Page 110 - Rižnar, Igor, and Klemen Kavčič (ed.). 2017. Connecting Higher Education Institutions with Small and Medium-Sized Enterprises. Koper: University of Primorska Press
Tatjana Horvat and Franko Milost
of the risk is extensive, since it is necessary to take into account all of the risks. It must be a continuous and iterative process, which is often associated with the planning process. The most common tools for risk identification are commission review and the self-assessment of risks, which do not exclude each other;
• Second, we have to evaluate the risks, whereby the methodology for analysing risks can vary. Some risks can be expressed in numbers (e.g. financial risks), while a subjective view of the risk is all that is possible for those that are difficult to measure (e.g. reputational risk). One of the things that can mitigate the subjectivity in the process of providing a framework for assessment is the systematic application of the criteria for classifying risks. One of the main purposes of risk assessment is certainly to inform the management of risk areas where actions should be taken. This is one of the reasons for developing a framework for identifying risks that usually denotes them as high, medium or low. Thus, we can determine the benefits for the management and the decisions that should be made about the risks;
• Third, we have to define which level of risk is acceptable. Assessing the level of risk acceptable to an organisation means defining the ‘amount’ of risk that the organisation is ready to accept; this amount varies according to the perceived significance of the risk. We can talk about the risk style of the organisation. Thus it is necessary to establish the level of risk, for both operational (inherent) and residual risk, which is acceptable for the organisation. Operational (inherent) risk is the risk to the organisation if the management does nothing; it could change either in terms of likelihood or impact. Residual risk is the risk that remains after the management responds to the risk;
• Finally, we need to decide how we should respond to the risks. Responses are developed, wherein a response can be divided into four categories: transfer, admission, restriction and control. Among them, the most important is risk management, while internal control is the main mechanism that helps to manage risk and maintain it at an acceptable level. Internal control procedures are procedures laid down by the organisation to manage risk. Each control brings costs, so each control activity must offer benefits for those costs in relation to the risks it addresses. The risks and associated controls
108