The company's risk management system. Risk management activities Enterprise-level risk management practices

02.11.2021

In the era of economic and financial crisis, risk management is the most pressing issue facing Russian industrial companies. The processes of globalization are becoming another source of economic risks, so the use of the basics of risk management in management will contribute to the achievement of the goals and objectives of chemical companies, although, of course, it will not reduce the likelihood of various kinds of risks to zero.

The introduction of a risk management system at enterprises makes it possible to:

  • identify possible risks at all stages of activity;
  • predict, compare and analyze emerging risks;
  • develop the necessary management strategy and a set of decision-making to minimize and eliminate risks;
  • create the conditions necessary for the implementation of the developed measures;
  • monitor the operation of the risk management system;
  • analyze and control the results.

The features of risk management include: the need for the management of companies to have anticipatory thinking, intuition and foresight of the situation; the possibility of formalizing the risk management system; the ability to respond quickly and identify ways to improve the functioning of the organization, reduce the likelihood of an undesirable course of events.

Comprehensive risk management system ERM (Enterprise risk management) in many foreign companies, for example, in the USA, is already used quite widely, since the owners of large global companies have already made sure in practice that the old management methods do not correspond to modern market conditions and are not able to ensure the successful development of their business.

The application of risk management implies a clear distribution of responsibility and authority between all structural divisions. Top management functions include appointing those responsible for the implementation of the necessary risk management procedures at all levels. Such decisions should be consistent with the strategic goals and objectives of the company and not violate the terms of the current legislation. At the same time, it is necessary to correctly distribute among the executors the measure to identify risks and the functions of control over the created risk situation.

Risk management as a key tool aimed at improving performance

Risk management is one of the key tools to improve the effectiveness of enterprise management programs that they can use to reduce product life cycle costs and mitigate or avoid potential problems that could interfere with the success of the enterprise.

Achieving the goals of the enterprise requires specific ideas about the main activity, production technologies, as well as studying the main types of risks. Prevention of risks and reduction of losses from impact leads to sustainable development of the enterprise. The process by which the activities of an enterprise are directed and coordinated in terms of the effectiveness of risk management and constitutes risk management. Risk management is the process of identifying the losses an organization faces in its core business and their impact, and selecting the most appropriate method to manage each individual risk.

In another view, risk management is a systematic process in which risks are assessed and analyzed in order to reduce or eliminate their consequences, as well as to achieve goals.

Based on the foregoing, it can be concluded that risk management to ensure the viability and efficiency of an enterprise is a cyclical and continuous process that coordinates and directs the main activities. It is advisable to do this by identifying, controlling and reducing the impact of all types of risks, including monitoring, contacts and consultations aimed at meeting the needs of the population, without compromising the ability of future generations to meet their own needs. Risk assessment leads to the stability of the enterprise, contributing to its sustainable development. Risk management - a contribution to sustainable development, is an essential factor in maintaining and improving the stable operation of the enterprise. Proactive risk management is critical to the management process to ensure that risks are being handled at the appropriate level.

Planning and implementation of risk management includes the following steps:

  • Management of risks;
  • identification of risks and the degree of their impact on business processes;
  • application of qualitative and quantitative risk analysis;
  • development and execution of risk response plans and their implementation;
  • monitoring risks and management processes;
  • the relationship between risk management and performance;
  • evaluation of the overall risk management process.

Methodology (program) for continuous risk management

In order to facilitate risk management activities, an enterprise needs to develop a methodology (program) for continuous risk management (CRRM). MNRM is a theoretically significant program aimed at developing project management mechanisms with best practice processes, methods and tools for enterprise risk management. It provides conditions for active decision-making, continuous risk assessment, determining the degree of significance and level of influence of risks on management decisions, and implementing a strategy to combat them. In addition, progress can also be made in the scope of the project, the budget of the enterprise, the timing of its implementation, etc. Figure 1 clearly illustrates the methodology of the continuous risk management process.

Rice. 1. Continuous risk management process

The performance management process acts as an auxiliary tool for obtaining the information necessary for the developed risk management mechanism. Unfavorable trends should be analyzed and assessed for their impact on this mechanism. Appropriate actions of the control mechanism should be taken for those areas of activity that are defined as basic in the business processes of the enterprise. Corrective actions may include a reallocation of resources (funds, personnel, and rescheduling of production) or the activation of a planned risk mitigation strategy. Severe cases, adverse trends and key indicators can also be taken into account when using this mechanism.

It is important that this mechanism emphasizes the need to reassess the identified risks that systematically affect the activities of the enterprise. As the system goes through the development life cycle, in this case, most of the information will become available for risk assessment. If the magnitude of the risk changes significantly, approaches to its treatment should be adjusted.

Overall, this progressive approach to risk management is critical to a comprehensive management process and ensures that risk metrics are handled efficiently and at the appropriate level.

Development of a risk management program at the enterprise

Consider the risk management policy that should be applied in the enterprise. The developed mechanism (program) should be aimed at effective and continuous risk management. Thus, early, accurate and continuous identification and assessment of risks is encouraged, and the creation of informationally transparent risk reporting, planning of measures to reduce and prevent changes in external and internal conditions will have a positive impact on the program.

This mechanism, including relationships with counterparties and contractors, should perform the functions of identifying risks and monitoring them. For its implementation, it is necessary to have a plan in the form of a set of guidance documents developed for specific areas of activity. This plan sets out the guidelines for the implementation of the ISDM in a specific time frame. It does not affect the conduct of other activities of the entire enterprise, but rather can provide management leadership in risk management.

The risk management process must meet a number of requirements: it must be flexible, proactive, and must also work towards providing conditions for effective decision-making. Risk management will influence risks by:

  • encouraging risk identification;
  • decriminalization;
  • identifying active risks (constant assessment of what could go wrong);
  • identifying opportunities (constantly evaluating the likelihood of favorable or timely cases);
  • estimates of the likelihood of occurrence and severity of impact for each identified risk;
  • determining appropriate courses of action to reduce the possible significant impact of risks on the enterprise;
  • developing action plans or steps to neutralize the impact of any risk that needs to be mitigated;
  • maintaining continuous monitoring of the occurrence of risks with a negligible degree of impact at the present time, which may change over time;
  • production and dissemination of reliable and timely information;
  • facilitating communication between all program stakeholders.

The risk management process will be carried out in a flexible manner, taking into account the circumstances in which each risk occurs. The main risk management strategy is to identify the critical areas of risk events, both technical and non-technical, and take the necessary measures in advance to deal with them before they have a significant impact on the enterprise, causing serious costs, reducing product quality or productivity.

Let us consider in more detail the functional elements that are components of the risk management process: identification (detection), analysis, planning and response, as well as monitoring and management. Each functional element will be discussed below.

  1. Identification
  • Data review (i.e. earned value, critical path analysis, integrated scheduling, Monte Carlo analysis, budgeting, defect analysis and trend analysis, etc.);
  • Consideration of submitted risk identification forms;
  • Conducting and assessing risk using brainstorming, individual or group peer review
  • Holding independent evaluation identified risks
  • Enter the risk in the risk register
  1. Risk identification/analysis of tools and methods to be used include:
  • Interview methods for determining risk
  • Fault tree analysis
  • Historical data
  • Lessons learned
  • Risk Accounting - Checklist
  • Individual or group judgment of experts
  • Detailed work breakdown structure analysis, resource exploration and scheduling
  1. Analysis
  • Conducting a probability assessment - each risk will be assigned a high, medium or low level of probability of occurrence
  • Creation of risk categories – identified risks should be associated with one or more of the following risk categories (e.g. cost, timing, technical, software, process, etc.)
  • Assess the impact of risks - evaluate the impact of each risk depending on the identified risk categories
  • Determining Risk Severity - assign probabilities and rating impacts in each of the risk categories
  • Determine when the risk event is likely to occur
  1. Planning and response
  • risk priorities
  • Risk Analysis
  • Appoint a person responsible for the occurrence of the risk
  • Determine an appropriate risk management strategy
  • Develop an appropriate risk response plan
  • Make an overview of priorities and determine its level in reporting
  1. Supervision and control
  • Define reporting formats
  • Define review form and frequency of occurrence for all risk classes
  • Risk report based on triggers and categories
  • Conducting a risk assessment
  • Submission of monthly risk reports

For effective risk management at the enterprise, we consider it expedient to create a risk management department. The main responsibilities of this structural unit, including for personnel and other users (including employees, consultants and contractors), in order to successfully implement the risk management strategy and processes are given in Table. one.

Table 1 — Risk Management Department Roles and Responsibilities

Roles Assigned duties
Program Director (DP) oversight of risk management activities.

Risk monitoring and risk response plans.

Approval of the decision to finance risk response plans.

Monitoring of management decisions.
Project Manager assisting in the control of risk management activities

Assistance in creating organizational authority for all risk management activities.

Timely response to funding risk.
employee facilitating the implementation of risk management (the employee is not responsible for the identification of risks, or the success of individual risk response plans).

The need to encourage proactive decision-making in determining appropriate risk responses for risk owners and department managers.

Stakeholder administration and commitment, risk management process

Ensuring regular coordination and exchange of information on risk between all stakeholders,

Management of risks in the registered risk register (database).

Development of knowledge of personnel and contractors in the field of risk management activities.
Secretary the functions of the secretary are performed by an employee of the risk department or they alternate between all employees. Features include:

Planning and coordinating meetings;

Preparing meeting agenda, risk assessment packages, and meeting minutes.

Get and track the status of proposed risk types.

Performing an initial assessment of the proposed types of risk to determine the most important.

Expert in the subject area of ​​risk analysis at the request of the Chairman of the Board of Directors.

Facilitate analysis by members of the Board of Directors who will decide whether risk mitigation is necessary.

Regular coordination and communication of risk information exchange with all stakeholders,
Department Director (DO) appointment of risk owners in their area of ​​responsibility and / or competence.

Active promotion of employees

Tracking the integration of risk management efforts of responsible persons in their areas of responsibility.

Selecting and approving a risk response strategy. This includes approving resources (eg owner risk) for further risk analysis and/or drawing up a more detailed risk response plan if necessary. Approval of all tasks.

Assign resources to the risk management response contained in the detailed plan.
Individual member of the Office of Management (OMP) program identification of risks.

Access to risk management data

Identification of possible risks from the data using a standard form of identification if necessary

Drawing up and implementing a risk response plan

Determination of the time and all costs associated with the implementation of the risk response plan
Risk owner / Responsible person attending meetings of the risk management department.

Review and/or provision of relevant data, e.g. critical path analysis, project/data management support tools, defect analysis, auditing, and the possibility of adverse trends

Participation in the development of response plans

Risk status report and effectiveness of risk response plans

Work to identify means of responding to risks through any additional or residual risk.
Integrated Brigade (KB) identification and provision of information on the risks that may arise as a result of the CB's activities.

Participation in the planning of any risk in accordance with this program. Such planning requires coordination with the risk management department, who, acting as a guide, can help acquire resources to respond to risks.

Report on the progress and results of the risk response.
Quality control control and review of the RCM when updating or changing the plan

Commitment to maintain the quality of documentation practices and risk management processes

Risk management functions consist in organizing interaction with existing divisions organizational structure. CPIs are formed for functional areas that are critical to the successful implementation of the objectives. All functional departments or business processes not covered by the CU are assessed and reviewed by the DP, PM, and employee to ensure adequate behavior in relation to the occurrence of risk. Risk identification is the process of determining which events may affect the operation of the enterprise and documenting their characteristics. It is important to note that risk identification is an iterative process. The first iteration is a pre-assessment and risk check of the team, as needed, with a risk ID. The second iteration includes presentation, review and discussion. The risk management process includes three separate risk characterization steps: identification, assessment and adjustment, and confirmation.

A graphical representation of the risk identification process is shown in fig. 2.

Rice. 2. Structural scheme risk identification algorithm

As a result of its implementation, a set of measures can be developed to assess the operational risks of the enterprise, the integral risk, the quantitative assessment of which is based on a comprehensive analysis of financial and accounting statements, and the assessment of the integral risk based on all levels of responsibility of the enterprise.

Conclusion

Risk management at chemical enterprises must be carried out within the framework of systemic and process approaches, taking into account the specifics of the industry, using modern effective management methods and production organizations, as well as using risk management tools. The risk management system for the activities of a chemical enterprise must necessarily take into account the safety requirements established by state authorities and ensure the safety and health of personnel associated with a hazardous technological facility. For the purpose of effective risk management of an enterprise, an integral risk management system is needed, which consists in an integrated approach to assessing the maximum number of risk factors for an enterprise's activities carried out in a dynamic economic environment. The author believes that the development of the above set of measures will be accompanied by an increase in the level of management and risk assessment in industrial organizations.

Essence of risks and their classification

For the first time, the concept of "risk" in relation to the business sphere of human activity was formulated in the insurance business, and later in the exchange business. Management as a management science has brought to a new field of knowledge an understanding of how the risk management process should be organized.

The concept of "risk" is defined ambiguously and often depends on the context of its use. Risk in the most general form can be defined as a possible hazard.

In a broad sense, risk is a situational characteristic of the activity of any market entity, which is a consequence of uncertainty in its internal and external environment, and when it is realized, adverse consequences may occur for this entity.

IN narrowly at risk it is necessary to understand the probability of incurring losses by the enterprise as a result of doing business.

The main characteristics of the risk are as follows:

The risk is always present at all stages of the activities of economic entities, regardless of the scope of their functioning, while the difference is only in its degree;

Complete elimination of risk is impossible due to a number of reasons, both objective and subjective.

Risk management began to take shape as a separate science in the second half of the 20th century; the categorical apparatus and methodology of risk management have not yet fully settled down. Nevertheless, it is believed that at the micro level, the occurrence of risks is associated with uncertainty.

According to the degree of severity, there are three main types of uncertainty:

Complete uncertainty (characterized by close to 0 predictability of the occurrence of an event);



Partial uncertainty (characterized by the fact that the probability of the occurrence of an event, and therefore the degree of its predictability, is in the range from 0 to 1);

Complete certainty (characterized by the predictability of the occurrence of an event close to 1).

The causes of uncertainty can be grouped into several main groups:

The indeterminacy of the processes taking place in society in general and in economic life in particular;

Lack of complete information when planning the behavior of a market entity or its subjective analysis;

Influence of subjective factors on the results of the analysis.

The emergence of uncertainty in the conditions of the operation of the enterprise and its management may be due to the action of various factors, among which the most common are:

Uncertainty in determining the period of strategic planning for the development of an enterprise;

Uncertainty in the formation of enterprise goals and the choice of development priorities;

Errors in assessing the current state of affairs within the enterprise and its place in the market;

Insufficient completeness or erroneous information about the prospects for the development of this enterprise and the market as a whole;

Failures in the process of developing an enterprise strategy, as well as during its implementation;

Uncertainty in the control and evaluation of the results of the enterprise.

The development strategy of an enterprise in a market economy should be formed taking into account these types of uncertainty at each stage: at the stage of determining the strategy; formation of goals; development of ways to implement the chosen strategy and the formation of areas of activity; analysis of own competencies; control over the implementation of the strategy.

Economic entities in the process of their functioning are affected by various types of uncertainty and risks and, to a certain extent, can manage them.

The effectiveness of risk management is largely determined by the identification of risks in the general system of their classification. Risks can be classified according to various criteria (table 16.1).

Table 16.1

Risk classification

Classification features Types of risks
Relationship with business activities Entrepreneurial Non-entrepreneurial
Belonging to the country of operation of the economic entity Internal External
Occurrence rate Firm (micro level) Sectoral Intersectoral Regional State Global (worldwide)
Sphere of Origin Socio-political Administrative-legislative Production Commercial Financial Natural-environmental Demographic Geopolitical
Causes Uncertainty of the future Lack of information Subjective impacts
The degree of justification for risk acceptance Justified Partially justified Adventurous
Degree of consistency Systemic Non-systemic (unique)
Limit Compliance Permissible Critical Catastrophic
Realization of risks Realized Unrealized
The adequacy of the time for making a decision on the response to the realization of risks Preventive Current Late
A group that analyzes the risk and decides on behavior if it occurs Individual solution Collective solution
Scale of influence Monosingular Polysingular
Possibility of Forecasting Predictable Partially unpredictable
Degree of impact on activities Negative Zero Positive

Principles and main stages of the process

risk management

In the economic literature, there are a fairly large number of approaches to risk management. In a broad sense, risk management is understood as the science of ensuring the conditions for the successful functioning of any production and economic unit under conditions of risk, in a narrow sense, as the process of developing and implementing a program to reduce any random losses.

risk management Like any control system, it consists of a controlled and a control subsystem. Managed Subsystem or the control object is a combination of risks and related relationships, and control subsystem or the subject of management is a special group of people who, through various methods and methods of management influence, carries out the functioning of an economic entity under conditions of risk.

There are several basic principles of the risk management process:

1) scale principle lies in the fact that the economic entity should strive for the most complete study of possible areas of risk. Thus, this principle leads to the reduction of the degree of uncertainty to a minimum;

2)risk minimization principle means that enterprises seek to minimize, firstly, the range of possible risks, and secondly, the degree of their impact on their activities;

3) principle of adequacy of response consists in the fact that an economic entity must quickly respond to internal and external changes, taking into account the forecast of their development;

4) prudent acceptance principle means that only if the risk is justified, the enterprise can accept it. The components of this principle can be summarized as follows:

It is unwise to risk more for less;

It is necessary to accept risk only in the amount of own funds;

It is necessary to predict in advance the possible consequences if the risk materializes.

The process of effective risk management includes the following: stages:

1. Identification. At this stage, the enterprise determines the occurrence of a combination of all possible risks.

2. Grade.At this stage, a complete analysis of the risk is made both in terms of the scale of its influence and the likelihood of occurrence.

3. Choosing a strategy regarding risk. The firm's strategy may be different: cautious, risky or balanced (table 16.2).

Table 16.2

Enterprise risk strategies

4. Reducing the degree of risk. At this stage, the enterprise is engaged in the choice of methods for influencing the risk in order to minimize either the amount of possible damage or the likelihood of adverse events.

5. Control. This stage consists in monitoring the effectiveness of the application of risk management methods, monitoring the current situation (both internal and external), identifying new circumstances that change the level of risk.

At each of these stages, information is collected and exchanged, and the degree of risk depends on its volume and quality.

In some cases, to manage risk in an organization, a special unit must be created - a risk management department headed by a risk manager, that is, a leader who deals exclusively with risk management problems and coordinates the activities of all units in terms of managing risk and ensuring compensation for possible losses and losses.

There are three main organizational aspects of creating a risk management structure:

Activities of the lead risk manager;

Activities of the risk management department;

The relationship of the unit with other structures of the enterprise.

The functions of a risk manager include:

Ensuring security and risk control;

Formation of the organizational structure of risk management at the enterprise;

Development of basic provisions and instructions for risk management.

The main task of the risk manager and his division is to develop a strategy and principles of risk management at the enterprise, which should be set out in internal normative documents, the main of which are the Risk Management Regulations and the Risk Management Guidelines.

Risk Management Statement expresses the company's attitude towards risk management. It should set out the key points of the enterprise's management strategy in this area, delineate powers between various structural units, etc.

Unlike him Risk Management Guide is a document that defines specific actions. It should contain instructions on how each specific risk management task will be solved, as well as answers to the following questions: who should assess possible losses; who and how should determine the conditions of insurance; what to do if an event occurred that led to losses; how to limit losses.

The main functions of the risk management department are: risk identification; risk assessment; selection and implementation of methods for influencing risks.

Risk assessment

The concepts of "damage", "loss" are closely related to the concept of "risk". If the risk is an indefinite possibility of loss, damage and destruction, then the loss is associated with the realization of the risk, that is, it is a material, monetary expression of losses.

Losses arising in the process of entrepreneurial activity, depending on their belonging to a specific type of resources used by the enterprise, can be divided into the following types: financial, material, marketing, time losses, moral and psychological, social, environmental.

In order to determine the likelihood of adverse events and the possible size of the loss, a risk assessment is carried out.

There are three levels in the system of risk assessment principles:

1. Methodological principles, that is, the principles that define the conceptual provisions that are the most general, and most importantly, do not depend on the specifics of the type of risk under consideration (uniformity, positivity, objectivity).

2. Methodological principles, that is, the principles directly related to the type of activity, its specificity (dynamism, consistency, etc.).

3. Operational principles related to the availability, reliability, unambiguity of information and the possibilities of its processing (modelability, simplification).

Risk assessment methods consist of two groups: qualitative and quantitative. Qualitative assessments are the most complex, their main task is to identify risk factors, identify areas of activity and stages at which risk may arise. That is, as a result of a qualitative assessment, potential areas of risk are identified.

Quantitative risk analysis gives a numerical definition of the size of individual risks, as well as the risk of the entire chosen line of business.

Risk can be defined both in absolute and relative terms. Measurement of the degree of risk in absolute terms is advisable to use when characterizing certain types of losses, and in relative terms - when comparing the predicted level of losses with the real, industry average, average for the economy.

The main risk assessment methods include statistical, cost feasibility analysis, expert assessments, the analogy method, etc.

Statistical Method is one of the most common. The method is widely used in cases where, when conducting a quantitative analysis, a company has a significant amount of analytical and statistical information on the necessary elements of the analyzed system. Essence statistical method risk assessment is based on the theory of probability distribution of random variables. This provision means that, having a sufficient amount of information about the implementation of certain types of risk in past periods for specific types of business, any business entity is able to assess the likelihood of their implementation in the future. This probability will be the degree of risk.

The probabilistic forecast of a random variable X, where x 1, x 2, ..., x n - the values ​​\u200b\u200bthat it takes, is a table of the following form (table 16.3):

Table 16.3

Probabilistic prediction of a random variable

X x 1 x 2 x n
R (X) p1 p2 p n

According to one of the basic formulas of probability theory, the sum of probabilities in a probabilistic forecast should be equal to one, which is reflected in the formula:

Based on the probabilistic forecast of a random variable, the formulas can be used to find the mathematical expectation (that is, the forecast of its most probable value) and the standard deviation characterizing the forecast error:

,

where M (X) - mathematical expectation;

X - values ​​that the parameter under study can take;

P is the probability of accepting these values.

The probabilistic meaning of the mathematical expectation of a specific parameter from conducting entrepreneurial activity is that it is approximately equal to the arithmetic mean of its observed (possible) values.

The economic meaning of the standard deviation from the point of view of risk theory is that it is a characteristic of a particular risk, which shows the maximum possible deviation of a certain parameter from its average expected value. Moreover, the larger the value of the standard deviation, the more risky this management decision is and, accordingly, the more risky this path of development of the enterprise.

However, the value of the standard deviation does not make it possible to compare the riskiness of activities and specific situations according to signs (losses) expressed in different units.

This disadvantage can be eliminated by introducing the coefficient of variation. The coefficient of variation is a relative value, which is calculated as the ratio of the standard deviation to the mathematical expectation:

The coefficient of variation is a dimensionless and non-negative value, which characterizes the risk of not achieving the set goals in full. The relationship between the coefficient of variation and the level of risk is presented in table 16.4.

Table 16.4

Correspondence of the level of risk with the value of the coefficient of variation

If our goal is for the random variable X to reach the value x * , i.e

,

then the mathematical expectation of the absolute non-achievement of the goal (ANC) will be found by the formula:

for all x i< х * .

Relative non-achievement of the goal (ONC) can be found by the formula:

.

Obviously, the higher the value of the relative failure to achieve the goal, the higher the risk. An increase in the OCC indicates an increase in risk.

Essence cost-benefit analysis method is based on the fact that in the process of entrepreneurial activity, the costs for each specific direction, as well as for individual elements, have a different degree of risk.

So, for example, gambling is hypothetically riskier than bread production, and the costs that a diversified firm incurs in developing these two lines of business will also differ in degree of risk. The same situation persists with the costs within the same direction. The degree of risk in terms of costs associated with the purchase of raw materials (which may not be delivered exactly on time, its quality may not fully comply with technological standards, or its consumer properties may be partially lost during storage at the enterprise, etc.) will be higher, than payroll costs.

Determining the degree of risk through cost-benefit analysis is focused on identifying potential risk areas. This makes it possible to identify "bottlenecks" in the activities of the enterprise in terms of riskiness and develop ways to eliminate them.

The state for each of the cost elements should be divided into risk areas, which represent a zone of general losses, within which specific losses do not exceed the limit value of the established risk level: area of ​​absolute stability; region of normal stability; region of unstable state; area of ​​critical condition; area of ​​crisis.

Table 16.5

Areas of activity of the enterprise in terms of sustainability

Each cost item is analyzed separately for its identification by areas of risk and maximum losses. At the same time, the degree of risk of the entire line of business activity will correspond to the maximum value of risk by cost elements. The advantage of this method is that, knowing the cost item with the maximum risk, you can find ways to reduce it.

Method for determining the degree of risk by expert assessments is more subjective than other methods. This subjectivity is a consequence of the fact that a group of experts involved in risk analysis expresses its own subjective judgments both about the past situation and about the prospects for its development.

Most often, this method is used when there is not enough information or when determining the degree of risk of such a direction of business activity, which has no analogues, which also makes it impossible to analyze past performance.

In the most general form, the essence of this method is that the enterprise identifies a certain group of risks and considers how they can affect its activities. This consideration is reduced to scoring the probability of occurrence of a particular type of risk, as well as the degree of its impact on the company's activities.

Analytical method includes several stages.

At the first stage, preparation for analytical processing of information is carried out, which includes:

a) determination of the key parameter against which a particular area of ​​business activity is assessed (for example, sales volume, profit volume, profitability, etc.);

b) the selection of factors that affect the activities of the company, and therefore on the key parameter (for example, the inflation rate, political stability, the degree of fulfillment of contracts by the main suppliers of the enterprise, etc.);

c) calculation of key parameter values ​​at all stages of the production process .

At the second stage, the dependencies of the selected resulting indicators on the value of the initial parameters are built. The main indicators are selected that have the greatest impact on this species entrepreneurial activity.

At the third stage, critical values ​​of key parameters are determined. In this case, the critical point of production or the break-even zone, which shows the minimum allowable sales volume to cover the costs of the company, can be most simply calculated.

At the fourth stage, the obtained critical values ​​of key parameters, the factors influencing them are analyzed, and possible directions for improving the efficiency and stability of the company's work are determined, and, consequently, ways to reduce the degree of risk.

Thus, the advantage of the analytical method is the combination of a factor-by-factor analysis of the parameters that affect the risk and the identification of possible ways to reduce it.

Essence method of using analogues consists in the fact that when analyzing the degree of risk of a certain area of ​​business activity, it is advisable to use data on the development of the same and similar areas in the past.

So, if it is necessary to identify the degree of risk in any innovative direction of the company's activity, when there is no strict basis for comparison, it is better to know past experience, although it does not fully correspond to modern conditions, than not to know anything. The method is aimed at revealing similarities in the patterns of development of processes and, on this basis, making forecasts. When using the method, one should distinguish between historical, literary and mathematical analogy.

The analysis of past risk factors is carried out on the basis of information obtained from a variety of sources, such as published reports of companies on their past activities, websites and print publications of government organizations, data from insurance companies, etc. The data obtained in this way is processed in order to identify dependencies between the planned results of the company's activities and potential risks.

The objective difficulty in using the analogy method for assessing the degree of risk is that the data of past periods should be applied at the present time without taking into account the fact that any business activity is in constant development. This danger is most clearly visible when considering the production lines of entrepreneurial activity. Any product goes through several life stages from its development to its removal from production. Therefore, it is advisable to compare past and present indicators within the same stage. Otherwise, the probability of error during the analysis is quite high.

Risk Management Methods

All methods of influencing risk can be divided into the following main groups: risk rejection, risk acceptance, risk reduction, risk transfer.

In the practice of the company, there are major risks, which are simply impossible to avoid. These risks can be partially reduced, but not completely eliminated. In addition, the reduction of such risks practically does not reduce the danger of the consequences of their implementation. Therefore, the purpose and essence of using this method of managing major risks is to create such production and economic conditions under which the likelihood of such risks is minimized.

When deciding on failure from a risky operation, the following should be considered.

First, avoiding risk completely may simply be impossible or unlikely, especially for small firms.

Secondly, the expected profit from making a risky decision can significantly exceed the possible losses. In such situations, risk avoidance is not considered as a possible solution.

Thirdly, the avoidance of one type of risk can lead to the emergence of other types of risk. That is, such a risk management method is effective when the probability of losses and the possible size of the loss are high - avoiding risky situations in this case is the best alternative.

Obviously, risks cannot always be avoided. Most often, businesses have to take the risk. It is necessary to pay attention to the fact that some risks are accepted by the company, as they contain the possibility of obtaining additional profit, other risks are accepted by the organization, since they are inevitable.

The essence of this method is to cover possible losses at the expense of the company's own financial capabilities. The use of this method is justified in the following cases:

Loss frequency is low;

The potential loss is small.

Losses with this method of risk management can be covered either at the expense of the current cash flow or at the expense of reserve funds specially created for these purposes.

As for the next control method, then risk reduction implies a reduction in either the likelihood of adverse events or the amount of possible damage.

The essence of the loss prevention method consists in carrying out measures aimed at reducing the likelihood of their occurrence. The use of this method is justified in the following cases:

The probability of realization of the risk is quite high;

The potential damage is small.

The use of this method is associated with the development of a program of preventive measures, the use of which is justified only as long as the cost of their implementation is less than the gain due to these activities.

When drawing up a preventive action plan, you should:

Assess the economic feasibility of each event;

Clarify with the management of the company and (or) its specialists the amount of funds that can be used for events;

Engage specialists to develop a program of activities or obtain advice on it, if necessary (for example, special knowledge is required);

Get approval from the company's management to carry out preventive measures;

Correct, clarify and control activities;

Periodically review the set of measures.

The essence of the method of reducing the amount of loss consists in carrying out measures aimed at reducing the size of a possible loss. The use of this method is justified in the following cases:

Large amount of possible damage;

The likelihood of the risk being realized is low.

It is possible to use the following methods to reduce the amount of losses: segregation (separation) of assets, combinations (combination) of assets and diversification.

Separation of assets often reduces the amount of possible losses in the event of an undesirable event. The essence of this method lies in the maximum reduction of possible losses per event. Assets can be separated by physically separating the assets themselves by use or by separating assets by ownership.

Combination of assets also makes losses or gains more predictable by reducing the number of units at risk controlled by a single commercial entity.

The combination of assets may occur on the basis of business concentration through internal growth (for example, an increase in the car fleet). But it can occur on the basis of business centralization, that is, when two or more commercial firms merge (the new commercial organization, as a rule, will have more assets, more employees, etc.). The desire to reduce losses is often the main reason for the merger of firms.

Process diversification assets and their application is understood in two aspects: in broad and narrow.

Diversification in a broad sense refers to the expansion of the scope of any organization.

Diversification of production should be understood as the process of penetration of specialized enterprises into new sectors of material and non-material production in order to ensure stable operating conditions.

One of the most convenient and common ways of risk management is insurance, which can be attributed to methods of reducing and transferring risks.

The essence of this management method is to reduce the participation of the company itself in compensation for damage due to the transfer by it (the insuring company) of the insurance company (insurer) of responsibility for bearing the risk.

The use of this method of risk management at the firm level is justified in the following cases:

If the probability of realization of the risk, that is, the occurrence of damage, is low, but the amount of possible damage is large enough. Regardless of the homogeneity or heterogeneity of risks, as well as the number of risks (mass or single), the use of insurance in this case is advisable;

If the probability of realization of risks is high, but the amount of possible damage is small. Insurance is justified if there are many risks.

Insurance methods differ in the way in which liability for risk is shared between the parties. A distinction is made between full insurance, which covers the entire specific risk, and partial insurance, which limits the liability of the insurer, leaving part of the risk to the insured.

There are two large groups of methods of partial insurance: proportional and non-proportional.

Under our vigilant gaze, the management activities and risk analysis that we use in our professional activity. In the past, since our last rendezvous, we managed to prepare the following article.

To be continued right now...
Today we will talk about risk management activities.

Introduction

Risk management activities, like any complex activity, are a complex iterative process that has its own stages, goals and objectives. Any stage has its own purpose, “takes” / “receives” the data determined by the “pre-activity” as input to its activity, and forms the final / intermediate result at the output.

Risk management can be defined at the top level by the following sequence of steps:

  1. Risk identification;
  2. Assessment of the likelihood of its occurrence and the scale of the consequences that may arise;
  3. Preliminary analysis and determination of the maximum possible losses;
  4. Selection of methods and tools for managing the identified risk;
  5. Development of a risk strategy to reduce the likelihood of risk realization and minimize possible negative consequences;
  6. Implementation of the risk strategy;
  7. Evaluation of the results achieved and adjustment of the risk strategy;
  8. Monitoring problem areas.

The reflected sequence of stages is only a distant representation of the activity in question, and will be further detailed and expertly expanded. For example, the “risk strategy” presented in this plan is just a set of certain interrelated processes and documents that reflect the essence of all or some stages of risk management.

Risk management, as it was said in the first article, is a rather young branch of activity, in the current understanding of its goals and objectives. It studies the degree of influence on various areas, processes, etc., both main and indirect / related, of certain events that entail the onset of various types of damage or profit, and how it can be managed or, in extreme cases, , guide or control.

Risk management and analysis is a separate area with a well-defined relationship to IT. But at the same time, it would be incorrect to call this area of ​​work a science, but it would be quite correct to talk about a methodology that has its own conceptual apparatus, classification, types of analysis, etc.

From the presented point of view, the main distinguishing feature of this methodology is the terminology. It is a mixture between such activities as information technology, technology, engineering, theory of machines and mechanisms, insurance business and stock exchange business, etc. The existence of such a “chimera” has developed historically, in accordance with the development of risk management, and requires a broad outlook and a versatile understanding of not only the “approximate” essence of the subject, but also its details, otherwise the professional risks being left behind. understanding of what is happening, which eliminates his participation in this process.

Behind each term, which will be given later in this article, there is a certain meaning and history of the development of the initial causes and effects, which acquired their right to exist due to the fact that their importance and continued relevance was confirmed by time and the validity of the results obtained, such as success or damage.

Thus, in order to competently manage and direct the development of risks, because the result of a risk can be not only damage, but also an effective result, it is necessary to understand in detail their categories, classifications and types. The uniqueness of each risk lies in the fact that the causes that give rise to them depend on factors such as the type of activity in which they manifest themselves, the environment of the process or event, the type of technology, etc.

Despite the fact that we announced that risk management and analysis is more of a methodology than a separate scientific direction in the field of information technology, the importance of perceiving and understanding the fundamentals that are directly related to seemingly non-IT disciplines is one of the components of success in mastering and applying knowledge of risk management in practice.

Definition of basic concepts

In order to speak with you, dear colleagues, in the same language (after all, we have already understood how important this is), the language of risk activity, it is necessary to immediately agree on the terms that you need to know in order to successfully master and apply knowledge of risk management in practice .

On the one hand, due to the specifics of the subject being studied, it is too early to talk about the established terminology in risk management in relation to information technology. Of course, this objective situation is associated with a variety of types of risk that are the object of consideration of our discipline. But we need to outline the scope of our research, otherwise you and I run the risk (yes, yes, that's right :)) to think about different things.

The definition of risk was given by us in the first article, but here, in order to form a complete picture of the subject under study, and a comprehensive look at a rather complex concept, we will give it again:

Risk is the potential for the occurrence of a probable event/phenomenon or a combination of them that can cause a certain amount of impact on the ongoing activity.

Given the complexity and diversity of disciplines that “fill” risk management, it is advisable to give an alternative concept of risk, given in one of the financial and investment textbooks:

A risk event or a group of related random events that cause damage to an object that has a given risk.

The given "financial" definition of risk obliges us to decipher the concepts that are included in it:

  • Randomness (many people associate the concept of randomness and unpredictability, which is not entirely true) of the occurrence of an event means the inability to determine the time and place of its occurrence.
  • Object - a material object or interest, a property of an object.
  • Damage is the deterioration or loss of the properties of an object.
  • Probability of an event is a sign of an event, which means that it is possible to calculate the frequency of the occurrence of an event if there is a sufficient amount of statistical data.

Thus, risk, as an independent event, or part of a larger event, has two of the most important properties in terms of risk management - probability and damage.

Each event is generated by a particular cause or set of causes. Such reasons are called incidents. The chain of successive stages that lead from the initial incident to the final event is a development scenario. Knowing the probabilities that led to the occurrence of incidents, it is possible to establish a sequence of intermediate steps and calculate the probabilities of the scenario. The determining factor in mastering risk management in information technology is the ability to simultaneously analyze, take into account and synthesize, when considering a specific situation or scenario, the following three domains:

  • Risk Domain
  • Management Domain
  • Information technology domain

It is the ability to simultaneously interconnect these seemingly completely different in nature subjects of a humanitarian and technical nature that contributes to success in the development and practical application of the field of risk analysis management. The ability to understand and recognize incidents belonging to different "nature" of occurrence and the skill of building scenarios, the various stages and steps of which belong to different domains, is an important characteristic of a high-class specialist in risk management.

Risk management on the example of modern methods

Today, many popular and fundamental IT methodologies from areas such as project management (PMBOK), analytics (BABOK), IT audit (COBIT), service activities (ITIL), software development (MOF), etc., are trying to to provide a tool that could offer an effective risk management and analysis algorithm. The following methods are such “tools” for various activities of the information technology domain: CORAS, OCTAVE, CRAMM, MOF risk management, Risk it, etc. The presented processes are the main ones in terms of demand and use, so we will consider them all and try to understand the specifics of each.

Brief overview of IT risk management methodologies:

CORAS

It was developed within the framework of the Western program "Information Society Technologies". The purpose of this methodology is to adapt, refine and combine such basic risk analysis methods as Event-Tree-Analysis, Markov chains, HazOp and FMECA.

CORAS uses UML technology and is based on the Australian/New Zealand standard AS/NZS 4360: 1999 Risk Management and ISO/IEC 17799-1: 2000 Code of Practice for Information Security Management.

In CORAS, information systems are considered not only from the point of view of the technologies used, but from several angles, more precisely, as a complex complex, in which the human factor is also taken into account. The rules of this methodology are implemented in the form of Windows and Java applications.

OCTAVE

The OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) methodology was developed at the Software Engineering Institute at Carnegie Mellon University (alma mater of many modern IT methodologies and software engineering areas) and provides for the active involvement of information owners in the process of identifying critical information assets and the risks associated with them.

Key elements of OCTAVE:

  • identification of information assets subject to risk and damage;
  • identification of threats to critical information assets;
  • identification of vulnerabilities associated with critical information assets;
  • assessment of risks associated with critical information assets.

OCTAVE provides for a high degree of flexibility, achieved by selecting criteria that an enterprise can use when adapting the methodology to suit its own needs. The methodology was developed for use in large companies, and its growing popularity has led to the creation of a version of OCTAVE-S for small enterprises.

OCTAVE does not provide a quantitative risk assessment, however, a qualitative assessment can be used in determining the quantitative scale of their ranking. The assessment may include various risk areas that, with the exception of technical and legal risks, are not directly included in the methodology. These are taken into account indirectly, during interviews with the owners of information assets, during which it becomes clear what consequences may occur if threats are realized.

CRAMM

The CRAMM methodology (CCTA Risk Analysis and Management Method) was developed by the British Central Computer and Telecommunications Agency in 1985 and is used for both large and small government and commercial organizations. CRAMM involves the use of technologies for assessing threats and vulnerabilities by indirect factors with the ability to verify the results. It contains a mechanism for modeling information systems from a security perspective using an extensive database of preventive measures to reduce / eliminate the impact of risks. CRAMM is aimed at a detailed assessment of the risks and effectiveness of the combinations of various countermeasures intended to be used.

MOF Risk Model (MOF Risk Model)

This methodology deserves special mention. We will devote a little more material and your time to it.

It is the most common in this moment time and defines the main stages of risk management, which will be covered in a separate article in the future (we really count on it), but which we will mention here:

  • Identification of risks - determination of the causes of the risk, the conditions for its occurrence, consequences;
  • Risk analysis - assessment of the likelihood of risk and damage to the information system and business;
  • Planning of actions - definition of the actions allowing completely to avoid risk or to reduce its influence. It also develops a plan of action in case of a risk;
  • Risk tracking - collection of information about changes, over a certain period of time, of various elements of risk. If the risk is considered insignificant for some time, it must be excluded from the list of risks. If the impact of the risk has changed, you should go to the analysis stage to re-evaluate this impact.
  • Control (Control) - the execution of planned actions as a response to the occurrence of a risk event.

If we consider the risk management model in isolation from the standards where it is used (ITIL, MOF, etc.), then we can see a relatively shallow, but fundamental view of the risk management model. For example, such a methodology as CRAMM contains more detailed instructions on risk assessment mechanisms, and BASEL II (mentioned in the first article) describes in more detail the issues of organizing a risk management system in a company.

COBIT 5 for Risk (RiskIT)

This standard considers the approach to risk management from two aspects: risk function and risk management.

In the first case, it talks about what you need to have in an organization in order to build and maintain a risk management system. In the second, we review key governance and management processes for risk optimization and regular procedures for risk identification, analysis, response and reporting.

As you have already understood, there is no single and centralized view of risk management in the IT field. The plurality of standards and methods is caused, first of all, by the specifics of risk analysis and management in application to certain industries and resources that can be spent on their implementation. But each of the described methods has the right to "be" only because they have proven their worth not only as "bookish" values, but also as a specific and effective tool activities. All of the above methods solve, in fact, the same type of problems caused by similar reasons and aimed at minimizing the damage from the occurrence of a risk or eliminating it in principle, but are “sharpened” for different types of organizations and processes in which it is planned to eliminate or minimize risks . Of the methods outlined, the most universal, without a doubt, is MOF, which, with varying degrees of adaptation, can be used in any type of activity, while the rest are, for the most part, specialized tools that require different degrees of attention and different resources. If desired, each of you can find more detailed information about the methods outlined in the "global web".

The relevance of risk management activities today

To date, information technology provides a variety of tools to support and develop any type of special activity, regardless of its specifics and other characteristics, whether it is a narrowly focused type of electronic business, education or a commonly used type of business services.

High technologies make it possible to increase the efficiency of already existing processes, to become the foundation for the creation of new ones, but at the same time, if they are used unmanaged, they become a source of enormous risks, which, in case of "overlapping", can be the sources of many "emergent" results. It is a well-known fact that risk management activities, in most countries, are in a particularly deplorable state in this direction observed in the Russian Federation, they are treated as unnecessary redundancy, which has recently become a “fashionable” direction of activity, which must be “as it were” followed due to many factors. But the realities modern conditions are such that at the current pace of development of the modern world (it is predicted that these rates will only grow), it is practically impossible to foresee, identify and fix the full range of possible problems for IP (the most dynamically changing industry), regardless of what type of work is being done : introduction of new software products and complexes, support and development of existing ones or decommissioning of obsolete ones, followed by the process of migration of information that is critical for a particular organization. In such an environment, a type of activity that is aimed at proactive and preventive activity in the context of solution / prevention / elimination, etc. emerging tasks and problems becomes especially important. This type of activity is the direction of risk analysis and management, which is confirmed by the active growth of the base of standards and methods, in which work with risks is fully or partially considered. Examples include the following methodologies COBIT, PMBOK, BABOK, ISO/IEC 17799, ISO/IEC 27000, BS7799, NIST SP800-30, etc.

Common Causes of Risks

At the heart of any constructive activity is a clear understanding of the goals, objectives and resources that are necessary to achieve the final result.

The more certain and unambiguous these factors are, the lower the degree of uncertainty that can potentially affect the achievability of the goal. Based on this, it is absolutely obvious that the main reason for any risk is the degree of uncertainty that is inherent in those postulates that are the framework of the process or project that initiates the activity we are considering. How obvious are our problems and the resources that are allocated to solve them, determines the riskiness of our activities. Uncertain tasks, a priori, are doomed to the fact that the possibility of compiling and implementing a viable plan for their resolution is a “poke” with a finger to “nowhere”.

The higher uncertainty of the conditions of both the external and internal environment leads to the fact that the resources allocated to overcome these conditions should be of the highest quality possible. Many negative factors and causes can be foreseen and "eradicated" based only on the experience of specialists with high risk management skills, but this can hardly be considered a predictable factor that should be used when building a risk management system. The problem of "limitation" of resources is a problem that leads to a shortage of productivity.

When implementing projects that have a high degree of uncertainty, it is necessary to pay increased attention to the commonly used risk analysis and management system. Such a system should take into account the specifics of both the activities in which the processes associated with risks take place, and the organizational component of the project and the organization in which it is carried out.

The organizational component and the attention paid to working with risks is a separate topic and area of ​​activity, which, unfortunately, is given scanty costs in Russia. An example of this may be that many guidance documents do not consider the aspect of risks in principle, their acceptable level and responsibility for accepting a certain level of risks.

This is not the case in developed countries. For example, in the American security glossary, you can find the term Designated Approving Authority - this is a person authorized to decide on the acceptability of a certain level of risks, which indicates a qualitatively different attitude to risk analysis and management, which in our country, of course, will eventually come to, but spending a lot of useless resources for this.

The involvement of all employees at all levels of the structural hierarchy of any enterprise in risk analysis activities and a closer attitude on the part of management could radically change the pessimistic trends that have been developing for years in this area and thereby bring the main processes of the IT industry to a qualitatively new level.

A clear understanding of the goals and objectives of the activities carried out helps to identify and minimize the overwhelming number of causes that lead to risks.

Goals and objectives of risk management

Risk analysis and management activities should be based on a clear, definite and unambiguous vision of why it is necessary for a given, specific subject to analyze and manage risks. Without a clearly defined plan (in an ideal situation, emerging from a development strategy), it is very difficult, and sometimes even impossible, to assess and correctly identify information risks. The success of these activities will depend only on the qualifications of the personnel serving them, which was discussed a little earlier. It should be noted that there is no single view and standard/order/regulation that could describe and suggest a way to solve all obvious and potential problems.

Each situation, each process consists of many elementary objects. These components must be subjected to the analysis procedure. The detail of the consideration of a particular particle depends on the value of the contribution of the object in question to the result of the activity.

The more complex and multifaceted processes we consider, the more important is the detailed preliminary study of the scope of activity, the methodology in which risk may arise and the application of best practices and methods recognized and tested earlier in work on them.

Understanding the goals helps to consciously control all the processes under consideration, understanding the given trend and the permissible deviations in its “path”.

The main goal in risk analysis activity is to provide the most complete and sufficient information for adequate risk management.

Under management, it is more correct to understand not “management”, as a specific function of management, but as the discipline “management” itself, which includes 5 processes:

  • Control
  • Initiation
  • Planning
  • Performance
  • Monitoring and control

The process of improvement, which has recently received the most rapid development due to the spread of the process approach to organizing activities, is not entirely correct to consider here. The reason for this is that the risk component should be "extinguished" over time during the analysis and management processes.

Analysis activity implies the implementation of a part of improvement activity due to the fact that a timely built system of metrics for the main “flawed” components of a process or project at the monitoring and control stage will significantly reduce the costs of this component and direct them in a more constructive direction.

The result of the analysis stage is exhaustive quantitative and qualitative data coming to the “input” of the management stage. The result of this stage is a no-risk or “controllable risk” result.

It will be possible to put into practice the above theses when each subject involved and interacting with an object at risk realizes the importance and necessity of their involvement in working with risks, the appearance of which, even hypothetically, is possible.

Understanding and participation in the management of risk analysis and timely escalation of emerging problems and tasks, at all hierarchical levels of any organization, will allow you to achieve your goals.

After the goals and objectives are set, accepted and unambiguously understood by all participants, the next step in dealing with risks is their identification (in the plans, the next article will be devoted to risk identification). The basis of the identification process is the categorical base, which is a tool for assigning a risk to a particular class or group of risk categories. "Placing" the risk in the correct category is a guarantee that in the future, work on processing the available information about it and developing a further algorithm for working on it will eliminate or reduce the amount of damage from its occurrence.

Classification and categories of risks

At the current moment in the development of the area of ​​risks in information technology, it is appropriate to talk about multiple typification of risks. The information technology industry has a set of risks that is most typical for risks associated with high-tech and complex activities that include various types of processes. A set of risks specific to a certain type of activity is called a set of risks.

When it comes to the complex, then, using technical terminology, it can be stated that the risk complex is a "mutually intersecting set" between all existing risk complexes. Despite the recursiveness of the resulting definition, it most clearly expresses the essence of the concept of risk complex.

Complexes of risks are a characteristic component for industry, financial and investment areas, commerce, lending and, of course, the field of information technology. Thus, the more complex and complex type of activity, located at the “junction” of various practical and theoretical areas, we consider, the more complex and multifaceted the risks will be.

Information risks arising in processes and projects differ in the place and time of occurrence, the totality of external and internal factors that affect their level and, consequently, the way they are analyzed and the methods of primary and subsequent descriptions.

As a rule, all types of risks are interrelated and emergent, therefore, they affect the activities carried out not only by themselves, but also in the aggregate.

A change in one type of risk can cause a change in most of the others that are in a certain complex. Risk classification means the systematization of a set of risks on the basis of some signs and criteria that allow combining risk subsets into more general concepts.

The most important elements underlying the risk classification are:

  • time of occurrence;
  • character;
  • occurrence factors;
  • consequences;
  • and etc.

According to the time of occurrence, risks are divided into retrospective (past), current and prospective (future) risks.

Analysis of retrospective risks, their nature and methods of reduction makes it possible to more accurately predict current and future risks, predict the possible nature of their occurrence and, accordingly, manage it.

By nature, risks are divided into:

  • External risks. These include risks that are not directly related to the activities of the enterprise or the environment interacting with it (the activities of suppliers, related companies, external developers, outsourcing and consulting companies, partners, etc.).
  • Internal risks. These include risks caused by the activities of the enterprise itself and its audience (risks associated with the qualifications of personnel, IT infrastructure, technologies used, etc.).
  • Organizational risks (OR). RR are the risks associated with the mistakes of the company's management, its employees; system problems internal control, poorly developed work rules, that is, the risks associated with the internal organization of the company's work.
  • Process risks (PR).. PR is a subsection of organizational risks. This type of risk is typical for certain types of processes. They are associated both with the execution of a separate process and with processes whose activities are interconnected by the functions they perform (cross-processes).
  • Project risks (PRR). PRR are risks that characterize the degree of danger for the successful implementation of the project as a whole or its individual stages.
  • Operational risks (OPR).. ODA are the risks associated with the performance of certain business operations by an organization.

It is difficult not to notice that the classification by the factor of occurrence is a “matryoshka”. The nesting of factors corresponds to the distribution of items in the process model of any company, while each of the risk groups considered has “internal” classifications that can be decomposed and expanded to the level necessary to track and control a certain type of risk.

According to the consequences, the risks are divided into:

  • Pure risks (sometimes also called simple or static) are characterized by the fact that they almost always carry losses for entrepreneurial activity. The causes of pure risks can be natural disasters, wars, accidents, criminal acts, incapacity of the organization, etc.
  • Speculative risks (sometimes also called dynamic or commercial) are characterized by the fact that they can carry both losses and additional profit for the entrepreneur in relation to the expected result. Reasons for speculative risks may be changes in market conditions, changes in exchange rates, changes in tax legislation, etc.

Speaking about the consequences of the occurrence of risks, it is necessary to single out a separate classification according to the degree of consequences of the occurrence of risks. This “sub-classification” is very important for making decisions on the feasibility of a risk-related activity:

  • acceptable risk. This is the risk of a decision, as a result of which, if not implemented, it is possible to “failure to achieve” the set goal of the activity. Within this zone, the activity retains its economic feasibility, i.e. there are losses, but they do not exceed the expected value.
  • critical risk. This is a risk in which the loss of all or part of the value of the result is possible; those. the critical risk zone is characterized by the danger of losses that obviously exceed the possible result and, in extreme cases, can lead to the loss of all funds invested in the project.
  • catastrophic risk. This is a risk in which there is a complete loss of value and it is possible that the risk subject will incur additional costs. This group also includes any risk associated with a direct danger to the life or further activities of people.

Success in attributing risk to one or another item of this classification directly depends on many factors, for completeness of views, 2 of them can be distinguished:

  • Quantitative degree of knowledge and certainty of a particular type of risk
  • Qualification, skill, experience, “foresight” of a risk manager who makes a decision on the implementation of risk-prone activities.

If we are talking only about the second factor, then, as noted earlier, it is difficult to say that the company has built a high-quality risk management system.

The success of such an organization depends only on specific specialists, who represent an "organization within an organization". As a rule, when such specialists leave, the risk management of the enterprise undergoes a complete collapse. Without a well-built system, which is based on a process model with constant measurement of the result of activities, according to specified success metrics, in the modern world of high technologies, the result will be quite difficult to achieve. But more on that later, in a dedicated article.

Summing up the topic of risk classification, it should be mentioned that the classification given here does not claim to be complete and sufficient. In any activity, there may be risks that are imprinted and the results of the specific activities of a particular enterprise. The manifestation of risks in them is possible and unique, single or present in group cases, depending on the specific environment and clearly defined parameters of the activity of a single organization. Such risks should be considered separately, in accordance with the risk analysis and management system, designed for the needs of this particular enterprise.

Before risk classification can be carried out, it is necessary to correctly identify and understand the prerequisites that may lead to the emergence or manifestation of risk. The stage of risk analysis that allows such activity to be carried out is risk identification. The accuracy of the chosen method of work and minimization of further possible or obvious damage depends on how correctly and far-sightedly the risk identification is carried out.

conclusions

We have completed a brief summary of the risk analysis and management direction, briefly outlining the boundaries of this activity. Here we have tried to concisely acquaint colleagues with the variety of species, types and the classification of risks based on them, the emergence of which, in essence, as we have shown, is facilitated, in most cases, by the uncertainty of initial conditions or resources.

In the following, we will proceed to a detailed consideration of the preliminary stage of risk analysis - the process of their identification and related methods and methodologies.

We wish our colleagues improvement in their work with/on IT risks.

All the best and see you soon!

The key to survival and the basis of the stable position of the enterprise is its stability. There are general, price, financial and other types of sustainability. Financial stability is the main component of the overall sustainability of the enterprise. The financial stability of an enterprise is such a state of its financial resources, their redistribution and use, when the development of the enterprise on the basis of its own profit and the growth of capital are ensured while maintaining its solvency and creditworthiness under conditions of an acceptable level of financial risk.

The purpose of financial risk management- reducing the losses associated with this risk to a minimum. Losses can be evaluated in monetary terms, and steps to prevent them are also evaluated. The financial manager must balance these two assessments and plan how best to close the deal from a position of minimizing risk.

Depending on the object of influence, methods of protection against financial risks can be classified into two types: physical and economic protection. Physical protection consists in the creation of such means as alarms, the purchase of safes, product quality control systems, data protection from unauthorized access, hiring security guards, etc.

Economic protection consists in forecasting the level of additional costs, assessing the severity of possible damage, using the entire financial mechanism to eliminate the threat of risk or its consequences.

Let's consider some aspects of the organization of work on risk management, primarily financial.

Financial risk management methods

The literature provides four methods of risk management Keywords: elimination, loss prevention and control, insurance, takeover.

The abolition is the refusal to commit a risky event. But for financial entrepreneurship, the elimination of risk usually eliminates profit.

Loss prevention and control as a method of financial risk management means a certain set of preventive and subsequent actions that are due to the need to prevent negative consequences, protect yourself from accidents, control their scale if losses have already been incurred or are inevitable.

The essence of insurance is expressed in the fact that the investor is ready (to give up part of the income, just to avoid risk, i.e. he is ready to pay for risk reduction to zero.

Insurance is characterized by the intended purpose of the created monetary fund, the expenditure of its resources only to cover losses in predetermined cases; the probabilistic nature of the relationship; return of funds. Insurance as a method of risk management means two types of actions:

1) redistribution of losses among a group of entrepreneurs exposed to the same type of risk (self-insurance);

2) seeking help from an insurance company.

Large firms usually resort to self-insurance, ie. a process in which an organization, often exposed to the same type of risk, sets aside funds in advance, from which, as a result, it covers losses. This way you can avoid a costly deal with the insurance company.

When insurance is used as a service of the credit market, this obliges the financial manager to determine the ratio between the insurance premium and the sum insured that is acceptable to him. An insurance premium is a payment for the insured risk of the insured to the insurer. The sum insured is the amount of money for which material assets or the liability of the insured are insured.

Absorption consists in recognizing the damage and refusing to insure it. Absorption is resorted to when the amount of the alleged damage is insignificantly small and can be neglected.

When choosing a specific means of resolving financial risk, the investor should proceed from the following principles:

you can not risk more than your own capital can afford;

one cannot risk much for the sake of little;

the consequences of risk must be foreseen.

The application of these principles in practice means that it is always necessary to calculate the maximum possible loss for a given type of risk, then compare it with the amount of capital of the enterprise exposed to this risk, and then compare the entire possible loss with the total amount of own financial resources. And only by taking the last step, you can determine whether this risk will lead to the bankruptcy of the enterprise.

Risk management process

The risk management process can be broken down into six stages:

goal definition,

ascertaining the risk

risk assessment,

choice of risk management methods,

application of the chosen method,

evaluation results.

From the point of view of financial risk, the definition of the goal is to ensure the existence of the company in the event of significant losses.

The goal may be to protect the operation of the enterprise from environmental conditions or to optimize the internal environment. As the external environment of the enterprise consider the bottom group of factors: direct and indirect impact.

Factors of direct impact include suppliers, buyers, competitors, the state. Factors of indirect impact include the state of the economy, socio-cultural factors, political factors, achievements of scientific and technological revolution, international events.

The positive factors of the internal environment include the presence of a special “economic security” service, an “economic warning” system that prevents unforeseen expenses.

The next step is to figure out the risk by collecting various information and using official and informal channels. In addition to financial statements and business plans, official sources of information include information obtained from periodicals, radio, television, etc. Unofficial information includes data received! through industrial espionage.

Risk analysis (assessment). Once a loss has been incurred, the next step is to determine its severity.

Choice of risk management methods. In accordance with the results of previous studies, one or another method of risk management is selected. A combination of several methods is also possible.

Application of the chosen method - the adoption of specific steps to apply a particular method. For example if insurance is chosen, then this step is to purchase an insurance policy. At the same time, different insurance companies are selected depending on their specialization in the field of insurance risks, then the optimal form of insurance policy is selected in terms of time, price and security.

In addition to insurance any risk management strategy includes a loss prevention and control program. Every function of financial management is involved in this: planning, organizing, directing and controlling.

Consider, for example, the role of planning as a management function in relation to financial risk management. One of the elements of intra-company planning is a business plan, in the structure of which there is a section "Risk Assessment".

This section of the business plan introduces an enterprise risk management tool. It is important to foresee all possible types of risks that an entrepreneur may face, to justify the sources of these risks and all possible moments of their occurrence. The section is aimed at studying not only financial, but also other risks (for example, political, legislative, natural (natural disasters), etc.). The section of the business plan "Financial Plan" is a monetary expression of all the calculations contained in the previous sections of the business plan. All risks presented in the "Risk Assessment" section find their monetary expression in the financial plan and affect the overall degree of financial risk. Below we give some typical calculations that are carried out when compiling this section of the business plan.

The use of limits in relation to indicators of the financial resources of the enterprise budget is a concrete expression of the results of risk planning. Limitation is the setting of a limit, i.e. limits on expenses, sales, credit, etc. Limitation serves as an important means of reducing the degree of risk and is used, for example, by banks when issuing loans, and by enterprises in the sphere of circulation when selling goods on credit, etc.

Organizational function of financial management and risk management. Many large firms employ security specialists. These managers plan the firm's risk management strategy, conclude insurance contracts, and direct the firm's efforts to control losses. Their functions go beyond simple insurance. For example, they give: advice on how to protect insurance payments from inflation, choose ways to avoid losses. In medium-sized firms, where there is no security specialist, the functions of a financial manager (financial director) also include the responsibility of managing financial risks, which is why they should plan methods for managing financial and especially investment risks. In small firms, this is one of the functions of the owner.

Control function of management and risk management.

Loss prevention management is in many ways similar to performance and quality management. It is about leadership in the form of actions, and not about verbal influence in accordance with the general theory of management, which is built on trust and obligations of management towards employees, concluding a contract with the union (since the safety of employees is primary for unions). The concept of financial management is based on “distrust of our own employees” and “limited trust” in internal financial information (the most important principles for building an internal financial control system follow from this).

The next (and final) step in the financial risk management process is evaluation of results. This requires a well-established system of accurate information that makes it possible to consider existing losses and the actions taken to prevent them.

Sometimes an investor makes decisions when the results are uncertain and based on limited information. Naturally, with more complete information, you can make a better forecast and reduce the risk. In this case useful information acts as a commodity. The cost of complete information is calculated as the difference between the expected cost of an acquisition when complete information is available and the expected cost when information is incomplete. The purpose of risk analysis as one of the most difficult stages of financial risk management is to provide potential partners with data to make decisions about the feasibility of participating in the project and the ability to provide measures to protect against financial losses.

When conducting a risk analysis, first of all, it is necessary to determine their sources and causes, which of them are the main, predominant ones. Risk sources can be economic activity, human personality, natural factors. The reasons include the lack of information, the uncertainty of the future, the unpredictability of the behavior of a business partner.

Risk analysis is divided into two mutually complementary types: qualitative and quantitative.

Qualitative analysis is the identification of all possible risks. Qualitative analysis can be relatively simple, its main task is to identify risk factors, stages of work during which the risk arises, etc.

When conducting a risk analysis, the degree of risk should be determined. The risk may be:

admissible - there is a threat of a complete loss of profit from the implementation of the planned project;

critical - non-receipt of not only profits, but also revenues and coverage of losses at the expense of the entrepreneur's funds is possible;

catastrophic - loss of capital, property and bankruptcy of the entrepreneur are possible.

Quantitative analysis is the definition of specific monetary damage to individual subspecies of financial risk and financial risk in the aggregate.

Sometimes qualitative and quantitative analyzes are carried out on the basis of an assessment of the influence of internal and external factors: an element-by-element assessment is carried out specific gravity their influence on the work of this enterprise and its monetary expression. This method of analysis is quite laborious from the point of view of quantitative analysis, but brings its undoubted results in qualitative analysis. In this regard, more attention should be paid to the methods of quantitative analysis of financial risk, since there are many of them and a certain managerial skill is required for their competent application.

In absolute terms, the risk can be determined by the scale of possible losses in material (physical) or cost (monetary) terms.

In relative terms, risk is defined as possible losses related to a certain base, for which it is most convenient to take either the property state of the enterprise or the total costs of this type of entrepreneurial activity.

Executive Director of RusRisk,
Ph.D. Shemyakina T. Yu.

Awareness of the importance of risk management is also coming to Russian business.

As you know, risk is understood as the probability of obtaining an unfavorable result that can lead to losses, and therefore risk management should include the processes of identifying, assessing and optimizing its level with subsequent monitoring.

According to the magazines "Risk Management" and "Company", over the past three years, the demand for specialists in the field of risk management has increased almost seven times. The market for these services is growing at least tens of percent a year, enterprises are paying more and more attention not to current problems, but to possible tomorrow's risks.

The specifics of the current perception of possible threats by Russian business can be illustrated by survey data.

Source: Report on the conference "Insurance and reinsurance in the risk management system" big business”, organized by the Russian Policy Information Group with the support of the Russian Risk Management Society (RusRisk).

According to the Risk Management magazine, the following risks will become the most significant in the next five years (in descending order):

  • reputational,
  • regulatory,
  • the risk of missing out on strategic business development opportunities and the dangers associated with outsourcing service providers,
  • political risks,
  • strategic partnership risks,
  • consequences of climate change,
  • New generation IT threats,
  • the risk of pandemics
  • economic instability,
  • terrorist threat,
  • rise in organized crime
  • increased competition from abroad.

The expert survey "Assessment of the development of risk management in Russia" identified the main problems of increasing the level and quality of risk management (% of the number of respondents is given):


Source: Russian Polis magazine.

According to a survey by the British magazine StrategicRISK, in the future, many issues will be addressed outside the traditional ways of transferring risks. In five years, risk management will focus primarily on managing operational risk.

A more aggressive approach to risk management, as opposed to simple risk reduction, will be used more widely. A significant part of the responsibility will be transferred to line managers. The role of risk managers will primarily be to coordinate risk analysis, loss prevention and risk transfer strategies. Risk management will be perceived as a specialized activity that does not fall within the competence of auditors, and risk managers will receive a higher status in the organization - at the level of the board of directors - and will be able to deal with a wider range of issues related to strategic planning, policy development of the organization, production , quality management and decision making.

Profession risk manager

Twenty years ago, as risk managers, company presidents sought to hire insurance business professionals to act as a buffer between company management and the enigmatic world of insurers. According to Tillinghast-Towers Perrin's report "Enterprise Risk Management: Trends and Emerging Practices", typical modern enterprise risk managers are not highly specialized in risk management - their careers have developed in most cases in more general management functions (including number - internal audit). This confirms that the risk manager is required to have the preventive thinking of the head-strategist and coach.

In the field of risk management, the profession of a specialist risk manager is also being formed. Specialists in identification, analysis, monitoring and specific types of risk help to form and justify an integrated risk management program.

In commercial, financial, government organizations, educational institutions, in almost all organizations, risk managers mainly worked with insured risks. At the same time, line managers are primarily interested in business risks such as competitive, operational and personnel uncertainties. It follows that any management in business is one way or another risk management, and any line manager is to a large extent a risk manager.

In a market society, it is the firm that is responsible for paying all damages that have occurred due to its action or inaction. And claims for such damages can be significant. In today's world, every employee becomes a risk manager to a large extent, risk management itself in a well-managed company becomes a "shared collective profession." It is this approach that allows us to resolve the contradiction between the expansion of the need for risk managers and the high requirements placed on them.

What are the specific requirements for professional risk managers.

Criterion 1. The effectiveness of the risk management program developed and implemented in the organization.

Criterion 2. One or more major organizational issues identified and resolved by the risk manager.

Criterion 3. Ability to inventively apply a wide range of risk management and insurance tools.

Criterion 4. Examples of creative and effective use of the insurance market opportunities to create an organization's protection system.

Criterion 5. Contribute to the establishment of an intelligence system within and outside the organization that effectively collects and stores information about risks, events and activities that affect the organization's risk management and insurance.

Criterion 6. Ability to competently manage the risk management unit and perform the risk management function in other parts of the organization.

Criterion 7. Achieve the most cost-effective effective work risk management programs in the long term.

Criterion 8. Achieving excellence in one or more broad areas, resulting in improved management of the organization's core operations.

Criterion 9. The manifestation of attitude and active actions to strengthen and develop the profession of "risk manager".

Criterion 10. Continuing education in the field of risk management.

In order to outline the current state of the profession in developed countries, let's look at some statistics. According to a study by the Center for Risk Management at Georgia Enterprises and Tillinghast Towers Perrin, 85% CRO (Chief Risk Officer - in Russian enterprises, similar functions are now performed by heads of risk management departments or internal control and audit departments, such specialists work in energy, utilities, insurance, banking and financial services), 50% of the organizations surveyed reported that they had a CRO position only in the last 2 years, 20% in the last 3 years, and only 1% in the last 5 years.

There are three main reasons for creating such a position in enterprises and companies of Russian business: 1) centralization and coordination of risk management; 2) implementation of an integrated approach to risk management; 3) improving the awareness of management, the board of directors and other interested groups about the risk position of the organization.

The most important qualification components for a CRO position are: communication skills (18%), ability to manage (8%), knowledge of accounting and reporting (accounting) (15%), knowledge of finance (22%), knowledge of mathematics and statistics (24%) , education in the field of risk management (13%).

Risk management services are often formed in the form of small units capable of achieving a sufficiently high business security with minimal means. This requires an increasing level of professionalism from risk managers. The staff members of these units should be well educated and active employees of the firm. In small firms, risk management functions will increasingly be given to their owners and managers.

The subordination of the risk management service can be different: 45% of CROs are directly subordinate to the top manager of the organization; 35% - higher financial manager organizations and 20% - to other officials.

For the foreseeable future, CRO positions will be created by: financial and infrastructure firms, trading firms, telecommunications companies and large multinational companies, as well as integrated risk management services will be formed in many firms in most industries.

Risk Management Process

Risk management ensures the achievement of the company's goals and objectives and, accordingly, contributes to its capitalization, development and image due to:

  • applying a systematic approach that allows planning and implementing long-term activities of the organization.
  • improving the decision-making process and strategic planning by developing an understanding of the structure of business processes, changes occurring in the environment, potential opportunities and threats for the company.
  • contribution to the most efficient use/allocation of the capital and resources of the organization.
  • protecting the property interests of the company.
  • optimization of business processes.
  • Improving the skills of employees and creating an organizational base of "knowledge".

Risk management is a central part of a company's strategic management. This is a process by which a company systematically analyzes the risks of each type of activity in order to achieve maximum efficiency of its activities and, accordingly, increase the value of the company.

Risk management as a unified management system includes a program for monitoring the fulfillment of tasks, an assessment of the effectiveness of measures taken, as well as a system for rewarding personnel at all levels of company management.

Risk management must be incorporated into the general culture of the company, accepted and approved by the management, and then communicated to each employee of the company as a general development program with specific objectives.

The risk management process includes a sequence of tasks to develop the strategic goals and objectives of the company; risk diagnosis and identification, description and measurement; risk assessment and risk reporting; development of a risk management program and distribution of risk management functions in the company; monitoring the risk management process (Fig. 1).

The risks to which a company is exposed can arise due to both internal and external factors. The diagram below (Figure 2) shows the key risks arising from internal and external factors. Risks are differentiated into the following categories - strategic, financial, operational, dangers.



Different levels of company management require different details of risk information:

The board of directors (shareholders) must be aware of the risks the company faces; monitor the implementation of the risk management program; know the anti-crisis program; maintain the image of the company.

The structural unit of the company must clearly know the risks that fall within the scope of its direct activities; have clear process indicators that allow ongoing monitoring of the effectiveness of the risk management program; report systematically to management on the performance of the risk management program.

Each employee must understand their contribution to the overall risk management program, understand the value of the risk management system for corporate culture, promptly report to their immediate management on any changes or deviations in the risk management program.

Which specialists work in the company's risk management service

1. Specialist in the organization of the risk management process

Must have good organizational and coordination skills as mainly performs administrative functions, for example, drawing up a register and a risk map, convenes a risk committee, monitors the formation of action plans for risk management. At the same time, in its activities, it must be guided exclusively by the approved corporate risk management standard and the company's instructions.

2. Risk Assessor

Must have good skills in mathematical modeling as well as good knowledge of probability theory and mathematical statistics. At the initial stage, it is not necessary to have any qualification in risk management. Since the process of implementing the corporate risk management cycle inevitably goes through the risk assessment stage, the risk management service must necessarily have an employee with sufficient skills and knowledge for this. Like other employees of the risk management unit, he must be guided by the company's regulatory and methodological framework for risk management and management instructions.

3. Expert (analyst) on production risks

On the one hand, the activity of each company in the real sector is unique and specific. On the other hand, the main internal risks of the company are operational risks, which include the production risks of the real sector company. Qualitatively identify production risks and participate in the processes of planning measures to manage production risks can only be an employee who is an expert in precisely the production activities that are inherent in a particular company. This employee can be drawn either from the relevant production business units of the company, or from other companies in the industry, but in any case, it must have specific production experience.

As the necessary experience and qualifications in risk management are obtained, the activities of employees in the organization of the risk management process, risk assessment and production risks can be combined, and the number of these employees is optimized. At the same time, of course, it depends solely on the motivation of each individual employee to obtain related competencies, i.e. from their aspirations to their own universalization within the framework of the company's risk management and their own participation in this process.

If the company has implemented and operates an integrated risk management system (CRMS), then the following specialists may also be involved.

1. Employee for IT support of the CRMS

If a company plans to implement or has already implemented an IT system that supports risk management processes in accordance with the corporate risk management standard, then the administrator of this system must be part of the risk management department. However, the responsibility of the administrator of the IT system for risk management should lie with the person responsible for organizing the risk management process.

2. Occupational Health and Safety Risk Officer

3. Environmental Risk Officer

4. Information Security Risk Officer

The system of labor protection and industrial safety, the environmental management system, the information security management system should be subsystems of the corporate risk management system, especially since the risk management methodology is the same, no matter what risks it relates to.

At the same time, health and safety management systems, environmental management and information security are among the most implemented standards in the world and the Russian Federation, in terms of the frequency of implementation in companies (along with quality management standards). On the other hand, if we examine the relevant basic standards of these systems, then they are talking about risk management. IN Russian companies even before the introduction of a corporate risk management system, one can often find the presence of the above systems implemented or being implemented. Of course, the employees responsible for these systems should ideologically report to the company's head of risk management. However, due to the specifics and uniqueness of the situation in each individual company, at the initial stage, this accountability can only be implemented functionally, i.e. without direct organizational involvement in the risk management unit.

After the CRMS is implemented, and risk managers gain sufficient qualifications (competence) to manage these three systems, appropriate organizational changes should occur leading to the organic entry of these systems into a single corporate risk management system.

5. Market risk officer

This is an employee dealing with the so-called market risks: currency; percentage; price (commodity). That is, the risks of fluctuations in foreign exchange rates, fluctuations in interest rates, as well as fluctuations in market prices for the company's products and for raw materials consumed by the company, electricity, etc.

Managing these risks is often accompanied by working with forwards, futures, options, swaps and other market risk management tools for companies in the real sector of the economy.

At the same time, it is often found that market risk management using the above methods is carried out by one of the divisions of the company's "financial block" long before the start of the implementation of the CRMS.

The profession of a risk manager in Russia in recent years has been increasingly declaring its necessity, since uncertainty and possible losses must be foreseen and their impact on the business must be limited, and not deal with the existing consequences.

This needs to be learned!

Literature

  1. MA Rogov The Concept of Development of the Russian Society for Risk Management. - M., 2009
  2. Risk Management: Textbook / Ed. I. Yurgens.- M .: "Dashkov and K", 2003
  3. Risk management standards. FARM, 2003

Seminar "Competencies of a risk manager"

The speakers from RusRisk will be:

  • Shemyakina Tatiana (executive director)
  • Lyubov Belousova

Participation in the seminar is free.

Please take part in.

Interesting articles

Interesting articles

© imht.ru, 2022
Business processes. Investments. Motivation. Planning. Implementation