The company's risk management system. Enterprise risk management. Definition of basic concepts

The key to survival and the basis of the stable position of the enterprise is its stability. There are general, price, financial and other types of sustainability. Financial stability is the main component of the overall sustainability of the enterprise. The financial stability of an enterprise is such a state of its financial resources, their redistribution and use, when the development of the enterprise on the basis of its own profit and capital growth are ensured while maintaining its solvency and creditworthiness under conditions of an acceptable level of financial risk.

The purpose of financial risk management is to reduce the losses associated with a given risk to a minimum. Losses can be evaluated in monetary terms, and so can the steps taken to prevent them. The financial manager must balance these two assessments and plan how best to close the deal from the position of minimizing risk.

Depending on the object of influence, methods of protection against financial risks can be classified into two types: physical and economic protection. Physical protection consists in the creation of such means as alarms, the purchase of safes, product quality control systems, data protection from unauthorized access, hiring security guards, etc.

Economic protection consists in forecasting the level of additional costs, assessing the severity of possible damage, using the entire financial mechanism to eliminate the threat of risk or its consequences.

Let's consider some aspects of the organization of work on risk management, primarily financial.

Financial risk management methods

The literature describes four methods of risk management: elimination, loss prevention and control, insurance, and absorption.

Elimination is the refusal to undertake a risky activity. But in financial entrepreneurship, eliminating the risk usually eliminates the profit as well.

Loss prevention and control as a method of financial risk management means a certain set of preventive and subsequent actions that are due to the need to prevent negative consequences, protect yourself from accidents, control their scale if losses have already been incurred or are inevitable.

The essence of insurance is that the investor is ready to give up part of the income in order to avoid risk, i.e. he is ready to pay to reduce the risk to zero.

Insurance is characterized by the intended purpose of the created monetary fund, the expenditure of its resources only to cover losses in predetermined cases; the probabilistic nature of the relationship; return of funds. Insurance as a method of risk management means two types of actions:

1) redistribution of losses among a group of entrepreneurs exposed to the same type of risk (self-insurance);

2) seeking help from an insurance company.

Large firms usually resort to self-insurance, i.e. a process in which an organization that is often exposed to the same type of risk sets aside funds in advance and covers losses from them as they occur. In this way a costly contract with an insurance company can be avoided.

When insurance is used as a service of the credit market, this obliges the financial manager to determine the ratio between the insurance premium and the sum insured that is acceptable to him. An insurance premium is a payment for the insured risk of the insured to the insurer. The sum insured is the amount of money for which material assets or the liability of the insured are insured.

Absorption consists in recognizing the damage and refusing to insure it. Absorption is resorted to when the amount of the alleged damage is insignificantly small and can be neglected.

When choosing a specific means of resolving financial risk, the investor should proceed from the following principles:

you can not risk more than your own capital can afford;

one cannot risk much for the sake of little;

the consequences of risk must be foreseen.

The application of these principles in practice means that it is always necessary to calculate the maximum possible loss for a given type of risk, then compare it with the amount of capital of the enterprise exposed to this risk, and then compare the entire possible loss with the total amount of own financial resources. And only by taking the last step, you can determine whether this risk will lead to the bankruptcy of the enterprise.

Risk management process

The risk management process can be broken down into six stages:

goal definition,

ascertaining the risk,

risk assessment,

choice of risk management methods,

application of the chosen method,

evaluation of results.

From the point of view of financial risk, the definition of the goal is to ensure the existence of the company in the event of significant losses.

The goal may be to protect the operation of the enterprise from environmental conditions or to optimize the internal environment. The external environment of the enterprise is considered as two groups of factors: those of direct and those of indirect impact.

Factors of direct impact include suppliers, buyers, competitors, the state. Factors of indirect impact include the state of the economy, socio-cultural factors, political factors, achievements of scientific and technological revolution, international events.

The positive factors of the internal environment include the presence of a special “economic security” service, an “economic warning” system that prevents unforeseen expenses.

The next step is to ascertain the risk by collecting various information through official and informal channels. In addition to financial statements and business plans, official sources of information include periodicals, radio, television, etc. Unofficial information includes data obtained through industrial espionage.

Risk analysis (assessment). Once a loss has been incurred, the next step is to determine its severity.

Choice of risk management methods. In accordance with the results of previous studies, one or another method of risk management is selected. A combination of several methods is also possible.

Application of the chosen method is the adoption of specific steps to apply a particular method. For example, if insurance is chosen, then this step is to purchase an insurance policy. Insurance companies are selected depending on their specialization in the relevant insured risks, and then the optimal form of insurance policy is selected in terms of term, price and security.

In addition to insurance any risk management strategy includes a loss prevention and control program. Every function of financial management is involved in this: planning, organizing, directing and controlling.

Consider, for example, the role of planning as a management function in relation to financial risk management. One of the elements of intra-company planning is a business plan, in the structure of which there is a section "Risk Assessment".

This section of the business plan introduces an enterprise risk management tool. It is important to foresee all possible types of risks that an entrepreneur may face, to justify the sources of these risks and all possible moments of their occurrence. The section is aimed at studying not only financial, but also other risks (for example, political, legislative, natural (natural disasters), etc.). The section of the business plan "Financial Plan" is a monetary expression of all the calculations contained in the previous sections of the business plan. All risks presented in the "Risk Assessment" section find their monetary expression in the financial plan and affect the overall degree of financial risk. Below we will give some typical calculations that are carried out when compiling this section of the business plan.

The application of limits in relation to indicators of the financial resources of the enterprise budget is a concrete expression of the results of risk planning. Limitation is the setting of a limit, i.e. limits on expenses, sales, credit, etc. Limitation serves as an important means of reducing the degree of risk and is used, for example, by banks when issuing loans, and by enterprises in the sphere of circulation when selling goods on credit, etc.

Organizational function of financial management and risk management. Many large firms employ security specialists. These managers plan the firm's risk management strategy, conclude insurance contracts, and direct the firm's efforts to control losses. Their functions go beyond simple insurance: for example, they advise on how to protect insurance payments from inflation and choose ways to avoid losses. In medium-sized firms where there is no security specialist, the functions of the financial manager (financial director) also include responsibility for managing financial risks, which is why they should plan methods for managing financial and especially investment risks. In small firms, this is one of the functions of the owner.

Control function of management and risk management.

Loss prevention management is in many ways similar to performance and quality management. It is about leadership in the form of actions, and not about verbal influence in accordance with the general theory of management, which is built on trust and obligations of management towards employees, concluding a contract with the trade union (since the safety of employees is primary for trade unions). The concept of financial management is based on “distrust of our own employees” and “limited trust” in internal financial information (the most important principles for building an internal financial control system follow from this).

The next (and final) step in the financial risk management process is evaluation of results. This requires a well-functioning system of accurate information, which makes it possible to consider existing losses and the actions taken to prevent them.

Sometimes an investor makes decisions when the results are uncertain and based on limited information. Naturally, with more complete information, you can make a better forecast and reduce the risk. In this case, useful information acts as a commodity. The cost of complete information is calculated as the difference between the expected cost of an acquisition when complete information is available and the expected cost when information is incomplete. The purpose of risk analysis as one of the most difficult stages of financial risk management is to provide potential partners with data to make decisions about the feasibility of participating in the project and the ability to provide measures to protect against financial losses.

When conducting a risk analysis, first of all, it is necessary to determine their sources and causes, which of them are the main, predominant ones. Sources of risks can be economic activity, human personality, natural factors. The reasons include a lack of information, the uncertainty of the future, the unpredictability of the behavior of a business partner.

Risk analysis is divided into two mutually complementary types: qualitative and quantitative.

Qualitative analysis is the identification of all possible risks. Qualitative analysis can be relatively simple, its main task is to identify risk factors, stages of work during which the risk arises, etc.

When conducting a risk analysis, the degree of risk should be determined. The risk may be:

admissible - there is a threat of complete loss of profit from the implementation of the planned project;

critical - non-receipt of not only profits, but also revenues and coverage of losses at the expense of the entrepreneur's funds is possible;

catastrophic - loss of capital, property and bankruptcy of the entrepreneur are possible.

Quantitative analysis is the definition of specific monetary damage to individual subspecies of financial risk and financial risk in the aggregate.

Sometimes qualitative and quantitative analyzes are carried out on the basis of an assessment of the influence of internal and external factors: an element-by-element assessment of the share of their influence on the work of a given enterprise and its monetary value is carried out. This method of analysis is quite laborious from the point of view of quantitative analysis, but brings its undoubted results in qualitative analysis. In this regard, more attention should be paid to the methods of quantitative analysis of financial risk, since there are many of them and a certain managerial skill is required for their competent application.

In absolute terms, the risk can be determined by the scale of possible losses in material (physical) or cost (monetary) terms.

In relative terms, risk is defined as possible losses related to a certain base, for which it is most convenient to take either the property state of the enterprise or the total costs of this type of entrepreneurial activity.


Hosted at http://www.allbest.ru/

Organizational risk management

The concept of risk

The practice of doing business in market conditions causes an urgent need for managers to skillfully assess risks in the resource management process and effectively reduce or compensate for their negative consequences.

Risk is, in fact, the flip side of free enterprise. There is no risk-free business, and the highest profits tend to come from high-risk operations. The problem is not to look for a case without risk, with a clearly unambiguous predicted result, to avoid risk, but to anticipate it and strive to reduce it to the lowest possible level.

First of all, let's define the initial concept of "risk", bearing in mind that it has several meanings.

The term "risk" is not used here in the sense of danger. Risk is a potentially existing probability of loss of resources or non-receipt of income associated with a specific alternative management decision. In other words, risk is the possibility that an entrepreneur or organization, as a result of an unsuccessful decision, will suffer damage in the form of additional expenses or lost income.

So, risk is a probabilistic category, and it should be characterized and measured as the probability of a certain level of loss occurring. Therefore, risk assessment involves measuring the possible level of losses, on the one hand, and the likelihood of their occurrence, on the other.

Risk is inextricably linked to management. No manager is able to eliminate the risk completely, but by identifying the area of increased risk, measuring it quantitatively, assessing the acceptable level of risk and exercising regular control, the manager is able to control the situation and manage the risk to a certain extent. The art of risk management lies in balancing the levels of risk and potential reward. The manager compares the positive and negative aspects of possible decisions and evaluates their likely consequences, i.e. determines how acceptable and justified the risk is in comparison with the possible benefit.

Risk classification

As noted above, all operations in the market and, above all, investments are somehow associated with risk, and market participants always have to take on a wide variety of risks: loss of property, financial losses, reduction in income, lost profits. Therefore, in each case, it is necessary to take into account different types of risks. This means that the effectiveness of risk management largely depends on its type, which requires scientifically based classification. The classification of risks allows you to clearly define the place of each type of risk in their overall system and use the most effective methods and techniques that correspond to this particular type to manage it.

Depending on the possible economic result of the decision, risks can be divided into two groups: pure and speculative.

Pure risks mean the possibility of obtaining a negative (damage, loss) or zero result. This category of risks includes natural, environmental, political, transport and part of the commercial risks - production and trade.

Speculative risks are expressed in the possibility of obtaining both negative and positive (winning, profit) results. These include another part of commercial risks - financial ones.

Depending on the main cause of occurrence, risks are divided into natural, environmental, political, transport and commercial.

· Natural risk is the risk of losses as a result of the action of the elemental forces of nature, for example, economic damage as a result of an earthquake, flood, storm, epidemic, etc.

· Environmental risk - the probability of losses or additional costs associated with environmental pollution.

· Political risk - the risk of property (financial) losses due to changes in the political system, the alignment of political forces in society, political instability. Political risks are associated with the socio-political situation in the country and the activities of the state and do not depend on the economic entity. These include the probability of losses due to revolution, riots, nationalization of enterprises, confiscation of property, the introduction of an embargo, the refusal of a new government to honour the obligations of the previous one, etc. This category of risks can also include the risk of legislative changes, i.e. a significant change in the regulations governing business activities, for example, tax laws, laws on currency regulation, etc.

· Transport risk - the probability of losses associated with the transportation of goods by various modes of transport: road, rail, sea, air, etc.

· Commercial risks represent the probability of losses as a result of the business activities of economic entities. In accordance with the main types of business activities, this group of risks is divided into production, trade and financial risks.

· Production risk - the probability of losses or additional costs associated with failures or stoppages of production processes, violation of the technology of operations, poor quality of raw materials or personnel, etc.

· Trading risk - the risk of loss or non-receipt of income due to non-fulfillment by one of the parties of its obligations under the contract, for example, as a result of non-delivery or late delivery of goods, delays in payments, etc.

· Financial risks are associated with the probability of loss of financial resources (cash). They are divided into two types: risks associated with the purchasing power of money, and risks associated with the investment of capital (investment risks).

The risks associated with the purchasing power of money include inflation and currency risks.

· Inflation risk - the risk that the income received as a result of

· Currency risk is associated with significant losses due to changes in the foreign exchange rate. This type of risk is especially important and needs to be assessed when carrying out export-import operations and operations with currency values.

The group of investment risks is very extensive and includes systemic risk, selective risk, liquidity risk, credit risk, regional risk, industry risk, enterprise risk, innovation risk.

· Systemic risk - the risk of deterioration of the conjuncture (fall) of a market as a whole. It is not associated with a specific investment object and represents a general risk for all investments in a given market (for example, stock, currency, real estate, etc.), which means that the investor will not be able to withdraw them without incurring significant losses. Systemic risk analysis comes down to assessing whether it is worth dealing with this type of asset at all, such as shares, or whether it is better to invest in other types of property, such as real estate.

· Selective risk - the risk of loss or lost profit due to the wrong choice of an investment object in a particular market, for example, the wrong choice of a security from those available on the stock market when forming a portfolio of securities.

· Liquidity risk - the risk associated with the possibility of losses in the sale of the investment object due to a change in the assessment of its quality, for example, any product, real estate (land, building), securities, precious metals, etc.

· Credit (business) risk - the risk that the borrower (debtor) will be unable to fulfill its obligations. An example of this type of risk is the deferral of loan repayments or the freezing of bond payments.

· Regional risk is associated with the economic situation of certain regions. This risk is especially characteristic of single-product regions, for example, coal- or oil-producing regions, coffee- or cotton-producing regions, which may experience serious economic difficulties as a result of changes in market conditions (falling prices) for the main product of the region or increased competition.

Regional risks may also arise in connection with the political and / or economic separatism of certain regions.

The high level of regional risks can also be caused by the general depressed state of the economy in a number of regions (a decline in production, a high level of unemployment).

· Industry risk is associated with the specifics of individual sectors of the economy, which is determined by two main factors: susceptibility to cyclical fluctuations and the stage of the life cycle of the industry. According to these features, all industries can be divided into cyclical and less cyclical, as well as declining (dying), stable (mature) and rapidly growing (young). Of course, the risk of doing business and investing in mature or young and less cyclical industries is lower.

· Enterprise risk is associated with a specific enterprise as an investment object. It is largely derived from regional and industry risks, but at the same time the type of behavior, the strategy of a particular enterprise, its goals and the level of its management also contribute. One level of risk is associated with a conservative type of behavior of an enterprise that occupies a certain, stable market share, has regular customers (clientele), high quality products (services) and adheres to a limited growth strategy. A different degree of risk is associated with an aggressive, new, perhaps just created enterprise.

In addition, the risk of the enterprise includes the risk of fraud. So, for example, it is possible to create false companies in order to fraudulently attract funds from investors or joint-stock companies for speculative gambling on the quotes of securities.

· Innovation risk - the risk of losses associated with the fact that an innovation, for example, a new product or service or a new technology, on whose development very significant funds may be spent, will not be implemented or will not pay off.

Risk management

Most economic assessments and management decisions are of a probabilistic, multivariate nature. Therefore, mistakes and miscalculations are common, although unpleasant. However, the manager should always strive to take into account the possible risk and provide for certain measures to reduce its level and compensate for probable losses. This, in fact, is the essence of risk management (risk management). The main goal of risk management (especially for the conditions of modern Russia) is to ensure that in the worst case we can talk about the lack of profit, but not about the bankruptcy of the organization. International business experience shows that the majority of bankruptcies are caused by gross errors and miscalculations in management. Therefore, entrepreneurs and managers must pay special attention to effective risk management.

To assess the degree of risk acceptability, it is necessary, first of all, to identify certain risk zones depending on the expected amount of losses.

The area in which losses are not expected, i.e. the economic result of economic activity is positive, called the risk-free zone.

The zone of acceptable risk is the area within which the amount of probable losses does not exceed the expected profit and, therefore, commercial activity has economic feasibility. The boundary of the acceptable risk zone corresponds to the level of losses equal to the calculated profit.

The critical risk zone is the area of possible losses that exceed the amount of expected profit up to the value of the total estimated revenue (the sum of costs and profit). In other words, here the entrepreneur risks not only not receiving any income, but also incurring direct losses in the amount of all costs incurred.

And finally, the zone of catastrophic risk is the area of probable losses that exceed the critical level and can reach a value equal to the organization's own capital. A catastrophic risk can lead an organization or entrepreneur to collapse and bankruptcy. (In addition, the category of catastrophic risk, regardless of the amount of property damage, should include the risk associated with a threat to the life or health of people and the occurrence of environmental disasters.)

A visual representation of the level of risk is given by a graphical representation of the dependence of the probability of losses on their magnitude - the risk curve. The construction of such a curve is based on the hypothesis that profit as a random variable is subject to the normal distribution law, and assumes the following assumptions:

1) it is most likely to receive a profit equal to the calculated value Pr. The probability (Вр) of obtaining such a profit is the maximum, and the value Pr can be considered the mathematical expectation of profit. The probability of making a profit greater or less than the calculated one decreases monotonically as the deviation from Pr increases;

2) losses are considered to be a decrease in profit (DP) in comparison with the calculated value. If the real profit is equal to P, then DP = Pr - P.

The assumptions made are controversial to a certain extent and are not always fulfilled for all types of risks, but on the whole quite correctly reflect the most general patterns of changes in commercial risk and make it possible to construct a profit loss probability distribution curve, which is called the risk curve (Fig. 4).

The main thing in assessing commercial risk is the ability to build a risk curve and determine zones and indicators of acceptable, critical and catastrophic risks. For this purpose, three main methods of risk assessment can be applied: statistical, expert and calculation-analytical.

· The statistical method consists in the statistical analysis of losses observed in similar types of economic activity, the establishment of their levels and frequency of occurrence.

· The expert method consists in collecting and processing the opinions of experienced entrepreneurs, managers and specialists who give their estimates of the likelihood of certain levels of losses in specific commercial transactions.

· The calculation and analytical method is based on mathematical models proposed by probability theory, game theory, etc.

Risk management today is one of the dynamically developing professional activities in the field of management. The staff of many Western firms has a special position, the risk manager, whose duties include ensuring the reduction of all types of risk. The risk manager participates along with the relevant specialists in making risky decisions (for example, issuing a loan or choosing an investment object) and shares responsibility for their results with them.

Risk management includes the following main areas of activity:

· recognition, analysis and assessment of the degree of risk;

· development and implementation of measures to prevent, minimize and insure risk;

· crisis management (liquidation of the consequences of emerging losses and development of mechanisms for the organization's survival).

It is very important for an organization to form a certain risk management strategy, for which it is necessary to give specific answers to the following questions:

· what types of risks it must take into account in its activities;

· what methods and tools allow such risks to be managed;

· how much risk the organization can take on (the acceptable amount of loss that can be covered from its own funds).

However, it is not enough just to formulate a strategy for risk management, it is also necessary to have a mechanism for its implementation - a risk management system, which in turn implies:

· creation of an effective system for evaluating and controlling the decisions made;

· allocation within the organization of a special unit (employee) entrusted with risk management;

· allocation of funds and formation of special reserves to insure risks and cover losses.

Practice also confirms the expediency and necessity of developing a special instruction on risk management, which would regulate the actions of individual employees and structural divisions of the organization associated with possible risks. First of all, this applies to banks, credit, insurance organizations, investment institutions, as well as financial and commercial divisions of organizations of other types of activity.

Ways to manage risks

They can be divided into two main areas, which differ both in goals and in the instruments of influence used:

1) methods for preventing and limiting risk;

2) methods of compensation for losses.

The first direction, pursuing the goal of reducing the level of risk, includes the following methods:

· a thorough preliminary examination of the variants of the decision to be made and an assessment of the corresponding levels of risk;

· risk limitation - setting limits on the costs associated with a particular decision;

· use of various kinds of guarantees and pledge operations to ensure the fulfillment of the debtor's obligations;

diversification of risks, for example: investing the organization's capital in various types of activities (at least 12 companies are recommended), investing in various types of securities (8-20 types are considered the optimal value), optimizing the structure of the investment portfolio (1/3-large firms, 1 / 3 - medium, 1/3 - small), duplication of suppliers (at least two suppliers, and preferably three or four), separation of lots (at least two lots) when transporting valuable cargo, marketing of goods and services in several market segments ( different categories of consumers, clients, different regions, etc.), storage of valuables in different places, etc.;

· focus on the average rate of return (yield), as the pursuit of higher profits dramatically increases the risk;

· the use of effective control systems that allow timely detection and prevention of possible losses.

The second direction, which aims to compensate for the damage caused to the organization, should include the following risk management methods:

· creation of special insurance or reserve funds. For example, joint-stock companies, in accordance with the law "On Joint-Stock Companies in the Russian Federation", are required to create a reserve fund designed to cover possible losses and repay bonded loans in the event of a lack of profit. In addition, if it is provided for by the charter, a special fund may be created for the payment of dividends;

· insurance of risks with insurance organizations. This method involves the conclusion of insurance contracts for various commercial risks, property, civil liability, etc.

There are certain types of business activities in which the risk can be calculated, quantified, and where the methods for determining the degree of risk are well developed both in theory and in practice. This primarily applies to the insurance business and gambling business, where the methods of probability theory, game theory models and mathematical statistics are widely used. However, the application of these methods to other types of activity is often not as effective, since the insured risk refers to a specific object, regardless of the type of activity. For example, home or vehicle insurance does not take into account how the insured object is used. When evaluating entrepreneurial risk, the manager is primarily interested not in the fate of the entire object, but in the degree of probability and the amount of potential damage in the conditions of a particular transaction and related decisions.

The quantitative measure of risk can be expressed as an absolute or a relative level of losses. In absolute terms, risk is the amount of possible losses in physical (natural-material) or cost (monetary) terms; in relative terms it is the ratio of the amount of possible losses to some base, for example capital, total costs or profit. The task is complicated by the fact that in practice a specific management decision usually involves not one but several types of risk. The overall level of complex risk R is therefore taken as the sum of the private risks r_i:

R = Σ r_i

In this case a private risk r_i can be expressed as a deviation above or below a normatively specified minimum level of the corresponding type of risk, r_0i.

In this case

It is extremely important to be able to quantify the degree of risk that leads to bankruptcy. For this purpose the risk ratio is calculated, the ratio of the maximum possible amount of losses to the investor's own funds:

K_r = Y / C

where K_r is the risk ratio, Y is the maximum possible amount of losses, and C is the amount of own funds.

Empirical studies show that the optimal risk ratio is 0.3, and the critical one (exceeding which leads to bankruptcy) is 0.7.

Risk management as a scientific and professional specialization is a very complex area of management, as it sits at the intersection of several branches of knowledge and requires skills in mathematical modeling and forecasting, elements of strategic, financial and investment management, and knowledge of the specifics of insurance and exchange trading. Modern business increasingly needs exchange-traded risk management instruments, that is, derivative contracts (forwards, futures, options), used both to hedge risk and to earn profit. Most banks and financial organizations already use these instruments actively, but managers of commercial and especially industrial companies have yet to master and apply risk management methods.

Thus, entrepreneurial activity and its management are always associated with a certain risk. Risk is the probability of loss associated with a particular solution alternative. The task of managers is not to avoid risk, but to manage it. Therefore, any commercial operation requires careful analysis and risk assessment.

In the practice of management, managers have to deal with various types of risks, the main ones are: political risk, systemic, selective, industry, regional, enterprise, liquidity, counterparty, legislative risk, innovation and a number of others.

Risk management is a relatively new and dynamically developing field of professional activity of modern management. In commercial organizations, special positions are created for risk managers who are involved in the analysis, justification and making of risky decisions. Creating a risk management system in an organization involves: creating an effective system for assessing and controlling decisions made; the allocation of a special unit or employee involved in risk management; allocation of funds and formation of special reserves to insure risks and cover possible losses.

Risk management methods can be divided into two groups: methods for preventing and limiting risk (examination of decisions and assessment of the level of risk, limiting risk, using guarantees and collateral, risk diversification, etc.), and methods for compensating possible losses (reserving funds and risk insurance).


The modern business world is dynamic. After two years of transition (2014-2015), the features of a new reality are gradually emerging for business development in Russia. Under the conditions of a shrinking market and a weak ruble, enterprises are forced to build and develop their export potential in every possible way, which will require additional management restructuring. In this regard, the risk management system that enterprises will one way or another have to create can become an attractive resource for investors and a success factor in foreign and domestic markets.

The essence of risk management

This article echoes the material of the article on organizational aspects. Risk management is understood here as a set of targeted procedures for identifying, assessing and reducing risk to the values set by the strategic choice, implemented as a multi-stage process. The economic goal of such management is to reduce or compensate for damage to the organization when decisions have adverse consequences.

Under the conditions of uncertainty in the economic activity of an enterprise, risk management is a set of measures regulating strategic, tactical, design and operational-production relations. An integrated approach has a number of advantages (the corresponding diagram is located below), and from the standpoint of management functions almost the entire arsenal of management tools is involved, including components of financial management, logistics, economics, accounting, sales, etc. The complex of procedures is aimed at:

  • forecasting risk events and their identification;
  • rationale for risk aversion;
  • justification of risk acceptability;
  • risk minimization using the available range of tools;
  • elimination of the causes and consequences of risky events;
  • adaptation of companies that survived the crisis period to new business conditions;
  • bankruptcy protection.

Diagram showing the benefits of a comprehensive approach to risk management

The uncertainty of activity is only weakly correlated with its scale. Regular management, which can be deployed in large enterprises, does give a significant head start over the empirical management typical of small businesses. But, firstly, the cost of management rises sharply, and secondly, the number of risk factors becomes much larger. It can therefore be stated with confidence that one of the conditions for success is that the management of a business, regardless of its size, takes anti-risk measures. A separate question is how systematic that risk management is.

The objects of management are the actual risk, economic relations accompanying probable adverse events and risky investments. The subjects of management can be considered both in the broad and in the narrow sense of the word. From a common position, they are all members of the organization's team, including managers and employees. In a narrow sense, subjects are specially authorized managers, employees and divisions of the company. The goals and objectives of risk management are related to the stages of business development and its passage through the stages of the life cycle. The scheme for changing the composition of management objectives at the stages of the organization's activities and the tasks corresponding to them are shown in the diagram below.

Dynamics of goals and composition of risk management tasks by stages of company development

The concept and content of risk management systems

The risk management system (RMS), as a set of interrelated elements, contains on the one hand two subsystems: managing and managed. In addition, the RMS is a component of a higher-ranking system, corporate management, and is guided by the requirements of the organization's strategy. On the other hand, the system includes a technological complex of management and a complex of organizational tools and structures. Pay attention to the scheme "Structure of the RMS" presented below. It displays the main elements of the risk management system.

Scheme "Structure of the RMS" in the relationship of technological and organizational aspects

The enterprise risk management system is an element of the internal control and risk management mechanism, which is part of corporate governance, together with the technological toolkit that makes risk management effective. The system provides the organizational prerequisites, principles and structures for designing, implementing and improving the organization's risk management business processes. Thus, the RMS creates an infrastructure for risk management on a regular basis.

The main goal of the RMS is to minimize uncertainty about the achievability of the tasks set for management, and to develop and put into practice the risk management processes. The tasks in question are the results the development strategy requires, as carried into programs at the tactical and operational levels. The RMS provides regulated management of assessed risks and keeps the company's integral risk at the preferred acceptable level. The scheme of the interrelation of integral risk management with stakeholders is placed below.

Conflict resolution scheme for business leaders through integral risk management

The risk management system, especially in large companies, is called the corporate risk management system (CRMS). In addition to simply expanding the abbreviation, this, as a rule, entails increased requirements for the level of regulation of activities within the system. From the position of solving the main tasks in the CRMS, the following stages are sequentially performed.

  1. RMS diagnostics at the level of business units and the entire company.
  2. Development of the main structures of the CRMS (organizational, informational, financial, etc.).
  3. Creation of regulatory and methodological support for the CRMS.
  4. Structuring databases according to identified risks and risk events that have taken place.
  5. Development of mechanisms for monitoring and reporting on emerging events.
  6. Detection, identification and assessment of risks, drawing up a plan for their minimization and compensation.
  7. Formation of a risk map.
  8. Integration of the map update procedure into the business planning process.
  9. Analysis and assessment of the facts of response to risk events.

Specifics of risk management standardization

Risk management systems at domestic enterprises are built on the basis of Western standards that are rather poorly adapted to our realities. I do not consider here the experience of banks and insurance companies. It seems that in this sector of the economy the point of no return has been passed and the pace of development of risk management and the RMS supporting them can be considered satisfactory. Are you interested in what Russian companies can rely on, primarily in the manufacturing sector, in order to quickly increase their risk management potential? To do this, you need to touch on the history of the development of a systematic approach to risk management in the world and in our country.

Diagram of the world history of the development of standards in the field of risk management

Composition of current national and international standards in the field of risk management

Above is a diagram of the history of standardization and the composition of existing standards in the field of risk management in the world. It is obvious that in order for a Russian enterprise to meet the needs of investors and inspire confidence in the international arena, the approach to building a CRMS should be at least close to world standards. And in order to meet the requirements of exchange trading platforms, international and Russian corporate legislation, the system itself must be transparent and understandable to a competent stakeholder.

The COSO ERM risk management model is not a standard but a deep methodological development. The COSO cube is therefore difficult to ignore, and its main postulates deserve emphasis. Below are two diagrams that give an overview of this concept. The model:

  • defines the basic concepts of the internal control system;
  • describes in detail the main components of the risk management process;
  • presents an integrated risk management model in the visual form of a cube;
  • develops the principles of this management system;
  • formulates the functions and responsibilities of participants in the risk management process;
  • describes the management process itself;
  • gives recommendations to external and internal stakeholders on ensuring the successful functioning of the RMS in companies.

Key Components of the COSO ERM Risk Management Model

The company always remains face to face with its risks and defends itself from threats and the consequences of their realization at its internal borders. Regulators have their place on the "far approaches to the front line". And the support of regulators is, of course, necessary for business. It is another matter that domestic standards are copies of their Western counterparts. At the same time, it should be understood that the actual practice of the general mass of firms in developed countries has gone far ahead thanks to a longer history and a different level of managerial culture. Nevertheless, as a basis, the resources provided by the regulators are useful for starting the implementation of a CRMS.

Scheme of the composition of regulators that determine the requirements for the RMS

Algorithm for building CRMS in a company

You and I remember the axiom that management and its components are tied to the company's strategy. The strategy defines the principles of management activity and its main focus points. The specific feature of risk management is that the local risk management strategy undergoes a major adjustment in the middle of the management process. To build an RMS, the company's experience in the practical application of financial and economic theory, tax and civil law, and external regulatory documents and standards is important.

Internal and external pillars of building RMS in the company

Building a risk management system according to the model proposed below is based on the experience of Russian companies with a focus on the COSO methodology. This model implies the following steps of the algorithm.

  1. Analysis of the environment. First of all, they analyze the elements of the external environment (the activities of the Central Bank of the Russian Federation, the State Duma, the Ministry of Finance, the Federal Tax Service, etc.), the business environment, market conditions, and business resources. All this creates external risk factors.
  2. Establishing customer risk management processes. The success of the implementation of the CRMS depends on this. Very often in Russian companies, the customer is the financial service, which is associated with the dominant role of financial risks in the functioning of the company. In a number of cases, the customer is the general director, and it is especially valuable if his undertakings are supported by the position of the main shareholders.
  3. Determination of the organizational structure of the managing subsystem. The system can be run by a dedicated specialist or by the head of a separate division who coordinates the various areas: risky investments, insurance operations, venture investments. This organizational structure is called the concentrated model. The second variant of RMS organization is a distributed risk management model.
  4. Development of regulatory documentation of the system: risk management policies, provisions (concepts) for risk management, risk declarations. The policy serves as the main document of the CRMS and is publicly available on the corporate portal.
  5. Development and adjustment of the corporate risk map. Here, measures to detect, identify and assess the company's risks are carried out cyclically.
  6. Development of a risk management strategy. In the strategy, in addition to the principles of choosing methods for dealing with risks, mechanisms for their financing, a special place is occupied by indicators of the effectiveness of the RMS and the distribution of areas of responsibility between the management company and business units.
  7. The actual implementation of the risk minimization and compensation program.
  8. Development of an operational risk management process.
  9. Regular audit of the CRMS.
  10. Implementation of procedures for informing about changes in the CRMS.
  11. Creation and development of control and monitoring systems.
  12. Implementation of procedures for saving and archiving information generated in the system.

RMS Implementation Principles

The principles by which the RMS functions in the company also determine the processes of its implementation and development. Compliance with these principles is required of the managers responsible for implementing the system's procedures, of the specialists involved, and of all employees of the company.

  1. The principle of goal orientation. The goals are written in the company's strategic documents: development strategies, strategic action plan, corporate maps, business plans.
  2. The principle of balancing risks and profits. The RMS should promote a balance between risk and profitability (profitability) of the business, taking into account the requirements of legislative acts and the provisions of internal regulations.
  3. The principle of accounting for uncertainty. Uncertainty is present in any business activity and is an integral part of the decisions made in the company. RMS serves to systematize information about the sources (factors) of uncertainty and helps to reduce it.
  4. The principle of systematicity. A systematic approach allows risks to be detected, identified and assessed in a timely and complete manner, and their negative consequences reduced or their impact on performance compensated.
  5. The principle of quality information. RMS requires timely, secure and accurate information to function. When making decisions, however, it is necessary to take into account the limitations and assumptions of the sources of information, the possible subjectivity of the position of experts and the peculiarities of the methods used for assessing and modeling risk situations.
  6. The principle of assigning responsibility for risk management. The concept of "risk owner" is introduced, this status is assigned to one of the company's managers. He is given responsibility for the appropriate management procedures within the given powers and functional composition.
  7. The principle of efficiency. The RMS should provide a reasonable and economically justified combination of management effectiveness and costs for its organization and production.
  8. The principle of continuity. The RMS functions in conditions of regularity (cyclicity) of the main processes and their continuity. The processes of the system originate at the time of the development of the company's strategy and cover all areas of its activity.
  9. The principle of integration. The decision-making system at all levels of management should include the subject area of ​​RMS. Decisions are developed and approved taking into account the circumstances and the likelihood of adverse consequences associated with their adoption.
  10. The principle of expansion. RMS involves the identification, assessment and settlement of all possible threats to activities, not limited to financial and insured risks. According to the last three principles, the schemes of their main elements are presented below.

Composition of procedures of the RMS continuity principle

Scheme of the main elements of the RMS expansion principle

Assessment of the company for risk management

What should a company do if it is only thinking about implementing RMS or if elements of the system are already present, but it is not clear how and in what direction to move on? Experts recommend in this case to analyze the risk management system at the enterprise in order to determine its strengths and weaknesses and ways for further development.

It would be very useful for current and potential stakeholders in the company's activities and in investing in it to learn about the real state of affairs from the position of regular risk management. In 2015, the KPMG consulting group conducted a study “Risk Management Practices in Russia”, in which 48 respondents were asked about RMS diagnostics. The results of the answers are presented in the diagram below.

Results of a survey of 48 Russian companies on RMS diagnostics

1. General Provisions

Risk is the effect of uncertainty on the achievement of goals (the definition used by ISO 31000).

Any managerial decision is made under conditions of risk caused by incomplete information about the object of management and its environment and by the limited time available for the decision. The decision-making environment varies with the degree of risk. Conditions of certainty exist only when the leader knows exactly the outcome of each choice. Under conditions of risk, the probability of each decision's outcome can be determined with some known degree of confidence. If there is not enough information to estimate the probability of the outcomes of a choice, the decision conditions are uncertain. Under uncertainty the manager, based on risk analysis, must establish the acceptability of the possible risks and their consequences.

Management and risk are inseparable. The risks of managing an organization are the risks of goal setting, marketing and management of the organization.

Goal setting risk is the possibility of incorrectly defining the goals of the organization. With incorrectly defined and set goals, the activities of the organization cannot be successful.

Marketing risk is the possibility of deviations in the results of the organization's activities due to incorrect determination of the uncertainties of market conditions - the choice of a niche and the positioning of the organization and its products in the market.

Management risks are the possibility of wrong actions in the process of achieving the set goals.

Risk management is explicitly or implicitly initially present in all management system standards at least as a preventive action.

In risk management, it is customary to distinguish several key stages:

  • identification of the risk, its analysis, and assessment of the likelihood of its realization and the scale of its consequences;
  • selection of methods and tools for managing the identified risk;
  • development of a risk strategy to reduce the likelihood of the risk being realized and to minimize the possible negative consequences;
  • implementation of the risk strategy;
  • evaluation of the results achieved and adjustment of the risk strategy.

Location of risks:

General classification of risks:


Types of risks by type of hazard:

  • Technogenic risks are the risks associated with human economic activity (for example, environmental pollution).
  • Natural risks are risks that do not depend on human activity (for example, an earthquake).
  • Mixed risks are risks that are natural events but are associated with human activities (for example, a landslide caused by construction work).

Types of risks by areas of manifestation:

  • Political risks are the risks of direct losses or shortfalls in profit due to adverse changes in the political situation in the state or the actions of local authorities.
  • Social risks are the risks associated with social crises.
  • Environmental risks are the risks associated with the likelihood of civil liability for damage to the environment and to the life and health of third parties.
  • Commercial risks are the risks of economic losses arising in any commercial, industrial or economic activity. Commercial risks include financial risks (associated with financial transactions) and production risks (associated with the production of products, works or services and any other production activity). Information security risks belong to this group.
  • Professional risks are the risks associated with the performance of professional duties, occupational safety, labor protection and health, etc.

Types of risks according to the possibility of foresight:

  • Forecastable risks are risks associated, for example, with the cyclical development of the economy, changes in the phases of the financial market, the predictable development of competition, etc. The predictability of risks is relative, since a forecast with a 100% result would exclude the phenomenon from the category of risks altogether. Examples are inflation risk, interest rate risk and some others.
  • Unforecastable risks are risks characterized by complete unpredictability of manifestation, for example force majeure risks, tax risk, etc.

According to this classification feature, risks are also divided into regulated and unregulated within the enterprise.

Types of risks by sources of occurrence:

  • External (systematic or market) risk is risk that does not depend on the activities of the enterprise. It arises when the phase of the economic cycle changes, when the financial market situation changes, and in a number of other cases the enterprise cannot influence. This group may include inflation risk, interest rate risk, currency risk and tax risk.
  • Internal (non-systematic or specific) risk is risk that depends on the activities of the particular enterprise. It can be associated with unskilled financial management, an inefficient asset and capital structure, excessive commitment to risky (aggressive) high-return operations, underestimation of economic partners and other factors whose negative consequences can largely be prevented through effective risk management.

Types of risks by the amount of possible damage:

  • Tolerable risk is risk whose losses do not exceed the expected profit on the operation being carried out.
  • Critical risk is risk whose losses exceed the expected profit but do not exceed the expected gross income on the operation being carried out.
  • Catastrophic risk is risk whose losses amount to a partial or complete loss of equity (possibly accompanied by the loss of borrowed capital).

Types of risks according to the complexity of the study:

  • Simple risk is a type of risk that is not divided into individual subtypes, for example inflation risk.
  • Complex risk is a type of risk that consists of a set of subtypes, for example investment risk (the risk of an investment project and the risk of a particular financial instrument).

Types of risks by financial consequences:

  • Risk entailing only economic losses carries only negative consequences (loss of income or capital).
  • Lost-profit risk characterizes a situation in which an enterprise, for objective or subjective reasons, cannot carry out a planned operation (for example, after a downgrade of its credit rating an enterprise cannot obtain the loan it needs).
  • Risk entailing both economic losses and additional income (speculative financial risk) is inherent, as a rule, in speculative financial transactions (for example, the risk of a real investment project whose profitability in the operational stage may be lower or higher than the calculated level).

Types of risks according to the nature of manifestation in time:

  • Constant risk is characteristic of the entire period of the operation and is associated with the action of constant factors, for example interest rate risk, currency risk, etc.
  • Temporary risk is risk of a non-permanent nature that arises only at certain stages of a financial transaction, for example the risk of insolvency of the enterprise.

Types of risks according to the possibility of insurance:

  • Insurable risks are risks that can be transferred by way of external insurance to the relevant insurance companies.
  • Uninsurable risks are risks for which no corresponding insurance products are offered on the insurance market.

The composition of the risks of these two groups under consideration is very mobile and is associated not only with the possibility of their forecasting, but also with the effectiveness of the implementation of certain types of insurance operations in specific economic conditions under the established forms of state regulation of insurance activities.

Types of risks by frequency of implementation:

  • High risks are risks characterized by a high frequency of damage.
  • Medium risks are risks characterized by an average frequency of damage.
  • Small risks are risks characterized by a low frequency of damage.

2. General principles of risk analysis

To determine the sources of risk and its types, it is necessary to have reliable information support. All information about the characteristics of individual risks can be obtained from various sources: one-time and permanent, official and unofficial, acquired and received, reliable and doubtful, and so on. At the same time, the information used in risk management should be as reliable, complete and timely as possible. Sources of information for risk identification can be:

1. External:

  • Statistical economic, political and demographic data;
  • Forecast information;
  • Information in the media.

2. Internal:

  • Data about the processes of the organization;
  • financial data;
  • Materials of revisions and audits;
  • Marketing research data;
  • Personal experience of the leaders of the organization.

Risk analysis can be divided into two complementary types: qualitative and quantitative. Qualitative analysis aims to identify (reveal) the factors, areas and types of risk. Quantitative risk analysis should make it possible to determine numerically the size of individual risks and of the risk of the organization as a whole.

The risk analysis process covers various aspects of risk management, from identifying and analyzing the hazard to assessing the acceptability of the risk and identifying potential risk reduction opportunities through the selection, implementation and control of appropriate control actions.

Risk analysis is a structured process, the purpose of which is to determine both the likelihood and the magnitude of the adverse consequences of the investigated action, object or system. Harm and loss to people, property or the environment are considered as adverse consequences.

Risk analysis attempts to answer three basic questions:

what threatens (hazard identification);

how likely it is to happen (frequency analysis);

what are the consequences of this event (analysis of consequences).

The results of a risk analysis can be used by decision makers in assessing the acceptability of a risk, as well as in choosing between potential risk mitigation or elimination measures. From the point of view of a managerial decision maker, the main advantages of risk analysis include:

systematic identification of potential hazards;

systematic identification of possible failure modes;

quantitative assessments and/or qualitative ranking of risks;

identification of risk factors and weak links in the system;

a deeper understanding of the structure and functioning of the system;

achieving preferred levels of control system reliability;

comparing the risk of the system under study with the risks of alternative systems or technologies;

identification and comparison of risks and uncertainties;

assistance in setting priorities for improving requirements and standards;

formation of a base for the rational organization of preventive maintenance, repair and control;

ensuring the possibility of post-accident investigation and measures to prevent accidents;

the possibility of choosing measures and techniques to ensure risk reduction.

Risk analysis is part of the risk assessment and risk management process and consists of scope definition, hazard identification and risk assessment.

The general task of risk analysis is to inform decisions about risk. These decisions can be made as part of a larger risk management process by comparing risk analysis results with acceptable risk criteria.

Risk analysis should be aimed at identifying and eliminating, and / or reducing to an acceptable level the risk that threatens the organization's activities through a balanced allocation of resources and effective control of risks and their reduction.

In order to increase the efficiency and objectivity of risk analysis and to ensure comparability with the results of other risk analyses, the following general rule must be observed: the risk analysis process must be carried out in accordance with the following steps:

a) definition of the scope;

b) hazard identification and preliminary assessment of consequences;

c) risk assessment;

d) checking the results of the analysis;

e) documentary justification;

f) adjusting the results of the analysis in the light of the latest data.

Risk assessment includes conducting a frequency analysis and an impact analysis.

A possible procedure for conducting a risk analysis is shown in the diagram:


A necessary requirement for risk analysis and assessment is a thorough knowledge of the system and the methods of analysis used. If risk analysis results for a similar system are available, they can be used as a reference. In this case, it is necessary to prove that the processes are similar, and that the introduction of changes does not introduce significant differences in the results. Conclusions should be based on a systematic assessment of the changes and how they might affect existing hazards.

Analysts involved in risk analysis should be sufficiently competent. Often, the system being analyzed is too complex for one person to work, so a team of analysts is required to perform the analysis.

Analysts should be familiar with the methods used for risk analysis and should have sufficient knowledge of the system and its risks. If necessary, other necessary information should be presented and used for the analysis. The conclusion of the experts of the working group must be documented.

If risk analysis is used to ensure an ongoing risk management process, it must be performed and documented in such a way that it can be adjusted throughout the life cycle of the system or activity. The analysis should be updated as new information becomes available and in line with the needs of the management process.

In order to develop a risk analysis plan, the scope of the risk analysis must be defined and documented. Determining the scope of the risk analysis should include the following steps:

a) A description of the reasons and/or problems that led to the risk analysis.

This provides:

formulating risk analysis objectives based on the identified potential hazards of concern;

determination of system performance/failure criteria.

b) Description of the system under study. This should include:

general description of the system;

determination of boundaries and areas of contact with adjacent systems;

description of environmental conditions;

definition of operating conditions and system states that are covered by the risk analysis, and the corresponding restrictions.

c) Establishing sources providing detailed information on all technical, environmental, legal, organizational and human factors relevant to the analyzed activities and problem. In particular, any safety circumstances should be described.

d) Description of the assumptions and limiting conditions used in the analysis.

e) Development of decision statements that can be made, description of the required output data obtained from research results and from decision makers.

The task of defining the scope of risk analysis should involve a thorough familiarization with the system being analyzed. One of the goals of familiarization is to identify sources and methods of using specialized information.

The elements of the risk assessment process are common to all hazards. First of all, the possible causes of the danger are analyzed in order to determine the frequency of its occurrence, duration, and nature.

In the course of the analysis, it may be necessary to estimate the probability of the hazard causing the consequences and to analyse the sequence of contributing events.

3. Qualitative risk analysis

To solve the problem, the hazards that cause the risk, as well as the ways in which these hazards can be realized, must be identified.

Known hazards must be clearly and precisely identified. Formal methods should be used to identify hazards not previously considered in the analysis.

A preliminary assessment of the significance of identified hazards should be carried out based on an analysis of the consequences and an examination of their root causes.

A preliminary assessment of the significance of the identified hazards determines the choice of subsequent actions:

a) taking immediate action to eliminate or reduce the hazards;

b) termination of the analysis because the hazards or their consequences are immaterial;

c) transition to risk assessment.

Initial assumptions and results should be documented.

Hazard identification involves the systematic examination of the system under investigation to identify the types of unavoidable hazards present and how they manifest themselves. Statistical records of risk performance and experience from previous risk analyses can provide useful input to the hazard identification process. It should be recognized that there is an element of subjectivity in opinions about hazards and that the hazards identified may not always be an exhaustive account of those that could pose a threat to the system. It is essential that identified hazards be reviewed as new data become available. Hazard identification methods broadly fall into three categories:

a) comparative methods, examples of which are checklists, hazard indices and review of operating data;

b) fundamental methods that are designed in such a way as to stimulate a group of researchers to use the forecast in combination with their knowledge in relation to the task of identifying hazards by asking a series of questions like “What if ...?”;

c) methods of inductive approach, such as logical diagrams of the possible consequences of a given event (logical diagrams of the "event tree").

Other techniques can be used to improve hazard identification (and risk assessment capabilities) for specific problems.

Regardless of the techniques used, it is important that due consideration be given in the overall hazard identification process to the fact that human and organizational errors are significant factors in many emergencies. It follows that emergency scenarios involving human and organizational error should also be included in the hazard identification process, which should not focus solely on technical aspects.

In practice, the identification of a hazard from a particular system, equipment or activity can result in a very large number of potential accident scenarios. Detailed quantitative analysis of frequencies and consequences is not always feasible. In such situations, it may be appropriate to qualitatively rank the scenarios, placing them in risk matrices indicating different levels of risk.

The degree of threat of the hazard determines the severity of the events.

The definition of a hazard threat should include:

identification of threats of hazard factors;

threat analysis of hazard factors;

documentation of threats of hazard factors.

Threats are identified both on the basis of external information and on the basis of an analysis of the organization's content and its external environment.

The matrix of qualitative classification of the degree of threat of the hazard factor is given in the table:

Columns: Definition, Meaning, Degree (no degree values are given).

  • Catastrophic: loss of business; numerous human casualties.
  • Dangerous: a significant decrease in the "margin of safety", which no longer allows the organization to guarantee clear and complete fulfilment of its tasks; serious injuries to a large number of people; major financial losses.
  • Significant: a significant reduction in the "margin of safety", reducing the organization's ability to cope with adverse conditions as a result of increased workload or of conditions that reduce its effectiveness; serious incident; personal injury.
  • Minor: interference; operating restrictions; use of emergency procedures; the possibility of an incident.
  • Negligible: minor consequences.

When conducting an analysis, it is necessary to reduce, and, if possible, eliminate the subjectivity of risk analysis.

Frequency analysis is used to estimate the probability of each identified undesirable event, as determined during the hazard identification stage. The following three approaches are commonly used to estimate the frequencies of events that occur:

a) use of available statistical data (history);

b) obtaining the frequencies of occurring events based on analytical or simulation methods;

c) use of expert opinions.

All of these techniques can be used individually or in combination.

The first two approaches are complementary - each has strengths where the other has weaknesses. Wherever possible, both approaches should be applied. Thus, they can be used for mutual checks. This can serve to increase the reliability of the results. In cases where these approaches cannot be used, or are insufficient, it is recommended to involve the opinions of experts.

The purpose of frequency analysis is to determine the frequency of each of the undesirable events or accident scenarios identified during the hazard identification stage. Three main approaches are commonly used:

a) using relevant operational data to determine the frequency with which these events have occurred in the past, and from this, to determine estimates of the frequency with which they may occur in the future. The data used should be appropriate for the type of system, equipment or activity to be considered;

b) predicting the frequency of events using techniques such as analysing a diagram of all possible causes of a system fault or failure ("fault tree") and analysing a diagram of the possible consequences of a given event ("event tree"). Where statistical data are not available or do not meet the requirements, event rates must be obtained by analysing the system and its failure conditions. Numerical data for the relevant events, including data on equipment failure and human error taken from operating experience or published sources, are used to estimate the frequency of undesirable events. When using predictive methods, it is important to ensure that the analysis has taken into account possible departures from the system's normal operating mode, as well as those parts or components that are supposed to function in the event of system failures;

c) use of expert opinion. There are a number of methods for drawing up an expert opinion that eliminate the ambiguity of assessments and help in formulating relevant questions.

Columns: Probability of occurrence, Meaning, Value.

  • Frequent: may occur repeatedly (has already occurred frequently) - 5
  • Periodic: may occur from time to time (occasionally) - 4
  • Rare: unlikely, but may occur (rare) - 3
  • Unlikely: very unlikely to occur (no occurrences known) - 2
  • Nearly impossible: it is almost impossible to imagine a situation in which an incident could occur - 1

Consequence analysis is used to assess the likely impact that an undesirable event will cause.

The impact analysis should:

a) be based on selected adverse events;

b) describe any consequences resulting from undesired events;

c) take into account existing mitigation measures, along with any relevant conditions influencing the effects;

d) establish the criteria used to fully identify the consequences;

e) consider and take into account both immediate consequences and those that may manifest themselves after a certain period of time, if this does not contradict the scope of research;

f) consider and take into account the secondary effects that apply to related equipment and systems.

Consequence analysis involves determining the effects on people, property or the environment in the event of an undesirable event. For safety risk calculations, consequence analysis is a rough estimate of the number of aircraft in the event that an undesirable event occurs.

There are many methods for evaluating this kind of phenomenon, ranging from simplified analytical approaches to very complex computer models. When using modelling methods, it is necessary to ensure that the model is appropriate for the problem under consideration.

When conducting a risk analysis, it is necessary to establish whether the resulting risk assessment reflects the level of the overall risk or is only a part of it.

When calculating risk, both the duration of an undesirable event and the likelihood that people will be exposed to it must be taken into account.

A possible risk matrix is shown in the table (the page gives no cell values):

Columns (severity of risk): catastrophic, menacing, large, small, minor.

Rows (probability of risk occurrence):

  • 5 - Frequent
  • 4 - Episodic
  • 3 - Remote
  • 2 - Improbable
  • 1 - Almost impossible
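As an added example (not from the article), here is how the pieces just laid out fit together in code: a frequency estimated from operating statistics (approach a) is mapped onto the article's five-point probability scale, the severity class assigned during consequence analysis is taken from the article's severity table, and a risk matrix combines the two to rank hazards. The incident records, the events-per-year thresholds, the numeric ranks for the severity classes and the tolerability bands are all assumptions of this example; the matrix on the page gives no cell values, so the index here is simply probability level times severity rank.

```python
"""Qualitative risk ranking: observed frequency -> probability level, severity, matrix.

Added example, not from the article. Category names follow the article's tables;
rate thresholds, severity ranks, tolerability bands and the incident log are assumed.
"""
from collections import Counter

# Article's probability scale (value -> name).
PROBABILITY_NAMES = {5: "Frequent", 4: "Periodic", 3: "Rare",
                     2: "Unlikely", 1: "Nearly impossible"}
# Assumed mapping from observed events per year onto that scale (>= threshold -> level).
RATE_THRESHOLDS = [(10.0, 5), (1.0, 4), (0.1, 3), (0.01, 2)]
# Article's severity classes with an assumed numeric rank so the matrix can be computed.
SEVERITY_RANK = {"Catastrophic": 5, "Dangerous": 4, "Significant": 3,
                 "Minor": 2, "Negligible": 1}

# Constructed incident records: three years of operating history (approach a).
INCIDENT_LOG = (
    [{"date": f"2021-{m:02d}-10", "hazard": "phishing"} for m in range(1, 13)]
    + [{"date": d, "hazard": "ransomware"}
       for d in ("2021-06-02", "2022-01-19", "2022-11-30", "2023-04-08")]
)
OBSERVATION_YEARS = 3
# Severity class assigned to each hazard during consequence analysis (constructed).
SEVERITY_BY_HAZARD = {"phishing": "Minor", "ransomware": "Dangerous",
                      "data centre flood": "Catastrophic"}


def probability_level(rate_per_year):
    """Map an annual event rate onto the 1..5 probability scale (assumed thresholds)."""
    for threshold, level in RATE_THRESHOLDS:
        if rate_per_year >= threshold:
            return level
    return 1


def observed_rates(log, years):
    """Frequency analysis from history: events per hazard divided by observation period."""
    counts = Counter(record["hazard"] for record in log)
    return {hazard: n / years for hazard, n in counts.items()}


def risk_index(prob_level, severity):
    """Risk matrix cell: probability level times severity rank (assumed scoring)."""
    return prob_level * SEVERITY_RANK[severity]


def tolerability(index):
    """Assumed acceptability bands over the 1..25 index range."""
    if index >= 15:
        return "intolerable"
    if index >= 6:
        return "tolerable with mitigation"
    return "acceptable"


def rank_hazards(log, years, severity_by_hazard):
    """Combine frequency and consequence analysis and rank hazards by risk index."""
    rates = observed_rates(log, years)
    rows = []
    for hazard, severity in severity_by_hazard.items():
        rate = rates.get(hazard, 0.0)          # hazards with no history get rate 0
        level = probability_level(rate)
        index = risk_index(level, severity)
        rows.append({"hazard": hazard, "rate": rate, "level": level,
                     "probability": PROBABILITY_NAMES[level], "severity": severity,
                     "index": index, "tolerability": tolerability(index)})
    return sorted(rows, key=lambda r: r["index"], reverse=True)


if __name__ == "__main__":
    for row in rank_hazards(INCIDENT_LOG, OBSERVATION_YEARS, SEVERITY_BY_HAZARD):
        print(f"{row['hazard']:18} {row['rate']:5.2f}/yr  {row['probability']:17} "
              f"{row['severity']:13} index={row['index']:2}  {row['tolerability']}")
```

Note what the ranking shows: the flood has the worst possible consequence class but no history, so it lands at the bottom; that is exactly the case where the article's other two approaches (analytical prediction, expert opinion) should supplement the statistics rather than letting an empty log stand for "nearly impossible".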

4. Risk management

Risk management aims to reduce the negative impact of risks.

The following methods can be used to reduce the negative effect of risks:

Avoidance/Evasion - production and other activities are canceled because the risk exceeds the benefit from continuing this activity.

Reduction - the frequency of production or other activities is reduced, or measures are taken to reduce the scale of the consequences of the admitted/accepted risk.

Risk Isolation - measures are taken to contain the consequences of the risk or to provide redundancy to protect against it.

Risk transfer - transfer of the risk to third parties in cases where it is impossible or not economically justified for the organization to influence it, and the level of risk exceeds the permissible level. A typical example of risk transfer is insurance.

The choice of risk management methods can be viewed as an optimization problem under constraints. Selection criteria may be different, including financial and economic criteria (ensuring efficiency). However, when deciding which methods to use, it cannot be all about economic returns. It is important to take into account other criteria, such as technical (reflecting the technological possibilities to reduce risk) or social (reducing the risk to a level acceptable to society).
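The "optimization problem under constraints" described above, as an added example that is not part of the article: each risk has candidate treatments drawn from the four methods (avoidance, reduction, isolation, transfer), and the search picks at most one per risk to minimise total residual risk within a budget, while also enforcing the non-economic criteria the paragraph insists on: every risk must end at or below an acceptable level, and options that are technically, legally or socially inadmissible are excluded even when they are cheap. The register, costs, residual indices and feasibility flags are constructed for the example.

```python
"""Selecting risk treatments as constrained optimisation (added example, not from the article).

Residual values are risk indices on a 1..25 scale; costs are constructed budget units.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Option:
    name: str
    method: str            # avoidance, reduction, isolation or transfer
    cost: int              # constructed budget units
    residual: int          # risk index remaining if this option is applied (constructed)
    feasible: bool = True  # technical / legal / social admissibility (non-economic criteria)


# Constructed risk register: (current risk index, candidate treatments).
RISKS: Dict[str, Tuple[int, List[Option]]] = {
    "ransomware": (16, [
        Option("stop using e-mail altogether", "avoidance", 0, 0, feasible=False),
        Option("offline backups and endpoint detection", "reduction", 40, 6),
        Option("cyber insurance policy", "transfer", 25, 12),
    ]),
    "phishing": (8, [
        Option("awareness programme plus MFA", "reduction", 20, 4),
        Option("segregated finance workstations", "isolation", 30, 5),
    ]),
    "data centre flood": (5, [
        Option("relocate the server hall", "reduction", 80, 2),
    ]),
}


def select_treatments(risks, budget: int, ceiling: int):
    """Exhaustive search over one-option-or-none per risk.

    Returns (total_residual, total_cost, {risk: option name or None}) for the plan that
    minimises total residual risk, ties broken by lower cost, subject to:
      - total cost within the budget (economic criterion),
      - every residual index at or below the ceiling (acceptability criterion),
      - only feasible options considered (technical / social / legal criteria).
    Returns None when no plan satisfies all constraints.
    """
    names = list(risks)
    menus = [[None] + [o for o in risks[n][1] if o.feasible] for n in names]
    best: Optional[Tuple[Tuple[int, int], Dict[str, Optional[str]]]] = None
    for combo in product(*menus):
        cost = sum(o.cost for o in combo if o is not None)
        if cost > budget:
            continue
        residuals = [o.residual if o is not None else risks[n][0]
                     for n, o in zip(names, combo)]
        if max(residuals) > ceiling:
            continue
        key = (sum(residuals), cost)
        if best is None or key < best[0]:
            best = (key, {n: (o.name if o is not None else None)
                          for n, o in zip(names, combo)})
    if best is None:
        return None
    (total, cost), plan = best
    return total, cost, plan


if __name__ == "__main__":
    print(select_treatments(RISKS, budget=70, ceiling=12))
```

The register is small enough for exhaustive enumeration; with dozens of risks and options the same formulation becomes an integer program, but the constraints stay the same. Note that the zero-cost, zero-residual "avoidance" option never wins because it is flagged infeasible, which is the point the paragraph makes about not deciding on economic returns alone.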

The approach to determining the acceptability of specific risk factors involves consideration of the following aspects:

a) Management factor. Does this risk conflict with the organization's security policies and standards?

b) Financial opportunity factor. Is the nature of the risk beyond the scope of a cost-effective solution?

c) Legal factor. Does this risk conflict with current regulatory standards and enforcement capabilities?

d) Cultural factor. How will the staff of the organization and other participants react to this risk?

e) Market factor. Will the organization's competitiveness and well-being relative to other companies be compromised by not taking action to reduce or eliminate this risk?

f) Political factor. Will the organization pay a political price for not taking action to reduce or eliminate this risk?

g) Public factor. How much influence will the media or special interest groups have on public opinion about this risk?

To manage risk, consider the following:

The risk management system is part of the overall management of an organization;

Features of risk management require specialized knowledge in making decisions for their management;

When managing risk, it is necessary to take into account the existing external and internal restrictions of the organization;

A single policy should be pursued for all risks, which requires a comprehensive and simultaneous management of all the risks of the organization;

The risk management process is a continuous dynamic one.

A more detailed analysis of risk management actions requires a separate article, as well as quantitative risk analysis.

Our attention has turned to the risk management and analysis activities that we use in our professional work. Since our last meeting we have managed to prepare the following article.

To be continued right now...
Today we will talk about risk management activities.

Introduction

Risk management activities, like any complex activity, form an iterative process with its own stages, goals and objectives. Each stage has its own purpose, takes as input the data produced by the preceding stage, and forms a final or intermediate result at its output.

Risk management can be defined at the top level by the following sequence of steps:

  1. Risk identification;
  2. Assessment of the likelihood of its occurrence and the scale of the consequences that may arise;
  3. Preliminary analysis and determination of the maximum possible losses;
  4. Selection of methods and tools for managing the identified risk;
  5. Development of a risk strategy to reduce the likelihood of risk realization and minimize possible negative consequences;
  6. Implementation of the risk strategy;
  7. Evaluation of the results achieved and adjustment of the risk strategy;
  8. Monitoring problem areas.

The reflected sequence of stages is only a distant representation of the activity in question, and will be further detailed and expertly expanded. For example, the “risk strategy” presented in this plan is just a set of certain interrelated processes and documents that reflect the essence of all or some stages of risk management.

Risk management, as was said in the first article, is a rather young field of activity in the current understanding of its goals and objectives. It studies the degree of influence on various areas, processes, etc., both main and indirect or related, of certain events that entail various types of damage or profit, and how that influence can be managed or, in extreme cases, guided or controlled.

Risk management and analysis is a separate area with a well-defined relationship to IT. But at the same time, it would be incorrect to call this area of work a science; it would be quite correct to talk about a methodology that has its own conceptual apparatus, classification, types of analysis, etc.

From this point of view, the main distinguishing feature of the methodology is its terminology. It is a mixture of such activities as information technology, engineering, the theory of machines and mechanisms, the insurance business, the stock exchange business, etc. The existence of such a "chimera" developed historically, in step with the development of risk management, and it requires a broad outlook and a versatile understanding not only of the "approximate" essence of the subject but also of its details; otherwise the professional risks being left behind in understanding what is happening, which rules out his participation in the process.

Behind each term that will be given later in this article, there is a certain meaning and history of the development of the initial causes and effects, which acquired their right to exist due to the fact that their importance and continued relevance was confirmed by time and the validity of the results obtained, such as success or damage.

Thus, in order to competently manage and direct the development of risks, because the result of a risk can be not only damage, but also an effective result, it is necessary to understand in detail their categories, classifications and types. The uniqueness of each risk lies in the fact that the causes that give rise to them depend on factors such as the type of activity in which they manifest themselves, the environment of the process or event, the type of technology, etc.

Despite the fact that we announced that risk management and analysis is more of a methodology than a separate scientific direction in the field of information technology, the importance of perceiving and understanding the fundamentals that are directly related to seemingly non-IT disciplines is one of the components of success in mastering and applying knowledge of risk management in practice.

Definition of basic concepts

In order to speak with you, dear colleagues, in the same language (after all, we have already understood how important this is), the language of risk activity, we must first agree on the terms that you need to know in order to successfully master and apply knowledge of risk management in practice.

On the one hand, due to the specifics of the subject being studied, it is too early to talk about the established terminology in risk management in relation to information technology. Of course, this objective situation is associated with a variety of types of risk that are the object of consideration of our discipline. But we need to outline the scope of our research, otherwise you and I run the risk (yes, yes, that's right :)) to think about different things.

The definition of risk was given by us in the first article, but here, in order to form a complete picture of the subject under study, and a comprehensive look at a rather complex concept, we will give it again:

Risk is the potential for the occurrence of a probable event/phenomenon or a combination of them that can cause a certain amount of impact on the ongoing activity.

Given the complexity and diversity of disciplines that “fill” risk management, it is advisable to give an alternative concept of risk, given in one of the financial and investment textbooks:

A risk is an event, or a group of related random events, that causes damage to an object exposed to the given risk.

The given "financial" definition of risk obliges us to decipher the concepts that are included in it:

  • Randomness (many people associate the concept of randomness and unpredictability, which is not entirely true) of the occurrence of an event means the inability to determine the time and place of its occurrence.
  • Object - a material object or interest, a property of an object.
  • Damage is the deterioration or loss of the properties of an object.
  • Probability of an event is a sign of an event, which means that it is possible to calculate the frequency of the occurrence of an event if there is a sufficient amount of statistical data.

Thus, risk, as an independent event, or part of a larger event, has two of the most important properties in terms of risk management - probability and damage.

Each event is generated by a particular cause or set of causes. Such reasons are called incidents. The chain of successive stages that lead from the initial incident to the final event is a development scenario. Knowing the probabilities that led to the occurrence of incidents, it is possible to establish a sequence of intermediate steps and calculate the probabilities of the scenario. The determining factor in mastering risk management in information technology is the ability to simultaneously analyze, take into account and synthesize, when considering a specific situation or scenario, the following three domains:

  • Risk Domain
  • Management Domain
  • Information technology domain

It is the ability to simultaneously interconnect these seemingly completely different subjects of a humanitarian and technical nature that contributes to success in the development and practical application of the field of risk analysis management. The ability to understand and recognize incidents belonging to different "nature" of occurrence and the skill of building scenarios, the various stages and steps of which belong to different domains, is an important characteristic of a high-class specialist in risk management.
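The scenario calculation described above (an initial incident, a chain of intermediate stages, and the probability of the final event), as an added example that is not part of the article. It models the chain as an event tree: an initiating incident occurs at some annual rate, and each safeguard in turn either contains it (ending the scenario) or fails (passing it to the next stage). The incident rate and the safeguard success probabilities are constructed, and the stages are assumed to be independent, which is the usual simplifying assumption and should be checked against the real system.

```python
"""Event-tree scenario probabilities (added example, not from the article).

The initiating-incident rate and safeguard probabilities are constructed values;
safeguard outcomes are assumed independent of one another.
"""
from typing import Dict, List, Tuple

# Constructed scenario: initiating incidents per year, then safeguards in the order
# they would act. Each probability is the chance that the safeguard works.
INITIATOR_RATE = 20.0  # e.g. credential-phishing clicks per year (constructed)
SAFEGUARDS: List[Tuple[str, float]] = [
    ("MFA blocks the stolen credential", 0.9),
    ("intrusion is detected before lateral movement", 0.7),
    ("backups restore the encrypted data", 0.8),
]


def event_tree(initiator_rate: float, safeguards: List[Tuple[str, float]]) -> Dict[str, float]:
    """Annual frequency of every outcome of the tree.

    The scenario stops at the first safeguard that works; the "final event" is the
    path on which every safeguard fails. Outcome frequencies sum to the initiator rate.
    """
    outcomes: Dict[str, float] = {}
    remaining = initiator_rate            # frequency of scenarios still in progress
    for name, p_ok in safeguards:
        outcomes[f"contained: {name}"] = remaining * p_ok
        remaining *= (1.0 - p_ok)         # only the failures propagate to the next stage
    outcomes["final event"] = remaining
    return outcomes


def final_event_rate(initiator_rate: float, safeguards: List[Tuple[str, float]]) -> float:
    """Frequency per year of the final (damaging) event."""
    return event_tree(initiator_rate, safeguards)["final event"]


def best_improvement(initiator_rate: float, safeguards: List[Tuple[str, float]],
                     delta: float) -> Tuple[str, float]:
    """Which single safeguard, if its success probability rose by delta, would cut the
    final-event rate the most? Returns (safeguard name, resulting rate)."""
    best_name, best_rate = "", float("inf")
    for i, (name, p_ok) in enumerate(safeguards):
        trial = list(safeguards)
        trial[i] = (name, min(1.0, p_ok + delta))
        rate = final_event_rate(initiator_rate, trial)
        if rate < best_rate:
            best_name, best_rate = name, rate
    return best_name, best_rate


if __name__ == "__main__":
    for outcome, freq in event_tree(INITIATOR_RATE, SAFEGUARDS).items():
        print(f"{freq:7.3f}/yr  {outcome}")
    print(best_improvement(INITIATOR_RATE, SAFEGUARDS, 0.05))
```

With these numbers the final event occurs about 0.12 times per year. The sensitivity check is the useful part: because the final-event rate is a product of failure probabilities, raising a safeguard that already works 90% of the time by five points halves the residual, while the same five points on the 70% detection stage only trims it, so the stage to invest in is not obvious from the bare percentages.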

Risk management on the example of modern methods

Today, many popular and fundamental IT methodologies from areas such as project management (PMBOK), analytics (BABOK), IT audit (COBIT), service activities (ITIL), software development (MOF), etc., are trying to provide a tool that offers an effective risk management and analysis algorithm. The following methods are such "tools" for various activities in the information technology domain: CORAS, OCTAVE, CRAMM, MOF risk management, Risk IT, etc. These are the main ones in terms of demand and use, so we will consider them all and try to understand the specifics of each.

Brief overview of IT risk management methodologies:

CORAS

It was developed within the framework of the Western program "Information Society Technologies". The purpose of this methodology is to adapt, refine and combine such basic risk analysis methods as Event-Tree-Analysis, Markov chains, HazOp and FMECA.

CORAS uses UML technology and is based on the Australian/New Zealand standard AS/NZS 4360: 1999 Risk Management and ISO/IEC 17799-1: 2000 Code of Practice for Information Security Management.

In CORAS, information systems are considered not only from the point of view of the technologies used, but from several angles, more precisely, as a complex complex, in which the human factor is also taken into account. The rules of this methodology are implemented in the form of Windows and Java applications.

OCTAVE

The OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) methodology was developed at the Software Engineering Institute at Carnegie Mellon University (alma mater of many modern IT methodologies and software engineering) and provides for the active involvement of information owners in the process of identifying critical information assets and the risks associated with them.

Key elements of OCTAVE:

  • identification of information assets subject to risk and damage;
  • identification of threats to critical information assets;
  • identification of vulnerabilities associated with critical information assets;
  • assessment of risks associated with critical information assets.

OCTAVE provides for a high degree of flexibility, achieved by selecting criteria that an enterprise can use when adapting the methodology to suit its own needs. The methodology was developed for use in large companies, and its growing popularity has led to the creation of a version of OCTAVE-S for small enterprises.

OCTAVE does not provide a quantitative risk assessment, however, a qualitative assessment can be used in determining the quantitative scale of their ranking. The assessment may include various risk areas that, with the exception of technical and legal risks, are not directly included in the methodology. These are taken into account indirectly, during interviews with the owners of information assets, during which it becomes clear what consequences may occur if threats are realized.

CRAMM

The CRAMM methodology (CCTA Risk Analysis and Management Method) was developed by the British Central Computer and Telecommunications Agency in 1985 and is used for both large and small government and commercial organizations. CRAMM involves the use of technologies for assessing threats and vulnerabilities by indirect factors with the ability to verify the results. It contains a mechanism for modeling information systems from a security perspective using an extensive database of preventive measures to reduce / eliminate the impact of risks. CRAMM is aimed at a detailed assessment of the risks and effectiveness of the combinations of various countermeasures intended to be used.

MOF Risk Model

This methodology deserves special mention. We will devote a little more material and your time to it.

It is the most common at the moment and defines the main stages of risk management, which will be covered in a separate article in the future (we really count on it), but which we will also mention here:

  • Identification of risks - determination of the causes of risk, conditions for its occurrence, consequences;
  • Risk analysis - assessment of the likelihood of risk and damage to the information system and business;
  • Planning of actions - definition of the actions that allow the risk to be avoided entirely or its influence reduced. An action plan for the case in which the risk materializes is also developed;
  • Risk tracking - collection of information, over a certain period of time, about changes in the various elements of a risk. If a risk has been considered insignificant for some time, it must be excluded from the list of risks. If the impact of a risk has changed, the analysis stage should be repeated to re-evaluate that impact;
  • Control - execution of the planned actions in response to the occurrence of a risk event.

If we consider the risk management model in isolation from the standards where it is used (ITIL, MOF, etc.), then we can see a relatively shallow, but fundamental view of the risk management model. For example, such a methodology as CRAMM contains more detailed instructions on risk assessment mechanisms, and BASEL II (mentioned in the first article) describes in more detail the issues of organizing a risk management system in a company.

COBIT 5 for Risk (RiskIT)

This standard considers the approach to risk management from two aspects: risk function and risk management.

In the first case, it talks about what you need to have in an organization in order to build and maintain a risk management system. In the second, we review key governance and management processes for risk optimization and regular procedures for risk identification, analysis, response and reporting.

As you will have understood by now, there is no single, centralized view of risk management in the IT field. The multiplicity of standards and methods is caused, first of all, by the specifics of risk analysis and management in particular industries and by the resources that can be spent on implementing them. Each of the described methods has earned its place only because it has proven its worth not merely as a "textbook" value but as a concrete and effective working tool. All of the above methods solve essentially the same type of problem, caused by similar reasons and aimed at minimizing the damage from a risk's occurrence or eliminating it altogether, but each is "sharpened" for different types of organizations and processes in which risks are to be eliminated or minimized. Of the methods outlined, the most universal is undoubtedly MOF, which, with varying degrees of adaptation, can be used in any type of activity, while the rest are for the most part specialized tools that demand different degrees of attention and different resources. Anyone interested can find more detailed information about these methods on the web.

The relevance of risk management activities today

Today, information technology provides a variety of tools to support and develop any kind of specialized activity, regardless of its specifics and other characteristics, be it a narrowly focused kind of e-business, education, or a commonly used kind of business service.

High technologies make it possible to increase the efficiency of existing processes and to become the foundation for creating new ones, but at the same time, if used without control, they become a source of enormous risks which, when they "overlap", can give rise to many "emergent" results. It is well known that in most countries, and in the Russian Federation in particular, the state of affairs in this area is deplorable: risk management is treated as unnecessary overhead and has only lately become a "fashionable" area of activity that "supposedly" must be followed for a host of reasons. But the realities are such that, with the current pace of development of the modern world (and it is predicted that this pace will only grow), it is practically impossible to foresee, identify and fix the full range of possible problems for IT (the most dynamically changing industry), whatever type of work is being performed: introducing new software products and systems, supporting and developing existing ones, or decommissioning obsolete ones followed by migrating the information that is critical for a particular organization. In such an environment, activity aimed at proactively and preventively solving, preventing or eliminating emerging tasks and problems becomes especially important. That activity is the discipline of risk analysis and management, as confirmed by the active growth in the body of standards and methods in which work with risks is fully or partially covered. Examples include COBIT, PMBOK, BABOK, ISO/IEC 17799, ISO/IEC 27000, BS 7799, NIST SP 800-30, etc.

Common Causes of Risks

At the heart of any constructive activity is a clear understanding of the goals, objectives and resources that are necessary to achieve the final result.

The more definite and unambiguous these factors are, the lower the degree of uncertainty that could potentially affect the achievability of the goal. From this it is obvious that the main cause of any risk is the degree of uncertainty inherent in the postulates that form the framework of the process or project that initiates the activity under consideration. How clearly we see our problems and the resources allocated to solving them determines how risky our activity is. Ill-defined tasks are a priori doomed: any attempt to draw up and implement a viable plan to resolve them is a shot in the dark.

The higher the uncertainty of both the external and the internal environment, the higher the quality of the resources allocated to overcome it must be. Many negative factors and causes can be foreseen and "eradicated" only on the basis of the experience of specialists with strong risk management skills, but this can hardly be considered a predictable factor on which a risk management system should be built. The problem of "limited" resources is a problem that leads to a shortfall in productivity.

When implementing projects that have a high degree of uncertainty, it is necessary to pay increased attention to the commonly used risk analysis and management system. Such a system should take into account the specifics of both the activities in which the processes associated with risks take place, and the organizational component of the project and the organization in which it is carried out.

The organizational component and the attention paid to working with risks is a separate topic and area of activity, which, unfortunately, receives meager funding in Russia. An example of this is that many guidance documents do not consider risks at all, neither their acceptable level nor the responsibility for accepting a certain level of risk.

This is not the case in developed countries. For example, the American security glossary contains the term Designated Approving Authority, a person authorized to decide on the acceptability of a certain level of risk, which indicates a qualitatively different attitude to risk analysis and management, one that our country will, of course, eventually arrive at, but only after spending a great deal of resources to no purpose.

The involvement of employees at all levels of the structural hierarchy of any enterprise in risk analysis, and closer attention from management, could radically change the pessimistic trends that have been developing in this area for years and thereby raise the main processes of the IT industry to a qualitatively new level.

A clear understanding of the goals and objectives of the activities carried out helps to identify and minimize the overwhelming number of causes that lead to risks.

Goals and objectives of risk management

Risk analysis and management activities should be based on a clear, definite and unambiguous vision of why it is necessary for a given, specific subject to analyze and manage risks. Without a clearly defined plan (in an ideal situation, emerging from a development strategy), it is very difficult, and sometimes even impossible, to assess and correctly identify information risks. The success of these activities will depend only on the qualifications of the personnel serving them, which was discussed a little earlier. It should be noted that there is no single view and standard/order/regulation that could describe and suggest a way to solve all obvious and potential problems.

Each situation, each process consists of many elementary objects. These components must be subjected to analysis. How much detail a particular component receives depends on the size of its contribution to the result of the activity.

The more complex and multifaceted the processes we consider, the more important a detailed preliminary study of the field of activity and the methodology in which risk may arise becomes, along with the application of best practices and methods previously recognized and tested in work on them.

Understanding the goals helps to consciously control all the processes under consideration, knowing the intended trajectory and the permissible deviations from its "path".

The main goal in risk analysis activity is to provide the most complete and sufficient information for adequate risk management.

By management, it is more correct to understand not "management" as a specific function of a manager, but the discipline of "management" itself, which includes 5 processes:

  • Control
  • Initiation
  • Planning
  • Execution
  • Monitoring and control

The improvement process, which has lately developed most rapidly thanks to the spread of the process approach to organizing activities, is not quite appropriate to consider here. The reason is that the risk component should be "extinguished" over time in the course of the analysis and management processes.

Analysis activity already carries out part of the improvement activity, because a system of metrics built in time for the main "flawed" components of a process or project will, at the monitoring and control stage, significantly reduce the costs of that component and redirect them in a more constructive direction.

The result of the analysis stage is exhaustive quantitative and qualitative data arriving at the "input" of the management stage. The result of the management stage is a risk-free or "controllable-risk" outcome.

The above theses can be put into practice when every party involved with, or interacting with, an object at risk realizes the importance and necessity of their involvement in working with risks whose appearance is possible even hypothetically.

Understanding of and participation in risk analysis and management, and timely escalation of emerging problems and tasks at all hierarchical levels of any organization, will make it possible to achieve the set goals.

After the goals and objectives have been set, accepted and unambiguously understood by all participants, the next step in dealing with risks is their identification (the next article is planned to be devoted to risk identification). The basis of the identification process is the categorical base, a tool for assigning a risk to a particular class or group of risk categories. "Placing" a risk in the correct category is a guarantee that subsequent work on processing the available information about it and developing an algorithm for handling it will eliminate or reduce the damage from its occurrence.

Classification and categories of risks

At the current stage of development of the area of risks in information technology, it is appropriate to speak of multiple typifications of risks. The information technology industry has a set of risks most typical of high-tech, complex activities comprising various kinds of processes. A set of risks specific to a certain type of activity is called a risk complex.

Speaking of complexes, and using technical terminology, it can be stated that a risk complex is a "mutually intersecting set" of all existing risk complexes. Despite the recursiveness of the resulting definition, it most clearly expresses the essence of the concept of a risk complex.

Risk complexes are a characteristic component of industry, the financial and investment spheres, commerce, lending and, of course, information technology. Thus, the more complex and composite the type of activity we consider, located at the "junction" of various practical and theoretical areas, the more complex and multifaceted the risks will be.

Information risks arising in processes and projects differ from each other in the place and time of occurrence, the totality of external and internal factors that affect their level and, consequently, the way they are analyzed and the methods of primary and subsequent descriptions.

As a rule, all types of risks are interrelated and emergent; therefore they affect the activity not only individually but also in the aggregate.

A change in one type of risk can cause a change in most of the others in a given complex. Risk classification means systematizing a set of risks on the basis of signs and criteria that allow risk subsets to be combined into more general concepts.

The most important elements underlying the risk classification are:

  • time of occurrence;
  • nature;
  • factors of occurrence;
  • consequences;
  • etc.

According to the time of occurrence, risks are divided into retrospective (past), current and prospective (future) risks.

Analysis of retrospective risks, their nature and the methods used to reduce them makes it possible to predict current and future risks more accurately, to predict the possible nature of their occurrence and, accordingly, to manage them.

By nature, risks are divided into:

  • External risks. These are risks not directly related to the activities of the enterprise itself, arising in the environment interacting with it (the activities of suppliers, related companies, external developers, outsourcing and consulting companies, partners, etc.).
  • Internal risks. These are risks caused by the activities of the enterprise itself and its audience (risks associated with the qualifications of personnel, the IT infrastructure, the technologies used, etc.).
  • Organizational risks (OR). OR are the risks associated with mistakes by the company's management and employees, problems in the internal control system and poorly developed rules of work, that is, the risks associated with the internal organization of the company's work.
  • Process risks (PR). PR are a subsection of organizational risks. This type of risk is typical of certain types of processes. They are associated both with the execution of a separate process and with processes whose activities are interconnected by the functions they perform (cross-processes).
  • Project risks (PRR). PRR are risks that characterize the degree of danger to the successful implementation of a project as a whole or of its individual stages.
  • Operational risks (OPR). OPR are the risks associated with an organization's performance of certain business operations.

It is hard not to notice that classification by factor of occurrence is a "matryoshka". The nesting of factors corresponds to the arrangement of items in the process model of any company, and each of the risk groups considered has "internal" classifications that can be decomposed and expanded to the level necessary to track and control a given type of risk.

According to the consequences, the risks are divided into:

  • Pure risks (sometimes also called simple or static) almost always carry losses for entrepreneurial activity. Their causes can be natural disasters, wars, accidents, criminal acts, incapacity of the organization, etc.
  • Speculative risks (sometimes also called dynamic or commercial) can bring the entrepreneur both losses and additional profit relative to the expected result. Their causes may be changes in market conditions, exchange rates, tax legislation, etc.

Speaking about the consequences of risks, a separate classification by the degree of consequences must be singled out. This "sub-classification" is very important for deciding whether a risk-related activity is worthwhile:

  • Acceptable risk. This is the risk of a decision whose adverse outcome may mean "failing to achieve" the set goal of the activity. Within this zone the activity retains its economic feasibility, i.e. there are losses, but they do not exceed the expected value.
  • Critical risk. This is a risk in which the loss of all or part of the value of the result is possible, i.e. the critical risk zone is characterized by the danger of losses that clearly exceed the possible result and, in extreme cases, can lead to the loss of all funds invested in the project.
  • Catastrophic risk. This is a risk in which value is lost completely and the risk subject may incur additional costs. This group also includes any risk associated with a direct danger to the life or further activities of people.
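As an added example that is not part of the original article, the following Python sketch joins two pieces of the text: the five stages of the MOF-style model listed earlier (identification, analysis, planning, tracking, control) and the acceptable / critical / catastrophic zones just described. A small risk register records each risk with its cause, assesses the loss if it materialises against the activity's expected profit and invested funds, ranks risks by probability-weighted loss, and applies the tracking rule from the stage list: a risk whose expected loss stays insignificant for several periods is dropped from the register, and one whose expected loss moves noticeably is sent back to analysis. The thresholds (expected profit, invested amount, 5,000 "insignificance" floor, three periods, 25% tolerance), the three sample risks and the reading of the zones as "loss does not exceed expected profit / does not exceed invested funds / exceeds invested funds" are all constructed assumptions for illustration, not figures or definitions from the article.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Zone(Enum):
    """Consequence zones from the classification above."""
    ACCEPTABLE = "acceptable"
    CRITICAL = "critical"
    CATASTROPHIC = "catastrophic"


@dataclass
class Risk:
    name: str
    cause: str                  # identification: cause / conditions of occurrence
    probability: float          # analysis: likelihood over the period, 0..1
    damage: float               # analysis: loss if the risk materialises
    response: str = ""          # planning: the prepared action plan
    history: List[float] = field(default_factory=list)  # tracking: expected-loss samples

    def expected_loss(self) -> float:
        """Probability-weighted loss; used for ranking and for tracking significance."""
        return self.probability * self.damage


def classify(damage: float, expected_profit: float, invested: float) -> Zone:
    """Place a loss amount into a consequence zone (one reading of the text's zones):
    acceptable   - loss does not exceed the expected profit of the activity
    critical     - loss exceeds the expected profit, up to all invested funds
    catastrophic - loss exceeds everything invested (further costs follow)
    Assumes expected_profit <= invested, as in the constructed sample values."""
    if damage <= expected_profit:
        return Zone.ACCEPTABLE
    if damage <= invested:
        return Zone.CRITICAL
    return Zone.CATASTROPHIC


class RiskRegister:
    """Walks each risk through identification, analysis, planning, tracking, control."""

    def __init__(self, expected_profit: float, invested: float, insignificant_below: float,
                 retire_after: int = 3, change_tolerance: float = 0.25):
        self.expected_profit = expected_profit
        self.invested = invested
        self.insignificant_below = insignificant_below  # expected-loss floor for "insignificant"
        self.retire_after = retire_after                # consecutive insignificant periods before removal
        self.change_tolerance = change_tolerance        # relative change that forces re-analysis
        self.risks: Dict[str, Risk] = {}
        self.retired: List[str] = []

    def identify(self, risk: Risk) -> None:
        """Stage 1: record the risk with its cause and seed its tracking history."""
        risk.history.append(risk.expected_loss())
        self.risks[risk.name] = risk

    def analyze(self, name: str) -> Zone:
        """Stage 2: assess the loss on occurrence against profit and investment."""
        return classify(self.risks[name].damage, self.expected_profit, self.invested)

    def plan(self, name: str, response: str) -> None:
        """Stage 3: attach the action plan to execute if the risk event occurs."""
        self.risks[name].response = response

    def track(self, name: str, probability: float, damage: float) -> str:
        """Stage 4: record a new observation of the risk's elements.
        Returns 'retired' after retire_after consecutive insignificant periods,
        're-analyze' if the expected loss moved beyond the tolerance, else 'unchanged'."""
        risk = self.risks[name]
        previous = risk.history[-1]
        risk.probability, risk.damage = probability, damage
        current = risk.expected_loss()
        risk.history.append(current)
        recent = risk.history[-self.retire_after:]
        if len(recent) == self.retire_after and all(v < self.insignificant_below for v in recent):
            self.retired.append(name)
            del self.risks[name]
            return "retired"
        if previous == 0 or abs(current - previous) / previous > self.change_tolerance:
            return "re-analyze"
        return "unchanged"

    def control(self, name: str) -> str:
        """Stage 5: the risk event has occurred; hand back the planned response."""
        risk = self.risks[name]
        if not risk.response:
            raise LookupError(f"no response planned for risk {name!r}")
        return risk.response

    def ranked(self) -> List[str]:
        """Risk names ordered by expected loss, highest first (planning priority)."""
        return sorted(self.risks, key=lambda n: self.risks[n].expected_loss(), reverse=True)


def demo() -> dict:
    """Constructed scenario: one project and three sample risks (all figures illustrative)."""
    reg = RiskRegister(expected_profit=200_000, invested=1_000_000, insignificant_below=5_000)
    reg.identify(Risk("backup restore fails", "untested restore procedure", 0.10, 150_000))
    reg.identify(Risk("key supplier exits", "single-vendor dependency", 0.30, 700_000))
    reg.identify(Risk("data-centre fire", "no secondary site", 0.02, 3_000_000))
    reg.plan("key supplier exits", "activate escrow and switch to the qualified second vendor")
    zones = {n: reg.analyze(n).value for n in reg.risks}
    ranked_before = reg.ranked()
    # restore tests now pass regularly: the backup risk fades out over three periods
    backup_track = [reg.track("backup restore fails", 0.02, 150_000) for _ in range(3)]
    # the supplier exposure grew, which sends that risk back to the analysis stage
    supplier_track = reg.track("key supplier exits", 0.30, 1_500_000)
    return {"zones": zones, "ranked_before": ranked_before, "backup_track": backup_track,
            "supplier_track": supplier_track,
            "supplier_zone_after": reg.analyze("key supplier exits").value,
            "response": reg.control("key supplier exits"), "retired": reg.retired}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The zone is computed from the loss on occurrence (what the project actually forfeits if the event happens), while the probability-weighted expected loss drives ranking and the "insignificant for some time" rule; keeping the two apart avoids a low-probability but catastrophic risk being quietly retired because its expected loss looks small.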

Success in attributing a risk to one or another item of this classification depends on many factors; for completeness, two of them can be singled out:

  • the quantitative degree of knowledge and certainty about a particular type of risk;
  • the qualification, skill, experience and "foresight" of the risk manager who decides on carrying out risk-prone activities.

If only the second factor is at work, then, as noted earlier, it is hard to say that the company has built a high-quality risk management system.

The success of such an organization depends only on specific specialists, who represent an "organization within an organization". As a rule, when such specialists leave, the enterprise's risk management collapses completely. Without a well-built system based on a process model with constant measurement of the results of activities against specified success metrics, results will be hard to achieve in the modern world of high technology. But more on that later, in a dedicated article.

To sum up the topic of risk classification, it should be mentioned that the classification given here does not claim to be complete or sufficient. In any activity there may be risks that are an imprint and result of the specific activities of a particular enterprise. Their manifestation may be unique, single or grouped, depending on the specific environment and clearly defined parameters of the activity of a single organization. Such risks should be considered separately, in accordance with a risk analysis and management system designed for the needs of that particular enterprise.

Before risks can be classified, the prerequisites that may lead to the emergence or manifestation of a risk must be correctly identified and understood. The stage of risk analysis that makes this possible is risk identification. The accuracy of the chosen method of work and the minimization of further possible or obvious damage depend on how correctly and far-sightedly risk identification is carried out.

Conclusions

We have completed a brief overview of the risk analysis and management direction, briefly outlining the boundaries of this activity. Here we have tried to concisely acquaint colleagues with the variety of kinds and types of risks and the classification based on them, whose emergence, as we have shown, is in most cases facilitated by uncertainty of initial conditions or resources.

Next, we will proceed to a detailed consideration of the preliminary stage of risk analysis: the process of identifying risks and the related methods and methodologies.

We wish our colleagues improvement in their work with/on IT risks.

All the best and see you soon!