertainties. It builds resilient supply chains. It should, therefore, receive the attention it deserves. Continuous improvement is key. Organizations must strive for better communication to manage their supply chain risks effectively.
Yu Payne is an American professional who believes in personal growth. After studying The Art & Science of Transformational from Erickson College, she continuously seeks out new trainings to improve herself. She has been producing content for the IIENSTITU Blog since 2021. Her work has been featured on various platforms, including but not limited to: ThriveGlobal, TinyBuddha, and Addicted2Success. Yu aspires to help others reach their full potential and live their best lives.
Part of the book series: Contributions to Management Science ((MANAGEMENT SC.))
2281 Accesses
Risks in the rapidly increasing global business environment began to receive more attention among both researchers and practitioners illuminating the delicate balance between enterprise efficiencies and risk economies. However, Risk Management, in recent years, are becoming more complex to analyze and more challenging to manage and optimize.
Besides that, risk and uncertainty concept have always been a significant concern not only for private sectors and public sectors but also for non-profit organizations (NPOs) sector. In this chapter, the potential risks and their drivers are identified, assessed and ranked for a wide spread and most effective for a non-profit organization which aims to bring together native and foreign students for creating a bridge of humanity and education. After investigating the key control measures of major sources of risk, risk management processes and strategies were developed. To provide analytical results, Analytic Hierarchy Process (AHP) used by utilizing the questionnaire technique.
This is a preview of subscription content, log in via an institution to check access.
Tax calculation will be finalised at checkout
Purchases are for personal use only
Institutional subscriptions
Beasley M (2011) Increasing risk awareness for mission critical objectives of not-for-profit organizations. American Institute of Certified Public Accountants, Durham
Google Scholar
Boas K (2012) Building capacity in NGO risk management. Retrieved from http://www.thesustainablengo.org/
Carter TS, Demczur JM (2013) Legal risk management checklist for non- for-profit organizations. Carters Professional Corporation, Ottawa, Toronto
Chen L (2010) Risk management for nonprofit organizations. Oregon State University, Corvallis
Chopra S, Sodhi MS (2004) Managing risk to avoid supply-chain breakdown. MIT Sloan Manag Rev 46(1):53–62
Christopher M, Peck H (2004) Building the resilient supply chain. Int J Logist Manag 2:1–13
Article Google Scholar
Gaudenzi B, Borghesi A (2006) Managing risks in the supply chain using the AHP method. Int J Logist Manag 17(1):114–136
Harper TJ (2012) Agent based modeling and simulation framework for supply chain risk management. Dissertation, Air Force Institute of Technology
INCOSE (2002) What is “Risk”. Risk Management Working group, Hall, DC
Jackson P (2006) Nonprofit risk management and contingency planning. Wiley, New Jersey
Matan R, Hartnett B (2011) How nonprofit organizations manage risk. Sobel & Co, Livingston
Mohammed KM (2007) Managing risk: a case study of a non-governmental organization that provides long- term care and support service for people with mental, intellectual and physical disabilities. Massey University, Palmerston North
Park K (2011) Flexible and redundant supply chain practices to build strategic supply chain resilience: contingent and resource-based perspectives. Dissertation, The University of Toledo
Pehlivanli D (2012) Kâr Amacı Gütmeyen Kuruluslarda Kurumsal Risk Yönetimi ve Risk Çalıstayı Vaka Çalısması. Muhasebe ve Finasman Dergisi:117–128
Ritchie B, Brindley C (2007) Supply chain risk management and performance: a guiding framework for future development. Int J Oper Prod Manag 27(3):303–322
Saaty TL (1980) The analytic hierarchy process. St. Louis ua, New York
Sitkin SB, Pablo AL (1992) Reconceptualizing the determinants of risk behavior. Acad Manag Rev 17(1):9–38
Tang C, Tomlin B (2008) The power of flexibility for mitigating supply chain risks. Int J Prod Econ 116(1):12–27
Trivunovic M, Johnsøn J, Mathisen H (2011) Developing an NGO corruption risk management system: considerations for donors. U4 Issue, 2011(9)
Wilson‐Grau R (2003) The risk approach to strategic management in development NGOs. Dev Pract 13(5):533–536
Wilson-Grau R (2004) Strategic risk management for development NGOs: the case of a grant-maker. Seton Hall J Dipl and Int’l Rel. 5:125
Young DR (2009) How nonprofit organizations manage risk. In: Musella SD (ed) Paid and unpaid labour in the social economy. Georgia State University, Georgia
Download references
Authors and affiliations.
Logistics Program, Vocational School of Social Science, Istanbul Medipol University, Kavacik Campus, Beykoz, 34810, Istanbul, Turkey
Elif Karakaya
Department of International Trade, Istanbul Commercial University, Sutluce Campus, Beyoglu, 34445, Istanbul, Turkey
Gencay Karakaya
You can also search for this author in PubMed Google Scholar
Correspondence to Elif Karakaya .
Editors and affiliations.
Istanbul Medipol University , Eyup, Istanbul, Turkey
Hasan Dinçer
Istanbul Medipol University , Beylikduzu, Istanbul, Turkey
Ümit Hacioğlu
Reprints and permissions
© 2017 Springer International Publishing AG
Karakaya, E., Karakaya, G. (2017). Developing a Risk Management Framework and Risk Assessment for Non-profit Organizations: A Case Study. In: Dinçer, H., Hacioğlu, Ü. (eds) Risk Management, Strategic Thinking and Leadership in the Financial Services Industry . Contributions to Management Science. Springer, Cham. https://doi.org/10.1007/978-3-319-47172-3_20
DOI : https://doi.org/10.1007/978-3-319-47172-3_20
Published : 20 December 2016
Publisher Name : Springer, Cham
Print ISBN : 978-3-319-47171-6
Online ISBN : 978-3-319-47172-3
eBook Packages : Economics and Finance Economics and Finance (R0)
Anyone you share the following link with will be able to read this content:
Sorry, a shareable link is not currently available for this article.
Provided by the Springer Nature SharedIt content-sharing initiative
Policies and ethics
If 2023 was the year the world discovered generative AI (gen AI) , 2024 is the year organizations truly began using—and deriving business value from—this new technology. In the latest McKinsey Global Survey on AI, 65 percent of respondents report that their organizations are regularly using gen AI, nearly double the percentage from our previous survey just ten months ago. Respondents’ expectations for gen AI’s impact remain as high as they were last year , with three-quarters predicting that gen AI will lead to significant or disruptive change in their industries in the years ahead.
This article is a collaborative effort by Alex Singla , Alexander Sukharevsky , Lareina Yee , and Michael Chui , with Bryce Hall , representing views from QuantumBlack, AI by McKinsey, and McKinsey Digital.
Organizations are already seeing material benefits from gen AI use, reporting both cost decreases and revenue jumps in the business units deploying the technology. The survey also provides insights into the kinds of risks presented by gen AI—most notably, inaccuracy—as well as the emerging practices of top performers to mitigate those challenges and capture value.
Interest in generative AI has also brightened the spotlight on a broader set of AI capabilities. For the past six years, AI adoption by respondents’ organizations has hovered at about 50 percent. This year, the survey finds that adoption has jumped to 72 percent (Exhibit 1). And the interest is truly global in scope. Our 2023 survey found that AI adoption did not reach 66 percent in any region; however, this year more than two-thirds of respondents in nearly every region say their organizations are using AI. 1 Organizations based in Central and South America are the exception, with 58 percent of respondents working for organizations based in Central and South America reporting AI adoption. Looking by industry, the biggest increase in adoption can be found in professional services. 2 Includes respondents working for organizations focused on human resources, legal services, management consulting, market research, R&D, tax preparation, and training.
Also, responses suggest that companies are now using AI in more parts of the business. Half of respondents say their organizations have adopted AI in two or more business functions, up from less than a third of respondents in 2023 (Exhibit 2).
Most respondents now report that their organizations—and they as individuals—are using gen AI. Sixty-five percent of respondents say their organizations are regularly using gen AI in at least one business function, up from one-third last year. The average organization using gen AI is doing so in two functions, most often in marketing and sales and in product and service development—two functions in which previous research determined that gen AI adoption could generate the most value 3 “ The economic potential of generative AI: The next productivity frontier ,” McKinsey, June 14, 2023. —as well as in IT (Exhibit 3). The biggest increase from 2023 is found in marketing and sales, where reported adoption has more than doubled. Yet across functions, only two use cases, both within marketing and sales, are reported by 15 percent or more of respondents.
Gen AI also is weaving its way into respondents’ personal lives. Compared with 2023, respondents are much more likely to be using gen AI at work and even more likely to be using gen AI both at work and in their personal lives (Exhibit 4). The survey finds upticks in gen AI use across all regions, with the largest increases in Asia–Pacific and Greater China. Respondents at the highest seniority levels, meanwhile, show larger jumps in the use of gen Al tools for work and outside of work compared with their midlevel-management peers. Looking at specific industries, respondents working in energy and materials and in professional services report the largest increase in gen AI use.
The latest survey also shows how different industries are budgeting for gen AI. Responses suggest that, in many industries, organizations are about equally as likely to be investing more than 5 percent of their digital budgets in gen AI as they are in nongenerative, analytical-AI solutions (Exhibit 5). Yet in most industries, larger shares of respondents report that their organizations spend more than 20 percent on analytical AI than on gen AI. Looking ahead, most respondents—67 percent—expect their organizations to invest more in AI over the next three years.
Where are those investments paying off? For the first time, our latest survey explored the value created by gen AI use by business function. The function in which the largest share of respondents report seeing cost decreases is human resources. Respondents most commonly report meaningful revenue increases (of more than 5 percent) in supply chain and inventory management (Exhibit 6). For analytical AI, respondents most often report seeing cost benefits in service operations—in line with what we found last year —as well as meaningful revenue increases from AI use in marketing and sales.
As businesses begin to see the benefits of gen AI, they’re also recognizing the diverse risks associated with the technology. These can range from data management risks such as data privacy, bias, or intellectual property (IP) infringement to model management risks, which tend to focus on inaccurate output or lack of explainability. A third big risk category is security and incorrect use.
Respondents to the latest survey are more likely than they were last year to say their organizations consider inaccuracy and IP infringement to be relevant to their use of gen AI, and about half continue to view cybersecurity as a risk (Exhibit 7).
Conversely, respondents are less likely than they were last year to say their organizations consider workforce and labor displacement to be relevant risks and are not increasing efforts to mitigate them.
In fact, inaccuracy— which can affect use cases across the gen AI value chain , ranging from customer journeys and summarization to coding and creative content—is the only risk that respondents are significantly more likely than last year to say their organizations are actively working to mitigate.
Some organizations have already experienced negative consequences from the use of gen AI, with 44 percent of respondents saying their organizations have experienced at least one consequence (Exhibit 8). Respondents most often report inaccuracy as a risk that has affected their organizations, followed by cybersecurity and explainability.
Our previous research has found that there are several elements of governance that can help in scaling gen AI use responsibly, yet few respondents report having these risk-related practices in place. 4 “ Implementing generative AI with speed and safety ,” McKinsey Quarterly , March 13, 2024. For example, just 18 percent say their organizations have an enterprise-wide council or board with the authority to make decisions involving responsible AI governance, and only one-third say gen AI risk awareness and risk mitigation controls are required skill sets for technical talent.
The latest survey also sought to understand how, and how quickly, organizations are deploying these new gen AI tools. We have found three archetypes for implementing gen AI solutions : takers use off-the-shelf, publicly available solutions; shapers customize those tools with proprietary data and systems; and makers develop their own foundation models from scratch. 5 “ Technology’s generational moment with generative AI: A CIO and CTO guide ,” McKinsey, July 11, 2023. Across most industries, the survey results suggest that organizations are finding off-the-shelf offerings applicable to their business needs—though many are pursuing opportunities to customize models or even develop their own (Exhibit 9). About half of reported gen AI uses within respondents’ business functions are utilizing off-the-shelf, publicly available models or tools, with little or no customization. Respondents in energy and materials, technology, and media and telecommunications are more likely to report significant customization or tuning of publicly available models or developing their own proprietary models to address specific business needs.
Respondents most often report that their organizations required one to four months from the start of a project to put gen AI into production, though the time it takes varies by business function (Exhibit 10). It also depends upon the approach for acquiring those capabilities. Not surprisingly, reported uses of highly customized or proprietary models are 1.5 times more likely than off-the-shelf, publicly available models to take five months or more to implement.
Gen AI is a new technology, and organizations are still early in the journey of pursuing its opportunities and scaling it across functions. So it’s little surprise that only a small subset of respondents (46 out of 876) report that a meaningful share of their organizations’ EBIT can be attributed to their deployment of gen AI. Still, these gen AI leaders are worth examining closely. These, after all, are the early movers, who already attribute more than 10 percent of their organizations’ EBIT to their use of gen AI. Forty-two percent of these high performers say more than 20 percent of their EBIT is attributable to their use of nongenerative, analytical AI, and they span industries and regions—though most are at organizations with less than $1 billion in annual revenue. The AI-related practices at these organizations can offer guidance to those looking to create value from gen AI adoption at their own organizations.
To start, gen AI high performers are using gen AI in more business functions—an average of three functions, while others average two. They, like other organizations, are most likely to use gen AI in marketing and sales and product or service development, but they’re much more likely than others to use gen AI solutions in risk, legal, and compliance; in strategy and corporate finance; and in supply chain and inventory management. They’re more than three times as likely as others to be using gen AI in activities ranging from processing of accounting documents and risk assessment to R&D testing and pricing and promotions. While, overall, about half of reported gen AI applications within business functions are utilizing publicly available models or tools, gen AI high performers are less likely to use those off-the-shelf options than to either implement significantly customized versions of those tools or to develop their own proprietary foundation models.
What else are these high performers doing differently? For one thing, they are paying more attention to gen-AI-related risks. Perhaps because they are further along on their journeys, they are more likely than others to say their organizations have experienced every negative consequence from gen AI we asked about, from cybersecurity and personal privacy to explainability and IP infringement. Given that, they are more likely than others to report that their organizations consider those risks, as well as regulatory compliance, environmental impacts, and political stability, to be relevant to their gen AI use, and they say they take steps to mitigate more risks than others do.
Gen AI high performers are also much more likely to say their organizations follow a set of risk-related best practices (Exhibit 11). For example, they are nearly twice as likely as others to involve the legal function and embed risk reviews early on in the development of gen AI solutions—that is, to “ shift left .” They’re also much more likely than others to employ a wide range of other best practices, from strategy-related practices to those related to scaling.
In addition to experiencing the risks of gen AI adoption, high performers have encountered other challenges that can serve as warnings to others (Exhibit 12). Seventy percent say they have experienced difficulties with data, including defining processes for data governance, developing the ability to quickly integrate data into AI models, and an insufficient amount of training data, highlighting the essential role that data play in capturing value. High performers are also more likely than others to report experiencing challenges with their operating models, such as implementing agile ways of working and effective sprint performance management.
The online survey was in the field from February 22 to March 5, 2024, and garnered responses from 1,363 participants representing the full range of regions, industries, company sizes, functional specialties, and tenures. Of those respondents, 981 said their organizations had adopted AI in at least one business function, and 878 said their organizations were regularly using gen AI in at least one function. To adjust for differences in response rates, the data are weighted by the contribution of each respondent’s nation to global GDP.
Alex Singla and Alexander Sukharevsky are global coleaders of QuantumBlack, AI by McKinsey, and senior partners in McKinsey’s Chicago and London offices, respectively; Lareina Yee is a senior partner in the Bay Area office, where Michael Chui , a McKinsey Global Institute partner, is a partner; and Bryce Hall is an associate partner in the Washington, DC, office.
They wish to thank Kaitlin Noe, Larry Kanter, Mallika Jhamb, and Shinjini Srivastava for their contributions to this work.
This article was edited by Heather Hanselman, a senior editor in McKinsey’s Atlanta office.
Related articles.
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
CDC’s Respiratory Virus Guidance provides strategies you can use to help protect yourself and others from health risks caused by COVID-19 and other respiratory viruses. These actions can help you lower the risk of COVID-19 transmission (spreading or catching COVID-19) and lower the risk of severe illness if you get sick.
CDC recommends that all people use core prevention strategies to protect themselves and others from COVID-19:
When you are sick:
In addition, there are other prevention strategies that you can choose to further protect yourself and others.
Using these prevention strategies can be especially helpful when:
Find out if respiratory viruses are causing a lot of illness in your community. Data updated weekly.
Learn more about all three of these respiratory viruses, who is most at risk, and how they are affecting your state right now. You can use some of the same strategies to protect yourself from all three viruses.
Get the Latest on COVID-19, Flu, and RSV
Search for and find historical COVID-19 pages and files. Please note the content on these pages and files is no longer being updated and may be out of date.
To receive email updates about COVID-19, enter your email address:
In a business environment filled with uncertainties, how can business leaders steer their organizations toward sustainable success while navigating through the maze of potential risks?
One example of effective risk management in action is the case of Johnson & Johnson during the Tylenol crisis in 1982 . Faced with the crisis where cyanide-laced Tylenol capsules resulted in several deaths, Johnson & Johnson swiftly and decisively recalled all Tylenol products from the market, despite the financial implications.
This move, driven by a commitment to consumer safety and ethical responsibility, not only managed the immediate risk but also rebuilt public trust in the brand. This incident is a classic example of how risk management extends beyond financial and operational risks to encompass ethical considerations and consumer trust.
The answer often lies at the executive level, where understanding and implementing effective risk management becomes a pivotal aspect of strategic decision-making. This process is crucial for day-to-day operations and shaping long-term business strategies and policies at the C-suite and board levels.
Risk management is the systematic process of identifying, assessing, and prioritizing potential risks and implementing strategies to minimize or mitigate their impact.
It involves analyzing uncertainties and making informed decisions to protect organizations from potential harm or loss. Risk management is a critical component of effective decision-making and essential for the long-term success and sustainability of businesses and industries.
In today’s era, risk management strategies are increasingly influenced by the dig ital transformation of businesses. The rise of cyber risks, data privacy concerns, and the need for digital resilience are reshaping the risk landscape. Organizations are adopting digital tools and analytics, not only to comply with technological advancements but also to predict and mitigate risks more effectively.
We’ll explore the importance of risk management and how to implement an effective plan in the contemporary business landscape, especially from a strategic executive perspective.
Risk management process.
Embrace a culture of continuous learning and adaptation in risk management, types of risks.
In the business realm, myriad risks are categorized based on their nature and source. Here’s an insight into some types of risks:
Understanding these risks is the steppingstone to developing a robust risk management framework, ensuring business longevity amidst a landscape of uncertainties.
Risk management plays a vital role in various industries, as it helps organizations anticipate and address potential threats and uncertainties. By proactively managing risks, businesses can minimize financial losses, protect their reputation, and ensure the safety and well-being of their employees and stakeholders.
Moreover, risk management enables organizations to seize opportunities and make informed decisions, leading to improved performance and competitive advantage.
IMD’s Boards and Risks program provides board members with the opportunity to hone their risk oversight capabilities and ensure they’re well-equipped to guide their organizations through the complex landscape of contemporary business risks.
The risk management process is a structured approach that enables organizations to identify, assess, mitigate, and monitor risks. Implementing a thorough risk management process is crucial for understanding and preparing for the potential risks that come with operating in any industry.
Adopting standard risk management practices, like those outlined by the International Organization for Standardization (ISO), can benefit businesses by providing a framework to manage risks effectively.
Risk identification is the initial step in the risk management process. It involves recognizing and listing all possible risks that might affect the organization, whether they’re operational, financial, technological, reputational, or otherwise. For example, a retail company might identify the risk of data breaches that could potentially expose sensitive customer information.
Various tools and techniques can be used for risk identification including SWOT analysis, historical data analysis, stakeholder interviews, and expert consultations.
Once risks have been identified, the next step is to assess them based on their likelihood of occurrence and the potential impact they could have on the organization.
As an example, a financial institution might assess the potential financial and reputational impact of fraud risks and determine the likelihood of occurrence is high due to inadequate fraud detection systems.
Risk assessment allows for a better understanding of the risks and aids in prioritizing them. This stage often involves the creation of a risk matrix and a risk register to visualize the severity and priority of each risk.
Alongside traditional methods, a data-driven approach is revolutionizing risk assessment. Advanced data analytics, AI, and machine learning are now pivotal tools in identifying and evaluating risks.
These technologies enable organizations to process vast amounts of data, recognize patterns, and predict potential risks with unprecedented accuracy. By leveraging these tools, businesses can gain deeper insights into potential threats, leading to more informed decision-making.
Risk mitigation involves developing and implementing strategies to address the identified risks. The aim is to reduce the likelihood of the risks or lessen their impact should they occur.
For example, a health care organization might implement stricter data security measures and train staff on cybersecurity best practices to mitigate the risk of cyberattacks .
Common risk mitigation strategies include risk avoidance, risk reduction, risk transfer, risk treatment, and implementing risk controls to ensure a balanced approach. It’s crucial to align mitigation strategies with organizational objectives to ensure a balanced approach.
Risk monitoring is the ongoing process of tracking and reviewing the identified risks and the effectiveness of the mitigation strategies put in place. Continuous monitoring ensures the organization is well-prepared to respond to changes in the risk profile over time.
Effective risk monitoring includes regular reporting, reviewing, and updating the risk management plan to ensure it remains relevant and effective in the current business environment.
Enterprise risk management (ERM) embodies a comprehensive approach to risk management that extends beyond traditional methods to encompass a broader range of business risks.
Unlike conventional risk management, which may focus on isolated domains such as operational, financial, or technological risks, ERM integrates risks from various facets of a business and offers a unified view. This consolidated perspective is particularly beneficial for C-suite leaders and board members, as it facilitates strategic decision-making.
By understanding the interdependencies and cumulative impact of different risks on overall business objectives, executives can align risk management with their strategic planning, enhancing their organization’s resilience and adaptability.
For example, consider how Apple has implemented ERM to manage its complex global operations. Apple’s ERM framework encompasses various risks, including supply chain disruptions, intellectual property issues, and market volatility.
By integrating this broad range of risks, Apple can make strategic decisions that balance innovation with risk, such as diversifying its supplier base and investing in robust cybersecurity measures. This approach has helped Apple not only to mitigate risks but also to seize growth opportunities in the fast-evolving tech industry.
This comprehensive analysis and assessment of potential risks aid in devising robust business continuity plans, ensuring the organization remains operational and continues to meet its objectives even in the face of adversities.
For example, a hospital system implementing ERM could identify potential risks related to natural disasters and infectious disease outbreaks. By aligning its ERM findings with its business continuity plans, the hospital is better prepared to maintain operations during a pandemic and provide continuous care for patients.
Furthermore, ERM contributes to achieving business benchmarks by fostering a culture of informed decision-making. Identifying and analyzing risk events in a structured manner provides valuable insights that aid in setting realistic and attainable benchmarks.
It also offers a clear pathway for monitoring progress toward achieving these benchmarks and makes sure the risk management initiatives are aligned with overall business success. An illustration of these benefits can be seen in a financial services firm employing ERM to align its risk management strategies with its business benchmarks in customer satisfaction, regulatory compliance, and financial performance. Through continuous monitoring and adjustment of its risk management practices, the firm can achieve and exceed its set benchmarks, showcasing the value of a holistic risk management approach.
Creating an effective risk management plan is pivotal for business leaders who want to safeguard the organization against unforeseen adversities. Here’s a step-by-step guide to aid leaders in developing a robust plan.
Begin with a thorough identification process to list down all possible risks that could affect your organization. Use tools like SWOT analysis, brainstorming sessions, and historical data analysis to uncover potential risks. Engage different departments to ensure a comprehensive identification process.
Assess the identified risks based on their likelihood and potential impact on the organization. Utilize risk assessment matrices to prioritize risks and understand their implications better. This step should provide a clear insight into which risks need immediate attention.
Formulate strategies aimed at mitigating risks and the impact of identified risks. Each strategy should correspond to a specific risk and might range from risk avoidance to risk acceptance. Additionally, consider investing in insurance policies to transfer certain risks.
Allocate necessary resources like finances, personnel, and technology to support the implementation of your risk mitigation strategies. Ensure there are clear budgets and responsible persons assigned to each strategy.
Communicate the risk management plan to all stakeholders and train relevant personnel on their roles within the plan. Effective communication and training ensure everyone is aligned and equipped to manage risks effectively.
Put the plan into action by implementing the formulated risk mitigation strategies. Monitor the implementation process to confirm it aligns with the plan, and make adjustments as necessary to address any challenges that arise.
Continuously monitor the effectiveness of the risk management plan and the evolving risk landscape. Regular reviews help identify any gaps in the plan, so leaders can make necessary updates..
Create a feedback mechanism to gather insights from the implementation process. Encourage stakeholders to report on the effectiveness of risk mitigation strategies, and use this feedback to improve the response plan.
Engage risk management experts or enroll in specialized programs like IMD’s Boards and Risks program , which can help board members upgrade their risk oversight capabilities by offering a structured approach toward understanding and managing various business risks
Promote a culture of continuous improvement by learning from the successes and failures of the risk management process. Analyze performance data, stay updated on evolving best practices, and strive for continuous enhancement of your risk management plan to ensure it remains robust and relevant.
Throughout this exploration, we’ve underscored the pivotal role of risk management in steering organizations through the myriad of uncertainties inherent in today’s business landscape.
From understanding the risk management process to the broader perspective offered by enterprise risk management (ERM), the journey toward effective risk governance is both a necessity and an opportunity for organizational resilience and sustainable success.
As the business ecosystem evolves, embracing a culture of continuous learning and adaptation in risk management is imperative. Engage with IMD’s Board at Risk learning journey to further enhance your risk management acumen and prepare your organization to not only withstand adversities but to thrive amidst them.
To quote O. Sarl Simonton, “In the face of uncertainty, there is nothing wrong with hope.” Coupling hope with a robust risk management strategy is the blueprint for enduring success in an unpredictable world.
Subscribe now for exclusive content from imd.
Leadership is crucial to the success of individuals, teams, and organizations. It encompasses diverse skills, qualities, and approaches that empower individuals to guide and inspire others toward achieving common goals. As the business environment continues to evolve, so will the concept of leadership — adapting to meet the demands and challenges of a dynamic world. […]
Imagine navigating a ship through uncharted waters in the dark, with each crew member holding a piece of the map. That’s the challenge of leadership in today’s dynamic, ever-evolving business landscape. How do you, as a leader, unite these diverse pieces to chart a successful course? The answer lies in inclusive leadership. In a world […]
What if you could supercharge your leadership development in a way that’s tailored specifically to you? Today’s business leaders are under immense pressure to deliver. It’s not just about achieving quarterly targets; it’s about being a visionary, a strategic thinker, and a great manager. That’s where executive coaching comes in. Far from being a sign […]
Do you believe each team member has a unique strength that can fuel innovation and solve complex challenges? If your answer is yes, you might want to explore the landscape of laissez-faire leadership. Laissez-faire leadership, a term many have heard but few completely understand, is growing more relevant in today’s ever-changing, complex work environments. It […]
IMAGES
VIDEO
COMMENTS
Importance of risk management. Risk management plays a vital role in various industries, as it helps organizations anticipate and address potential threats and uncertainties. By proactively managing risks, businesses can minimize financial losses, protect their reputation, and ensure the safety and well-being of their employees and stakeholders.
Risk is an effect, in terms of a positive or negative deviation from expected outcomes, resulting from uncertainty (ISO 31000, 2018), that can affect economic performance, business continuity, reputation, and environmental and social outcomes of an organization.Risk management (RM) supports companies in achieving their goals, exploring new opportunities, and reducing potential losses in an ...
by Samuel G. Hanson, David S. Scharfstein, and Adi Sunderam. In modern economies, a large fraction of economy-wide risk is borne indirectly by taxpayers via the government. Governments have liabilities associated with retirement benefits, social insurance programs, and financial system backstops. Given the magnitude of these exposures, the set ...
4 Reasons Why Risk Management Is Important. 1. Protects Organization's Reputation. In many cases, effective risk management proactively protects your organization from incidents that can affect its reputation. "Franchise risk is a concern for all businesses," Simons says in Strategy Execution. "However, it's especially pressing for ...
Accessibility. This Doctoral Thesis, A systems thinking approach to risk reduction and mitigation. for improving disaster management, presented by Anshu Shroff, and Submitted to the Faculty of The Harvard T.H. Chan School of Public Health. in Partial Fulfillment of the Requirements for the Degree of Doctor of Public.
Establishing an enterprise risk management (ERM) system is widely viewed as providing firms with the tools and processes needed to build resilience and expertise, enabling them to manage the consequences of crises that have led to the collapse of major firms across different industries globally. Intended for use in advanced accounting, auditing, and finance courses, this case study (of a true ...
A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions. To anticipate and ...
global financial crisis. The concern is that top-down risk management will inhibit innovation and entrepreneurial activities. We disagree and argue that risk management should function as a Revealing Hand to identify, assess, and mitigat risks in a cost- e efficient manner. Done well, the Revealing Hand of risk management adds value to firms
In particular, RQ1 and RQ3 are formulated to understand how to adopt PRM in SMEs, and RQ2 is defined to identify the evidences and outcomes deriving from a successful PRM adoption. To achieve the research objective and answer the research questions, an exploratory and explanatory research through multiple case studies was conducted as it is the most suitable methodology for this type of ...
Introduction. Risk is an essential part of everyday life and risks are unavoidable in any complex program. 1 A common definition of risk is "the chance of something happening that will have an impact on the achievement of the stated organizational objectives". 2 Risk management is defined in the literature as "all the activities connected with hazard identification, assessment, selection ...
Current crises pose uncertainties and threats to family businesses (FBs), demonstrating the importance of risk management (RM). Based on an explorative case study of nine Austrian medium-sized FBs, we examine the design of RM in FBs and how the COVID-19 crisis impacts their RM practices. The findings highlight that the medium-sized FBs analyzed generally rely on both formal and informal RM ...
Improve phase including risk mitigation; 5. Control phase including 5-1. The recommended improvement action plan be documented; 5-2. ... The most important phase, guiding the risk management process, and determines the main policies in risk management is the phase of planning and setting objectives, which is done incompletely in most studies ...
Like strategy, risk and resilience management requires a strong business and market perspective, a risk mindset, and interdisciplinary thinking. For risk professionals, this is a call to come out of the ivory towers and into the marketplace. Identify the organization's natural strengths and Achilles' heels.
The Study investigated to acquire an overall idea about risk and its consequences in construction field and the process required for its management. The effect of risk on assessment of a project ...
This work provides a general risk management procedure applied to synchronized sup-ply chains. After conducting a literature review and taking the international standard ISO 28000 and ISO 31000 as a reference. The most important steps that enable organizations to carry out supply chain risk management are described.
Purpose. The purpose of this study is to examine how managers in financial institutions satisfy themselves of the effectiveness of risk mitigation strategy and management control. It studies the co-opting of accounting tools within a single financial institution case study, examining the recursive and emergent characteristics of risk management ...
Once the risk is identified it is documented in detail; subsequently the concerned stakeholders undertake possible risk management and mitigation processes. A comprehensive review of the situation and critical feedback are usually required that may ultimately lead to changes in the organizational polices and structures; particularly in case of ...
Conclusions: It is important that the entire risk management process is standardizsed and . managed in an active manner . In the case study below , risk management was one of the success . factors ...
Company A: Case Study in Risk Management Excellence. Now, let's take a look at a case study that highlights risk management excellence in practice. ApexTech Solutions is a company known for its exemplary risk management practices. Founded in 2005 by visionary entrepreneur Sarah Lawson, ApexTech began as a small start-up in the tech industry.
How do different organisations use Predict! to manage their risks and opportunities? Read our risk management case studies to learn from their experiences and insights. Find out how Predict! helps them to achieve their strategic objectives, deliver projects on time and budget, and improve their risk culture.
He has a broad range of knowledge of Investment Management systems including investment research, portfolio management, trading, compliance, back office, CRM, and client reporting. Gary has expertise with technical infrastructure, operational risk, business continuity, SOX compliance, SSAE16 certification, vendor management, and cloud services.
The study have consistently shown that machine learning algorithms outperform traditional statistical methods in areas such as credit risk assessment, fraud detection, market risk management, and ...
The initial step of supply chain risk management is identifying and evaluating the potential risks that could affect the supply chain operations. This phase involves the use of predictive analytics for risk identification, wherein historical data, market trends, and current events are analyzed to forecast potential disruptions.
This work provides a general risk management procedure applied to synchronized supply chains. After conducting a literature review and taking the international standard ISO 28000 and ISO 31000 as a reference. The most important steps that enable organizations to carry out supply chain risk management are described. Steps such as defining the context, identifying and analyzing risks or avoiding ...
4.4 Risk Mitigation. Risk Mitigation is the phase in which mitigation decisions are taken to stop or at least reduce the effects of risks. ... This chapter explained the central importance of risk management for NPOs. ... Mohammed KM (2007) Managing risk: a case study of a non-governmental organization that provides long- term care and support ...
Gen AI high performers are also much more likely to say their organizations follow a set of risk-related best practices (Exhibit 11). For example, they are nearly twice as likely as others to involve the legal function and embed risk reviews early on in the development of gen AI solutions—that is, to "shift left." They're also much more ...
In addition, there are other prevention strategies that you can choose to further protect yourself and others. Wearing a mask and putting distance between yourself and others can help lower the risk of COVID-19 transmission. Testing for COVID-19 can help you decide what to do next, like getting treatment to reduce your risk of severe illness ...
Risk management process. The risk management process is a structured approach that enables organizations to identify, assess, mitigate, and monitor risks. Implementing a thorough risk management process is crucial for understanding and preparing for the potential risks that come with operating in any industry.