"A company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it."
The above is a quote from the Financial Reporting Council's Internal Control: Revised Guidance for Directors on the Combined Code (October 2005). Note that it refers to the management and control of risks rather than their elimination. No organisation can progress in the modern business climate and maximise the benefits of opportunities without taking risks. The risks, however, must be clearly understood and evaluated before an informed decision can be made. Once the risks have been identified and assessed, informed decisions can be made as to whether the risk can be taken, treated, transferred or avoided altogether by not going ahead with the action that causes the risk.
- Take: The risk is acceptable without any action;
- Treat: Instigate mitigation measures to reduce the risk to an acceptable level;
- Transfer: Transfer the risk to another party by means of contractual arrangements or by insurance.
EP personnel are multi-disciplinary and have very diverse backgrounds, giving great depth and breadth to our risk assessment capability. In addition to facilitating risk management workshops, other specialist risk assessments include:
- Cost Risk Assessment;
- Schedule Risk Assessment;
- Decision Risk Assessment using Event Tree Analysis.
Risk management is an ongoing process. Once risks have been identified and assessed and mitigating actions raised, it is crucial that the actions are followed through to completion. Regular risk review meetings should be held to monitor progress.
EPConsult Energies has developed software called EPRisk that is tailored for the management of risks. It covers the entire life of risks including:
- Identify risk;
- Assess the risk;
- Assign mitigation actions;
- Monitor mitigation actions;
- Identify recovery or contingency measures;
- Re-assessment;
- Close-out.
It must be understood that the above is essentially a semi-quantitative process that may not cover all of the risks in sufficient detail. Other techniques, such as Event Tree Analysis, may therefore need to be used to fully evaluate business risks and opportunities.