The Securities and Commodities Authority (SCA) has identified eight stages and key steps for the "risk management" process in companies.

Risk management and compliance with the laws and regulations that govern the environment in which a company operates are closely linked to corporate governance and, integrated with other tools, help companies reach the best standard of management.

In an awareness leaflet, a copy of which Emirates Al Youm received, the authority defined risk management as the process of measuring and assessing risks and developing strategies to manage them. These strategies include transferring risk, avoiding it, minimizing its negative impacts, and accepting some or all of its consequences.

According to the SCA, the eight steps or stages of the basic risk management process are:

Preparation

This step or stage involves planning the risk management process, mapping the scope of work, and setting the basis to be adopted in the risk assessment, as well as defining the framework for the process and an agenda for analysis.

Hazard identification

The risks involved are identified at this stage. When the problem or its source is known, the incidents that result from this source, or that may lead to a problem, can be investigated.

The SCA identified common ways of identifying risks, namely goal-based identification, scenario-based identification, classification-based identification, and common risk review. All organizations and teams working on a project have objectives, and any event that jeopardizes the achievement of those objectives, whether in part or in whole, is considered a risk.

"In the process of scenario analysis, different scenarios are created that may be alternative ways to achieve a goal, so any event that generates a scenario that is different from what was conceived and undesirable is defined as dangerous."

The authority noted that "classification-based identification" is a breakdown of all potential sources of risk, whereas a "common risk review" is based on lists of potential risks that many institutions share.

Evaluation

"Evaluation" is the third step in risk management. After the potential risks have been identified, they must be evaluated in terms of the severity of the losses they cause and their likelihood of occurrence. In its publication, the SCA noted that these quantities are sometimes easy to measure, while in other cases they cannot be measured.

Dealing with risk

Once the identification and evaluation of risks has been completed, all the techniques used to deal with them fall within one or more of four main groups. The first is "transfer": means that help another party accept the risk, usually through contracts or financial protection.

The authority cited insurance as an example of risk transfer through contracts. A contract may also include a clause that guarantees the transfer of risk to another party without an obligation to pay premiums. "Avoidance" means trying to avoid activities that give rise to a risk, for example not buying a property, or not entering into a business, in order to avoid taking on legal responsibility.

It warned that "avoidance" seems to solve all risks, but at the same time can mean losing the benefits and profits that could have been obtained from the avoided activity.

The authority also referred to "reduction", which includes ways to mitigate the resulting losses. For example, software development companies follow risk reduction methodologies by developing programs gradually.

Develop the plan

This includes making decisions about the choice of ways to deal with risks, and each decision must be recorded and approved by the appropriate management level. The decision must be taken by senior management. In the case of information system decisions, for example, responsibility for the decision lies with the IT manager.

The authority stressed that the plan should propose security controls that are logical and feasible in order to manage risks, such as reducing the risk of computer viruses through the use of anti-virus programs.

Perform the operation

At this stage, the planned methods are to be used to mitigate the risks. Insurance should be used in case of risks that can be transferred to an insurance company. Avoidable risks are avoided without sacrificing the institution's goals, other risks are minimized, and the rest are retained.

Review and evaluation

The initial plans for risk management are not complete. Through practice, experience and losses on the ground, there is a need to make adjustments to the plans and use the knowledge available to make different decisions.

The SCA stressed that the results of the risk analysis process, as well as the management plans, should be updated periodically, both to assess whether previously used security controls are still applicable and effective and to assess the level of potential changes in the business environment, such as information risks.

Obstacles

The SCA confirmed that if risks are assessed or prioritized improperly, time may be wasted dealing with risks of losses that are unlikely to occur.

It added that spending a long time assessing and managing potential risks diverts resources that could have been used more profitably, pointing out that giving risk management processes a very high priority impedes the institution's work in completing its projects.

It stressed the importance of distinguishing clearly between "gravity" and "uncertainty".

The acceptance strategy

The SCA stated that "acceptance" or "retention" in dealing with risk means accepting losses when they occur.

In the opinion of the authority, this is an acceptable strategy in the case of small risks where the cost of insuring against the risk over time is greater than the total losses.

It considered that all risks that cannot be avoided or transferred must be accepted, pointing out that war is the best example of this, as property cannot be insured against war.