In a competitive business landscape, the most successful organizations are those that have managed to adapt to the new conditions as quickly as possible and to control the risks imposed. Despite being constantly faced with internal and/or external factors that affect the uncertainty and unpredictability of the situation and the achievement of business goals, it is still important that the organizations try to reduce risks to a level that is still manageable.

Risk management should be ensured to the extent that they don’t have an impact on the core business processes. This is why it is also necessary to invest more in the continuous education and skills-building of the employees who are dealing with risks. Risk management and corporate security processes are an indivisible set of organizational management models, visible through corporate management and corporate social responsibility.

In many organizations, risk management is ineffective, what consequently shows as a devastating impact on business and competitiveness (Lam, 2014). Some authors therefore advocate educational programs that more fully provide knowledge to deal with such vulnerability, threats and risks (Flammini, 2012, Gritzalis, 2018).

In this aspect, corporate security is a preferred tool for the management to be able to identify the necessary activities to manage security risks. By preventing financial losses and protecting organization’s reputation, the risk manager, together with other services, creates the conditions for successful business and for achieving the organization’s development strategy.

What to study is one of the more important decisions in a person’s life. Every student should think about what makes him/her happy, how his/her life will look like in 10 years, and in which area of expertise he/she will most likely to get a job. It is important that we know what we want in life, as without having goals and plans, our aspirations can remain unmet.

It is odd that sometimes an individual can spend more time planning a holiday than his/her own career path. The desires make us crave for their fulfilment, but it is our goals that motivate us into taking an action. The greatest assurance for our success is therefore “the intensity of our purpose”. This is why, besides knowing what we want in life, we must also be aware of the cost of the effort we are willing to devote to achieving our goal. Only when one knows all this, he/she can take a path of personal growth, realize personal potentials, competences and lead a quality life.

Risk management and Corporate Security Study enables the management of business and security conditions in the economy, critical infrastructure, industry, state bodies and civil society. This is the study for the profession of the future, and represents an upgrade of a much wider area of business studies.

The study enables students to acquire knowledge by analysing theoretical and methodological concepts, and later transferring them into practice and problem-solving. The program is multidisciplinary by design, as the risk management represents a very complex process that demands one to obtain skills from various professional disciplines. As such, it doesn’t only reflect the needs in Slovenia, but is easily comparable to programs of reputable European and American universities with a similar curriculum. It is also the basis for attaining the Certified Protection Professional (CPP) certification, which is considered to be the “gold standard” for risk management professionals around the globe.

If you are wondering whether the today’s labour market is in need for risk managers, I find the field greatly lacks of knowledge (and knowledge is the only thing in the world that is properly deployed among each and every one of us). In my opinion, any large organization in the area of national critical infrastructure in Slovenia should have at least one risk manager employed. This person should have a strategic knowledge on how to establish risk management system, and implement risk management processes accordingly.

In 2017, there were 195,756 organizations registered in Slovenia, employing 881,920 individuals and generating 108,840 million EUR in revenue (SURS, 2017). Of that, 346 large organizations (over 250 employees) employed 270.739 individuals, and generated the largest revenue share (38,703 million EUR).

If we also consider medium-sized organizations, there is a strong need to improve the staff structure of those responsible for risk management and corporate security (estimated above 500), which is a great potential for employing corporate security managers and professionals in the future. Therefore, I believe this program will be one of those areas where a great need for continuous training of relevant experts will be constantly present.

Among the many interesting challenges that we face, the most important one remains that we understand the upcoming technological revolution which also involves the transformation of the entire mankind. We have come to the threshold of the Fourth Industrial Revolution (some even refer to it as the Fifth) which will fundamentally change our way of life, work and mutual understanding. This is why its extent, scale and complexity cannot be compared of anything that humanity has experienced so far.

The Fourth Industrial Revolution will have a significant impact on the nature of the relations between states and international security. The technology will enable higher efficiency, which most of us wants. However, most people also want to feel they are not just part of the process, but something that is bigger than themselves. Security is a topic that is not sufficiently discussed in the public and in all sectors outside the government. The critical danger is that highly connected world of rising inequalities can lead to social unrest, and also to violent extremism. This is why the nature of security threats will also change, or as poet Rainer Maria Rilke wrote in his Letter to a Young Poet: “The future enters into us, in order to transform itself in us, long before it happens.” In other words, everything depends on us.

The Fourth Industrial Revolution is also forming the need for new professions, and has already significantly changed the old ones, however in my personal opinion, the role and significance of the security manager will increase in time. The main obstacles to a more resolute approach to this new situation are the lack of understanding of the impacts of change in organizations, inadequate staffing strategies, constraints on operating resources, and pressures on short-term profitability.

Consequently, there is a disproportion between the scale of future changes, and the relatively marginal measures that organizations now accept as preparation for these changes. A new approach is needed to examine each organization staffing need, and avoid possible unwanted outcomes.

Despite the potential favourable impact of technology on economic growth, it is essential to address the potential adverse effects on the labour market. Fears about the impact of technology on jobs are not new. As early as 1931, economist John Maynard Keynes warned us in a resounding manner against extensive technological unemployment “due to our discovery of ways for more economical work that overtakes the discovery of new ways to exploit the workforce.” His predictions did not prove to be true at the time, but what if he might be right this time around?

***

Contact Silver Bullet Risk team if you need help with risk management.

For more information about risk management follow their LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

In my previous blog post I talked about risk measurement system, which I will now present you in practice. I am sure this approach will make it easier to evaluate the risks in your every day work.

I often say to our clients that the system is merely a tool, which is why it cannot capture all aspects and anticipate all possible scenarios. Therefore, I always suggest to use common sense and also leave some room for maneuverer.

Now that we have discussed the good principles of setting up a risk measurement system, we are ready to give an example that works for most companies.

The system is an extension of the typical “Likelihood-Impact” matrix. The added dimensions make it possible to assess most of the risk characteristics in a coherent way. For instance, one cannot define likelihoods for many risks at all (foreign exchange rate risk, interest rate risk), and thus they cannot be estimated at all in the “Likelihood-Impact” manner.

All the losses are defined in terms of lost profit within 1-year period, and the frequency is defined in terms of years (once every x years).

Frequency

This value tells you how many times you can expect that a certain risk will occur over a period. If a certain risk cannot realize repeatedly, one can substitute frequency with likelihood during a time period.

Typical loss

When there is a risk realization, a range of damage is possible from very small to very high losses. For example, a computer virus in most cases leads to only a few hours of work failure, which is a typical loss. This is a relatively common phenomenon and damage from such event falls under a typical loss.

Mathematically one should define this as the average loss per realization.

Worst case loss

Loss in the worst-case scenario is the damage that occurs when an extremely high and extremely rare realization. Linking, to the example typical loss example – in the worst-case scenario, the virus infects a computer that manages certain critical systems in the company. This can lead to the loss of the most important computer tools and systems, which in turn implies the shutdown of all activities and huge losses.

Mathematically the worst-case loss should be based on certain percentile of losses, similar to Value at risk.

Persistency

Persistency can take values from “no persistence”, which means that the company feels the negative effects of the risk only in the year in which the risk is realized, to a completely persistent one, which means that after the realization of the risk the company feels negative effects in all subsequent years. Persistency is used to evaluate the net present value (NPV) of future losses which measures to total firm value loss in one year.

‘Social’ impact in the worst case

This aspect of the risk measurement system is meant account for impacts that cannot meaningfully be compared to financial damages. This impact scale is not quantitative in nature, but one should aim to set specific impact categories that are objective. For instance, this risk scale could be set to capture the potential impact on employee health, ranging from minor injuries to death or even death of multiple employees.

 

As there are multiple distinct dimensions of what makes a risk ‘serious’ we have numerous perspectives of how to rank risks. How much importance is given to each way of measuring depends on the organization, and the intended usage of risk estimates. 

Below are presented 4 ways to estimate the risk severity that are based on the above-mentioned risk dimensions.

Short term [Liquidity horizon]

Long term [Solvency horizon]

Average based measures

Expected profit loss due to risk

What does it mean: Indicates how much on average per year, specified risk reduces the profit?

How its calculated: Frequency X Typical loss

Why is it relevant: This is the starting point to benchmark running risk mitigation cost. If risk mitigation on annual bases costs less than it reduces the expected costs of risk, then it certainly makes sense to mitigate the risk.

Expected loss in company value due to risks

What does it mean: Adding the effect of persistency of risk effects allows us to estimated how much the value of the company is expected (on average) to decrease due to assessed risk.

How its calculated: Frequency X Typical loss X Present value factor based on the persistency

Why is it relevant: this is most meaningful way to benchmark does it makes sense to make certain capital investments to mitigate risk. If the investment value is lower than the expected loss in company value, then investment adds value to the company.

Worst case-based measures

Worst case profit loss 

What does it mean:

How its calculated:

Why is it relevant: This is important in evaluating whether the company can operate normally (service debt, etc.) even if the risk has the worst-case impact.

Worst case value loss

What does it mean: Estimates how much the economic value (not accounting) decreases in one year due to the risk?

How its calculated: Worst case loss X present value factor

Why is it relevant: This is important in determining whether the company has enough capital to withstand the effects of the risk realizing.

 

Find present value factor calculator on the following link.

Until next time, when we will examine how to combine and analyse the risk in order to get the best results, I invite you to check our latest posts:

– How to manage risks systematically?

– How to identify risks?

– How to define “a risk”?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.