**4.2. Assessing and measuring risks – Component of integrated risk management system**

In the integrated risk management process, the component on risk assessment is a major step aiming to:



268 Risk Management – Current Issues and Challenges

following:

**system** 

step aiming to:

effectively;

affecting the achievement of the objectives.

achievement of organizational objectives;

decision-making process if risk occurs.

risk, if it constitutes a threat to the organization;

From the scheme presented above it can be seen that developing and implementing an integrated risk management enables entity's management to focus efforts on the risks

Also, the integrated risk management system reflects the integration of all activities and actions related to risk and risk management in a single system so that it can act upon them at one level. By it, the parallelism and dysfunction of action and communication are eliminated, occuring within organized systems operating independently of each other.

Implementing an integrated risk management system within the organization leads to the





organization, that may be used in the analysis and decision-making strategy.


Exercising risk management function, as defining function within an organization, involves making through integrated risk management system a coherent set of processes, activities and operations, by which it is ensured an effective risk management and defined the

However, depending on the types of risks identified, on the response to risk determined according to risk appetite, on the costs involved and the levels at which risks may be maintained after their treatment, integrated risk management system can guide

**4.2. Assessing and measuring risks – Component of integrated risk management** 

In the integrated risk management process, the component on risk assessment is a major


organization to improve work according to the benefits of good risk management.


that targets set to objectives to be achieved within conditions planned;


Risk assessment depends on the probability of occurrence and severity of the consequences if the risk materializes, meaning the impact of risk and uses as tools the risk assessment criteria. These criteria should cover the purpose, in which risk was identified, in terms of compliance and performance.

By prioritizing are selected medium and large risks on which will conclude responses to the risk.

The risk assessment process includes the assessment of inherent risks existing before the implementation of control measures and residual risks, resulted after implementing control measures and have two phases, namely:

a. *Assessing probability* is a qualitative element and is carried out by evaluating the potential for risk occurrence, by considering qualitative factors specific to the context in which goals are defined and achieved. This can be expressed on a scale of values on three levels as follows: *low probability, medium probability and high probability*. Illustration:


b. *Assessing impact* is a quantitative element and is carried out by evaluating the effects of risk if it would materialize, by considering quantitative factors specific to the financial nature of the context of achieving objectives. This can be expressed on a scale of values on three levels as follows: *low impact, moderate impact and high impact*. Illustration:


Integrated Risk Management System – Key Factor of the Management System of the Organization 271

PT= P x I**,** 

Depending on the outcome of the risk measurement process, applied to all risks the organization faces and that affects achieving objectives employment shall be: high risk,

To assess the internal control are considered the risks associated with the objectives the

Internal control assessment process involves the identification and analysis of internal controls expected and existing, implemented by the entity to manage risks and aims to establish areas where it does not work or work improperly. This can be expressed on a scale of three levels as follows: compliant internal control, internal control partially compliant and

COMPLIANT Implemented internal control system, prevent risk materializing.

Systematic reporting on activities development.

Objectives met and appropriate remedies for violations.

**If**

Regulatory framework of risk management and internal control known. Positive attitude towards internal control/management and risks.

Internal control/management integrated into organization's activities and

assessment, establishing risk management measures and monitoring their

Internal control/management is partially integrated into the organization's

assessment, but risk management measures are not always adequate and

Systematic reporting on activities development, but states objectives met.

Risk management ensures identification of significant risks, their

Internal control system is implemented, but does not prevent risk

Neutral attitude towards internal control/management and risks.

Risk management process ensures the identification of risks, their

where: PT = total risk score P = probability I = impact


**INTERNAL CONTROL** 

PARTIALLY COMPLIANT

medium risk and low risk as follows:

organization faces and that were measured.

non-compliant internal control. Illustration:

actions.

effectiveness.

materializing.

effective.

activities and actions.

Risk analysis criteria are represented by the probability assessment of risk occurrence and the impact level assessment if the risk would materialize, as follows:


**Figure 2.** The level of risk depending on the probability and impact

Establishing the response to risk and pursuing if it falls into the risk appetite, agreed by the organization's management, is carried out by multiplying probability and risk impact, obtained from the formula:

PT= P x I**,** 

where: PT = total risk score P = probability I = impact

270 Risk Management – Current Issues and Challenges

**IMPACT If**

Good quality services

Good image of the organization

Continuity of activities is ensured

Moderate image of the organization

Moderate quality of services provided Very rare interruptions in activity

Poor image of the organization

Poor quality services provided Significant break in activity

factors specific to the context in which objectives are defined and met;

factors specific to financial nature of the context of achieving objectives.

the impact level assessment if the risk would materialize, as follows:

**Figure 2.** The level of risk depending on the probability and impact

obtained from the formula:

MODERATE Costs of implementing the activities/actions equal to planning

Decisions made without assuming responsibilities

Risk analysis criteria are represented by the probability assessment of risk occurrence and



Establishing the response to risk and pursuing if it falls into the risk appetite, agreed by the organization's management, is carried out by multiplying probability and risk impact,

HIGH High costs in relation to implementation planning of activities/actions

Decision making without ensuring the competence and responsibilities

LOW Low cost of implementation of activities/actions, under planning No losses of financial assets, employees nor materials

Competencies and responsibilities provided in decision making

Reduced losses of financial assets, employees and materials

Depending on the outcome of the risk measurement process, applied to all risks the organization faces and that affects achieving objectives employment shall be: high risk, medium risk and low risk as follows:


To assess the internal control are considered the risks associated with the objectives the organization faces and that were measured.

Internal control assessment process involves the identification and analysis of internal controls expected and existing, implemented by the entity to manage risks and aims to establish areas where it does not work or work improperly. This can be expressed on a scale of three levels as follows: compliant internal control, internal control partially compliant and non-compliant internal control. Illustration:



Integrated Risk Management System – Key Factor of the Management System of the Organization 273

This stage involves carrying out specific activities to implement risk management within the


In relation to the means of establishing the context of implementation of risk management it is established and designed risk management policy, objectives and tasks of the implementation of risk management methods and methodologies for the identification, evaluation, treatment and control risk. At the same time, it is determined the structure responsible for risk management, the powers and responsibilities of it, taking into account the fact that *"management activity it means to commonly achieve the necessary objectives for the* 

The characteristic of this work is the tone given by the organization on risk management and methodology they use in risk management and how are communicated the concepts of

Implementing an integrated risk management system involves identifying and assessing the

This includes risks related to activities and actions of input and risks of actual processes undertaken within the organization, risks that prevent achieving the intended results and

Identification of the events that may affect achieving the expected results is only possible if objectives are set in advance and under each one were defined activities necessary to ensure

If we consider the approach according to which performance is characterized as "achieving organizational objectives regardless of their nature and variety" 12, we believe that goals

Management by objectives has a beneficial effect for the organization, it facilitates the exercise of effective control over all activities, motivates employees to participate in the objectives and it creates a coherent organizational framework which stimulates the

The control of meeting the objectives is considered necessary for the management of the organization and requires each manager to have established controls for each activity and objective for which he has responsibility. At the same time, it must be taken into account the

the risks about the impact of realized activities on organizational development.

their implementation which, therefore ensures, the delivery of the expected results.

should be established to represent a challenge for management and employees.

they face and the level of acceptance in relation to exposure to risk.

risk and the response of staff on risk management philosophy.

risks that are threatening to accomplishment of objectives.

collaboration between all structures within the institution.

organization, as follows:

*final of the organization*11*"*.

*5.1.2. Objectives establishment* 

Risk response involves establishing and implementing possible actions, selecting those appropriate to the risk appetite and the costs required to implement risk management measures, by considering the following:

