An Analysis of Risk Management Processes and Comparison with ISO31000:2018

Hakimah Hamir1, Rabihah Md. Sum1*

1 Faculty of Science and Technology, Universiti Sains Islam Malaysia, Bandar Baru Nilai, Malaysia

*Corresponding Author: [email protected]

Accepted: 15 December 2021 | Published: 31 December 2021


Abstract: The risk management literature documents a variety of risk management processes. ISO 31000:2018 groups risk identification, risk analysis and risk evaluation under risk assessment. The step after risk assessment is risk treatment. The final step is risk monitoring and review. The Institute of Risk - Risk Management Standard groups risk identification, description, and estimation under risk assessment. COSO defines risk identification as event identification. Event identification identifies both risks and opportunities. This study explores and analyses risk management processes. This study seeks to understand the steps in risk management processes, and whether all the steps follow the steps outlined by the ISO 31000:2018 risk management process. The study finds a variety of risk management processes developed by previous studies. A risk management process can be as simple as a four-step process or as comprehensive as a twenty-three-step process. Regardless of the number of steps, ultimately there are four common steps in the risk management processes. The steps are risk identification, risk analysis, risk treatment, and monitoring and review. The findings of this study enhance knowledge on risk management processes. Each risk management process is unique to a particular business or area of application. However, despite this uniqueness, the study finds that the risk management processes use the sequence of the risk management process outlined by ISO 31000:2018 as their basis. The differences lie in the terms and descriptions of the steps in the process.

Keywords: risk management process, risk management, ISO 31000:2018


1. Introduction

Risk management is a systematic process. The process involves everyone in the organization. The purpose of risk management is to maximize the probability and consequences of positive events and minimize the probability and consequences of negative events. Risk management is the process of identifying risks, assessing risks by measuring the probability and the possible impacts of risk events, and treating risks. The purpose is to eliminate or reduce the risk effects with a minimum investment of resources (Baranoff et al., 2009; Verbano & Venturini, 2013; Ekwere, 2016; Md. Sum & Hamir, 2019). Risk management reduces volatility, emphasizing the capability of a business to grow by managing risks, not avoiding them (Duong, 2009; Abu Bakar, 2019).

Md. Sum (2015) points out that the risk management literature documents a variety of risk management processes. The ISO 31000 risk management process groups risk identification, risk analysis and risk evaluation under risk assessment. The step after risk assessment is risk treatment. The final step is risk monitoring and review. The Institute of Risk - Risk Management Standard (IRM, 2002) groups risk identification, description, and estimation under risk assessment. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Moeller, 2007) defines risk identification as event identification. Event identification identifies both risks and opportunities. Different types of business require different tools, techniques and processes to manage risks (Zoghi, 2017). Even though risk management has become a necessity and requires systematic consideration in the decision-making processes of businesses (Gorzeń-Mitka, 2015), there is no specific tool, technique, or set of steps for managing risks. Therefore, this study aims to explore and analyse the risk management processes developed for businesses. This study seeks to understand the steps in risk management processes, and whether all the steps follow the steps outlined by the ISO 31000:2018 risk management process. Findings of this study enhance knowledge on risk management processes for different types of business. ISO 31000:2018 being the generally accepted risk management process, this study seeks to know whether the risk management processes developed by previous studies follow the steps outlined by it.

2. Literature Review

ISO 31000:2018 Risk Management Guidelines Developed by the International Organization for Standardization.

ISO 31000:2018 (ISO) developed a six-step risk management process.

Step 1. Scope, Context, And Criteria. The first step is establishing the internal and external context, the scope of risk management, the objectives and decisions that need to be made, the time frame, and resources. The context of the organization can be established from understanding the internal and external environment of the business. At this step the organization also needs to develop its risk criteria.

Step 2. Risk Assessment. Risk assessment consists of three steps. The steps are risk identification, risk analysis, and risk evaluation. Risk identification is the process of finding, recognizing and describing risks. Risk analysis is a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls, and control effectiveness. Risk evaluation is comparing the results of risk analysis with the risk criteria established in Step 1.

Step 3. Risk Treatment. Risk treatment is a process to modify risk (ISO Guide 73). Risk treatment aims to select and implement options to address risk.

Step 4. Monitoring and Review. At this step, an organization monitors and reviews the effectiveness of the risk treatment plan, strategies and management systems that have been set up to effectively manage risk.

Step 5. Communication and Consultation. The purpose of communication and consultation is to aid relevant stakeholders to understand risk, the basis in decision making, and why particular actions are needed.

Step 6. Recording and Reporting. Recording and reporting aim to improve risk management activities, and to assist interaction with stakeholders and those responsible and accountable for risk management activities.

The Risk Management Process Developed by Baranoff et al. (2009).

Baranoff et al. (2009) developed a seven-step risk management process.

Step 1. Communication and Identification. An organization must have a tool, policy, or company mission statements to communicate the risk management process.

Step 2. Risk Profiling. Risk profiling is a process of evaluating all risks in the organization. Risk is evaluated based on frequency and severity.

Step 3. Risk Mapping. Risk mapping is a technique to identify risks and choose the best approach to mitigate them. A risk map graph is divided into the four quadrants of the classic risk management matrix. From the risk map, the risk manager can identify loss exposures, and estimate and forecast the frequency and severity of each risk.

Step 4. Projection of Frequency and Severity of Risk and Cost-Benefit Analysis Using Capital Budgeting. Develop a proper data system to allow risk managers to quantify loss history.

Step 5. Risk Management Alternatives. Baranoff et al. (2009) propose using a risk matrix to aid in finding alternatives to manage risks. Figure 1 presents a simple risk matrix. The four alternatives suggested are risk retention, risk reduction, risk transfer and risk avoidance.

Step 6. Comparison to Current Risk-Handling Method. Baranoff et al. (2009) propose creating a separate graph to show how the firm is handling risk. Figure 2 presents an example of the graph. Compare Figure 1 and Figure 2 to see whether any current risk handling method is not appropriate.

Step 7. Ongoing Monitoring. Regular and constant monitoring ensures that the decisions are correct and implemented correctly, and shows whether they require revised plans.

| Risk | Low frequency | High frequency |
|---|---|---|
| Low severity | Retention - self insurance | Retention with loss control - risk reduction |
| High severity | Transfer - insurance | Avoidance |

Figure 1: A simple risk matrix

Figure 2: An example of current risk handling (graph not reproduced; the risks plotted on it, with their handling method where labelled, are: Mold (Retained); Credit risk; Foreign exchange risk; Interest rate risk (Risk reduction – hedged); Property; Liability (Insurance); Reputation risk; Intellectual property piracy (Avoid)).

Risk Management For Agricultural Risks Developed By Crane et al. (2013).

Crane et al. (2013) develop a nine-step risk management process for American farmers and ranchers.

Step 1. Identify Risks. Identify and classify risks from main sources of risk. The farmers can identify their risks from the major sources of production risks such as weather, climate changes, and pests.

Step 2. Measure Risks. Crane et al. (2013) propose using probabilities to represent the chance of risks occurring, and the impact of the risks.

Step 3. Assess Risk Bearing Capacity. Bearing capacity focuses on financial capability. Farm owners can consider their annual expenses by assessing historical financial data.

Step 4. Evaluate Risk Tolerance or Preferences. The risk tolerance of farm owners can be classified as risk averse, risk neutral, or risk preferring.

Step 5. Set Risk Management Goals. Set goals over areas that can be well controlled. Farmers can opt for objective analysis and adjust to improve the likelihood of success if the farm cannot achieve the measurable goals.

Step 6. Identify Effective Risk Management Tools. Combine different risk strategies depending on situations, types of risk, and risk preferences. The aim is to reduce the probability of risk occurring, and to provide protection against the consequences of risk.

Step 7. Get Professional Assistance. Farmers are advised to seek assistance from professionals or stakeholders if they struggle to implement risk management.

Step 8. Decide and Implement the Plan. Be confident in following the steps and numerical measurements when implementing the plan that best fits the situation.

Step 9. Evaluate The Results. Use a mechanism to collect the results from the implemented plans. Compare the results with expected outcomes. Make plans for any adjustments and future decision cycles if necessary.

Risk-Based Thinking Framework Developed By Ramly & Osman (2018).

Ramly & Osman (2018) use the ISO 31000 risk management process as a basis to determine issues in the implementation of risk-based thinking (RBT). The issues are RBT approaches that are too many and too complicated, no integration of RBT with strategy and operations, and a lack of communication and awareness of RBT. Ramly & Osman (2018) then modify the ISO 31000 risk management process to address the RBT issues. They develop a seven-step risk management process.

Step 1. Determine the Purpose. Determine the purpose by including external issues, internal issues, and organization strategies and aims. The output is the purpose of risk management linking the organization’s risks and context.

Step 2. Determine the Issues. Issues are the key drivers from the external and internal environment of the organization impacting objectives. The study suggests using the Balanced Scorecard (BSC) to determine issues. The categories in the BSC can further derive the organization's issues in terms of key performance indicators.

Step 3. Determine the Consequences Criteria. Determine risk consequences criteria from the issues determined in Step 2. The criteria can be described qualitatively or quantitatively.

Step 4. Risk Identification. Risk identification includes a detailed risk description such as risk sources, potential events, the consequences, and the likelihood of the risks. The aim is to assign a proper risk treatment for the risk cause.

Step 5. Risk Assessment. Risk assessment determines whether the risk level is acceptable when compared to risk appetite of an organization. Risk level can be determined by combining the consequences and likelihood of risks.

Step 6. Determine Risk Appetite. Risk appetite is the amount of risk an organization is prepared to accept, tolerate, or be exposed to at any point of time.

Step 7. Determine Risk Treatment. The study adopts risk treatment options proposed by ISO 31000.

Operational Risk Management For SMEs Developed by Naude & Chiweshe (2017).

Naude & Chiweshe (2017) develop a risk management process for SMEs. The process identifies and analyses risks in SME operations and takes corrective actions to mitigate the risks. The study uses a conceptual analysis approach based on relevant literature to formulate the four-step operational risk management process.

Step 1. Risk Identification. This step aims to identify and understand the possible risk sources. The risk identification step is divided into three sub-sections: objective, description of risk, and responsible person.

Step 2. Risk Assessment. There are three actions under risk assessment. The first action is severity rating of the identified risks. The second action is probability rating of the identified risks. The third action is determining the risk score by multiplying the severity rating and the probability rating.

Step 3. Risk Response – Mitigation Strategy. This step aims to look over the existing controls and to see whether added measures are needed to mitigate more severe risks.

Step 4. Risk Monitoring and Control. Implementing this step helps the organization react to changes and formulate new alternatives to mitigate risks. SMEs need to re-evaluate, rescore, and overwrite the original values of each identified risk. This process is the key to closing the risk management cycle and to ensuring forward progress and momentum.

Enterprise Risk Management System For SMEs Developed by Bensaada & Taghezout (2019).

Bensaada & Taghezout (2019) develop an enterprise risk management (ERM) system for SMEs. The ERM system consists of five key components that are embedded in a multicycle iterative process. Figure 3 presents the ERM system. The five components are foundations and context, modelling and assessment, response and treatment, monitor and review, and communication and information.

Component 1. Foundation And Context (F&C). F&C consists of five modules. Module 1 is risk stakeholder committee appointment, Module 2 is common terminology characterization, Module 3 is strategic context characterization, Module 4 is operational context characterization and Module 5 is operational strategies formulation. Module 1 consists of determining who should participate in the ERM process, and their tasks, responsibilities, and accountabilities. Module 2 is developing and using common terminology across the organisation. Module 3 is understanding and defining the strategic context in a meaningful and actionable way. Strategic context items such as business core values, objectives, model, and risk appetite policies must be clarified, and parameters must be developed. Module 4 is prioritization of the areas in the organization which are targeted as focus drivers in terms of devoted resources and efforts. The targeted areas are called risk units (RU). Module 5 is defining and expressing the operational and strategic context of the RU identified in Module 4.

Figure 3: ERM process developed by Bensaada & Taghezout (2019).

Component 2. Modelling And Assessment (M&A). M&A has nine modules. Module 6 is risk identification. The aim of Module 6 is to identify all possible risks of the organization. Module 7 is risk representation modelling. Module 7 integrates all risk management components. Module 8 is risk representation normalisation. The objective of this module is a consistent risk description, since the identified risks could be represented in various ways. Hence, the risks identified in Module 6 must be analysed following the risk representation template from Module 7 in order to standardize the risk description. Module 9 is risk portfolio view setting. Module 9 aims to build a tailored, flexible risk categorization for the organization. Module 10 is risk analysis and measurement. Organizations can use qualitative or quantitative methods to analyse the risks, depending on the type of risk and the depth and scope of analysis wanted.

Module 11 is risk characterization modelling. This module consistently integrates the risk management components used with a risk characterization tool that meets non-expert needs. The outcome from Module 11 combined with the risk representation model yields the full entity-wide risk definition. Module 12 is risk characterization normalisation. Module 12 makes the whole process independent of the risk analysis tools, and hence provides a universal and coherent risk characterization for the organization. Module 13 is risk capacity and profiling. The risk capacity set up must be within the organization's resources. The organisation's level of risk distribution is expressed in terms of impact on strategic levels, leading to the establishment of the organization's risk profile. Module 14 is risk strategic evaluation. Module 14 aims to determine the level of exposure to each risk. The risk level obtained in Module 12 is used in this module. The output from this module is a refined classification and prioritization of risks requiring an adequate risk response.

Component 3. Response And Treatment. Component 3 has five modules. Module 15 is response option identification. Risk responses can be avoidance, reduction, or acceptance. Module 16 is response option analysis. This module analyses the response options with respect to feasibility for the organization and the cost/benefit criteria. Module 17 is treatment plan formulation. Module 17 is the comprehensive plan of the response options and the detailed description of how the plan should be carried out. Module 18 is treatment plan evaluation. In Module 18, the treatment plans are all processed through the M&A modules. If the deduced remaining risk exposure estimate is not acceptable, the organization must return to Module 15. Module 19 is response/treatment implementation. Module 19 is the execution of the response options or treatment plans selected.

Components 4 and 5. Monitor & Review, and Communication & Information. Modules 20, 21, 22 and 23 are meant to be implemented throughout the risk management steps. Module 20 is monitor. An organization should check the effectiveness of its activity, and any external factors varying over time that might change or invalidate the previous assumptions. Module 21 is review. The activity in this module is to observe and assess any substantial change concerning the monitored entities. Module 22 is communication. In this module, an organization defines the methodologies for diffusion and exchange of information elements, and for interaction between individuals. Module 23 is information. Information can be articulated around three basic items: gathering, storage framing, and visualization and exploration. Module 24 is culture diffusion. The final module aims to diffuse risk culture in the organization by reducing change resistance, spreading risk awareness, and motivating through culture diffusion mechanisms.

Project Risk Management Process Developed By Srinivas (2019).

Srinivas (2019) develops a four-step risk management process for construction projects.

Step 1. Identification Of Risks. This step aims to obtain a list of risks that may impact on the progress of a project.

Step 2. Risk Assessment. Risk assessment can be done by short listing the risks identified from Step 1 and ranking the risks starting from low impact to the highest impact on the project.

Step 3. Risk Response Planning. Risk response is a form of mitigation by adopting necessary strategies in respect of positive and negative risks.

Step 4. Monitoring And Controlling Risk. Organizations can use parameters such as the risk register, the main risk management plan, and work performance information to monitor and control risk. In addition, tools that can be used to monitor and control risk are risk reassessment, risk audits, and status meetings.

Risk Management Process For Social Media Risk Developed By Demek et al. (2018).

The study develops a social media risk management model to examine whether the way organizations address social media risk is consistent with a formal risk management process.

The Social Media Risk Management Model (SM-RMM) proposed by Demek et al. (2018) consists of four components and six steps. The components and steps are matched to the Enterprise Risk Management Integrated Framework (ERM-IF) as presented in Figure 4.

Component 1. Social Media Use (SMU). Before conducting a formal risk assessment, organizations must understand the objective of using social media within their organization. SMU is mapped to objective setting in ERM-IF.

Component 2. Perceived Risk of Use. The components event identification and risk assessment in ERM-IF are mapped to perceived risk of use in SM-RMM because they are directly related to identifying the perceived risk of social media use in an organization.

Component 3. Policy Implementation (PI). Two components from ERM-IF relating to how an organization manages risks map directly to policy implementation. The components are risk response and control activities.

Component 4. Training And Technical Controls (TTC). At this stage, the control activities are to implement controls. Employees need to undergo training to ensure they know and follow the established policies and procedures of risk management. The information and communication component is matched to TTC. Information to employees is conveyed through communication in trainings.

Figure 4: Matching ERM-IF and SM-RMM.

Risk Management For SMEs In India Developed By Panigrahi (2012).

Panigrahi (2012) analyses risk management practices of small and medium enterprises in India. The study develops a five-step risk management process.

Step 1. Identify Loss or Disruption Events. The first step is to identify the events that can cause loss or disruption to the business.

Step 2. Analyse the Events. Analyse the events to find the likelihood of the event occurring, and how serious the consequences are if the event occurs. Business owners can start by assessing each risk using terms ‘very likely’, ‘moderately likely’, or ‘very unlikely’. Place dollar values on the risk to prioritize them.

Step 3. Plan Actions. The third step is to plan actions. Address risks that have highest likelihood score and the most expensive events first.

Step 4. Monitor and Implement. The fourth step is monitor and implement. Business owners can develop procedures of risk treatments within their risk tolerance.

Step 5. Measure and Control. The final step is measure and control. The procedure of risk treatments must be monitored to ensure it is in place and effective to mitigate the risks.

Risk Management Process For SMEs Developed by Verbano & Venturini (2013).

Motivated by the need to promote SME growth, Verbano & Venturini (2013) suggest a simple four-step risk management process.

Preamble Step. Define Risk Management Plan. Before beginning with the first step, business owners need to define a risk management plan. The risk management plan must be consistent with the strategic business objectives and the business context.

Step 1. Identify All Risks. The first risk management step is to identify all risks the business is exposed to.

Step 2. Assess and Analyse Risks. The second step is to assess and analyse risks. The aim is to determine the probability and the expected magnitude of the occurrence of the damage. A threshold of acceptability must be set up before going to the next step.

Step 3. Risk Treatment. The third step is treatment of unacceptable risks. Treatment of risks is to take actions to reduce the risks likelihood and magnitude.

Step 4. Supervision. The final step is supervision. The implementation of risk management is a long-term, dynamic, and interactive process. It requires continual improvement and integration in the organization’s strategic planning.

Risk Management Model For Small Businesses Developed By Ekwere (2016).

Ekwere (2016) explores and analyses risk management techniques used by small businesses, and recommends a seven-step risk management process for small businesses.

Step 1. Communicate and Consult. The first step is to communicate and consult. The aim is to draw out risk information and to identify who should be involved in the risk management process.

Step 2. Establish the Context. The second step is to establish the context. Establishing the context includes internal context, external context, risk management context, development of risk criteria and defining the structure for risk analysis.

Step 3. Identify Risks. The third step is to identify the risks. The identification process should include all risks, whether they have happened, are currently happening, or have not yet happened.

Step 4. Analyse Risks. The fourth step is analysis of the risks. Risk analysis enables business owners to determine the risks that have a greater impact on the business. Risk analysis is conducted by combining the possible impact of the risk with the likelihood of it happening.

Step 5. Evaluate Risks. The fifth step is evaluating the risks. Evaluating risks is determining the importance of the risks to the business. It is a process of comparing the risk level from Step 4 with the risk criteria previously established in Step 2.

Step 6. Treat Risks. The sixth step is to treat the risks. Risk treatment is an action taken to treat or control risks. The action should reduce or eliminate negative consequences or reduce the likelihood of the risk event to occur and increase positive outcomes. Business owners can choose, prioritize, and implement the most appropriate combination of treatments. The study proposes four risk treatment options. The options are risk avoidance, changing the consequences, risk sharing, and risk retaining.

Step 7. Monitor and Review. The final step is monitoring and reviewing. Business owners must monitor the risks and review the effectiveness of the treatment plan, strategies, and management system set up to manage risks effectively.

Risk Management Process For SMEs Developed By Falkner & Hiebl (2015).

Falkner & Hiebl (2015) develop a five-step risk management process. The steps are risk identification, risk analysis, selection of techniques, strategy implementation, and control.

Step 1. Risk Identification. The first step in risk management is to identify the possible sources of loss and risks. This step should be carried out continuously and systematically.

Step 2. Risk Analysis. The second step is risk analysis. Risk analysis is measuring or estimating the potential frequency of losses and the potential impact of a risk on the business’s operation.

Step 3. Selection of Techniques. The third step is selection of techniques. The techniques are insurance, weather derivatives, selection of suppliers, overcapacity in production, emergency plan, networking, and asset securitization.

Step 4. Strategy Implementation. The fourth step is strategy implementation. The study suggests informing all affected employees on the business’s risk management objectives.

Step 5. Control. The final step is control. The final step is to consistently review the techniques and measures taken to ensure the business meets the current requirements. Business owners are advised to define a performance benchmark to monitor the risk management process.

3. Methodology

This study conducts an in-depth analysis on previous studies on risk management processes developed for businesses. The steps of the analysis are explained in detail as follows.

Step 1. The analysis begins with an extensive search of journal articles on open repository sites. The sites are Google Scholar, ResearchGate, Academia, and Elsevier. The search uses the keywords “risk management”, “risk management process”, “risk management model” and “risk management framework”. The raw data of this study are 62 academic articles from the past 15 years on risk management processes, models, and frameworks in different sectors.

Step 2. The data is further filtered by manually scanning the abstracts and contents for studies focusing on developing risk management process. The final data consist of 11 previous studies.

Step 3. The common steps with the same purpose are grouped together. The common purpose of each step of the risk management process is identified by grouping statements (Barafort et al., 2019). In this study, the common purpose of each step follows the risk management steps developed by ISO 31000:2018 as presented in Table . The purpose of each step follows the purpose of the corresponding step in the ISO 31000:2018 risk management process. For example, Author 1 uses the term “risk analysis” and Author 2 uses the term “risk assessment” to analyse risks. Referring to ISO 31000:2018, both terms have the same purpose as “Risk Analysis”. Hence, the terms “risk analysis” by Author 1 and “risk assessment” by Author 2 are grouped under “risk analysis”.

Step 4. A benchmark is developed to determine the commonly used risk management steps. The benchmark defines the steps that appear in at least ten of the articles as the common risk management steps. Table 2 shows the comparison of steps in the risk management processes developed by previous studies and ISO 31000:2018. Any step that appears in fewer than ten articles is not counted as a common step.

4. Findings

This study explores and analyzes risk management process. The aim is to find commonly used risk management steps. The study finds four common steps of risk management process. The steps are risk identification, risk analysis, risk treatment, and risk monitoring and review. Table 3 presents the steps and description of each step.

5. Discussions

Panigrahi (2012) and Srinivas (2019) develop risk management processes consisting of only four steps. On the other hand, Bensaada & Taghezout (2019) develop a comprehensive risk management process with more than twenty steps. The variety of steps in risk management processes indicates that a risk management process can be customized according to business necessity (ISO 31000, 2018). While each study develops a risk management process unique to its field of research, the steps in the risk management processes nevertheless converge to the risk management process developed by ISO 31000:2018. The common steps of risk management processes are risk identification, risk analysis, risk treatment, and risk monitoring and review. The result implies that a four-step risk management process is sufficient to implement risk management. A risk management process with many steps is beneficial for businesses such as big corporations, as they require the detailed items and information needed for risk management. Large organisations with complex businesses may need comprehensive risk management processes. Furthermore, they have the resources to implement a comprehensive risk management program. However, small or micro business owners may have limited knowledge and less exposure to business management (Abdul Rahman et al., 2016). Hence, a risk management process with many steps can be difficult for such business owners to follow.

Table 1: Grouping of the risk management steps following ISO 31000:2018.

| Study | Scope, context & criteria | Risk identification | Risk analysis | Risk evaluation | Risk treatment | Monitoring and review |
|---|---|---|---|---|---|---|
| ISO 31000:2018 | Identify business objective & environment to define objective and risk criteria | Find, recognize, and describe risks | Understand the nature of risk and its characteristics | Support decision by comparing the results of risk analysis with risk criteria | Select and implement options for addressing risk | Assure and improve the quality and effectiveness of process design, implementation & outcomes |
| Crane et al. (2013) | | Identify risk | Measure risk; assess risk bearing capacity | Evaluate risk tolerance; set risk management goals | Identify effective risk management; decide and implement the plan | Evaluate the results |
| Ramly & Osman (2018) | Determine purpose, issues, & consequences criteria | Risk identification | Risk assessment | Determine risk appetite | Determine risk treatment | |
| Bensaada & Taghezout (2019) | Common terminology and context | Risk identification | Risk analysis & measurement | Risk capacity and profiling; risk strategic evaluation | Response identification, analysis & implementation | Monitor; review |
| Baranoff et al. (2009) | Communication | Risk identification | Risk profiling | Risk profiling | Risk mapping; risk management alternatives; comparison to current risk handling | Ongoing monitoring |
| Srinivas (2019) | | Identification of risk | Risk assessment | | Risk response planning | Monitoring, controlling risk |
| Demek et al. (2018) | Objective setting | Event identification | Risk assessment | | Risk response | Control activities |
| Panigrahi (2012) | | Identify risks | Assess & analyse | | Plan action | Monitor, implement, measure & control |
| Verbano & Venturini (2013) | Corporate and management objectives | Risk identification | | Evaluation | Treatment | Monitoring / auditing |
| Ekwere (2016) | Establish the context | Identify the risk | Analysis of the risks | Evaluate the risks | Treat the risk | Monitor and review |
| Naude & Chiweshe (2017) | | Risk identification | Risk assessment | | Risk response – mitigation strategy | Risk monitoring and control |
| Falkner & Hiebl (2015) | | Risk identification | Risk analysis | Selection of methods | Strategy implementation | Control |

Table 2: Comparison of risk management steps in risk management processes developed by previous studies against ISO 31000:2018.

The eleven processes compared are those of Crane et al. (2013), Ramly & Osman (2018), Bensaada & Taghezout (2019), Baranoff et al. (2009), Srinivas (2019), Demek et al. (2018), Panigrahi (2012), Verbano & Venturini (2013), Ekwere (2016), Naude & Chiweshe (2017) and Falkner & Hiebl (2015). The count row gives the number of these eleven processes in which each ISO 31000:2018 step appears.

| ISO 31000:2018 step | Scope, context, and criteria | Risk identification | Risk analysis | Risk evaluation | Risk treatment | Monitoring and review |
|---|---|---|---|---|---|---|
| Count | 6 | 11 | 10 | 7 | 11 | 10 |

Table 3: Common risk management steps and descriptions

| Study | Risk identification | Risk analysis | Risk treatment | Monitoring and review |
|---|---|---|---|---|
| ISO 31000:2018 | The process of finding, recognizing and describing risks. | A detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls, and control effectiveness. | Select and implement options to address risk. | Monitor and review the effectiveness of the risk treatment plan, strategies and management system that have been set up to effectively manage risk. |
| Crane et al. (2013) | Identify and classify risks from the main sources of risk. | Measure risks using probabilities to represent the chance of risks occurring, and the impact of the risks. Assess financial capability to bear risks. | Identify effective risk management tools to reduce the probability of risk occurring, and to provide protection against the consequences of risk. | Collect the results from the implemented risk treatment plans. Compare the results with expected outcomes. Make plans for any adjustments and future decision cycles if necessary. |
| Ramly & Osman (2018) | A detailed risk description such as risk sources, potential events, the consequences, and the likelihood of the risks. | Determines whether the risk level is acceptable when compared to the risk appetite of an organization. Risk level can be determined by combining the consequences and likelihood of risks. | Adopts the risk treatment options proposed by ISO 31000. | |
| Bensaada & Taghezout (2019) | Identify all possible risks of the organization. | Use a qualitative or quantitative method to analyze the risks, depending on the type of the risks. | Identify response options and analyze the response options with respect to the feasibility for the organization and the cost/benefit criteria. | Check the effectiveness of treatment activities, and any external factors varying over time that might change or invalidate the previous assumptions. Observe and assess any substantial change concerning the monitored entities. |
| Baranoff et al. (2009) | Identify all risks. | Projection of frequency and severity of risk. Develop a proper data system to allow risk managers to quantify loss history. | Use a risk matrix to aid in determining alternatives to manage risks. | Regular and constant monitoring to ensure decisions are correct and implemented correctly, and to determine whether they require revised plans. |
| Srinivas (2019) | Obtain a list of risks that may impact the progress of a project. | Shortlist the risks and rank the risks from the lowest impact to the highest impact on the project. | Adopt the necessary strategies in respect of positive and negative risks. | Use parameters such as the risk register, the main risk management plan, and work performance information to monitor and control risk. |
| Demek et al. (2018) | Identify risk events relevant to objectives. | Assess risk likelihood and impact. | Implement risk response policy. | Implement risk control policy. |
| Panigrahi (2012) | Identify the events that can cause loss or disruption to the business. | Find the likelihood of the event occurring, and how serious the consequences are if the event occurs. | Plan actions to address the risks with the highest likelihood score and the most expensive events first. | The risk treatment procedure must be monitored to ensure it is in place and effective in mitigating the risks. |
| Verbano & Venturini (2013) | Identify all risks the business is exposed to. | Determine the probability and the expected magnitude of the occurrence of the damage. | Take actions to reduce the likelihood and magnitude of the risks. | Continual improvement and integration in the organization's strategic planning. |
| Ekwere (2016) | Identify all risks, whether they have happened, are currently happening, or have not yet happened. | Risk analysis is conducted by combining the possible impact of the risk with the likelihood of it happening. | Plan actions to treat or control risks. The action should reduce or eliminate negative consequences or reduce the likelihood of the risk event occurring, and increase positive outcomes. | Monitor the risks and review the effectiveness of the treatment plan, strategies, and management system set up to manage risks effectively. |
| Naude & Chiweshe (2017) | Identify and understand the possible risk sources. | Determine the severity rating, probability rating and risk score of the identified risks. | Look over the existing controls and see whether added measures are needed to mitigate the more severe risks. | Re-evaluate, rescore, and overwrite the original values of each identified risk. |
| Falkner & Hiebl (2015) | Identify the possible sources of loss and risks. | Measure or estimate the potential frequency of losses and the potential impact of risks on the business's operation. | Select risk treatment techniques, such as insurance, weather derivatives or asset securitization. | Consistently review the techniques. Define a performance benchmark to monitor the risk management process. |

6. Conclusions

The exploration and analysis of the risk management processes contributes to enhancing knowledge and understanding of the risk management processes developed for businesses.

Different researchers use different terms for their risk management steps, but the steps carry the same meaning and purpose. Although ISO 31000:2018 is the generally accepted risk management process, it is not a requirement that all risk management processes follow the process as outlined by ISO 31000:2018. A risk management process is unique to a business, project, or area of application. The limitation of this study is that the search for risk management processes covered only open repository sites (Google Scholar, ResearchGate, Academia, and Elsevier). Hence, this study recommends that future research broaden the search for risk management processes to other sites to observe the pattern and development of the risk management steps.

References

Abdul Rahman, N., Yaacob, Z., & Mat Radzi, R. (2016). The Challenges Among Malaysian SME: A Theoretical Perspective. World Journal of Social Sciences, 6(3), 124–132.

Abu Bakar, W. (2019). Risk Management Of Agriculture Project To Achieve Production Output: A Case Study On A Rockmelon Farm. Universiti Sains Islam Malaysia.

Barafort, B., Mesquida, A. L., & Mas, A. (2019). ISO 31000-Based Integrated Risk Management Process Assessment Model for IT Organizations. Journal of Software: Evolution and Process, 31(1). https://doi.org/10.1002/smr.1984

Baranoff, E., Brockett, P. L., & Kahane, Y. (2009). Risk Management For Enterprises And Individuals. Flat World Knowledge, L.L.C.

Bensaada, I., & Taghezout, N. (2019). An Enterprise Risk Management System for SMEs: Innovative Design Paradigm And Risk Representation Model. Small Enterprise Research, 26(2), 179–206. https://doi.org/10.1080/13215906.2019.1624190

Crane, L., Gantz, G., Isaacs, S., Jose, D., & Sharp, R. (2013). Introduction To Risk Management: Understanding Agricultural Risk (2nd ed.). Extension Risk Management Education and Risk Management Agency. http://www.extensionrme.org/pubs/IntroductionToRiskManagement.pdf

Demek, K. C., Raschke, R. L., Janvrin, D. J., & Dilla, W. N. (2018). Do Organizations Use A Formalized Risk Management Process To Address Social Media Risk? International Journal of Accounting Information Systems, 28, 31–44. https://doi.org/10.1016/j.accinf.2017.12.004

Duong, L. (2009). Influence Of Risk Management In Operations Of Small-Medium Enterprises And Micro Companies: A Case Study For Viope Solutions Ltd. Arcada University of Applied Sciences.

Ekwere, N. (2016). Framework Of Effective Risk Management In Small And Medium Enterprises (SMEs): A Literature Review. Bina Ekonomi, 20(1), 23–46. https://doi.org/10.26593/be.v20i1.1894.23-46

Falkner, E. M., & Hiebl, M. R. W. (2015). Risk Management In SMEs: A Systematic Review Of Available Evidence. The Journal of Risk Finance, 16(2), 122–144. https://doi.org/10.1108/JRF-06-2014-0079

Gorzeń-Mitka, I. (2015). Risk Management In Small And Medium-Sized Enterprises: A Gender-Sensitive Approach. Problems of Management in the 21st Century, 10(2), 77–87.

ISO Guide 73:2009(en), Risk management — Vocabulary. (n.d.). Retrieved June 23, 2021, from https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en

Md. Sum, R. (2015). Risk Prioritisation (RP): A Decision Making Tool For Risk Management (Issue December). Macquarie University.

Md. Sum, R., & Hamir, H. (2019). Sole Proprietor Micro Enterprise Risks and Risk Mitigation Techniques. In K. Mohd Noor, N. H. Ab Aziz, & M. Jober (Eds.), National Conference on the Humanities and Social Sciences (NACOSS) Proceeding (p. 17).

Moeller, R. R. (2007). COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework. John Wiley & Sons.

Naude, M. J., & Chiweshe, N. (2017). A Proposed Operational Risk Management Framework For Small And Medium Enterprises. South African Journal of Economic and Management Sciences, 20(1). https://doi.org/10.4102/sajems.v20i1.1621

Panigrahi, A. K. (2012). Risk Management In Micro, Small and Medium Enterprises (MSMEs) In India: A Critical Appraisal. Asia Pacific Journal of Marketing & Management Review, 1(4), 59–72. http://www.unido.org/fileadmin/user_media/Publications/Pub_free/Effective_policies_f or

Ramly, E. F., & Osman, M. S. (2018). Development Of Risk Management Framework - Case Studies. Proceedings of the International Conference on Industrial Engineering and Operations Management, 2542–2551.

Srinivas, K. (2019). Process of Risk Management. In Perspectives on Risk, Assessment and Management Paradigms (pp. 0–16). IntechOpen. https://doi.org/10.5772/intechopen.80804

Technical Committee ISO/TC 262. (2018). ISO 31000:2018(en) Risk management — Guidelines. International Organization for Standardization. https://www.iso.org/obp/ui#iso:std:iso:31000:ed-2:v1:en

The Institute of Risk Management. (2002). A Risk Management Standard.

Verbano, C., & Venturini, K. (2013). Managing Risks In SMEs: A Literature Review And Research Agenda. Journal of Technology Management and Innovation, 8(3), 186–197. https://doi.org/10.4067/s0718-27242013000400017

Zoghi, F. S. (2017). Risk Management Practices And SMEs: An Empirical Study On Turkish SMEs. International Journal of Trade, Economics and Finance, 8(2), 123–127. https://doi.org/10.18178/ijtef.2017.8.2.550
