**2. Risk management – Defining function within the organization**

Risk management is the process of identifying, analyzing and responding to the risks to which the organization is exposed. The costs of implementing this system depend on the methods used to manage unexpected events.

The risk management process is ongoing, and its results are embodied in the decisions taken on accepting, reducing or eliminating risks that affect the achievement of objectives. The aim is to optimize the organization's exposure to risk in order to prevent losses, avoid threats and exploit opportunities.

© 2012 Vasile and Croitoru, licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

## **2.1. Conceptual approaches for risk**

In general terms, risk is part of any human effort. Once we leave to go back home, we are exposed to risks of different levels and degrees. It is significant that some new risks are completely voluntary, and some are created by us through the nature of activities.

Integrated Risk Management System – Key Factor of the Management System of the Organization 255

The word *"risk"* derives from the Italian word *"risicare"*, which means *"to dare"*. In this sense, *the risk is a choice, not fate*¹. It follows from this definition that risk is not optional: we are permanently exposed to risk in everyday life, and what really matters is to gain control over it each time.

At present, specialists in the field have no unanimously accepted definition of the concept of risk. Among the most commonly used definitions, we present the following:

*"Risk is the possibility of obtaining favorable or unfavorable results in a future action expressed in terms of probabilities."*

or

*"Risk is a possible future event whose production could cause some losses."*

or

*"Risk is the threat that an event or action will affect in a negative manner the capacity of an organization to achieve its planned goals."*²

The analysis of these definitions of risk gives rise to the following conclusions:

In conclusion, risk can be defined as a problem (situation, event etc.) which has not yet occurred, but can occur in the future, threatening the achievement of agreed outcomes. Viewed in this context, risk is the uncertainty in obtaining expected results and should be treated as a combination of probability and impact.

The probability of risk occurrence is the possibility that the risk materializes. It can be estimated or determined by measurement, when the nature of the risk and the available information permit such evaluation.

The risk impact is the consequence for the results (objectives) when the risk materializes. If the risk represents a threat, the consequence for the results is negative, and if the risk represents an opportunity, the consequence is positive.

The probability of risk occurrence and its impact on the results contribute to establishing the risk value.

Based on the concepts presented above, in our opinion, the risk is a permanent reality, an inherent phenomenon that accompanies all activities and actions of an organization and that occurs or not, depending on the conditions created for it. This could cause negative effects by deteriorating the quality of management decisions, reducing profit volume and affecting the organization's functionality, with consequences even in blocking the implementation of activities.

In the literature, and also in practice, other concepts are used alongside the concept of risk, namely:

*Inherent risk* is the risk that exists naturally in any activity and is defined as *"the risk existing before the implementation of internal control measures to reduce it"* or *"all risks that threaten the entity/organization and may be internal or external risks, measurable or immeasurable"*.

*Residual risk* is the risk remaining after implementation of internal control measures. Applying these measures should limit the inherent risk to a level accepted by the organization. The residual risk should be monitored in order to maintain it at accepted levels.

*Risk appetite* is the level of exposure that the organization is prepared to accept, namely the risk tolerated by the organization.

Practitioners recommend that an organization's management bear in mind that risks cannot be avoided and, under these conditions, concern itself with evaluating them in order to keep them "under control" at levels considered acceptable and tolerated by the organization, rather than seek their total elimination, as this can lead to other unexpected and uncontrolled risks.

## **2.2. Risk – Threat and opportunity**

The internal and external environment in which the organization operates generates risks. In these circumstances the organization should identify its weaknesses and the threats it faces, in order to manage and minimize them. It must also capitalize on its strengths and exploit opportunities.
