Risk is pervasive throughout an organization: it can arise from any business function or process at any time, without warning. Because of this widespread exposure, no single functional department's management, other than the board of directors, can oversee the enterprise-wide risk management program. This approach also reflects the fact that risks cannot be identified, measured, and monitored on a piecemeal basis; a holistic approach is needed.
Risk management methodology encompasses three processes: risk assessment (risk analysis), risk mitigation, and risk monitoring (risk evaluation). Examples of risk mitigation options include risk rejection (risk ignorance), risk assumption (risk acceptance), risk avoidance, risk reduction (risk limitation), risk transfer, risk contingency, and risk compliance.
Many organizations face various types of risks and exposures. Hence, the chief risk officer (CRO) must identify as many risk types as possible, covering both current and potential risks. Each alternative for satisfying the business requirements must then be evaluated against the selected risk types. The evaluator reviews each of these risks to determine the overall impact of significant variations from the original assumptions on which the expected success of the alternative is based.
Most of these risks are interrelated and interconnected, and have a magnifying effect. ...