2.3 Risk Management
According to IRM-AIRMIC-ALARM (2002), risk management is central to every organisation’s strategic management; it comprises the process which identifies and treats the internal and external risks and adds sustainable value to the organisation and its stakeholders by decreasing the probability of not achieving the organisation’s overall objectives. These institutes suggest that risk management lies in the strategic, tactical and operational levels, and that its embodiment in all tasks and roles is required; it is a consistent manner of operation for an organisation, which leads to effective decision making, efficient allocation and protection of the organisational ...
). The internal factors include ethics and beliefs, culture, pressures from employees, absence and sickness, and changes in personnel, procedures and processes. Moreover, Davies et al. (2003) note the importance of public perceptions of risk, which often drive changes in organisations; hence, socially constructed risk and non-experts’ views of what is risky or not should not be ignored.
Collier (2009) claims that the fundamental role of a company’s Board of Directors is to apply risk management and to review the performance of the organisation’s internal control procedures; these two principal processes support the Board in setting the strategic targets, transforming the targets into real products and services, overseeing the business effectively, and reporting realistically to the external stakeholders. Apart from the Board, the author suggests that an effective risk management framework must be facilitated by a risk management group, a chief risk officer, external and internal audits, and a mature organisational culture disseminated to the line managers and employees. Under the same concept, Hampton (2009) presented a flow diagram that suggests the path towards the establishment of enterprise risk management, starting from risk recognition and ending with the standardization of a risk evaluation process, having first involved the Board, the risk owners and the accountable staff.
The core function of management is not just to identify the hazards and their potential or actual consequences, but to quantify their probability and severity, so that the risks to be managed can be discussed on a common basis and resources can be allocated according to the estimated risk levels; the latter comprises the “ALARP” approach that describes the efforts of an organisation to mitigate risks As Low As Reasonably Practicable, lowering them to an acceptable level (ICAO, 2012; Manuele, 2008 and Roland and Moriarity, 1990). Moreover, Manuele (2008), Ferrett and Hughes (2007 and 2011) and Cox et al. (2000) discuss the involvement of subjective estimations during the risk assessment procedure, either in the stage of probability calculation or in the stages of severity evaluation and hazard mitigation, especially in the absence of robust historical data; hence, in cases where accuracy is very much questionable, Manuele (2008) recommends that risk assessment should not lead to unrealistic expectations, but should be seen as a valuable decision-making tool.
Each organisation, regardless of its main context and focus (e.g. manufacturing, aviation, transportation, banking, insurance services etc.), in order to robustly establish risk management, shall clearly document the main stages of the relevant risk cycle (fully or partially discussed by ICAO, 2012; Stranks, 2006a, 2006b and 2008; Manuele, 2008; Ferrett and Hughes, 2007 and 2011; Tummala, 1996; EFW, 2008; Dionne, 2013 and Bessis, 2002) as presented in Figure 2: