Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative). Risk management can therefore be considered the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary.
The following are the key disciplines in risk management; with slight modification, these disciplines can be brought into line with Islamic teaching.
1. Recognition of Risks
Recognition or identification of all risks is the first step in risk management. As technology develops across many aspects of modern human life, new risks also appear. Individuals and organizations are encouraged to develop their knowledge and capability to properly recognize or identify the risks they face in their lives. The questions that need to be answered during the process of risk recognition and identification are:
- What could go wrong? (Hazard risk)
- What needs to be controlled or implemented to prevent error? (Control Risk)
- What must go right? (Known as Opportunity risk)
2. Ranking of Risks
Ranking or evaluation of each identified risk needs to be carried out carefully, in order to identify which risks are significant (high risk/exposure), which represent lower risk, and so on. Each risk must be ranked in two main areas, i.e.:
- The magnitude (severity) of the impact if the risk should occur/become a reality
- The likelihood (frequency) and the potential of the risk
Once risks are ranked on these two factors, individuals or organizations can focus on those risks that are significant in terms of both severity and frequency.
3. Risk Control
The purpose of risk control is basically to review whether each identified significant risk is under adequate control. Each risk has an original value representing the frequency and severity of its impact without any controls. The owner of the risk then needs to have adequate controls in place to reduce those values to an acceptable and affordable level.
4. Response to Significant Risk
The above risk recognition, rating and control is also known as the Risk Assessment process. The individual or organization then needs to establish a proper response to the result of such an assessment. These responses will fall into one of the following five categories:
a. Accept or retain the risk - if the current level of the risk is already acceptable, the individual or organization may decide to retain the risk (not transfer it on). Proper resources then need to be allocated to anticipate and compensate should the risk occur.
b. Avoid or eliminate the risk - if the risk is so unacceptable that the individual or organization decides not to continue the activity or business that presents it. If this decision is made, the individual or organization will need an alternative activity or business to replace the abandoned one.
c. Neutralize or hedge the risk - a form of balancing one risk with another risk, whereby the two have opposite effects if they occur. Islam only allows this step if it is free of Maisir, i.e. a gambling attitude.
d. Control or reduce the risk - action taken to improve the risk so that it reaches a standard, acceptable level. A constant review process is required to ensure that the correct standard is achieved.
e. Share the risk with others - for those risks that go beyond an individual's or organization's capability to retain or control, the risk can be shared with others who face a similar kind of risk. In Islam this practice is called Takaful or mutual protection. Islam does not allow risk to be exchanged (the total transfer of the financial consequences of losses arising from risks), which is the case under conventional insurance arrangements. That practice is not recognized as fair to each party because it contains Gharar. It may lead to a burden of claims beyond the original intention of the insurer, or otherwise may result in premiums charged to the insured at unacceptable levels.
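The assessment steps above (recognize, rank on severity and likelihood, reduce with controls, then choose a response) can be worked through on a small risk register. This is an added example, not part of the original text; the 1 to 5 scales, the constructed risks and controls, and the tolerance/capacity thresholds used for the response rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed scales: severity and likelihood are integers from 1 (low) to 5 (high),
# so a risk's score (severity * likelihood) ranges from 1 to 25.


@dataclass
class Risk:
    name: str
    severity: int        # magnitude of impact if the risk becomes a reality
    likelihood: int      # frequency / probability of the risk occurring
    # Each control is (name, severity reduction, likelihood reduction).
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Original value of the risk: score without any controls applied."""
        return self.severity * self.likelihood

    def residual(self) -> int:
        """Score after every control has reduced severity and/or likelihood."""
        sev, lik = self.severity, self.likelihood
        for _name, d_sev, d_lik in self.controls:
            sev, lik = max(1, sev - d_sev), max(1, lik - d_lik)
        return sev * lik


def rank(risks):
    """Step 2: most significant (highest inherent score) first."""
    return sorted(risks, key=lambda r: r.inherent(), reverse=True)


def response(risk, tolerance=6, capacity=16):
    """Step 4 decision rule (assumed thresholds): residual within tolerance -> retain;
    residual beyond the owner's capacity even after controls -> share or avoid;
    anything in between -> keep controlling and reviewing."""
    res = risk.residual()
    if res <= tolerance:
        return "accept/retain"
    if res > capacity:
        return "share (Takaful) or avoid"
    return "control/reduce further"


# Constructed register for the example (not real data).
REGISTER = [
    Risk("Warehouse fire", severity=5, likelihood=2),
    Risk("Server outage", severity=4, likelihood=4,
         controls=[("off-site backups", 2, 0), ("monitoring", 0, 1)]),
    Risk("River flood", severity=5, likelihood=5),
]


def assess(risks=REGISTER):
    """Return (name, inherent, residual, response) rows, ranked by inherent score."""
    return [(r.name, r.inherent(), r.residual(), response(r)) for r in rank(risks)]
```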
5. Reaction Planning
The organization needs to have a proactive contingency plan, or reaction plan, for the event that a risk materializes. This plan should at least include disaster plans and a recovery or business continuity plan. The disaster plans should address all steps to be taken in the event an identified risk materializes, how the damage should be limited, and how the overall cost should be contained.
The business continuity plan is to ensure the continuity of the core business process, which may include utilization of the remaining resources or outsourcing the core business process to third parties.
6. Risk Management System
The organization needs to ensure the early establishment of risk management, reporting and monitoring. Paper communication also needs to be maintained by all parties. A systematic risk management system to monitor risk management performance may also need to be developed, based on modern performance management tools.
7. Risk Assurance System
Proper risk management needs to be equipped/bolstered by a Risk Assurance System. This system should basically deal with risk reporting, overall monitoring and risk review, and to some extent could also introduce risk indicators for the organization.