Modern Risk Management Methodologies: Global Experience And Russian Practice

Abstract

At present, science and practice offer risk management methodologies that are relevant to modern production and economic and social humanitarian realities. Risk management methodologies are successfully developed, implemented and realized in Russia through the creation of scientific and professional communities. The purpose of communities is to solve specific management tasks of identifying, analyzing, controlling and forecasting risks. Russian organizations operating internationally are the first to update foreign risk management methodologies for their managers, and now they are implementing a systematic corporate approach of risk management. This process would not have been possible without the involvement of Western consulting companies, their specialists are engaged in training managers, and offering approaches and models of world practice that are suitable for each specific case. Such an inter-statehood in understanding the problem generates a plurality of opinions in shaping the goals and objectives of risk management, establishing a common terminology, structure and process relevant to modern Russian reality. World practice proposes standardization in the field of risk management as a solution to the researched issue. The system is successfully operating in EU - International Organization for Standardization (ISO), which standards specify not only the scope of risk management, but also the quality of management, audit, production control, eco-management and others. Most of the standards are adapted to Russian conditions and are presented in the form of national standards GOST R.

Keywords: Riskrisk managementrisk analysissystem approachstandardization

Introduction

Risk management is a specific management methodology that includes a set of management procedures and methods for solving identification, analysis and evaluation, risk monitoring and risk sharing information to reduce the costs of an organization and increase its profitability (RosStandart, 2002). The tasks of risk management comprise a whole range of problems of a man and society: human security, health protection, environmental safety, the consequences of the financial and economic crisis, and others. When considering risk from the point of view of a particular organization, the task and problem acquires the following outlines. The problem of risk management is relevant and appropriate, particularly in current conditions of the residual financial and economic crisis and its consequences. Risk management tasks being versatile and difficult to formulate, assume the use of an integrated system approach in their decisions, which is contained in modern methodology of “Risk Analysis” (ISO, 2010).

Problem Statement

In the context of this article, the “Risk Analysis” methodology is supposed to consider within the framework of risk management on the example of one of the leading regional enterprises of Kursk city and the Kursk Region - JSC “Institute of Ecological Safety” (INSTEB). This methodology is relevant and widely used both in Russia and in countries of Western Europe. Moreover, the concept of risk analysis is developed precisely in the regulatory documents of the European Union. In this regard, the task of reviewing and demonstrating a risk analysis application is expanding: it is advisable to identify analogies and differences in risk management approaches and methods in Russia and abroad, and also to argue the relevance and priority of risk analysis and its regulatory documents in comparison with other methods and risk management procedures.

Research Questions

Within the confines of this study, we will consider one of the leading risk management methodologies both in Russia and abroad - risk analysis. Let us draw analogies and differences with other modern approaches and risk management methodologies, as well as present the practical application of risk analysis as an effective tool for identifying, analyzing, controlling and forecasting risks using the example of one of the leading regional enterprises of Kursk city and Kursk Region – JSC “Institute of Ecological Safety” (INSTEB).

Purpose of the Study

The aim is the need to disclose risk analysis as an up-to-date modern risk management methodology, evaluate it from the standpoint of Russian and international regulatory documents, and also provide an example of risk analysis in the organization of one of the regions of the Russian Federation.

Research Methods

The global practice of applying risk analysis is focused not only on use in a particular organization, but also on the state level. Thus, the governments of the countries of the European Union have always focused their attention on the safety of citizens, in particular against risks. But lately, risk management has gradually occupied a central position in the activities of the state. The concept of “risk” is used to describe a variety of problems and threats both in Russia and in international and European standards: from the events of September 11, 2001 to the danger of using chemical or biological weapons, or the occurrence of a global accident, without excluding the vulnerability problem of IT systems and “hacker” attacks.

 Modern society is in constant development, which is accompanied by the constant presence of risk in human life and society. This fact determines the global meaning of the risk management task and substantiates its relevance: reducing the external risks associated with various kinds of safety (health protection, physical and financial security), free access to quality public services (Knight, 2003).

At the same time, the existence of risk at the state level (unforeseen political and economic incidents, the threat of disruption of state programs and projects) will not be disputed. Such uncertainty is not new. The characteristics of risk are subject to change for two main reasons. First, the general rapid development of science and technology at the moment is accompanied by constant technological risks: from the threat of total proliferation of GMO products to cybernization and human cloning (Budanov, 2016). Second, inter-state and intra-state risks arise from the integration of global economy, the creation of common communication systems and the generation of common environmental problems. Close interrelations of the global infrastructure characterize systemic risks: adverse events occurring at various points on the globe affect its inhabitants more than before. Such risks currently have a reasonable priority over others. In this regard, the governments of many developed and developing countries focus on improving of the used risk management methods.

Recently, there has been a situation of mass replication of international, including European, standards governing the procedure for managing risks of man-made factors (RosStandart, 2002,1995, 2010). The document “Risk management of organizations. Integrated Model”, developed by Committee of Sponsoring Organizations of the Treadway Commission is the most popular in Russia (Committee of Sponsoring Organizations of the Treadway Commission, COSO) (COSO, 2004a). The regulatory document reflects the conceptual base and risk management methodology within specific organizations and includes clear recommendations on the creation of an intra-organizational risk management system. The risk management methodology of COSO organization consists of eight elements: internal environment definition; setting aims and objectives; risk identification; assessment of each risk; risk response; control means; information and communication; monitoring (COSO, 2004b).

In this regard, the COSO regulatory document presents a risk management methodology from the perspective of the process approach known in risk management and quality management (Mayakova, 2016). In spite of a clear methodology for the presented document, the Russian managers and experts took a risk management standard of the Federation of European Risk Managers associations as a basis for risk management methodologies in Russia. One of the advantages of this standard over the COSO document is the more acceptable terminology adopted in the documents of the International Organization for Standardization (ISO, 2009). The very concept of “risk” is defined as “a combination of the event probability and its consequences” (ISO, 2009). Risk management is a central part of the organization strategic management and includes not only a set of measures and procedures for identifying and assessing risks, but also programs for controlling and minimizing risks.

The risk analysis methodology is such a unified risk management system. The main standard of the Russian Federation regulating the risk analysis methodology is the adapted standard GOST R 51901-2002 “Reliability Management. Risk analysis of technological systems” (RosStandart, 2002). Many industrial enterprises have introduced this methodology into their risk management activities, however many still try to do without it due to the complexity and systemic nature of its implementation. For example, the complexity of implementing risk analysis in the service industry lies in the uncertainty of business processes that must be documented in a risk analysis program.

Consider this methodology in more detail. The process of implementing a risk analysis is divided into two major subprocesses. The first is to identify and assess the scale of the risk subjecting to analysis and management. This subprocess is called the stage of risk characterization (nonconformity). The second subprocess involves a detailed risk assessment and the development of a complex of measures to minimize and eliminate it. This subprocess is defined as the decision making stage. However, the risk analysis process is cyclical and reversible; therefore, it is possible to return to the risk characterization stage in the event of new threats emergence at the decision making stage.

Risk identification is a meaningful procedure in the risk decision making process and strategic planning in general. In most cases, attention is focused on the risk analysis process itself to the detriment of solving a global problem, an integrated approach to eliminating and minimizing risks on a wide scale basis. Concentration on any threat leads to the destruction of the entire risk management system. The solution to this problem should be comprehensive, opening the relationship of threats to each other. Risk management will be effective and efficient only in this case. Such a “slogan” underlies the “Risk Analysis” methodology.

According to GOST R 51901-2002 “Reliability Management. Risk analysis of technological systems”, risk analysis is a structured process, the purpose of which is to determine both the probabilities and the size of the adverse consequences of the studied action, object or system (ISO, 2009). The feature of risk analysis is that this process is structured and contains clear rules for conducting. Moreover, risk analysis necessarily involves the compilation of a risk matrix, where the interrelations of risks and their assessment are clearly traced. So, risk analysis is divided into following stages:

1. definition of the scope (process, complex of processes, organization activities, region, countries, etc.);

2. risk identification (type of risk) with subsequent potential risk assessment (SWOT-analysis, FME(C)A- analysis, FTA- analysis, etc.);

3. qualitative / quantitative risk assessment (risk influence degree; risk probability);

4. risk influence analysis on a specific scope (process, complex of processes, organization activities, region, countries, etc.);

5. development of a complex of measures to minimize and eliminate it;

6. compilation and analysis of a risk matrix.

Findings

As a graphic example, consider the use of risk analysis in one of the leading regional enterprises of Kursk city and Kursk region - JSC the Institute of Ecological Safety (INSTEB). For more effective work, a preliminary self-assessment of JSC INSTEB was carried out using SWOT analysis (Neumann, Grace, Burns, & Surridge, 2019), which resulted in the identification of positive factors and threats to the internal and external environment, as well as the organization potential. In order to provide a more comprehensive presentation of information, we will reflect the results of the conducted research and present the risk analysis in details.

Thus, the following global threats were identified:

•negative impact of economic crisis;

•inflation increase;

•currency exchange rate.

In order to determine the risks of the internal environment, FMECA-analysis was carried out (Pence & Sakurahara, 2019), which results were also systematized for subsequent use in risk analysis. So, real and potential intra-organizational threats were discovered:

•market sharing; untimely entry to target market;

•changing consumer needs;

•increased competition;

•customer dissatisfaction with the product or service provided;

•lack of resources for production / services;

•lack of staff qualifications;

•breach of contract.

For a more ranked presentation of risk analysis data, we will group the identified risks according to the established classification: macroeconomic risks and microeconomic risks (market, production, legal). Given the fact that the risk of “breach of contract” is quite broad in its understanding, it is advisable to detail its meaning and “subject-object” guidelines in order to better work. Thus, there are three different risks instead of one: breach of contract by a supplier of resources, breach of contract by a customer, breach of contract by an organization. The expediency of this action is justified by the fact that a possibility of a clearer choice of measures and decisions making will be at the stage of developing a complex of measures to minimize and eliminate risk.

Risks identified in the previous stages of risk analysis are recorded in a special tabular form (Table  1 ). In order to rank the risks, the following specialized criteria are defined: influence degree (low, medium, high, catastrophic) and probability of occurrence (low, medium, high). According to these criteria, each individual risk (threat) is evaluated, the assessment results are also recorded in a tabular form. These criteria are determined on the basis of SWOT-analysis and FMEA-analysis.

To develop a complex of measures for minimizing and eliminating risks, in the ideal case, a specialized expert group should be formed, which, based on the results of FMEA-analysis, develops this complex of measures. The totals are also contributed to a tabular form. This is the final stage of the tabular form formation (Table 1 ).

Based on the information in the tabular form, a risk matrix is compiled, being the main form of risk analysis. The risk matrix allows determining the most important and probable risks (Fig.1). The risk matrix contains a certain limit that is the limit of risk tolerance. Risks located above this boundary need paramount attention and special control. It is in their direction that the vector of the organization regulatory activities should be shifted.

See Full Size >

Based on the results of the risk analysis in JSC INSTEB, the following conclusions can be drawn. The greatest danger is the risk of “Breach of conditions by the resource provider” and “Currency exchange rate”. Both risks are above the risk tolerance limit, and therefore the greatest efforts should be made to minimize and eliminate them. If the risk reflecting currency exchange rate cannot be eliminated (for objective macroeconomic reasons), then the risk of “Breach of conditions by the resource provider” is completely minimized and even eliminated. For these purposes, measures have been developed for each of the risks that can and should be applied within the organization.

However, “looping” only on critical risks is not the right solution. It is necessary to stabilize the situation in all areas of risk through a policy of minimizing risk-forming factors. Of course, potential threats will remain, particularly macroeconomic ones, but the organization must conduct its activity based primarily on sound strategic planning, which component is risk analysis. At the same time, risk analysis is a complex procedure that must be carried out periodically; otherwise the efficiency and effectiveness of risk management in an organization will be close to zero. The frequency is set individually, depending on the number and characteristics of the risks identified during the first procedure.

Conclusion

In conclusion, it should be noted that the systematic comprehensive risk analysis within the framework of risk management in an organization provides the following possibilities:

1. improving the strategic planning of the organization;

2. modernization of a decision-making policy associated with a complex of specific measures to minimize and eliminate risk;

3. improving the competitiveness of the organization in a market;

4. re-assessment of resources, more successful use of positive factors of the organization;

5. effective management of potential risks and nonconformities;

6. cost reduction in production and services;

7. flexibility and mobility in making decisions regarding the activities of the organization and risks associated with it;

8. development of innovative activity of the organization.

The global practice of risk management is contained in the developed regulatory documents, which contain elements of risk management. Recommendations of the European Union on risk management contain a general requirement, which is supported by the Russian Federation that is a detailed expert analysis to be carried out by employees engaged in risk management activities both within the same organization and at the state and interstate levels. Risk analysis supports this initiative. As can be seen from the risk analysis procedure, the whole methodology is based on the expert analysis principle. Along with expert analysis, international standards for risk management are similar in the dynamics of this process, its systematicity and consistency, focus on strategic goals, transparency and content. So, effective risk management allows not only more efficiently carrying out daily activities, but also planning and making strategic decisions on significant issues at various levels. Risk analysis within risk management is a documented process that enhances traceability of decision making.

Acknowledgments

State assignment No 1.38.17F “Legal regulation of the institution of exclusive rights in the countries of Western Europe and East Asia in the 17^{th –} 19^th centuries: comparative legal research”.

References

1. Budanov, V. G. (2016). New digital life technoscience – prospects and risks of anthroposphere transformation. Philosophical Sciences, 6, 47–55. (in Rus.).
2. COSO (2004a). Enterprise Risk Management – Integrated Framework Executive Summary. Committee of Sponsoring Organization of the Treadway Commission (COSO).
3. COSO (2004b). Risk management organizations. Integrated model. Summary. Committee of Sponsoring Organization of the Treadway Commission (COSO).GOST 51897-2011 Risk management. Terms and definitions. Edition official.
4. ISO (2009). ISO Guide 73:2009 Risk management – Vocabulary – Guidelines for use in standards (IDT). Edition official.
5. ISO (2010). ISO/DIS 31000:2010 Risk management – Principles and guidelines on implementation». Edition official.
6. Knight, K. W. (2003). Risk Management: an integral component of corporate governance and good management. ISO Bulletin.
7. Mayakova, A. (2016). Quality of management in the context of modern economic and managerial paradigm. management in reengineering and redesign. Ekonomicnij casopis-XXI (Economic Annals-XXI), 157(3–4 (1)), 82–84.
8. Neumann, G. K., Grace, P., Burns, D., & Surridge, M. (2019). Pseudonymization risk analysis in distributed systems. Journal of Internet Services and Applications, 10(1), 32–36.
9. Pence, J., & Sakurahara, T. (2019). Data-theoretic methodology and computational platform to quantify organizational factors in socio-technical risk analysis. Reliability Engineering and System Safety, 185, 240–260.
10. RosStandart (1995). INTERSTATE STANDARD 27.310-95 Dependability in technics. Failure mode, effects and criticality analisys. Basic principles. Edition official.
11. RosStandart (2002). GOST 51901-2002 Risk management. Risk analysis of technological systems. Edition official.
12. RosStandart (2010). GOST 54125-2010 Safety of machinery and equipment. Principles for safety ensuring while designing. Edition official.