Introduction

Risk is a common word from our vocabulary used today either to refer to personal circumstances (health, money), social (political views, laws) orbusiness (strategy, corporate culture). Even if the term is widely spread does not have a clear definitions to cover all the possible cases. The Oxford English Dictionary definition of risk is as follows: 'a chance or possibility of danger, loss, injury or other adverse consequences'. As it can be seen in this definition it can be felt a negative perspective. Before 1997 risk was understood totally as an uncertainty that could have a negative or harmful effect. After 1997 standard publications started to present risk as an uncertainty that could have a positive or negative effect on one or more objectives. Starting 2000 scholars see risk related to both threats and opportunities. Among all the past definitions the common fact is that risk has an aspect of uncertainty but is not a synonym with this word. Risk has two main characteristics, it is an uncertain event and has consequences on the defined objectives, aspect that can be seen also in the definition from the Oxford English Dictionary. It is clear that when an objective is set, the risk has direct impact on it if there are factors that will prevent it from happening. For example if tomorrow the employees will be able to set alone their air conditioning due to the high temperatures around, has no impact, being an isolated event with no objectives attached. But if according to their results, at the end of the quarter, the employees will received a bonus, has both the uncertainty (which employees will meet the target ?) and an objective (the bonus). An easy definition of risk is 'an uncertain event that has consequences on the defined objectives'.

It can been agreed that each company has to decide on the definition of the risk to be used as there are other organism with different views. The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event and its consequence. Consequences can range from positive to negative. ISO Guide 73/ISO 31000 defines risk as the 'effect of uncertainty on objectives'. The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could have an impact on the achievement of objectives. According to the Orange Book from HM Treasury the effect may be positive, negative, or a deviation from the expected.

Risk management essentials

As previously stated, the risk, as it is seen today and also as can be found in the Guide 73 (2002) definition, is divided in three categories:

* Hazard Rick - this is the risk that generates negative impact and companies try to make all the possible to mitigate it.

* Control Risk - this is the risk associated with the management of the projects and with the analysis of the future benefits. Uncertainties appear about the delivery of the project that has to be in time, within budget or specifications.

* Opportunity Risk - organizations deliberately take decisions that bring positive gains but have at the same time risk associated. Especially this actions comes at commercial level and bring in the future positive returns. The decision of a company to change the production flow in order to bring more internal and external flexibility it is seen as an opportunity towards the main competitors but at the same time the results are not for sure unveiled from the moment of the project initiation.

A common tool used to measure the risk is the Risk Matrix. This is a two chart axis measuring the risk from the perspective of the probability to happen or more correctly said it would be the likelihood because in this case the risk is not seen as for sure to happen and the impact. Some matrix compare the likelihood with the magnitude but it is more wise to use the impact in place.

A risk is analyzed against the consequences that show the influence on the objectives established. Figure 1 shows on the horizontal line the impact and on the vertical line the probability having a drill down on more quadrants depending on the level of probability. The orange and red areas are seen as major risk zone unacceptable to happen.

In order to understand what is process followed in case of a risk management flow, in figure 2 are presented the main 6 steps. The first step is the Initiation where the objectives of the new projects are defined, stakeholders identified and all the details that will take place in the process. The second step, Identification, can be performed with the help of several techniques such as brainstorm, check lists, prompt lists, assumption analysis, root cause analysis or previous experience. Standard documents such as the Risk Log includes the main information on category, owner, risk reduction actions.

Then the significance of the identified risk has to be Assessed from both qualitative and quantitative perspective. The Risk matrix described above is a well-known tool used for risk assessment. In table 1 are presented some of the techniques used together with their associated advantages and disadvantages.

Next comes the response planning representing the action itself after the strategies and actions determined in the former phases of the process and establishing the method on how to deal with the risk, that has to be appropriate, achievable and affordable. When creating a response it is essential to be taken into consideration any secondary risk that may appear to the response of another risk. The options for responding to risk can then be identified as the 4Ts:

* Tolerate (accept) - the risk may be affordable to be tolerated with no actions to be taken. Even if practically it is no response it does not mean that supplementary cost will not be incurred.

* Treat (control) - by far the most used risk response. The purpose is that the activities can continue while actions to control the risk are being put in place. For example if some machines are to be replaced in factory to facilitate flexibility, the process line has not to be stopped in order to avoid not respecting delivery deadlines agreed.

* Transfer - the risk is transferred by contract to other parties that have the necessary experience to handle it better, for example the case of debts not paid by the client are going to some debt collection companies.

* Terminate - some risk can be treatable or acceptable by terminating the activity. Although this choice can be limited due to private sector rules or own company strategy.

All the planning above must lead to actions and to the Implementation phase when all the arrangements done have to be put in action. The last step, Monitoring, has not to be forgotten. It is essential to follow closely the implementation of the response and assess the results, being able, if the feedback is positive, to use it as a best practice for other future references.

The purpose of the risk management is to offer compliance and assurance for any type of activity. Risk management has to be addressed in terms of effectiveness (and efficacy) rather than a simple efficiency since the objectives is to maximize the achievements of the defined objectives. In figure 3 is presented the difference between efficiency, effectiveness and efficacy.

In simple terms, the contributions brought by undertaking a risk can be called the upside of the risk. This happens when the benefits obtained from taking the risk are higher than the benefits resulted if the risk would have not been controlled.

Taking the example of a process line that was developed to easily adapt and produce with high flexibility two types of products according to the demand received from the clients an upside of this risk are fewer disruptions in the new process than in the normal operations system where just one standard product was created.

As a conclusion risk management influences in the first line individuals that approach each case by their personal attitude and in the end reflects on the company processes and further to the possibility to control or tolerate the uncertainties appeared.