Editing Risk management (section)

==Areas==

===Enterprise===
{{Main|Enterprise risk management}}
<!-- {{abbreviations|section|date=September 2016}} -->
Enterprise risk management (ERM) defines risk as those possible events or circumstances that can have negative influences on the [[corporation|enterprise]] in question,  
where the impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment. 
There are [[Enterprise risk management#ERM frameworks defined|various defined frameworks]] here, where every probable risk can have a pre-formulated plan to deal with its possible consequences (to ensure ''contingency'' if the risk becomes a ''liability'').
Managers thus analyze and monitor both the internal and external environment facing the enterprise, addressing [[business risk]] generally, and any impact on the enterprise achieving its [[business strategy|strategic goals]].
ERM thus overlaps various other disciplines - [[operational risk management]], [[financial risk management]] etc. - but is differentiated by its strategic and long-term focus.<ref>Institute of Enterprise Risk Practitioners [https://insterp.com/distinguishing-between-erm-and-orm-approaches/ "Distinguishing between ERM and ORM approaches"].</ref> ERM systems usually focus on safeguarding reputation, acknowledging its significant role in comprehensive risk management strategies.<ref>{{Cite journal |date=2016-01-01 |title=Taking the risk out of risk management: Holistic approach to enterprise risk management |url=https://doi.org/10.1108/SD-02-2016-0030 |journal=Strategic Direction |volume=32 |issue=5 |pages=28–30 |doi=10.1108/SD-02-2016-0030 |issn=0258-0543}}</ref>
<!-- Too technical and specific
From the information above and the average cost per employee over time, or [[cost accrual ratio]], a project manager can estimate:

* the cost associated with the risk if it arises, estimated by multiplying employee costs per unit time by the estimated time lost (''cost impact'', ''C'' where ''C = cost accrual ratio * S'').
* the probable increase in time associated with a risk (''schedule variance due to risk'', ''Rs'' where Rs = P * S):
** Sorting on this value puts the highest risks to the schedule first. This is intended to cause the greatest risks to the project to be attempted first so that risk is minimized as quickly as possible.
** This is slightly misleading as ''schedule variances'' with a large P and small S and vice versa are not equivalent. (The risk of the [[RMS Titanic|RMS ''Titanic'']] sinking vs. the passengers' meals being served at slightly the wrong time).
* the probable increase in cost associated with a risk (''cost variance due to risk'', ''Rc'' where Rc = P*C = P*CAR*S = P*S*CAR)
** sorting on this value puts the highest risks to the budget first.
** see concerns about ''schedule variance'' as this is a function of it, as illustrated in the equation above.
 -->
<!-- Risk in a [[project]] or [[business process]] can be due either to [[Special Cause Variation]] or [[Common Cause Variation]] and requires appropriate treatment. That is to re-iterate the concern about extremal cases not being equivalent in the list immediately above. -->

===Finance===
[[File:Risk in Banking.jpg|thumb|Risk in Banking]]
{{Main|Financial risk management}}
As applied to [[finance]], risk management concerns the techniques and practices for measuring, monitoring and controlling the  [[market risk|market-]] and [[credit risk]] (and [[operational risk]]) on a firm's [[balance sheet]], due to a bank's credit and trading exposure, or re a [[fund manager]]'s portfolio value; for an overview see {{slink|Finance#Risk management}}.
* A traditional measure in banking is [[value at risk]] (VaR) – the possible loss due to adverse credit and market events. Banks seek to [[Hedge (finance)|hedge]] these risks, and will hold [[risk capital]] on the net position. The [[Basel III]] framework governs the parallel  [[regulatory capital]] requirements, including for operational risk.
* Fund managers employ [[Financial risk management#Investment management|various strategies]] to protect their fund value; these given [[Investment management#Investment managers and portfolio structures|their mandate]] and  [[tracking error|benchmark]].
* Non-financial firms focus on [[business risk]] more generally, overlapping [[enterprise risk management]]: i.e. those events and occurrences which could negatively impact cash flow or profitability, and hence result in a loss of [[Business valuation|business value]] or a decline in [[share price]].

===Contractual risk management===
{{See also|Contract management}}

The concept of "contractual risk management" emphasises the use of risk management techniques in contract deployment, i.e. managing the risks which are accepted through entry into a contract. Norwegian academic Petri Keskitalo defines "contractual risk management" as "a practical, proactive and systematical contracting method that uses contract planning and governance to manage risks connected to business activities".<ref>University of Tromsø, [http://www.jus.uit.no/ansatte/keskitalo/CRM.htm Contractual Risk Management (C-RM)], accessed 6 January 2021</ref> In an article by Samuel Greengard published in 2010, two US legal cases are mentioned which emphasise the importance of having a strategy for dealing with risk:<ref name=greengard>Greengard, S. (2010), [https://www.nxtbook.com/nxtbooks/acec/engineeringinc0910/index.php#/p/12 The Difference Is in the Details], Engineering Inc., September/October 2010, pages 13–15</ref>
*UDC v. [[CH2M Hill]], which deals with the risk to a professional advisor who signs an [[indemnification]] provision including acceptance of a [[duty to defend]], who may thereby pick up the legal costs of defending a client subject to a claim from a third party,<ref>[https://caselaw.findlaw.com/ca-court-of-appeal/1497487.html UDC–UNIVERSAL DEVELOPMENT, L.P., Cross–Complainant and Respondent, v. CH2M HILL, Cross–Defendant and Appellant], Court of Appeal, Sixth District, California, 15 January 2010, accessed 7 January 2021</ref>
*Witt v. La Gorce Country Club, which deals with the effectiveness of a [[Limit of liability|limitation of liability]] clause, which may, in certain jurisdictions, be found to be ineffective.<ref>State of Florida, [https://law.justia.com/cases/florida/third-district-court-of-appeal/2009/3d08-1812.html Witt v. La Gorce Country Club], Third District Court of Appeal, 10 June 2009, accessed 6 January 2021</ref>

Greengard recommends using industry-standard contract language as much as possible to reduce risk as much as possible and rely on clauses which have been in use and subject to established court interpretation over a number of years.<ref name=greengard />

===Customs===
Customs risk management is concerned with the risks which arise within the context of [[international trade]] and have a bearing on safety and security, including the risk that [[illicit drugs]] and [[counterfeit goods]] can pass across borders and the risk that shipments and their contents are incorrectly declared.<ref>European Commission, [https://taxation-customs.ec.europa.eu/customs-risk-management-framework-crmf_en Customs Risk Management Framework (CRMF)], accessed 28 March 2023</ref> The [[European Union]] has adopted a Customs Risk Management Framework (CRMF) applicable across the union and throughout its [[member state of the European Union|member states]], whose aims include establishing a common level of customs control protection and a balance between the objectives of safe customs control and the facilitation of legitimate trade.<ref>European Commission, [https://taxation-customs.ec.europa.eu/customs-4/customs-risk-management/customs-risk-management-details_en Customs risk management in details], accessed 28 March 2023</ref> Two events which prompted the [[European Commission]] to review customs risk management policy in 2012-13 were the [[September 11 attacks]] of 2001 and the [[2010 transatlantic aircraft bomb plot]] involving packages being sent from [[Yemen]] to the [[United States]], referred to by the Commission as "the October 2010 (Yemen) incident".<ref>European Commission, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012DC0793 Communication from the Commission to the European Parliament, the Council and the European Economic and Social Committee on Customs Risk Management and Security of the Supply Chain], COM(2012) 793 final, page 3, published 8 January 2013, accessed 27 December 2023</ref>

===[[Memory institution]]s (museums, libraries and archives)===
{{Main|Risk management (cultural property)}}

===Enterprise security===
ESRM is a security program management approach that links security activities to an enterprise's mission and business goals through risk management methods. The security leader's role in ESRM is to manage risks of harm to enterprise assets in partnership with the business leaders whose assets are exposed to those risks. ESRM involves educating business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, then enacting the option chosen by the business in line with accepted levels of business risk tolerance<ref>ASIS https://www.asisonline.org/publications--resources/news/blog/esrm-an-enduring-security-risk-model/</ref>

===Medical devices===
For [[medical device]]s, risk management is a process for identifying, evaluating and mitigating risks associated with harm to people and damage to property or the environment. Risk management is an integral part of medical device design and development, production processes and evaluation of field experience, and is applicable to all types of medical devices. The evidence of its application is required by most regulatory bodies such as the [[Food and Drug Administration|US FDA]]. The management of risks for medical devices is described by the International Organization for Standardization (ISO) in [[ISO 14971|ISO 14971:2019]], Medical Devices—The application of risk management to medical devices, a product safety standard. The standard provides a process framework and associated requirements for management responsibilities, risk analysis and evaluation, risk controls and lifecycle risk management. Guidance on the application of the standard is available via ISO/TR 24971:2020.

The European version of the risk management standard was updated in 2009 and again in 2012 to refer to the Medical Devices Directive (MDD) and Active Implantable Medical Device Directive (AIMDD) revision in 2007, as well as the In Vitro Medical Device Directive (IVDD). The requirements of EN 14971:2012 are nearly identical to ISO 14971:2007. The differences include three "(informative)" Z Annexes that refer to the new MDD, AIMDD, and IVDD. These annexes indicate content deviations that include the requirement for risks to be reduced ''as far as possible'', and the requirement that risks be mitigated by design and not by labeling on the medical device (i.e., labeling can no longer be used to mitigate risk).

Typical risk analysis and evaluation techniques adopted by the medical device industry include [[hazard analysis]], [[fault tree analysis]] (FTA), [[failure mode and effects analysis]] (FMEA), hazard and operability study ([[HAZOP]]), and risk traceability analysis for ensuring risk controls are implemented and effective (i.e. tracking risks identified to product requirements, design specifications, verification and validation results etc.). FTA analysis requires diagramming software. FMEA analysis can be done using a [[spreadsheet]] program. There are also integrated medical device risk management solutions.

Through a [https://www.fda.gov/medicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm206153.htm draft guidance], the FDA has introduced another method named "Safety Assurance Case" for medical device safety assurance analysis. The safety assurance case is structured argument reasoning about systems appropriate for scientists and engineers, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment. With the guidance, a safety assurance case is expected for safety critical devices (e.g. infusion devices) as part of the pre-market clearance submission, e.g. 510(k). In 2013, the FDA introduced another draft guidance expecting medical device manufacturers to submit cybersecurity risk analysis information.

===Project management===
{{Main|Project risk management}}
Project risk management must be considered at the different phases of acquisition. At the beginning of a project, the advancement of technical developments, or threats presented by a competitor's projects, may cause a risk or threat assessment and subsequent evaluation of alternatives (see [[Analysis of Alternatives]]). Once a decision is made, and the project begun, more familiar project management applications can be used:<ref>Lev Virine and Michael Trumper. ''Project Decisions: The Art and Science''. (2007). Management Concepts. Vienna. VA. {{ISBN|978-1-56726-217-9}}</ref><ref>Lev Virine and Michael Trumper. ''ProjectThink: Why Good Managers Make Poor Project Choices''. Gower Pub Co. {{ISBN|978-1409454984}}</ref><ref>Peter Simon and David Hillson, Practical Risk Management: The ATOM Methodology (2012). Management Concepts. Vienna, VA. {{ISBN|978-1567263664}}</ref>

* Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
* Assigning a risk officer – a team member other than a project manager who is responsible for foreseeing potential project problems.  Typical characteristic of risk officer is a healthy skepticism.
* Maintaining live project risk database.  Each risk should have the following attributes: opening date, title, short description, probability and importance.  Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
* Creating anonymous risk reporting channel.  Each team member should have the possibility to report risks that he/she foresees in the project.
* Preparing mitigation plans for risks that are chosen to be mitigated.  The purpose of the mitigation plan is to describe how this particular risk will be handled – what, when, by whom and how will it be done to avoid it or minimize consequences if it becomes a liability.
* Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent for the risk management.

===Megaprojects (infrastructure)===
[[Megaproject]]s (sometimes also called "major programs") are large-scale investment projects, typically costing more than $1 billion per project. Megaprojects include major bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection schemes, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defense systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts. Risk management is therefore particularly pertinent for megaprojects and special methods and special education have been developed for such risk management.<ref>[[Oxford BT Centre for Major Programme Management]]</ref>

===Natural disasters===
It is important to assess risk in regard to natural disasters like [[Flood risk assessment|floods]], [[seismic hazard|earthquakes]], and so on. Outcomes of natural disaster risk assessment are valuable when considering future repair costs, business interruption losses and other downtime, effects on the environment, insurance costs, and the proposed costs of reducing the risk.<ref>Berman, Alan. Constructing a Successful Business Continuity Plan. ''Business Insurance Magazine'', March 9, 2015. http://www.businessinsurance.com/article/20150309/ISSUE0401/303159991/constructing-a-successful-business-continuity-plan</ref><ref>{{cite book|title=Acceptable Risk Processes: Lifelines and Natural Hazards|year=2002|publisher=ASCE, TCLEE|location=Reston, VA|isbn=9780784406236|url=http://www.asce.org/Product.aspx?id=2147485887&productid=5260|editor1=Craig Taylor|editor2=Erik VanMarcke|url-status=dead|archive-url=https://web.archive.org/web/20131203133515/http://www.asce.org/Product.aspx?id=2147485887&productid=5260|archive-date=2013-12-03}}</ref> The [[Sendai Framework for Disaster Risk Reduction]] is a 2015 international accord that has set goals and targets for [[disaster risk reduction]] in response to natural disasters.<ref>{{cite news |last=Rowling |first=Megan |url=http://in.reuters.com/article/us-disaster-risk-agreement-idINKBN0ME27720150318 |title=New global disaster plan sets targets to curb risk, losses |work=Reuters |date=2015-03-18 |access-date=2016-01-13 |archive-date=2016-03-04 |archive-url=https://web.archive.org/web/20160304101704/http://in.reuters.com/article/us-disaster-risk-agreement-idINKBN0ME27720150318 |url-status=dead }}</ref> There are regular [[International Disaster and Risk Conference]]s in [[Davos]] to deal with integral risk management.

Several tools can be used to assess risk and risk management of natural disasters and other climate events, including geospatial modeling, a key component of [[land change science]]. This modeling requires an understanding of geographic distributions of people as well as an ability to calculate the likelihood of a natural disaster occurring.

===Wilderness===
The management of risks to persons and property in [[wilderness]] and remote natural areas has developed with increases in outdoor recreation participation and decreased social tolerance for loss.  Organizations providing commercial wilderness experiences can now align with national and international consensus standards for training and equipment such as [[American National Standards Institute|ANSI]]/NASBLA 101-2017 (boating),<ref>{{cite web|title=American National Standard ANSI/NASBLA 101-2017: Basic Boating Knowledge—Human Propelled|url= https://cdn.ymaws.com/www.americancanoe.org/resource/resmgr/spp-documents/ANSI_NASBLA_101-2017_Human_P.pdf|access-date=2018-11-01}}</ref> [[International Climbing and Mountaineering Federation|UIAA]] 152 (ice climbing tools),<ref>{{cite web|title=UIAA Standard 152: Ice Tools|url=https://www.theuiaa.org/documents/safety-standards/152_IceTools_UIAA2018.pdf|access-date=2018-11-01|archive-date=2020-08-20|archive-url=https://web.archive.org/web/20200820122214/https://www.theuiaa.org/documents/safety-standards/152_IceTools_UIAA2018.pdf|url-status=dead}}</ref> and [[European Committee for Standardization|European Norm]] 13089:2015 + A1:2015 (mountaineering equipment).<ref>{{cite web|title=EN 13089 Mountaineering equipment – Ice-tools – Safety requirements and test methods (includes Amendment A1:2015)|url= https://www.en-standard.eu/din-en-13089-mountaineering-equipment-ice-tools-safety-requirements-and-test-methods-includes-amendment-a1-2015/|access-date=2018-11-01}}</ref><ref>{{cite web|title=Irish Standard I.S.EN 13089:2011+A1:2015 Mountaineering equipment – Ice-tools – Safety requirements and test methods|url= https://infostore.saiglobal.com/preview/is/en/2011/i.s.en13089-2011%2Ba1-2015.pdf?sku=1458668|access-date=2018-11-01}}</ref> The [[Association for Experiential Education]] offers accreditation for wilderness adventure programs.<ref>{{cite web|title=Association for Experiential Education|url=  https://www.aee.org/standards2|access-date=2018-11-01}}</ref> The [[Wilderness Risk Management Conference]] provides access to best practices, and specialist organizations provide wilderness risk management consulting and training.<ref>{{cite web|title=NOLS Risk Services|url= https://www.nols.edu/en/about/risk-services/|access-date=2018-11-01}}</ref>

The text Outdoor Safety – Risk Management for Outdoor Leaders,<ref>{{cite book |last=Haddock |date=2013 |title=Outdoor safety : risk management for outdoor leaders |url= https://www.redmoose.co.nz/SHOP/outdoor-books-guides/574-bushcraft-manual-outdoor-skills-for-the-nz-bush-40--9780908931309.html |location=Wellington, NZ |publisher= New Zealand Mountain Safety Council |isbn=9780908931309}}</ref> published by the New Zealand Mountain Safety Council, provides a view of wilderness risk management from the New Zealand perspective, recognizing the value of national outdoor safety legislation and devoting considerable attention to the roles of judgment and decision-making processes in wilderness risk management.

One popular models for risk assessment is the Risk Assessment and Safety Management (RASM) Model developed by Rick Curtis, author of The Backpacker's Field Manual.<ref name=":0">{{Cite book|title=Outdoor Leadership and Education|last=Schneider|first=Ari|date=23 May 2018|publisher=Xalibu LLC |isbn=9781732348202}}</ref> The formula for the RASM Model is: Risk = Probability of Accident × Severity of Consequences. The RASM Model weighs negative risk—the potential for loss, against positive risk—the potential for growth.

===Information technology===
{{Main|IT risk management}}
[[IT risk]] is a risk related to information technology. This is a relatively new term due to an increasing awareness that [[information security]] is simply one facet of a multitude of risks that are relevant to IT and the real world processes it supports. "Cybersecurity is tied closely to the advancement of technology. It lags only long enough for incentives like black markets to evolve and new exploits to be discovered. There is no end in sight for the advancement of technology, so we can expect the same from cybersecurity."<ref>{{Cite book|title=Cybersecurity: A Business Solution|last=Arnold|first=Rob|publisher=Threat Sketch|year=2017|isbn=978-0692944158|pages=4}}</ref>

[[ISACA]]'s ''[[Risk IT]]'' framework ties IT risk to enterprise risk management. Duty of Care Risk Analysis (DoCRA) evaluates risks and their safeguards and considers the interests of all parties potentially affected by those risks.<ref>{{Cite web|url=https://docra.org/|title=Duty of Care Risk Analysis Standard (DoCRA)|website=DoCRA|access-date=2018-08-22|archive-date=2018-08-14|archive-url=https://web.archive.org/web/20180814170112/https://docra.org/|url-status=dead}}</ref> The [https://www.verizon.com/business/resources/reports/dbir/2024/appendix/ Verizon Data Breach Investigations Report (DBIR)] features how organizations can leverage the Veris Community Database (VCDB) to estimate risk. Using HALOCK [https://www.halock.com/assessing-cyber-risks-using-verizons-vcdb/ methodology] within CIS RAM and data from VCDB, professionals can determine threat likelihood for their industries.

IT risk management includes "[[Incident management|incident handling]]", an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. According to the [[SANS Institute]], it is a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.<ref>[https://www.sans.org/security-resources/glossary-of-terms/ SANS Glossary of Security Terms] Retrieved on 2016-11-13</ref>

===Operations===
{{Main|Operational risk management}}
Operational risk management (ORM) is the oversight of [[operational risk]], including the risk of loss resulting from: inadequate or failed internal processes and systems; human factors; or external events. Given the [[operations management|nature of operations]], ORM is typically a "continual" process, and will include ongoing risk assessment, risk decision making, and the implementation of risk controls.

===Petroleum and natural gas===
For the offshore oil and gas industry, operational risk management is regulated by the [[safety case]] regime in many countries. Hazard identification and risk assessment tools and techniques are described in the international standard ISO 17776:2000, and organisations such as the IADC ([[International Association of Drilling Contractors]]) publish guidelines for [[Health, Safety and Environment]] (HSE) Case development which are based on the ISO standard. Further, diagrammatic representations of hazardous events are often expected by governmental regulators as part of risk management in safety case submissions; these are known as '''[[bow-tie diagram]]s''' (see [[Network theory in risk assessment]]). The technique is also used by organisations and regulators in mining, aviation, health, defence, industrial and finance.

===Pharmaceutical sector===
The principles and tools for quality risk management are increasingly being applied to different aspects of pharmaceutical quality systems. These aspects include development, manufacturing, distribution, inspection, and submission/review processes throughout the lifecycle of drug substances, drug products, biological and biotechnological products (including the use of raw materials, solvents, excipients, packaging and labeling materials in drug products, biological and biotechnological products). Risk management is also applied to the assessment of microbiological contamination in relation to pharmaceutical products and cleanroom manufacturing environments.<ref name=Sandle>{{cite book |editor-last1=Saghee |editor-first1=M |editor-last2=Sandle |editor-first2=T |editor-last3=Tidswell |editor-first3=E |title=Microbiology and Sterility Assurance in Pharmaceuticals and Medical Devices |edition=1 |publisher=Business Horizons |year=2011 | isbn = 978-8190646741}}</ref>

===Supply chain ===
{{Main|Supply chain risk management}}
Supply chain risk management (SCRM) aims at maintaining [[supply chain]] continuity in the event of scenarios or incidents which could interrupt normal business and hence profitability. Risks to the supply chain range from everyday to exceptional, including unpredictable natural events (such as [[tsunami]]s and [[pandemic]]s) to counterfeit products, and reach across quality, security, to resiliency and product integrity. Mitigation of these risks can involve various elements of the business including [[logistics]] and cybersecurity, as well as the areas of finance and operations.

===Travel===
Travel risk management is concerned with how organisations assess the risks to their [[business travel|staff when travelling]], especially when travelling overseas. In the field of [[international standard]]s, ISO 31030:2021 addresses good practice in travel risk management.<ref>International Organization for Standardization (ISO), [https://www.iso.org/standard/54204.html ISO 31030:2021 Travel risk management — Guidance for organizations], Edition 1, published in 2021, accessed on 22 January 2025</ref>

The Global Business Travel Association's education and research arm, the GBTA Foundation. found in 2015 that most businesses covered by their research employed travel risk management protocols aimed at ensuring the safety and well-being of their business travelers.<ref name=gbtaf>GBTA Foundation, [https://www.gbta.org/overwhelming-majority-of-companies-keep-travelers-safe-through-travel-risk-management-protocols/ Overwhelming Majority of Companies Keep Travelers Safe Through Travel Risk Management Protocols], published on 19 May 2015, accessed on 23 January 2025</ref> Six key principles of travel risk awareness put forward by the association are preparation, awareness of surroundings and people, keeping a low profile, adopting an unpredictable routine, communications and layers of protection.<ref>Global Business Travel Association Risk Committee, [https://www.gbta.org/keeping-safe-with-some-solid-advice-travel-risk-awareness-clarified/ Keeping Safe with Some Solid Advice: Travel Risk Awareness Clarified], published on 20 July 2022, accessed on 23 January 2025</ref> Traveler tracking using mobile tracking and messaging technologies had by 2015 become a widely used aspect of travel risk management.<ref name=gbtaf />