Office of The Ombudsman, Hong Kong

We live in a very dangerous and hazardous world, but perhaps no less dangerous or hazardous than our ancestors. Science has improved man's control over its environment and, thereby, has reduced many of the risks of living that existing on this earth. However, with every scientific innovation or discovery, a whole new set of uncertainties and chances for loss develop.

Risk management means many different things to many different people, depending upon their particular disciplines or specialties of management in which they function. Generally, risk management is defined as a decision-making process for living with the potential realization of unwanted consequences from impending events. From a developing discipline, it has emerged to be a profession.

To place risk management in its true perspective, it is important to address the origins of risk management by tracing its evolutionary development, from its early beginning as an integral component of the insurance mechanism through several stages of development until its more recent acceptance as a part of management science. Its subsequent adoption by corporations as an effective management tool for identifying and controlling risks associated with all business activities has paved the way for its introduction as a critical function of management, the job of minimizing risk and maximizing opportunities.

The term "risk management" first appeared in the 1950s when corporate insurance buyers in the Untied States attempted to gain better recognition and status of the position by expanding their function and establishing integrated departments, not only responsible for the corporate insurance programme but also for property loss control, industrial safety, accident prevention and the emerging employee benefits risk area.

A further significant strain of risk management appeared when financial officers, banks, investment firms and other financial institutions began to examine new methods to control increasing financial risks in a rapidly changing business environment.

As industrialization has proceeded, concentration and specialization have increased with size. Developing countries have witnessed a trend towards largest scale projects without having the means of coping with the risk associated with it. Risk management offers apparent benefits to domestic enterprises, public administration, individuals and the economy as a whole. The United Nations Conference on Trade and Development (UNCTAD) in 1985 recommended that the UNCTAD Secretariat "undertake a study on the applicability of modern risk management techniques...to the commercial and industrial enterprises located in developing countries." It was pointed out that the successful promotion of risk management would require the endorsement and active support of government and governmental officials.

Risk management offers many potential benefits. It does have a constructive role to play, provided practices are attuned to the prevailing legal, cultural, economic, environmental and political realities.

To the business sector, risk management focuses on the use of sophisticated financial management techniques, such as "currency hedging" and "interest rate swaps" to control global treasury risks, balance sheet risks and transaction risks, i.e., the risk that commodity prices and interest rates might rise or that changes in exchange rates might move against them, negatively affecting the corporation's financial performance.

To political and social analysts, risk management is the condition and status of world economies, the management of political risks, potential nuclear risk exposures and threats to the earth's environment from industrial development attracting the attention of governments.

To ensure the further development of the risk management concept in private and public business activities, it will need to be developed as a management attitude, and exercised consciously as a main stream activity consistent with all other management practices.

Managing risk is as much a part of the logical framework of management as planning, organising, staffing, directing and controlling. With each of these functions, the tools and techniques have been developed to implement effective resources management strategies in the achievement of goals and objectives. The risk management process requires a multi-disciplinary team approach and should not be regarded in isolation from other management practices, but integrated with the logical framework of the total management system.

The Office of The Ombudsman finds risk management, as a critical function of management, important not only internally but also in our work of investigating alleged maladministration in the public sector.

To properly understand risk management, we must first understand what is meant by risk. Risk means uncertainly of loss. People do not know when it will occur or how much it will cost. There are many classifications of risk: particular versus fundamental, static versus dynamic, and pure versus speculative. However, the unpredictability of risks may be broken into two main classifications: pure and speculative. Pure risk involves all possibilities of loss through either destruction or confiscation. Destruction includes natural disasters, such as floods, earthquakes, typhoons, and man-made events, such as vandalism or civil disorder. Confiscation can be either the illegal variety, e.g. embezzlement, burglary, forgery, or the legal kind which would include forfeiture under bond, attachment or garnishment. Pure risk does not allow for any measure of gain, it is always a loss.

Speculative risk involves the factor of uncertainty. This kind of risks can result in either gain or loss. Marketing risk, financial risk, and political risk are examples of speculative risks. For example, if a person goes into business for himself, he stands to make a profit - or he may loss the money he puts into the business. Speculative risks are often called business risks. Pure risks, on the other hand, can have only one outcome if the peril strikes: a loss. There is a gamble taken with each loan given by a financial institution, for it may either be repaid or be delinquent and require writing-off. There is the possibility of profit or loss with each investment of assets. Because of the factor of uncertainty speculative risk is not in the same category as pure risk.

Risk is not to be confused with probability, which is the degree of likelihood that an event will occur. The possibility of a sudden fire is a true risk, because there is no way of predicting before hand that it will actually happen in any particular place at any particular time. Even the knowledge that a certain number of similar buildings will catch fire in a given year (probability) cannot give a clue as to its happening in a particular incidence or location.

A risk management programme performs three functions, i.e. identifying risks or analyzing exposures, measuring risks and controlling risks. To identify exposures, one must locate potential risks, in the same fashion one prepares for a journey by car: check the petrol, the oil, the tyre pressure, brakes, battery, etc., to see if there is any possibility that one part of the automobile system might fail. To measure risk is to determine how often loss will occur that will affect the operations of an organisation. To continue with the example of the car journey : if one is going on a long trip, the odds of malfunctioning parts increase, as well as the accompanying difficulties of locating replacements, etc. A flat tyre on the street in front of the office is much easier to deal with than one several miles from the nearest service station.

When it comes to controlling risks, ther are five "tools" which can be utilized : avoidance, reduction, spread, assumption and transfer. You can avoid trouble with the car by not driving it. You can reduce the possibility of risk by buying a new car. You can spread the risk by having an expert mechanic replace old parts and examine others, or by driving part way and taking public transportation the remainder of the journey. You can assume the risks and take the trip, and be prepared for something to go wrong with the car. You can transfer the risk by hiring a driver and a car taking the bus, or going by train to your destination.

The very nature of some business operation, such as a financial institution requires that some risks must be assumed from the outset, such as the depreciation of equipment, furniture, vehicles etc. The management of a financial institution can decide that there are certain risks of loss which cannot be avoided all together; one cannot make the office of the financial institution an impregnable castle with armed guards and triple-locked money drawers. Other risks may be spread to different locations of the office or district, such as cash stores, data collection, contract records, etc., so in the case of a robbery or fire, not all is lost in one fell swoop. Lastly, there are risks which can be transferred to other parties, as in the case of insurance or leasing arrangements.

Those who are responsible for making policy in an organisation, such as a board of directors, occupies the position of prime responsibility for carrying on the activities of the organisation in keeping with its goals and objectives. Directors must see to it that the management of the organisation's affairs is done in such a way as to minimize the chances of loss and destruction of assets and personnel, but at the same time set policies which fulfill the needs and purposes of its customers or clients. Failure to recognise these possibilities may seriously impair or even jeopardize the organisation's effectiveness. Management functions involves the following specific activities :

Management
Organising Planning Directing Coordinating Delegating Controlling Reporting	Human Effort And Resources	Goals And Objectives

In reviewing the activities of management, or any business organisation for that matter, experts on management indicated that these activities fall within six basic classifications, i.e.

Financial activities (search for an optimum use of capital)
Technical activities (production, manufacturing, adaptation)
Commercial activities (buying, selling, exchange)
Accounting activities (stock-taking, financial statements, costs, statistics)
Managerial activities (planning, organisation, command, coordination, control)
Security activities (protection of property and persons)

The counterparts of the above six basic activities could be : finance management, production management, marketing management, accounting, general or personnel management, and risk management.

Not only must policy-makers set wise policies to guide management in carrying on its activities, but it also must hold management accountable for the proper execution of these policies.

It is incumbent on the policy-makers and the management to plan ahead and to prepare its programmes and budgets with the thought in mind that possible unexpected future losses may occur. This process of planning and budgeting is fundamental to any well-run or well-operated concern as it is fundamental to the successful economic activities of any family. In carrying out this planning process, however, failure to undergird the programme with a sound and complete programme of risk management may completely upset the best laid plans.

Both the policy-makers and the executive arm / management of an organisation have a vital stake in building the proper risk management programme to avoid the consequences of unplanned and uncontrolled loss.

Some organisations appoint a risk manager to give senior management solid risks assessment and an effective contingency plan while some organisations will exercise risk financing which is the provision of funds to meet contingencies as they occur so as to maintain the fiscal health of public confidence in the organisation.

The basic principles which should guide the preparation of a risk management programme are :

Never risk a lot for a little.
Calculate the probable loss or gain.
Never risk more than you can afford to lose.

Some people do not respond or think in terms of future potential losses. This different attitude towards risk is explanation as many people tend to view the future with different levels of confidence. The explanation for these views can be founded in the fact that certain persons have a different value system, have never experienced or observed the kind of losses to which the organisations are subject, lack the motivation for meeting risk as it arises or tend to view correctly or incorrectly their loss capacity.

Value system
Conditioned responses and learning process
Motivation
Loss capacity

Incorrect or distorted information about causes or size of potential loss
Different levels of fear, worry and uncertainty
Different levels of wealth or resources

The management of an organisation should develop a tailor-made risk management policy statement for its organisation. With an understanding of the risk management concept, what the philosophy of risk management for the organisation should be, and the functional areas of risk management, preparation of a statement is no major task. There are three steps to policy formulation:

A statement of the broad risk management policy,
A statement of specific areas of responsibility for the organisation's personnel, and
A statement categorizing exposures and perils with specific policy decisions in relation to each.

To have a workable policy, it is necessary to elaborate, formulating the overall statement in terms of specific areas of responsibility, hazard identification and a system of internal controls.

Risk management is being actively practices and redefined by many individuals and organisations including environmentalists, economists, currency traders, as well as those in public administration. While each risk management practitioner has a particular perspective on the nature of risks where management effort needs to be directed - such as political, financial or environmental issues, public health and safety risk exposure, property loss prevention, business interruption or contingency planning and disaster recovery management - there is an established logical framework for managing risk that is equally appropriate for which specialist application.

The basic philosophies and principles behind effectively managing risk require the integration of risk management functions with usual management practices and by applying the principles of planning, organising, resourcing, directing and controlling to the fundamental steps in the management of private and public businesses, with emphasis on programmes that improve the process by which successes are achieved instead of focusing on negative impacts.

No risk, no opportunity !