Introduction
A management information system is a system for processing data in an organization and presenting it to the management in the form of reports which are used for decision making. It is a broad term which refers to a system of processing information and producing regular and timely reports (O’Brien, 1999).
Risk management refers to the identification and assessment of risks and finding means to monitor, control and minimize them (Hubbard, 2009).
Types of Business Risks
A business organization faces a number of risks. These risks are broadly classified into the following categories (Jolly, 2003):
- Strategic Risk – Risks to the business arising from the industry in which the business operates are called strategic risks. Changes in demand and supply, relocations, mergers, takeovers, new technology, investor relations strategies are all types of strategic risks.
- Financial Risk – Financial risks are risks arising due to transactions within the industry and the financial structure of the organization.
- Operational Risk – These are risks associated with the operations of the organization itself and common procedures within the industry. Flaws or loopholes in procedures or processes give rise to such operational risks.
- Compliance Risk (Legal Risk) – Risks of non-compliance with governmental rules and regulations are termed compliance risks. These risks are generally of a legal nature.
- Other risk – Other risks like natural disasters and international factors affecting the entire industry may also affect the organization.
Identification of Risk
There can be many risks to an organization, both internal and external. Strategic risks and natural disasters are external while operational risks are internal. Risks may also be direct or indirect. A direct risk impacts the organization itself, like a sudden cyclone which may affect the working of the business and thus result in a loss. An indirect risk arises elsewhere, for example a supplier's business running at a loss or a fall in the value of the dollar, which may affect the business adversely.
It is very important to identify the risks to an organization in order to ensure that the business does not incur a loss and remains operational through trying times. Identifying and managing risks forms an integral part of business strategy. There are several steps to identifying risks –
- Identifying the source – the organization must be aware of the potential areas of risk. These sources can be identified through the internet or other social and business contacts within the industry.
- What if Analysis – Using a what-if analysis to identify which of the threats may affect the organization.
- Employee Awareness – Making your employees aware of the potential risks and alerting them to the possible solution.
- Charting – Draw up a chart showing the source, the specific threat from the source and the effect on the organization.
- Qualify the risk – Identify which factors may affect the organization and grade them into low, medium, or high risks.
Identifying the risks clearly and prioritizing them can help the organization be prepared to combat the risk when it does arise. (Duggan)
Risk Control Strategies
Merely identifying the risk serves no real purpose. Once the risk has been identified, it is important to control it and minimize its effect. Admittedly, no risk can be eliminated. However, efforts can be made to control the risk and minimize its effect on the organization. This is called risk management.
There are four main ways in which organizations deal with risks – Avoidance, Transference, Mitigation, and Acceptance (Gorrod, 2004).
Avoidance
Avoidance means setting up checks to ensure that the risk does not affect the working of the organization, for example storing data backups at a distant physical location or having employees sign a non-disclosure agreement to avoid espionage.
Transference
Transference means shifting the risk to other areas within the organization or to other organizations. An example of transference would be outsourcing a process or taking out insurance.
Mitigation
Mitigation means minimizing the effect of the risk. The risk exists and cannot be avoided or transferred, so the next best solution is to minimize its effect on the organization. In order to mitigate or minimize the risk, organizations set up three types of plans –
- Incident Response Plan – How to respond when a disaster, such as a fire, occurs.
- Disaster Recovery Plan – Plan in advance how to recover from the disaster: store data at a distant location and insure all property.
- Business Continuity Plan – Plan in advance how the business will continue after the disaster has passed.
Acceptance
It may sometimes be more prudent to accept a business risk than to attempt to avoid or mitigate it. This situation may occur when the loss from the risk is negligible and does not justify the expense incurred for control (Hopkin, 2012). Even when the organization decides to accept the risk, it must –
- Ascertain the level of the risk
- Ascertain the probability of the risk occurring
- Ascertain the vulnerability of the organization
- Ascertain the loss which may occur as a result of the risk
- Conduct a cost benefit analysis
- And finally determine that the expense for control is not justified considering the loss
Selecting the right strategy or approach to risk control depends on the type of risk, the cost benefit analysis of risk against potential gain, and the feasibility of the strategy (Alexander et al., 2005).
Conclusion
Every organization faces a certain amount of risk and every management attempts to control or minimize the effect of that risk. The success or failure of the organization depends, among other things, on the selection of the right type of risk control strategy and its implementation. In general, every organization should train its employees regarding the potential risks and general precautions that they should take to avoid those risks. Setting up a good risk management plan is one further step towards controlling the risks.
References
O’Brien, J (1999). Management Information Systems – Managing Information Technology in the Internetworked Enterprise. Boston: Irwin McGraw-Hill.
Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46.
Jolly, Adam (2003). Managing Business Risk: A Practical Guide to Protecting Your Business. Kogan Page Limited. pp. 6–7.
Duggan, Tara. How to Identify Business Risk. Demand Media. http://smallbusiness.chron.com/identify-business-risk-780.html
Hopkin, Paul (2012). Fundamentals of Risk Management, 2nd Edition. Kogan Page. http://riskskillscenter.com/images/downloads/Risk%20Control%20Techniques.pdf
Gorrod, Martin (2004). Risk Management Systems: Technology Trends (Finance and Capital Markets). Basingstoke: Palgrave Macmillan.
Alexander, Carol and Sheedy, Elizabeth (2005). The Professional Risk Managers' Handbook: A Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications.