Explain the meaning of risk management to an organisation

Assignment Brief

Indicative content: Assignment 7022- Developing risk management strategies

Task 1

Assessment Criteria & Indicative Content

A.C. 1.1 – Explain the Meaning of Risk Management to an Organisation

• Define risk management in an organisational context.

• Reference relevant academic and industry sources.

• Discuss:

  • Strategic risk and risk management.

  • Risk in organisational/operational contexts.

  • Risk vs. uncertainty.

  • Strategic integration of risk management.

  • Unforeseeable risks (e.g. Nassim Taleb).

  • Predictability vs. unpredictability.

  • Types of strategic risk: operational, financial, corporate, environmental, and project risks.

  • Risk and legislation.

  • Risk and stakeholder perception.

A.C. 1.2 – Determine Roles and Responsibilities at Senior Management Level

• Build upon A.C. 1.1 with focus on senior management.

• Discuss:

  • Senior management responsibilities.

  • Attitudes to risk (Hurwicz, Wald, Savage, Laplace).

  • Managing irrational risk (Taleb).

  • Risk vulnerability (Allan and Beer).

  • Managing complexity, uncertainty, and ambiguity.

  • Dynamic risk management.

  • Senge’s ladder of inference.

A.C. 1.3 – Evaluate Risk Management Models

• Evaluate at least two risk management models.

• Include:

  • ERM approach – COSO ERM framework (pros/cons).

  • MoR (Management of Risk) framework (pros/cons).

  • GRC capability model – OCEG Red Book (pros/cons).

  • ISO 31000:2009 standards (pros/cons).

  • Organisation’s risk policy, objectives, and plan.

  • Slywotzky and Drzik’s six steps to managing strategic risk.

  • Strategic objectives, KPIs, and risk.

Guideline Word Count: 800–900 words

Task 2

Assessment Criteria & Indicative Content

A.C. 2.1 – Evaluate Risk Management Criteria

• Evaluate six risk management criteria.

• Discuss:

  • Risk management process – ISO 31000:2009.

  • Rational approach to decision-making.

  • WBGU risk classes and strategies.

  • Risk profile and risk appetite.

  • Strengths and weaknesses of each criterion.

A.C. 2.2 – Critique Techniques to Identify and Quantify Risk (Including Interdependencies)

• Critically analyse techniques used for risk identification and quantification.

• Discuss:

  • Risk identification and interdependency – ISO Guide 73:2009.

  • Risk analysis techniques and factors.

  • Scoring methods – limitations and issues.

  • Tools/techniques: radar charts, FMECA, probabilistic risk analysis, Monte Carlo analysis.

Guideline Word Count: 800–900 words

Task 3

Assessment Criteria & Indicative Content

A.C. 2.3 – Develop Strategies to Eliminate, Mitigate, Deflect, or Accept Risk

• Select 4 risks:

  • Eliminate 1.

  • Mitigate 1.

  • Deflect 1.

  • Accept 1 (include reduction plan if applicable).

• Justify chosen strategies and compare with alternatives.

• Discuss:

  • Risk evaluation.

  • Types of risk treatment strategies: avoidance, reduction, transfer, retention.

  • Real-world/workplace examples encouraged.

A.C. 2.4 – Communicate, Resource, and Manage Risk Strategies

• Detail communication and resource management.

• Discuss:

  • Communication methods – Shannon and Weaver.

  • Role allocation and resourcing.

  • Financial controls and corporate governance.

  • Policy dissemination – Stafford Beer’s VSM (optional).

  • Risk treatment plan.

  • Cost-benefit analysis and funding.

Guideline Word Count: 800–900 words

Task 4

Assessment Criteria & Indicative Content

A.C. 3.1 – Evaluate the Outcomes of Risk Management Strategies

• Evaluate potential outcomes of Task 3 strategy.

• Assess impact on organisation and stakeholders.

• Discuss:

  • Strategic risk evaluation – Hubbard.

  • Scope of evaluation.

  • Issues with control systems (Hubbard).

  • Tools: HM Treasury, EFQM Model.

A.C. 3.2 – Determine Actions to Respond to Strategy Outcomes

• Identify actions arising from outcomes.

• Discuss:

  • Improving strategic risk management – GRC capability.

  • Over-optimism – Hubbard.

  • Treasury and Risk’s 2009 ERM.

Guideline Word Count: 800–900 words

Task 5

Assessment Criteria & Indicative Content

A.C. 3.3 – Devise a Disaster Recovery Plan

• Develop a disaster recovery plan for a familiar organisation.

• Include:

  • Planning for disaster.

  • Business impact analysis (BIA) – BCI.

  • Ingredients and format of a BIA.

  • Resource implications.

A.C. 3.4 – Examine Influences on Reviewing the Disaster Plan

• Identify and explain influences affecting plan reviews.

• Discuss:

  • Organisational review processes.

  • Best practices for review.

  • Access to individuals and data.

  • Size of organisation.

  • Environmental and legal issues.

Guideline Word Count: 800–900 words

Sample Answer

Developing Risk Management Strategies

Task 1: Understanding Risk Management and Strategic Integration

1.1 Meaning of Risk Management to an Organisation

Risk management refers to the process by which an organisation identifies, assesses, and responds to potential events or circumstances that could negatively impact its ability to achieve strategic objectives. It is a structured, continuous approach aimed at minimising potential losses while maximising opportunities. In an organisational context, effective risk management ensures that decision-makers are aware of potential disruptions and are prepared with strategies to mitigate them, enhancing overall resilience and stability (Hillson, 2009).

Strategic risk relates to uncertainties that affect an organisation’s long-term goals, such as market competition, regulatory changes, or reputational damage. Unlike operational risks, which are usually confined to specific processes or departments, strategic risks have a broader impact on the entire organisation. Risk management, therefore, must be integrated into strategic planning processes to ensure that risks are addressed in line with organisational priorities (Frigo and Anderson, 2011).

A clear distinction exists between risk and uncertainty. Risk involves situations where the probabilities of outcomes are known or can be estimated, while uncertainty pertains to scenarios where these probabilities are unknown (Knight, 1921). Organisations face both. For example, fluctuations in currency exchange rates may represent a calculable risk, while the emergence of disruptive technologies presents uncertain, unpredictable outcomes.

Strategic integration of risk management involves embedding risk-thinking into governance structures, decision-making processes, and organisational culture. This enables proactive identification of risks and ensures that responses are aligned with the organisation’s mission and values.

Some risks are unforeseeable, often referred to as "Black Swan events," a concept popularised by Taleb (2007). These are rare, high-impact events that fall outside the realm of regular expectations. The COVID-19 pandemic exemplifies such a risk, challenging even the most robust risk management systems. While these events cannot be predicted, organisations can enhance their adaptability and preparedness through scenario planning and flexible strategies.

Predictability plays a role in how organisations perceive and manage risk. While some risks, such as equipment failure, are predictable and thus manageable, others like geopolitical instability or public health crises are less so. Effective risk management must accommodate both types by combining quantitative analysis with qualitative judgement.

Strategic risks may include operational risks (e.g., supply chain disruptions), financial risks (e.g., liquidity issues), corporate risks (e.g., governance failures), environmental risks (e.g., climate change), and project risks (e.g., cost overruns). Each type requires different tools and responses, yet all must align with the broader risk management framework.

Continued...