STUDY ON RISK MANAGEMENT IN BUSINESS

Teodora – Bianca FLORICEL^[1], Nina GOLOWKO^[1], Andreas BARTELS^[1]

e-mail: tfloricel@gmail.com

Abstract

In the current economic context marked by globalization of phenomena, we can observe an emphasis on keeping business risk under control, therefore being developed some risk management systems, better adapted to different areas of activity.

This paper highlights some results of a study made by the authors, based on literature review, the objectives being: 1) highlighting the current approaches to risk management in business; 2) identifying specific business risks in case of environmental services.

For this purpose, the current approaches are highlighted previously on the model of business risk management systems. In the same time, there are analyzed the risks in various fields.

Following the study, the authors clarify specific aspects of risk management systems and argues the importance of identifying specific risks from companies which develop their activity in the field of environmental management services.

Key words: risk management, business, global economy, environmental management services

Nowadays, the business world is in a continuous process of changing, characterized by complexity, uncertainty and risks.

Throughout time, the characteristics of the current business environment had an important role in the introduction of risk management in organizations.

The reasons for integrating risk management are mainly related to the increasing number and complexity of the risks and the organizations need for security. These possible risks cannot always be completely eliminated, but at least can be controlled so as not affect the company.

The concerns for an efficient risk management had been intensified, in the last years. This has resulted in the establishment of an appropriate risk terminology, and methods supported by modern and efficient management tools.

In order to normalize the process through which it can perform the risk management, organizational structure of risk management and objectives, have been developed a series of standards, guidelines and methodologies.

In contrast with projects for which have been developed a large number of internationally recognized methodologies, in business field there is still no universally accepted procedures for risk management. The disaster management or technological field is good represented because each country creates their own standards or intervention plans, some of these being adopted as risk management procedures in business.

The risk management procedures developed for the public sector are very well detailed and formalized. Beginning from these ones, many specific elements can be adapted and used in risk management in business (Ciocoiu C. N., 2014).

For the purposes of this article, the authors will concentrate on the current approaches related to risk management systems and from existing risks typology they will identify the specific risks of environmental management services.

MATERIAL AND METHOD

Given the global economy and current trends, organizations face more often with various threats to their activity level. For this reason, the integration of risk management system at organization has become a necessity dictated by the business complexity and the multitude of risk factors (Bostan G. M., 2012).

Another reason why risk management is included in sustainability strategies is related to the new environmental dynamics which has strongly affected performance of the companies, in general (Mateescu R. M., Olaru M., Lange S., Rauch M., 2015).

To overcome possible risks, firstly is needed their identification and analysis. Risk analysis has three steps: risks identification, risk assessment and business impact analysis (Gibb  F., Buchanan S., 2006).

The risk is present in all areas, but we will focus further on risk analysis in business.

To have control over risks in business, it appears a new concept called business continuity risk control, defining the application of appropriate controls in order to achieve a balance between operational and recovery services (Nosworthy J. D., 2000).

There is a variety of approaches in terms of stages of the process, but in a large vision, risk management supposes four interrelated processes: continue and systematic investigation of exposure to various risks and losses; assessing their nature, frequency, severity and potential impact; planning and organizing some adequate risk control techniques that minimize losses and capitalize opportunities; implementation of such techniques, internally (at department and top management level of the organization) and externally (in collaboration with organizations specialized in loss control, insurers and other specialists in the area of risk management) (Ciocoiu C. N., 2008a).

The existing business risks in the context of global economy have led to the appearance of specific standards in this field. The purpose of these standards is subjecting companies to the same rules to achieve the desired performance.

Kogan and Nikonov (2009) believe that although organizations manage different risk categories, risk management structure is the same everywhere and a unique standard can help reduce the risk of „too many risk standards”.

Several approaches were investigated, ranging from alignment of management practices to full integration approaches, based on the principles of Total Quality Management. The role of The European Foundation for Quality Management (EFQM) Model for Business Excellence and Risk Management practices outlined by the international standard ISO 31000 as integration factors were investigated (Hohan A. I., Olaru M., Keppler T., 2015).

One of the standards that treats the risk management is ISO 31000: 2009. According to the mentioned standard, the process of risk management begins with the establishment of external and internal context in which will take place the trial.

Addressing to ISO 31000: 2009, the risk management process includes seven iterative elements (Figure 1).

For determining the external context, it is necessary to define the company relationship with its environment, including strengths, weaknesses, opportunities and organization threats (SWOT analysis). This context includes also various stakeholders and the communication policies used with them.

Figure 1 Risk management according to ISO 31000:2009

Source: made by authors after Ciocoiu C. N., 2014

Establishing internal context begins with understanding all the objectives of the company strategy to achieve these objectives and key performance indicators, the organization’s mission and management structure. Also during this stage , it is advisable to identify the organization’s attitude to risk. Another important aspect is the importance given to risk management and to the size of resources allocated to this process.

This stage ends the definition of risk management or risk categories with relevance to the company, departments and activities involved in risk management and its range of application, criteria underpinning risk assessment and the objectives pursued by organization during the analysis. The objectives set will be used in describing the risks impact.

The risk identification suppose a documentation on the conditions and events that are important in achieving the organization’s objectives or represent exploitation areas for competitive advantage. For their identification there are recommended the following methods: lists of risks, the experience of those involved, brainstorming, scenario analysis, flow charts and systems engineering techniques (Ciocoiu C. N., 2014).

Identifying the risks involves equally a good knowledge of the organization, of the market, the legal, social, political and cultural environment in which it operates, as well as organizational objectives (operational and strategic), including critical success factors and threats and opportunities which can arise in achieving these objectives (IRM, AIRMIC, ALARM, 2002).

Risk analysis aims to estimate risk probability of occurrence and impact.

This can use several methods such as: qualitative analysis, quantitative and semiquantitative.

There are followed four steps in risk analysis: determine the frequency of occurrence of each risk, granting a degree of occurrence using a scale, impact assessment of that risk occurrence, scaling the severity of consequences.

Risk assessment is the stage in which are taken the decisions on the risks that require a specific treatment, by comparing the analysis results with criteria set by the organization in the setting  stage of risk management context.

The most active stage is establishing how to deal with risks. Now, they are set strategies to minimize the possibility of such risks or impacts and actions to be taken otherwise.

The risk identification process involves also anticipated determination of events that may affect the organization objectives and the establishment of their characteristics.

The basic condition for the functioning of the risk management system is the correct identification of these ones. If the risk is underestimated, the level of protection would be insufficient to cover losses, and if it is overvalued, the cost of protection in excess will diminish gains from that activity.

The process of risk management is defined so that all material risks can be identified, prioritized and effectively managed.

In the following, it is presented the risk management  scheme with the three phases.

Figure 2 Risk management phases

Source: made by authors after EFQM, DNV (2005)

The risk identification aims the exposure to the risk of property, rights and human resources and the hazard and potential threats that causes these exposures to risk.  It involves two steps: the perception of the fact that a certain risk threatens the organization and the proper risk identification.

First of all, the risk classification  is important to eliminate the confusion between the causes, effects and consequences in risk analysis. Therefore, in the following, we present the risk classification depending on determinant factors.

The 5 categories of risk resulting from risk analysis in relation to the strategy of an organization (Ciocoiu C. N., 2014): 1) strategic risks – from the activities in a particular economic sector or in a particular geographic area; 2) operational risks – derived from various operational and administrative procedures used to implement the strategy; financial risks – come from the financial structure of the company, transactions with third parties and the used financial systems; conformity risks – derived from the necessity of compliance the laws, rules and other less formalized social expectations; environmental risks – it can be included in the conformity risks but in certain fields are very important and need to give a special attention to this category.

Depending on where the risks can be located, there are: risks related to property, risks related to staff, market risks and risks affecting consumers.

Because till now, we treated the risks depending on their specific features, we made also a classification from different criteria, and in the following will be presented some risks identification methods.

The principal stage in risk management is represented by their identification, made in different methods and using a various sort of information.

Regarding the risk identification methods, the intuitive use of managers experience was proved to be a useless and unsatisfactory technique because managers experience and specialization are not sufficient in this process. However, this method can be useful when it is used with other methods.

Company experts can identify a small number of risk because of their involvement in several businesses, avoiding in many cases to discuss the risks with members of other departments. They adopt this attitude to the rest of the organization just disregarding the possible impact on others. The method is recommended for companies with a risk-taking culture that propagates       and       uses other     methods            of identification.

Structured interviews were used a long time to get information from staff consultants and firms, and project or risk managers to identify risks associated with projects.

Brainstorming is a very efficient method to identify risks and establish response strategies. Specialists involved in carrying out the activity or project company must know very well the  functional and operational aspects.

Using external specialists/experts is a highly recommended method, but involves more time for the experts to become familiar with the project, organization and procedures.

The development of some standard questionnaires dedicated to people involved in carrying out activities is an effective method if they are adapted to each type of activity and operational area. Another similar method is represented by risk control lists. These start from potential sources of risk: the framework in which it operates, personnel participating in the implementation, changes in law and economy, wrong estimates of budget and execution term.

Risk table is another method similar with risk control lists. In this table, information is structured in: threats, resources, consequences and factors which may act to modify the undesirable effects of events.

Expert systems are modern methods of risk identification, but are very expensive. Their usefulness is high for many common business risks.

Charts can be used to describe graphic and sequential the activities of a process to identify exposures, dangers and hazards. There are a variety of methods that can be used: flowcharts, process mapping, product analysis, dependency analysis, location analysis, critical path analysis.

These methods can show the existing interdependencies within the organization, can identify bottlenecks and determinate a critical path. They do not indicate frequency or severity of the impact, but show the minor processes with major potential of loss. A characteristic of these is that they have a limited applicability to other types of risks than that one’s of the process and in most cases are too oriented toward process.

Flowcharts are represented as icons processes using predefined symbols. These separate the process in steps in order to facilitate its understanding and identifying risks.

Mapping process is similar with flowcharts, but it can use representative images to describe the process stages, and to show how are correlated the risks.

The advantages of using flowcharts or mapping processes are represented by the fact that: it provides a simple and clear visual representation of the steps involved; facilitates understanding, explaining and analyzing complex processes and associated risks and it is a precondition for using other tools.

The analysis of fault tree starts from a product defect or process that produces losses and presents the necessary conditions to determine the event. It highlights situations that sometimes do not present risks by themselves, but in combination it become dangerous for product, process and for organization. The graphical representation allows identifying risk factors, requirements or incompatible specifications, events or common risk factors (Ciocoiu C. N., 2014).

After the presentation of these risks identification methods we conclude that there is a variety of tools that can identify risks. The condition is that we have to know these methods and choose the most suitable for our organization.

This study was realized after an analysis of the specific literature and current articles from the risk management field.

RESULTS AND DISCUSSIONS

Through this paper, the authors clarify aspects of risk management systems and show the importance of identifying risks within companies.

The risk analysis is often neglected, although it has the biggest impact on business continuity. It consists in predicting the probability of risk occurrence and effects and use of obtained information to quantify the risk value. This process allows decision makers a more accurate and complete assessment of the relationship between risk and potential loss or gain.

Depending on the level of implementation risk management (basic, intermediate, advanced), risk analysis may be qualitative and quantitative or the combination of these two types.

Risk management knows a multilevel implementation within organizations, depending on certain criteria. The most important criterion is the size of the organization.

In the following there are graphically represented the application levels of the risks management and management involvement.

Figure 4 Application levels of the risks management and management involvement

Source: Rusu C., Visoiu. I., 2010

As we can see from figure 4, there are ranked the different levels of risk management depending on the developed level: project level, business unit or corporation.

Considering all items previously discussed, among companies in the field of environmental management, as in other fields, is established a lack of awareness related to importance of implementing risk management.

CONCLUSIONS

The risk management consists in a knowledge process of potential factors that threaten the organization’s security, the measuring of their severity, reducing the effects by prevention and protection and transfer of these effects that cannot be managed at the specialized companies in risk management.

As a conclusion of the study conducted, it has resulted that due to a lack of awareness regarding the importance of implementing risk management in organizations, these do not face the risks.

To analyze the results of risk management in the studied organizations we took into account the use of measures directed on customers’ perception and performance indicators.

So we identified among the company that offers environmental management services in Romania, the following risks: risks of environmental pollution because of the potential area in which they operate, due to faulty construction of gathering stations; operational risk – at material and human resources management level and the strategic risk due to the problem of location and treatment station.

In conclusion, regarding the formal organization of risk management, we cannot speak of a clear separation between general management, management of different fields (production, finance, marketing) and risk management.

Most companies manage risks in individual management departments. Although, in the biggest companies there is a specialized department in evaluation, analysis and risk management, the newly created position serves as an intermediary for traditional functions of the organization management.

REFERENCES

Bostan, G.M., 2012 – Risk management – the foundation of sustainable development in a new society based on knowledge, Bucharest

Ciocoiu, C.N., 2014 – Risk management. An integrated approach, Management Collection, Bucharest, ASE Publisher

Ciocoiu, C.N., 2008a – Risk management. Theories, practices, methodologies, Bucharest, ASE Publisher

EFQM, DNV, 2005 – The EFQM for Risk Management: Driving Excellence in Risk Management, Brussels, Belgium: EFQM; Istanbul: KalDer

Gibb, F., Buchanan, S., 2006 – A framework for business continuity management. Int. J. Inf. Manage, Vol. 26 (2), 128-141

Hohan, A.I., Olaru, M., Keppler, T., 2015 –  Integration of risk management practices in the framework of an integrated management system environmenthealth and safety – information security, Supplement of “Quality-access to success” Journal, categoria B+, Supplement of Quality-Access to Success, Vol. 16, S1, 2015 , pp.289295, http://www.srac.ro/calitatea/arhiva/supliment/2015/Q-asContents_Vol.16_S1_March-2015.pdf

IRM, ALARM, AIRMIC, 2002 – Risk Management Standard, Institute of Risk Management, The National Forum for Risk Management in the Public Sector, UK, The Association of Insurance and Risk Managers, London

Kogan, I., Nikonov, V., 2009 – How can ISO Management System Standards contribute to mitigate business risks?, International Conference on Risk Assessment and Innovation, 24-25 November 2009, Geneva, Switzerland, available on-line at: http://www.unece.org/trade/wp6/documents/2009/2009_ConferenceRisk.html

Mateescu, R. M., Olaru, M., Lange, S., Rauch, M., 2015 – Study on supplier invoice risk  management in a global supply chain, in the Proceedings of the 26^th IBIMA conference on Innovation Manage-ment and Sustainable Economic Competitive Advantage: From Regional Development to Global Growth will be held in Madrid, Spain 11-12 November 2015, http://www.ibima.org/

Nosworthy, J.D., 2000 – A Practical Risk Analysis Approach: Managing BCM Risk, Vol. 19

Rusu C., Visoiu I., 2010 – Implementing risk management at organization level, Bucharest, Economica 

[1] The Bucharest University of Economic Studies, Romania