
DEFINITION OF RISK

The concept of risk may be explained as the possibility of
unfavourable results following from any occurrence. In business,
risk may be defined as the danger of loss from unforeseen
circumstances in the future. It implies a possibility of loss due to
an unpredictable or unfavourable happening in the future. To the
ordinary man, risk means exposure to danger. But at the same time, in
insurance practice "risk" is also used for a peril or loss-producing
event. For example, it is said that insurance covers the risks of fire,
explosion, cyclone, flood, etc. (Here the risks refer to the subject
matter of insurance.)
The concept of risk may be distinguished from peril and
hazard. A peril is a cause of loss, for example fire, wind, storm, hail
or theft. A hazard is a condition that may create or increase the
chance of a loss arising from a given peril or under a given
condition. Hazards can be classified into three categories: physical
hazard, moral hazard and morale hazard.
(a) Physical hazard consists of those physical conditions
that increase the chance of loss from any peril. A
physical hazard is a condition stemming from the
material characteristics of an object. These include such
phenomena as the existence of dry forests (a hazard
affecting the peril of fire), earth faults (a hazard for
earthquakes) and the existence of oily rags in a firm's
storage (a hazard for fire), etc. Such hazards may or may
not be within human control.
(b) Moral hazard refers to an increase in the probability of
loss that results from dishonesty in the character of the
insured person. The condition stems from an
individual's mental attitude. It is associated with
intentional actions designed either to cause a loss or to
increase its severity, with the sole objective of deceiving
or cheating. For example, managers who purchase fire
insurance on a factory full of unprofitable, out-of-date
equipment may feel an incentive to 'sell the building to
the insurance company' by arranging a fire to destroy the
property.
(c) Morale hazard refers to the mental attitude of a
careless or accident-prone person. Sometimes a
subconscious desire for a loss may exist, even though
the individual is not fully aware of this desire. In other
cases, circumstances may cause someone to be
indifferent to the possibility of a loss, thus causing that
person to behave in a careless manner. Morale hazard,
which is not to be confused with moral hazard, acts to
increase losses where insurance exists, not necessarily
because of dishonesty, but because of a different
attitude towards losses that will be paid by insurance
than towards losses that would be borne by the
individual. Morale hazard may be reflected in a
careless attitude toward the occurrence of loss or in an
indifference to the cost of restoring damage. In short,
morale hazard acts to increase both the frequency and
severity of losses when such losses are covered by
insurance.

CLASSIFICATION OF RISKS

Risks are the result or effect of any unforeseen event or its happening. The
business world is dynamic and full of risks and vagueness. The future is
unpredictable and full of confusion. Planning alone cannot solve or protect against
this vagueness. In the modern world, people usually lead a mechanical life.
Present-day business is carried on a large scale and is based on the anticipation of
demand and supply. The risks exist until the moment the product reaches the
consumer.
From the practical point of view, the risks can be classified
into:
(a) Financial and Non-financial Risks
(b) Fundamental and Particular Risks
(c) Pure and Speculative Risks
The following chart can facilitate a better understanding of the classifications of
risks.
(Chart: RISK, branching into Financial/Non-Financial, Fundamental/Particular and Pure/Speculative risks.)
Financial and Non-Financial Risks

If a risk is concerned with financial loss it is termed a
Financial Risk. Risks whose consequences are other than financial
(or only incidentally financial) are referred to as Non-Financial Risks.

Fundamental and Particular Risk

Fundamental Risk: Fundamental risk is also termed group
risk. It involves those losses that result from causes or
problems relating to major factors such as changes in the economic,
social, cultural and political environment. The consequences of a
fundamental risk severely affect the whole population. Examples of
fundamental risks are unemployment, war, inflation, earthquakes,
floods, droughts, famine, etc.
Particular Risk: Particular risk, unlike fundamental risk,
involves losses that result from individual events. The burning of a
house and the robbery of a bank are examples of particular risk.
Pure and Speculative Risk

The concept of pure risk denotes those situations that involve
the chance of loss or no loss. Pure risk exists when there is
uncertainty as to whether a loss will occur. No possibility of gain is
presented by pure risk, only the potential for loss. Examples of pure
risk include the uncertainty of damage to property by fire or flood,
or the prospect of premature death caused by accident or illness.
In contrast to pure risk, speculative risk exists when there is
uncertainty about an event that could produce either a profit or a loss.
Speculative risks are those risk situations where there is a possibility
of gain. Insurable risk covers losses relating only to pure risk and
not to speculative risk, because speculative risk is mainly concerned
with the possibility of gain. Business ventures and investment
decisions are examples of situations involving speculative risk.

Pure Risk Vs. Speculative Risk

1. Pure risks are ordinarily insurable; speculative risks are not.
2. A risk pooling arrangement can be made in the case of pure risk;
   in most speculative risks the conceptual framework of risk
   pooling is not possible.

Static and Dynamic Risks

Static Risks: Static risks involve those losses resulting from the
destruction of an asset or changes in its possession as a result of
dishonesty or human failure. Such financial losses arise even if there
were no changes in the economic environment. Normally static risks
are not a source of gain to society. Static losses arise with a
degree of regularity over time and, as a result, are generally
predictable, unlike dynamic risks. Static risks are the most suitable
for treatment by insurance.
Dynamic Risks: Dynamic risks involve those losses mainly
concerned with financial loss. They result from causes relating to
changes in the price level, consumer wants and needs, income, output
and the development of technology. Dynamic risks also affect
society and the public. Unlike static risks, these risks are the best
indicators of progress to society over the long run, since they are the
result of adjustment to the misallocation of resources.
At this stage, the points of distinction between dynamic and
static risks may be pointed out.
Dynamic Risks Vs. Static Risks

1. Dynamic risks are those losses resulting from changes in the
   economic environment; static risks involve those losses that
   occur even if there were no changes in the economic environment.
2. The occurrence of a dynamic loss cannot be easily predicted; the
   occurrence of a static loss can be.
3. Dynamic risks are not suited to treatment by insurance; static
   risks are more suited to treatment by insurance than dynamic
   risks.
4. Dynamic risks normally benefit society; static risks are not a
   source of gain to society.
5. Dynamic risks also occur as a result of causes relating to changes
   in the price level, consumers' wants and needs, income, etc.;
   static losses involve either the destruction of an asset or a
   change in its possession as a result of dishonesty or human
   failure.

Subjective and Objective Risk

Subjective risk refers to the mental state of an individual who
experiences doubt or worry as to the outcome of a given event. In
addition to being subjective, a particular risk may also be either pure
or speculative and either static or dynamic. Subjective risk is
essentially the psychological uncertainty that arises from an
individual's mental attitude or state of mind.
Objective risk differs from subjective risk primarily in the sense that
it is more precisely observable and therefore measurable. In general,
objective risk is the probable variation of actual from expected
experience.
The concept of subjective risk is especially important because it
provides a way to interpret the behaviour of individuals faced with
seemingly identical situations yet arriving at different decisions. For
example, one person may be ultraconservative and tend always to
take the "safe way" out, even in cases that may seem quite risk-free
to other decision-makers.
Objective risk may actually be the same in two cases, but may be
viewed very differently by those examining the risk from their own
perspective. Thus, it is not enough to know only the degree of
objective risk; the attitude toward risk of the person who will act on
the basis of this knowledge must also be known.

SOURCES OF RISKS

The sources of risks are personal risk, property risk, liability risk, and
financial risk.

(a) Personal Risk

Some uncertainties arise out of human elements, perhaps the major
source of risks. Potential losses associated with the health and well-
being of individuals also belong to this source of risk. Other risks that
confront an employed individual are those associated with
unemployment and retirement. Both result in the loss of an income
from a source that previously existed. A significant difference, however,
relates to timing. Retirement usually is not a surprise and therefore
presents many options for advance planning. Even in the case of
retirement, a person may have made arrangements for his needs, but these
would have been made on the basis of some expectations, for example
that he may live for another twenty years. If any of these expectations do not
come true, the original arrangement would become inadequate and
there could be difficulties. In contrast, abrupt lay-offs often are not
expected and are therefore harder to plan for ahead of time.
Human life is an income-generating asset, and this asset can be
lost through unexpectedly early death or made non-functional through
sickness or disabilities caused by accident. An accident may or may not
happen. Death will happen, but the time of death is uncertain. If death
happens around the time of one's retirement, when it could be
expected that income will normally cease, the person concerned
could have made some arrangements to meet the continuing needs; but if
it happens much earlier, when the alternative arrangements are not in
place, insurance is necessary to help those dependent on the income
of the dead person. Other examples of personal risks are premature
death, dependent old age, sickness or disability, unemployment, etc.
The occurrence of property damage or liability will result in a
reduction in the individual's wealth. Other risks may cause a loss of
income, for example the loss of earnings during periods of
incapacity caused by sickness or accident. Sometimes, additional
expenses may be incurred to minimise such losses, for example
expenditure on medical treatment to hasten recovery from injury or
sickness. The cost of many losses may be measured with varying
degrees of accuracy in monetary terms. However, it is difficult, if not
impossible, to place a monetary value on pain, suffering and loss of
amenities caused by personal injury, or on the loss of the sentimental
value associated with certain articles.
The risks of unemployment, accident, sickness and death
uniquely affect individuals, and their occurrence may seriously disturb
future expenditure plans. An observable feature of life is that over
most people's lifetimes income flows rarely match expenditure
needs.
However certain one's knowledge of levels of earnings at
different ages may be, unemployment, incapacity or death may upset one's
plan.
Although death is certain, its timing is uncertain, so that besides the
possibility of premature death there is also the possibility of living
beyond one's life expectancy. If that happens, savings accumulated to
provide an income after retirement may prove inadequate.
Fluctuations in the price level, notably inflation, are hard to predict, and
even harder to plan for over long periods.

(b) Property Risk

Property risk refers to direct losses and consequential losses. All
businesses and individuals that own, rent, or use property are
exposed to the risk that the property may be damaged, destroyed, or
stolen. For example, lightning may strike a building, causing a fire
that destroys the structure and the inventory, supplies, and
equipment inside. Property owned or used outside the building may
also be susceptible to loss. If property damage is extensive, a
business may be forced to shut down temporarily, thereby incurring a
loss of income in addition to the expense of replacing the damaged
property. But in some instances involving severe damage,
management may decide that temporarily closing the business is not a
viable option. In this situation, the business (a bank, say) would probably incur the
extra expenses necessary to continue operations from a different
location while repairs were made to its own premises. In addition to
risks arising out of property they own and/or use, businesses also are
exposed to risks associated with property owned or used by other
firms. Suppose one business house sells primarily over the internet.
Such a firm typically uses others to make deliveries to its
customers and could suffer significant losses if the delivery firms
were unable to perform. The following are examples of property
risk:
(1) The loss of the property,
(2) Loss of use of the property, and
(3) Additional overhead expenses occasioned by the loss of
the property.

(c) Liability Risk

Liability risk is concerned with those losses resulting from the
unintentional injury of other persons or damage to their property
through negligence or carelessness. All entities that own or use real
property are susceptible to liability losses if others are injured on
their premises. Drivers involved in accidents may be liable if their
actions are judged to be the cause of harm to someone else or to
another person's property. Similarly, actions that pollute the
environment or violate the personal rights of employees may also
prove to be expensive from a liability perspective.
Mainly the liability risks are divided into the following
categories:
(i) Public liability risks (both compulsory as per the P.L.I. Act, 1991,
and non-compulsory), for the various liabilities
arising out of the damage and injury caused by the
release of liquid or gaseous contaminants in the form of
waste effluent into the air or on land or into
water.
(ii) Product liability risks, for the claims arising out of
accidents during the period of insurance coverage due
to any defects in the products while used, giving rise
to injury, fatal or otherwise, or to damage, including damage due
to pollution arising out of or in connection with the specified product
mentioned in the insurance schedule.
(iii) Third party liability risks, to the owners of buildings
in respect of liabilities arising out of the use and
operation of lifts installed in the buildings giving rise
to death or injury of any person or damage to any
property.
(iv) Risks relating to professional indemnities, to provide
insurance protection to professional people such as
doctors, solicitors, chartered accountants, architects,
etc., against their legal liability to pay damages arising
out of negligence in the performance of their
professional duties.
(v) Other liability risks, for the utilization of various services
provided by hotels, cinema halls, open-air theatres,
medical establishments, airport premises, research
centres, schools, public libraries, exhibition fairs,
stadiums, permanent amusement parks, depots,
warehouses, and similar other non-industrial risks.
Liability risks are covered by the above policies, but liability is
a long-tail business, as the loss may be reported over a number of
years in the future, long after the expiry of the insurance policy. The
huge size of liabilities and the mandatory character of some lines of
these risks are also factors to be reckoned with. In addition, the
involvement of third parties and direct settlement with them compound
the problems of loss assessment. Legal costs involved in settlement
are sometimes astronomical, and run-off claims are very common in
liability risks.

(d) Financial Risk

A variety of financial risks, which often are speculative in
nature, can impact a firm's earnings. Examples of these financial
risks include credit risk, foreign exchange risk, commodity risk, and
interest rate risk. Although most of these financial risks tend to have
the characteristics of speculative risks, they still present the firm with
some of the same problems associated with pure risks.
From the insurer's point of view, risk can be classified into:
(1) Insurable Risk, and
(2) Uninsurable Risk

Insurable Risk

The insurable risks are those which, after the selection process,
can be carried by an insurer, although there can be different terms
and conditions for different policyholders. There is a standard of risk;
if the risk is not too great, a life can be insured as a substandard risk even
if it does not meet the requirements of a standard risk. The risk of
death among substandard lives varies, but in all cases it is higher than
that of standard lives. Insurable risks are divided into three broad
categories: standard, substandard and super-standard.
(i) Standard Risk: The standard risk is related to the
normal life, where there is neither much more nor much less
risk than average. There are certain criteria on which risks are
judged to be normal lives. It does not refer to ideal or
first-class lives but is rather a mix of good and bad
lives. This group contains neither only those
persons who are free from all impairments nor those
persons who are under serious illness. It is the group
in which the majority of persons can be included,
who may be either somewhat more or less than the average.
(ii) Superstandard Risk: The superstandard risk is
present where there is lesser risk than the standard
risk. This is also called a preferred risk. An insurer
does not prefer to issue preferred risk policies
because it increases the premium on the other standard
risks, which may cause a loss of business.
(iii) Substandard Risk: Substandard risks are those risks
which are higher than the standard risk, though still
insurable. Thus, the substandard risks lie above the
standard risk and below the uninsurable risk. If the
life proposed crosses the maximum limit of
substandard risk, it will be treated as uninsurable.
The substandard risk is insured after payment of an
additional premium.

Uninsurable Risk

If insurance could always be purchased at a higher premium, there
would not be any uninsurable risk. Theoretically, after
investigating all the factors affecting a risk, the life insurance
company should be able to give each its due consideration and
determine the premium to charge for the insurance. Practically,
however, there are a number of reasons why some persons are not
insurable. The premium would be so high for those persons
that it would be against the insurance principle, because a very high
premium would attract only those who are on their death bed. If
they were allowed, it would be a case of speculation, because after
payment of a few premiums they would be gaining. It would be unfair
to the other, healthy policyholders. The second reason is that
an unknown risk cannot be insured: to protect the existing
policyholders, the insurance company must accept only those risks
against which it can assess adequate and fair premiums to
provide for claims. Every insurer, however, does not use all these
classifications.
Risk Arising from Failure of Others

On many occasions risk exists due to the failure of another
person to meet an obligation. A firm that is heavily dependent
upon a bank to finance working capital may be forced to curtail
its activities severely if its overdraft facilities are cut back all of
a sudden.
A heavy dependence upon loan capital relative to
equity capital increases the risks for creditors and shareholders
alike. If a firm earns a higher rate of return on capital than the
rate of interest it has to pay on loans, then by borrowing it can
more than proportionately increase the profits available for
shareholders. If subsequently earnings fall, the impact will first
fall on profits, but if interest charges previously were large
relative to earnings, it may soon find itself unable to cover its
obligations to creditors.
The failure of debtors, or their inability, to settle their
debts can be another source of financial loss. This is a problem
met particularly often in overseas trade, where goods may be sold
on extended credit, because the buyer, though willing
and able to pay, may be prevented from doing so by
exchange control regulations or other restrictions imposed by the
government.
RISK MANAGEMENT

Risk management is a structured approach to managing
uncertainty related to a threat, through a sequence of human activities
including risk assessment, development of strategies to manage it, and mitigation
of risk using managerial resources. The strategies include transferring the
risk to another party, avoiding the risk, reducing the negative effect
of the risk, and accepting some or all of the consequences of a
particular risk. Traditional risk management is focused on
risks stemming from physical or legal causes (e.g., natural disasters
or fires, accidents, death and lawsuits). Financial risk management,
on the other hand, focuses on risks that can be managed using traded
financial instruments.
The objective of risk management is to reduce the different risks
related to a preselected domain to the level accepted by society. It
may refer to numerous types of threats caused by the environment,
technology, humans, organizations and politics. On the other hand, it
involves all means available to humans, or in particular to a risk
management entity (person, staff, organization).
Risk Management Process

The process used to systematically manage risk exposures is known
as risk management. The risk management process (RMP) involves the following steps.

1. Risk Identification

The first step in the process of managing risk is to identify
potential risks. Risks are about events that, when triggered, cause
problems. Hence, risk identification can start with the source of
problems, or with the problem itself.
Source analysis: Risk sources may be internal or external to the
system that is the target of risk management. Examples of risk
sources are the stakeholders of a project, the employees of a company or the
weather over an airport.
Problem analysis: Risks are related to identified threats. For
example, the threat of losing money, the threat of abuse of private
information or the threat of accidents and casualties. The threats may
exist with various entities, most importantly with shareholders,
customers and legislative bodies such as the government.
When either the source or the problem is known, the events that a
source may trigger or the events that can lead to a problem can be
investigated. For example, stakeholders withdrawing during a project
may endanger funding of the project; private information may be
stolen by employees even within a closed network; lightning striking
a Boeing 747 during takeoff may make all people on board immediate
casualties. Common methods for risk identification are:
• Objectives-based risk identification: Organizations and
project teams have objectives. Any event that may endanger
achieving an objective partly or completely is identified as a risk.
• Scenario-based risk identification: In scenario analysis
different scenarios are created. The scenarios may be the
alternative ways to achieve an objective, or an analysis of the
interaction of forces in, for example, a market or a battle. Any
event that triggers an undesired scenario alternative is
identified as a risk (see Futures Studies for the methodology used by
futurists).
• Taxonomy-based risk identification: The taxonomy in
taxonomy-based risk identification is a breakdown of possible
risk sources. Based on the taxonomy and knowledge of best
practices, a questionnaire is compiled. The answers to the
questions reveal risks.
• Common-risk checking: In several industries lists of known
risks are available. Each risk in the list can be checked for
applicability to a particular situation. An example of known risks
in the software industry is the Common Vulnerabilities and
Exposures (CVE) list found at http://cve.mitre.org.
• Risk charting: This method combines the above approaches by
listing resources at risk, threats to those resources, modifying
factors which may increase or reduce the risk, and the consequences
it is wished to avoid. Creating a matrix under these headings
enables a variety of approaches. One can begin with resources
and consider the threats they are exposed to and the
consequences of each. Alternatively, one can start with the
threats and examine which resources they would affect, or one
can begin with the consequences and determine which
combination of threats and resources would be involved to bring
them about.

2. Assessment of Risk
Once risks have been identified, they must then be assessed
as to their potential severity of loss and the probability of
occurrence. These quantities can be either simple to measure, in the
case of the value of a lost building, or impossible to know for sure,
in the case of the probability of an unlikely event occurring.
Therefore, in the assessment process it is critical to make the best
educated guesses possible in order to properly prioritize the
implementation of the risk management plan.
The fundamental difficulty in risk assessment is determining
the rate of occurrence, since statistical information is not available
on all kinds of past incidents. Furthermore, evaluating the severity
of the consequences (impact) is often quite difficult for immaterial
assets. Asset valuation is another question that needs to be
addressed. Thus, best educated opinions and available statistics are
the primary sources of information. Nevertheless, risk assessment
should produce such information for the management of the
organization that the primary risks are easy to understand and that
the risk management decisions may be prioritized. Thus, there have
been several theories and attempts to quantify risks. Numerous
different risk formulae exist, but perhaps the most widely accepted
formula for quantification is:
Rate of occurrence multiplied by the impact of the event equals
risk. Mathematically,
R = RO x IE
where R = Risk, RO = Rate of Occurrence and IE = Impact of the Event.
Later research has shown that the financial benefits of risk
management are less dependent on the formula used but are more
dependent on the frequency of, and how, risk assessment is performed.
In business it is imperative to be able to present the findings of risk
assessments in financial terms. Robert Courtney Jr. (IBM, 1970)
proposed a formula for presenting risks in financial terms. The
Courtney formula was accepted as the official risk analysis method
for US governmental agencies.
The formula proposes calculation of ALE (annualized loss
expectancy) and compares the expected loss value to the security
control implementation costs (cost-benefit analysis).

3. Potential Risk Treatment

Once risks have been identified and assessed, all techniques to
manage the risk fall into one or more of these four major categories,
i.e. avoidance (elimination), reduction (mitigation), retention
(acceptance and budgeting), and transfer (insurance or hedging).
Ideal use of these strategies may not be possible. Some of them may
involve trade-offs that are not acceptable to the organization or
person making the risk management decisions. Another source, the
US Department of Defense's Defense Acquisition University,
calls these categories ACAT, for Avoid, Control, Accept, or
Transfer. This use of the ACAT acronym is reminiscent of another
ACAT (for Acquisition Category) used in US Defense industry
procurements, in which risk management figures prominently in
decision-making and planning.
(a) Risk Avoidance: It includes not performing an activity
that could carry risk. An example would be not buying a property or
business in order not to take on the liability that comes with it.
Another would be not flying in order not to take the risk that the
airplane might be hijacked. Avoidance may seem the answer to all
risks, but avoiding risks also means losing out on the potential gain
that accepting (retaining) the risk may have allowed. Not entering a
business to avoid the risk of loss also avoids the possibility of
earning profits.
(b) Risk Reduction: It involves methods that reduce the
severity of the loss or the likelihood of the loss occurring.
Examples include sprinklers designed to put out a fire to reduce the
risk of loss by fire. This method may cause a greater loss by water
damage and therefore may not be suitable.
Modern software development methodologies reduce risk by
developing and delivering software incrementally. Early
methodologies suffered from the fact that they only delivered
software in the final phase of development; any problems encountered
in earlier phases meant costly rework and often jeopardized the whole
project. By developing in iterations, software projects can limit the effort
wasted to a single iteration.
Outsourcing could be an example of risk reduction if the outsourcer
can demonstrate higher capability at managing or reducing risks. In
this case companies outsource only some of their departmental needs.
For example, a company may outsource only its software
development, the manufacturing of hard goods, or its customer support
needs to another company, while handling the business management
itself. This way, the company can concentrate more on business
development without having to worry as much about the
manufacturing process, managing the development team, or finding a
physical location for a call centre.
(c) Risk Retention: It involves accepting the loss when it
occurs. Self-insurance falls in this category. Risk retention is a
viable strategy for small risks where the cost of insuring against the
risk would be greater over time than the total losses sustained. All
risks that are not avoided or transferred are retained by default. This
includes risks that are so large or catastrophic that they either cannot
be insured against or the premiums would be infeasible. War is an
example, since most property and risks are not insured against war, so
the loss attributable to war is retained by the insured. Also, any amount
of potential loss (risk) over the amount insured is retained risk. This
may also be acceptable if the chance of a very large loss is small or if
the cost to insure for greater coverage amounts is so great that it would
hinder the goals of the organization too much.
(d) Risk Transfer: It means causing another party to accept
the risk, typically by contract or by hedging. Insurance is one type of
risk transfer that uses contracts. Other times it may involve contract
language that transfers a risk to another party without the payment of
an insurance premium. Liability among construction or other
contractors is very often transferred this way. On the other hand,
taking offsetting positions in derivatives is typically how firms use
hedging to financially manage risk.
Some ways of managing risk fall into multiple categories. Risk
retention pools are technically retaining the risk for the group, but
spreading it over the whole group involves transfer among individual
members of the group. This is different from traditional insurance, in
that no premium is exchanged between members of the group up front,
but instead losses are assessed to all members of the group.
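The following worked example is added here and is not part of the original text. It puts the assessment formula R = RO x IE to work as an annualized loss expectancy (ALE = ARO x SLE), groups the result the way a risk chart does (by resource and by threat), and then prices the four treatment options of this section (retain, avoid, reduce, transfer) as an expected annual cost so they can be compared on the cost-benefit footing the Courtney formula calls for. Every figure in it (the register entries, the sprinkler cost and its effect on severity, the premium, deductible, policy limit and the gain forgone by avoidance) is a constructed assumption, not data from any source, and the function names are mine.

```python
"""Added example, not from the original text: the page's risk formula
R = RO x IE applied as an annualized loss expectancy (ALE = ARO x SLE),
two views of a risk chart (by resource, by threat), and the expected
annual cost of the four treatment options (avoid, reduce, retain, transfer).

Every number below (ARO, SLE, control costs, premium, deductible, limit,
foregone gain) is a constructed assumption for illustration only."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    resource: str   # asset at risk (the "resource" column of a risk chart)
    threat: str     # peril that may strike it (the "threat" column)
    sle: float      # single loss expectancy: impact of one event (IE)
    aro: float      # annualized rate of occurrence: events per year (RO)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: R = RO x IE, in currency per year."""
        return self.aro * self.sle


# Constructed risk register (assumed figures, not data from any source).
REGISTER = [
    Risk("warehouse", "fire",  sle=500_000.0, aro=0.02),
    Risk("office",    "fire",  sle=200_000.0, aro=0.01),
    Risk("laptops",   "theft", sle=5_000.0,   aro=3.0),
]


def ale_by(risks, column):
    """Risk charting: total ALE grouped by 'resource' or by 'threat'."""
    totals = {}
    for r in risks:
        key = getattr(r, column)
        totals[key] = totals.get(key, 0.0) + r.ale
    return totals


def retain(risk):
    """Retention: accept the loss when it occurs; expected cost is the ALE."""
    return risk.ale


def avoid(risk, foregone_gain):
    """Avoidance: drop the activity. Loss falls to zero, but the gain the
    activity would have produced is lost, so that gain is the cost."""
    return foregone_gain


def reduce(risk, control_cost, aro_factor=1.0, sle_factor=1.0):
    """Reduction: a control scales frequency (aro_factor) and/or severity
    (sle_factor). Cost = annual control cost + residual ALE."""
    residual = replace(risk, aro=risk.aro * aro_factor, sle=risk.sle * sle_factor)
    return control_cost + residual.ale


def transfer(risk, premium, deductible, limit):
    """Transfer by insurance: pay the premium; per event the insured still
    retains the deductible and anything above the policy limit (the page's
    'retained risk over the amount insured')."""
    retained_per_event = min(risk.sle, deductible) + max(0.0, risk.sle - limit)
    return premium + risk.aro * retained_per_event


def treatment_costs(risk):
    """Expected annual cost of each option for one risk, with assumed
    terms: sprinklers cut fire severity to 20%; insurance has a 10 000
    deductible and a 400 000 limit; avoiding the activity forgoes 40 000."""
    return {
        "retain":   retain(risk),
        "avoid":    avoid(risk, foregone_gain=40_000.0),
        "reduce":   reduce(risk, control_cost=3_000.0, sle_factor=0.2),
        "transfer": transfer(risk, premium=6_000.0, deductible=10_000.0, limit=400_000.0),
    }


def cheapest(costs):
    """Name of the option with the lowest expected annual cost."""
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.resource:10s} {r.threat:6s} ALE = {r.ale:10,.0f}")
    print("by threat:  ", ale_by(REGISTER, "threat"))
    print("by resource:", ale_by(REGISTER, "resource"))
    costs = treatment_costs(REGISTER[0])
    print("warehouse/fire:", costs, "-> cheapest:", cheapest(costs))
```

For the warehouse fire the assumed sprinkler control wins (3 000 of control cost plus 2 000 of residual ALE), insurance comes second once the deductible and the 100 000 above the limit are charged back as retained risk, and avoidance is worst because the forgone gain exceeds the whole ALE. Note that for the laptop theft entry the single loss is below the deductible, so transfer leaves the entire ALE with the insured plus the premium, which is the page's point that small, frequent losses are usually retained rather than insured.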
4. Create a Risk Management Plan

Select appropriate controls or countermeasures to mitigate each risk.
Risk mitigation needs to be approved by the appropriate level of
management. For example, a risk concerning the image of the
organization should have a top management decision behind
it, whereas IT management would have the authority to decide on
computer virus risks. The risk management plan should propose
applicable and effective security controls for managing the risks. For
example, an observed high risk of computer viruses could be
mitigated by acquiring and implementing anti-virus software. A good
risk management plan should contain a schedule for control
implementation and the persons responsible for those actions.
According to ISO/IEC 27001, the stage immediately after completion
of the risk assessment phase consists of preparing a Risk Treatment
Plan, which should document the decisions about how each of the
identified risks should be handled. Mitigation of risks often means
selection of security controls, which should be documented in a
Statement of Applicability, which identifies which particular control
objectives and controls from the standard have been selected, and
why.

5. Implementation

Follow all of the planned methods for mitigating the effect of the
risks. Purchase insurance policies for the risks that have been
decided to be transferred to an insurer, avoid all risks that can be
avoided without sacrificing the entity’s goals, reduce others, and
retain the rest.

Review and Evaluation of the Plan


Initial risk management plans will never be perfect. Practice,
experience, and actual loss results will necessitate changes in the
plan and contribute information to allow different decisions
to be made in dealing with the risks being faced.
Risk analysis results and management plans should be updated
periodically. There are two primary reasons for this:
• To evaluate whether the previously selected security
controls are still applicable and effective, and
• To evaluate the possible risk level changes in the
business environment. For example, information risks
are a good example of rapidly changing business
environment.
The bread and butter of the insurance industry is based on
probability and statistics. Actually speaking, the insurance game is a
game of probability: one who estimates correctly wins, otherwise
loses. Insurance actuaries constantly face a trade-off when
determining the premium to charge for coverage: the premium must
be high enough to cover expected losses and expenses, but low
enough to remain competitive with premiums charged by other
insurers. Actuaries apply statistical analysis to determine expected
loss levels and expected deviations from these loss levels. Through
the application of the law of large numbers, insurers reduce their risk
of adverse outcomes.
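The paragraph above states the actuary's trade-off and the law of large numbers without showing the arithmetic, so the following example is added here (it is not from the original text). It models each policy in a pool as an independent pure risk that pays out a fixed loss with a small probability, derives the mean and standard deviation of the pool's total loss, and prices a premium as expected loss plus a safety loading of k standard deviations shared across the pool, grossed up for expenses. It then shows that the same loading keeps the probability of claims exceeding premiums fixed while the premium per policy falls toward the pure premium as the pool grows. The loss model, the normal approximation for the tail probability, and all figures (1% loss probability, 100 000 loss, 2 standard deviations of loading, 20% expenses) are my assumptions.

```python
"""Added example, not from the original text: how pooling many independent
pure risks lets an actuary set a premium that covers expected losses plus a
margin, and why the law of large numbers makes that margin shrink per policy.

Model (an assumption for illustration): each of n policies independently
suffers one loss of size `loss` with probability p in the year, else nothing."""

import math


def aggregate_moments(n, p, loss):
    """Mean and standard deviation of the pool's total annual loss
    (sum of n independent Bernoulli(p) losses of size `loss`)."""
    mean = n * p * loss
    sd = math.sqrt(n * p * (1.0 - p)) * loss
    return mean, sd


def relative_deviation(n, p):
    """Std dev of the total loss divided by its mean: sqrt((1-p)/(n p)).
    It falls as 1/sqrt(n), which is the law of large numbers in action."""
    return math.sqrt((1.0 - p) / (n * p))


def premium(n, p, loss, k, expense_ratio=0.0):
    """Premium per policy: expected loss per policy (the pure premium) plus a
    safety loading of k standard deviations of the *pooled* loss shared over
    the n policies, then grossed up so that a fraction `expense_ratio` of the
    premium pays the insurer's expenses."""
    mean, sd = aggregate_moments(n, p, loss)
    risk_loaded = (mean + k * sd) / n
    return risk_loaded / (1.0 - expense_ratio)


def shortfall_probability(n, p, loss, premium_per_policy, expense_ratio=0.0):
    """Probability that claims exceed the premium left after expenses, using
    the normal approximation to the pool's total loss (adequate for large n)."""
    mean, sd = aggregate_moments(n, p, loss)
    available = n * premium_per_policy * (1.0 - expense_ratio)
    z = (available - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def compare_pools(sizes, p, loss, k, expense_ratio=0.0):
    """For each pool size: (premium charged, shortfall probability).
    The same k gives the same shortfall probability for every size, but the
    per-policy premium falls towards the pure premium p * loss as n grows."""
    out = {}
    for n in sizes:
        prem = premium(n, p, loss, k, expense_ratio)
        out[n] = (prem, shortfall_probability(n, p, loss, prem, expense_ratio))
    return out


if __name__ == "__main__":
    # Constructed figures: 1% chance per year of a 100 000 loss,
    # loading of 2 standard deviations, 20% of premium goes to expenses.
    pools = compare_pools([100, 1_000, 10_000, 100_000], 0.01, 100_000.0, 2.0, 0.2)
    for n, (prem, short) in pools.items():
        print(f"n={n:>7d}  relative sd={relative_deviation(n, 0.01):.3f}  "
              f"premium={prem:9.2f}  P(claims > premium)={short:.4f}")
```

With these assumptions the pure premium is 1 000 per policy. A pool of 100 policies needs roughly 2 990 before expenses to hold the shortfall probability at about 2.3% (the upper tail beyond two standard deviations), while a pool of 10 000 needs only about 1 199 for the same protection, because the relative deviation of the total loss has dropped by a factor of ten. That gap is the competitive room the paragraph describes: a larger, well-diversified pool can undercut a small one at the same level of safety.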
