Implementation of risk management in the armed forces of the Slovak Republic.
Risk management has to create and protect the value ensuing from the achievement of objectives and the improvement of performance, thereby contributing to the organization. It has to be an integral part of all business processes in the organization, and also part of the responsibility inherent of management positions. It requires to be a part of the decision-making process that helps to better distinguish the alternative course of action, explicitly deal with uncertainty, be systematic, structured, and timely, be based on available information, take into account human and cultural factors, be transparent and abstract, dynamic and responsive to the evolving security changes . The process of risk management could consist of the following:
--the definition of intention and objectives of risk management,
--the definition of responsibilities underlying the risk management process, design and conduct,
--the definition of the scope, depth and width of the risk management activities that will be carried out, including specific implications and exceptions,
--the definition of activities, processes, functions, project, product, service or benefit in terms of time and location,
--the definition of the relationship between a specific project, process, or a specific activity and other projects, activities or processes within the organisation,
--the definition of methods needed for risk assessment,
--the definition of the method of evaluation of efficiency and effectiveness in the management of risk,
--identification and specification of the decisions to be taken,
--identification, research on the contiguity and necessary structures, their scope and objectives, as well as the sources required for such examination .
2. IMPLEMENTATION OF RISK MANAGEMENT
In connection with the issue, it is important to realize that the structure of risk management is not intended to specify the management system but rather to support the organization when integrating risk management into its overall management system. A possible structure of risk management after its implementation into the OS SR may consist of: mandate and commitment, the draft of the risk management structure, the introduction of risk management as a process, monitoring and review the structure and the latter's continuous improvement (Figure 1). The international standard for risk management offers a different perspective on the implementation and the following terms are used (Figure 2):
--risk management, which relates to architecture (principles, structures and processes),
--risk management, which relates to the use of this type of architecture for a particular risk.
A source of risk is an element, which by itself or in combination, has the potential to cause the risk (a thing or activity able to cause consequence). There is a large number of sources of risks that must be taken into account before a decision be made. Sources of risk may include:
--the potential for positive consequences (opportunities),
--the danger of potential threats with negative consequences,
--potential threat (risk), as well as the potential for positive consequences (opportunities) . All conducted activities (training, education, but also the everyday job) affect the level of uncertainty. The latter may also be considered in relation to probability provided that there is sufficient information on uncertainty.
Probability is based on the occurrence of the event and must therefore have an impact on the outcome of such an event. The effect of the event may be determined on the basis of the cause and the description of the event. An example of the causes, description and impact of probability may run as follows "crossing the street without looking around" mostly results in "injuries".
Determining the probability of the cause and effect of an event contributes to calculating the probability distribution. With regard to the range of options, this probability distribution can determine the occurrence of a given risk and reduce the uncertainty associated with this event. The prediction is usually based on data or past experience and thus provides a basis for the potential risk.
It is necessary to point out that in specialized literature there is no unified perspective on defining the concepts of risk and uncertainty. There are indeed authors who consider these terms to be synonymous, and the authors who define them as two separate categories. In the English language, there are two terms: risk and uncertainty. The relationship between them is usually characterized as follows:
1. uncertainty (as a broader term): this is the uncertainty, the randomness of the conditions or the results of any phenomena or processes,
2. the risk (as a narrower term): this is such a kind of uncertainty, when it is possible to quantify the probability of the formation of differing alternatives.
The term of uncertainty is used to describe situations where it is not possible to connect probability to the randomness of events, and a discrepancy between a good decision and a good result emerges. The distinguishing factor between risk and uncertainty is that the risk is taken as a measurable trait and has a place in the calculation of probabilities, while the uncertainty does not have such a quality .
The responsibility for risk management means responsibility, authority and adequate competence in managing the risk, implementing, and maintaining the risk management process, the adequacy, effectiveness and efficiency of any controls. These procedures can be mitigated by:
* identification of risk owners (a person or an authority with responsibility and the power to manage the risk),
* identification of persons responsible for the development, implementation and the maintenance of the risk management structure,
* identification of the other people at all levels within the organization responsible for the risk management process,
* creation of the risk management performance measurement processes, administration of external or internal reports and improvable processes,
* ensuring appropriate levels of recognition.
The implementation of risk management represents a step aimed at implementing the proposed structure into the practice and the resurgence of risk management in the organization. Successful implementation of risk management must guarantee that:
* the owner (a person or an entity with the responsibility and authority to the risk control) understands the process of the risk management,
* activities in connection with the risk management will be actually carried out,
* the decision--making process will feasibly take the risk into account .
A Risk Management Plan must exist with the organization that implements risk management. This document specifies the approach to risk management, its components and the resources that are to be used. The management components usually include processes, experience, and the allocation of responsibilities, the sequence and timing of activities. The risk management plan may include:
* Access to risk management (implementation of risk management into the organization, determination of responsibility for the management of the risks and risk management policy);
* Components of the risk management--procedures, experience, the allocation of responsibilities, the sequence and timing of activities;
* the documentation on found risks--the risk-list (index, catalogue), the choice of the initial risk response;
* outputs of the risk analysis the most important risks, the resulting values of the risks, the risk priority;
* selected choices in response to the identified risks--risk allocation among the parties involved in order to ensure the provision of the right risk related measures and the inherent risk related contractual arrangements a contingency plan, insurance and other risk transfer arrangements,
* monitoring and controlling the comparison of actual results with the expected risks,
* maintenance of a risk management system as a means of updating and improvement,
* the evaluation--record information about the risk,
* the sources that are to be used in the risk management process.
Prior to the introduction of the risk management structure within the OS SR, it is necessary:
* to define a convenient schedule and an appropriate strategy for implementing structures,
* to apply the risk management policy and related processes,
* to be in accordance with the requirements of the laws and regulations,
* to ensure that decisions to be taken, including the development and determination of the objectives, have been in accordance with the outcomes of the risk management processes,
* to provide information and training opportunities,
* to communicate and consult with concerned parties in order to ensure that its risk management structure is still appropriate.
3. THE RISK MANAGEMENT PROCESS
Risk management and its underlying processes will be introduced within the OS SR based upon a risk management plan as an intrinsic part of organization practices and processes at all relevant levels and in all functional locations.
The risk management process represents the systematic application of management policies, procedures and experience resulting from communication and consultation. Its goal is to create the context for the identification, analysis, evaluation, treatment, monitoring, and review of risks. Hence, the process of risk management is to be an integral part of management practices and as such integrated into the organization culture and practices, and adapted to the latter's processes. The implementation of the risk management process should include:
a. Communication and consultancy.
b. Creating context: (creating external context, internal context, creating the risk management process context and defining risk criteria).
c. Risk assessment: (identification of risks, risk analysis and risk assessment).
d. Risk treatment: (methods of treatment, the choice of handling options and the introduction of plans to deal with risks .
The aim of creating context is to set parameters and the boundaries defining a unique approach of the organization towards risks and risk management activities. By creating context, the organisation:
* expresses its risk assessment objectives,
* defines internal and external parameters that need to be taken into account in risk management;
* establishes the risk assessment programme,
* determines the scope and risk criteria for risk evaluation.
Many of these parameters are similar to the parameters specified in the design of the risk management architecture. When determining the relationships triggered by the risk management process, more details must be taken into account and these need to be analysed in terms of how they relate with the overall aim of the risk management process. Creating context in this process incurs:
--creating external context,
--creating internal context,
--creating the risk management
--defining the risk criteria.
While creating the context of the risk management process, the organisation strategy, objectives, scope and parameters are determined. Next, associated risk management accountability and competence, required resources and records are applied. The context of the risk management process will vary depending on the needs of the organization. They may include:
--definition of the intent and objectives of the risk management,
--definition of responsibilities within the process and the process of risk management,
--definition of the scope, depth and width of the risk management activities that will be carried out, including the specific activities to be included in the process and those that are to be excluded from the process,
--definition of activities, processes, functions, project, product, service or benefit in terms of time and location,
--definition of the relationship among specific projects, processes, or activities within the organisation,
--definition of risk assessment methods,
--definition of risk criteria,
--definition of the method to be employed in the evaluation of the performance and effectiveness of the risk management process,
--identification and specification of the decisions and interventions to be taken,
--identification, exploring the context and the necessary structures, their scope and objectives, as well as the sources required for such examination.
Prior to risk assessment, the risk criteria for assessing risk severity are to be defined. By defining criteria, the organization determines its acceptable level (severity) of risk. The risk criteria are to reflect the values of the organization, its objectives and resources. Some criteria may be derived from the requirements of laws and regulations, and, other criteria organizations abide to. The risk criteria must:
--be in accordance with the risk management policy of the Organization,
--be defined at the beginning of the risk management process,
--be constantly reviewed and reevaluated.
The risk assessment criteria must be determined at the beginning of the risk management process and, subsequently, are to be continuously controlled. The risk criteria should be consistent with the risk management policy of the organization, should be defined at the beginning of the risk management process and must be constantly reviewed and re-evaluated.
When defining the risk criteria it is necessary to define factors shall include:
--the nature and types of causes and consequences that may occur and ways to measure them,
--time frame (time frames) of the definition of probability or the aftermath (consequences),
--how to define the probability of occurrence,
--how to determine the level of risk,
--opinions of concerned participants,
--the level at which the risk shall be acceptable or tolerable,
--considering whether the multiple combinations of risks to take into account and if so, how and which combinations need to be considered.
When assessing risks, it is necessary to answer the following questions:
--What can happen and why?
--What are the consequences?
--What is the probability of their next occurrence?
--Are there any factors that mitigate the consequences of the risk or that reduce the probability of the risk?
--Is the level of risk tolerable or acceptable and does it require further handling?
The implementation of the entire risk management system into OS SR requires adequate preparation in terms of learning on the basis of available knowledge, experience and information. Correct implementation of this issue will help to eliminate or remove a range of risks that may occur in the processes of the organization in the future. The risk assessment itself means the overall process of risk identification, risk analysis and risk assessment. Risks can be assessed at the level of organizations, departments, projects, individual activities or as specific risks. Risk assessment is a part of risk management that provides a structured Erocess by which we can determine how the objectives of the organization may be influenced. This is to be done by analysing the risks in terms of consequences and their probabilities, before deciding whether other risk handling is necessary.
 STN 31000 Manazerstvo rizika;
 HOFREITER, L. : Bezpecnost, bezpecnostne rizika a ohrozenia. Zilina: EDIS, ZU Zilina. ISBN 80-8070-181-4;
 MERNA, T., SMITH, N. J. : Projects Procured by Privately Financed Concession Contracts. Cast 1,2. Asia Law. Practice, Hong Kong. 1996;
 ISO 31000:2009 (2011)--Principles and Guidelines on Implementation (Zasady a navod pre implementaciu) ;
 SIMAK, L. Krizovy manazment vo verejnej sprave. Zilina: ZU, 2001, 243 s. ISBN 80-88829-13-5;
 BEL AN, B., BEL AN, L.. Bezpecnostne rizika. Zbornik z 19. medzinarodnej vedeckej konferencie "Riesenie knzovych situacii v specifickom prostredi" Fakulta specialneho inzinierstva ZU, Zilina, 20.--21. maj 2014. ISBN 97880-554-0875-0;
 ISO/IEC 31000:2010--Risk management--Risk assessment techniques
 ISO Guide 73:2009--Risk management--Vocabulary.
Department of Management, Armed Forces Academy of General M. R. Stefanik Liptovsky Mikulas, Slovakia
Table 1. The coherence of risk--uncertainty (source Rafferty 1994) RISK UNCERTAINTY measurable non-measurable statistic assessment subjective probability hard data qualified opinion
|Printer friendly Cite/link Email Feedback|
|Publication:||Journal of Defense Resources Management|
|Date:||Oct 1, 2015|
|Previous Article:||A study on defense acquisition models with an emerging market perspective. The case of Turkey.|
|Next Article:||Evaluation of military activity impact on humans through a probabilistic ecological risk assessment. Example of a former missile base.|