Memoire Online - Risk management in Etablissement Kazoza et Compagnie-Rwanda

A Dissertation Submitted in Partial Fulfilment of the Requirements for the Award
of a Masters of Arts Degree in Project Planning and Management of Kabale
University.

DECLARATION

I hereby declare that «Risk Management in Etablissement Kazoza Justin et Compagnie-Rwanda» is my own work that has not been submitted to any university for any academic award.

APPROVAL

This research entitled: «Risk Management in Etablissement Kazoza Justin et Compagnie-Rwanda» has been under my supervision.

Signature:.....................................

DEDICATION

I dedicate this piece of work to my wife TUYIZERE Petronille, our son JABO MAKOMA Rock and our lovely daughter JURU MAKOMA Raeka for their endless love and patience for all time i devoted up to the completion of this piece of work.

ACKNOWLEDGEMENTS

I would like to extend my sincere gratitude to my supervisor Mr. Barigye Godfrey who has always been there for me throughout my piece of work by teaching me research with patience and goodwill.

I thank the Almighty God for giving me the power, wisdom, knowledge and the courage to successfully accomplish my mission as a student.

I am so grateful to the management of Kabale University for providing a master degree which is rare in this region. Without their support, this study would not have been possible. My heartfelt thanks go to all the lecturers and staff of the Department of project planning and management for their efforts towards the completion of my studies. I am highly indebted to the management of Etablissement Kazoza Justin et Compagnie and all respondents who participated in this study, without you this study would not have been possible.

I am also grateful to my colleagues at King Faisal Hospital, Kigali for their constant support and love throughout my two years of study. Special thanks go to members of Boundless Consultancy Group Ltd and their families for the moral support and words of encouragement they always gave me throughout my studies.

Lastly, my utmost appreciation goes to my late father Rutaganira, my mother Madeleine Nyiragapasi and my brothers Ntamuhanga Ningi Emmanuel and Sekaneza Jean Pierre for their persistent love and care that i received from them days and nights.

LIST OF TABLES

LIST OF FIGURES

LIST OF ABBREVIATIONS

ABSTRACT

This study examined how Etablissement Kazoza Justin et Compagnie (EKJ & Cie) handled potential risks which were threatening its business. It was guided by four objectives. It adopted a case study design, used both qualitative and quantitative research methods for data collection. It covered 50 respondents and employed interviews, questionnaires and observation methods for data collection. The findings from interviews revealed that there are no structured and written risk management plans but still employees have some knowledge about risk as confirmed by interviewees. Ninety two percent of respondents confirmed to have had trainings related to risk management, 84% expressed their concern about physical and technological risks. Seventy four percent had been once at risk which could put their life in danger. Also, respondents demonstrated their need of protective equipment by 88% but this number dropped to nearly 57% with no convincing reasons as the management confirmed their existence. Respondents admitted by 72% that they don't know whether there are risk management plans within the company but, nearly the same percentage confirmed the existence of rules and regulations that govern the company. All respondents (100%) know that they have health insurance which helps them to pay less when they are sick or their close relatives. As far as the future of risk management is concerned, the management is planning to hire a consultant to carry out the feasibility study. The study demonstrated needs for the enterprise management to come up with strong operational risk management plans.

CHAPTER ONE: BACKGROUND TO THE STUDY

This chapter contains the background of the study, statement of the problem, the purpose of the study, general and specific objectives, research questions, significance of the study, definitions of terms as well as the conceptual framework. It covers the overview of risk management in general, highlights the motivation of the researcher to carry out this study and states the importance of the study towards the readers as well as to the research setting.

1.1 Background to the study

Risk is usually defined as an assessment of the possibility of some adverse event occurring and the likely consequences of this event. Risk is inherent in the functions and activities of any organisation and its service providers.

Risks can come from uncertainty in all areas such as in accidents, natural causes, business and project failures, attack from adversaries etc (Hillson D.1997). Any business has exposure to a diverse range of risks. This exposure includes professional risks, commercial risks, political risks, risks to beneficiaries, community services and risks associated with competition. The organisation's main risk mitigation strategies to date have included administrative, contractual, technical, safety and management controls as a part of business and program activities (www.treasury.act.gov.au).

As the consequences of an adverse event may include an inability to meet beneficiary and customer requirements, financial loss, organisational or political embarrassment, operational disruption, legal problems, and so forth, it is important that management policies, procedures and practices are in place to minimise the organisation's exposure to risk. Risk management involves adopting and applying a systematic process to identify, analyse, assess, control and monitor risk so that it is reduced and maintained within an acceptable level. Risk management is a business tool and a part of «good management» and good planning processes. (Hillson D.1997)

Risk management is a key part of improving a business and services to be a leading business. The aim is to achieve best practice in controlling all the risks to which business is exposed. To achieve this aim, risk management standards should be created, maintained and continually improved. This will involve risk identification and risk evaluation linked to practical and cost-effective risk control measures. ( www.standards.com.au)

Risk management is a continuous process demanding awareness and proactive action from all the organisation's employees and outsourced service providers to reduce the possibility and impact of accidents and losses, whether caused by the organisation or externally. Risk management is a core responsibility for all managers. Suitable risk management activities should be incorporated into the business planning, operations and the management. ( www.insuranceriskadvi ce.act.gov.au).

Risk management is one way of business planning and implementation process, but, the fact of having a Risk Management Plan (RMP) is not enough, it must be operational and all company's employees must be aware of it and get trainings on how it is implemented. These trainings are mandatory because these ones must know how to prevent some risks and how they behave in front of a materialized risk (issue) because they may be themselves either, source of risk or be at risk if not well protected (www.treasury.act.gov.au). Importantly, the research will assess the level of risk management in private institutions.

Risks are everywhere in this world, it is almost impossible for all of them to be prevented or controlled before they appear. Some risks are harder to identify and prevent their occurrences (e.g. risks of a natural disaster like Tsunami, draught, floods etc). But, some of them are manageable and preventable but do occur and cause serious negative consequences in life simply because of ignorance, negligence or lack of planning ( http://www.mindtools.com). Etablissement Kazoza et Compagnie (EKJ&CIE) is a fourteen year old company working in Rwanda involved in house and road building, electrical ware repair. With time and of the ambitious plans by owners, its capacity was increased time to time. However, EKJ&CIE like any other business company faces a high market competition of similar and older companies registered in the Rwanda Development Board (RDB). Among others, it faces risks like high competition, theft, environmental pollution, physical injuries to the personnel, fire, IT fraud, insecurity among others which may cause negative consequences such as financial loss, injuries, deaths of employees etc ( www.morebusiness.com) despite good financial investments. The success on the open market requires many factors among which the risk management plays a big role.

1.2 Statement of the problem

The EKJ & CIE like any other business company was under threat of a number of business risks. These are linked with high competition, tax penalties, theft, insufficient capital investments, unstable human resource, physical injuries to personnel, fraud, global economy crisis etc.

The researcher investigated the company's operational risk management plan, assessed challenges they face and examined the current trend in risk management. The researcher also assessed the level of awareness of company's staff about risk and how they deal with them.

This study aimed at examining how EKJ&CIE deals with potential risks that endanger its businesses. It found out the current trend in risk management strategies in EKJ&CIE and assessed the employees' awareness in matters related to risk management procedure. It aimed at finding out the gap in risk management between the current and the one desired and made appropriate recommendations to the management of EKJ&CIE which other similar business institutions may benefit as well.

To examine the risk management plans of EKJ&CIE. These are documents prepared by/for the manager to foresee risks, to estimate the impacts, and to create response plans to mitigate them.

1.4.2 Specific objectives of the study

1. What is the level of awareness of EKJ&CIE employees in relation with risk management?

This study covered only the area of risk management whereby the researcher analysed how the management assessed, treated and communicated risks. The research demonstrated risk management plans used in EKJ&CIE, identified challenges faced, assessed the level of awareness of the staff and, examined the current trend of EKJ&CIE in risk management. It was a case study due to financial and time constraints and was carried out in EKJ&CIE and covered the period from 2006 to 2011.

Risks are worldwide and human beings need to control and minimize them at some extent in order to cope with life. In the business/project environment, it is ideal to equip with a well structured risk management which requires sequential and orderly phases namely; Risk identification, quantification, response, monitoring and control. However, there have been a lot of researches done in other countries regarding risk management as one of business promoting strategies. However, in Rwanda, there was no research done concerning risk management in private businesses/projects and therefore no information was available on risk management as business promoting strategy. The study highlighted the role of risk management plans, challenges of risk management plans, the current trends of risk management and the employee awareness regarding risk management in EKJ&CIE.

It was hoped that the findings from this study would be relevant to a variety of beneficiaries including the researcher, Kabale University, future readers of the findings as well as the EKJ&CIE management.

1.7 Definitions of terms

Business: A business (also known as enterprise or firm) is an organization engaged in the trade of goods, services, or both to consumers. Businesses are predominant in capitalist economies, in which most of them are privately owned and administered to earn profit to increase the wealth of their owners. Businesses may also be not-for-profit or state-owned. A business owned by multiple individuals may be referred to as a company, although that term also has a more precise meaning.

Personal protective equipment (PPE): it is any apparel, accessories, apparatus, or substance which guards an individual from suffering injuries during mishaps. As such, equipments such as these are vital in industries working with heavy machinery, production, medical, and the like requiring the handling of dangerous substance and equipment. It can also refer to those protective attire and accessories used in sporting activities. The key reason for PPE is to reduce occupational hazards to ensure the safety of employees.

Risk analysis: Risk analysis is the process of defining and analyzing the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events or a process of assessing identified risks to estimate their impact and probability of occurrence (likelihood).

Risk control: The process through which decisions are reached and protective measures are implemented for reducing risks to, or maintaining risks within, specified levels.

Risk identification: The process of identifying risks using techniques such as brainstorming, checklists and failure history.

Risk Management (RM): the way through which an organisation identify and treat risk minimise loss. It is a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.

Risk Management Plan: is a document prepared by a business/manager to foresee risks, to estimate the effectiveness, and to create response plans to mitigate them.

Risk: A risk is something that may happen and if it does, will have a positive or negative impact

This is a theoretical structure of assumptions, principles, and rules that holds together the ideas comprising a broad concept. It is structured from a set of broad ideas and theories that help a researcher to properly identify the problem they are looking at, frame their questions and find suitable literature. It is used to guide in data collection and analysis.

-Risk identification
-Risk quantification
-Risk analysis
-Risk response
-Risk monitoring and control

- Prevention of financial loss
-Risk awareness
-Quality management
-Business plans
-Communication
-Business growth

Private business development is one of development leading factors in any country. However, there are many factors that influence this growth either inside the business institution itself or from outside of it. One of those factors is the government policies (other variables) in relation with trade, taxes etc. In Rwanda for instance, the doing business policy allows new entrepreneurs to register in Rwanda development board and start the business within 24 hours only.

The business establishment is not enough, it requires other factors for its growth and sustainability like risk management (dependent variable) among others. This is a continuous process whose purpose is to clarify the importance and events for tackling the risks that the business may face. Risk management is important because it gives the ability to figure out methods for which events can be managed, especially those events that may have an adverse impact on the financial or human capital of the organization.

This includes the information about the evaluation of various risks and four options for managing each risk (intermediate variables) which are risk identification, quantification, response and risk monitoring and control. This is a proactive process and not reactive.

The implementation of the risk management process illustrated above leads to the following positive outcomes (consequential variables); prevention of financial losses whereby resources are well planned and allocated, risk awareness by all employees of the institution by following internal rules and regulations and obeying the law among others which leads to quality management, establishing good business plans, adequate communication within the business organisation which in combination lead to a business growth of the institution (independent variable)

CHAPTER TWO: LITERATURE REVIEW

2.0 Introduction

This chapter gives an overview of the literature of other researchers and writers about risk management. However key words are well explained and theories are discussed. The historical back ground of risk management is explained, dangers and benefits of implementing a risk management plan, challenges of risk management and the current trend of risk management.

2.1 Overview of Risk Management

The entire history of the human species is a chronology of exposure to misfortune and adversity of efforts to deal with risks. Although it is perhaps an exaggeration to claim that the earliest profession was risk management, it can be argued that from the dawn of their existence, humans have faced the problem of survival, not only as individuals but as species. The initial human concern was a quest for security and avoidance of the risks that threatened extinction. Our continued existence is testimony to the success of our ancestors in managing risk (Emmett, 1997).

The real risk management record is from Babylon in the code of Hammurabi, dating from around 2100 BC (Sadgrove, 2005). This concerned a form of naval insurance whereby the owner of the vessel can borrow money to buy cargo and does not have to pay the debt if the ship is lost at the sea. Until recently insurance was still the main way that companies managed risk. Thus in 1960s and 1970s insurance companies sought to reduce their potential losses by encouraging businesses to make their premises safer. This was the «1^st age» of risk management. Currently, insurance desire other aspects for risk management.

Businesses considered only non entrepreneurial risk (such as security). They also used risk reactively, to see how much insurance they should buy. In 1980s, businesses started to introduce quality assurance, to ensure that products conformed to their specifications. This was heralded by the British Standard Institutions (BSI) launching the quality standard BS5750 in 1979. In this, the «2^nd age» of risk management, companies treated risk in a more proactive or preventive way (Emmet, 1997).

In 1993, James Lam became the world's first Chief Risk Officer, at the US financial services firm GE capital.

The «3^rd age» of risk management arrived in 1995 with the publishing by Standards Australia of world's risk management standard, AS/NZS4360: 1995, which has now been updated three times. This was followed by the Canadian standard, CAN/CSA-Q850-97 (Fone & Young, 2000).

It is not known when exactly risk management was used in Africa in general and in east Africa in particular but, really, as in the middle-east and Europe. Africans also had their ways of handling risks and issues even though data were not recorded like other parts of the world because of illiteracy. For instance, in the field of prediction and early warning of disasters, the Luo community in the Lake Victoria basin had a large number of climate monitoring indicators that enabled them to tell such things as the right time to start planting in anticipation of the rains or to preserve and store food in anticipation of a dry season. These indicators included observation of the behaviour of animals, birds, reptiles, amphibians, insects, vegetation and trees, winds, temperatures and celestial bodies. In the area of animal health, the Maasai, who inhabit both Kenya and Tanzania, had at least half a dozen different medicinal plants for treating East Coast Fever alone in cattle. In farming technologies, the Matengo people, believed to have lived in the steep slopes of Matengo Highlands since the Iron Age, had developed a sophisticated system that enabled them to grow crops on hillsides while at the same time controlling soil erosion and improving soil moisture and fertility. For example, the Banyala community in Budalang'i living on the shores of Lake Victoria had a well-organized system for mitigating impeding disasters. There were elders who dealt with rainfall prediction and early warning. Each homestead had a dugout canoe ready for transport in case of heavy flooding. Each community was also required to dig trenches to control the water around the homestead and around farmlands. In addition, they were required to avoid ploughing along the lake shores when heavy flooding was predicted and were advised to catch fish during April-August rainy period when they were plentiful and preserve them by drying and smoking for use in times of scarcity.

Those living on the highlands were expected to accommodate neighbours displaced by floods in the lowlands, which were flood prone areas, and so on.

In Swaziland, where drought and occasional floods are common disasters, communities took precautions after predicting disasters. For example, they used the height of the nests of the emahlokohloko bird (Ploceus spp.) on trees to predict floods. When floods are likely to occur the nesting of the emahlokohloko is very high up the trees next to a river and when floods are unlikely the nests are low down. The Swazis also used the cry of certain birds to predict rain and yields of certain wild fruit plants to predict famine. Other indigenous methods used by the Swazis to predict natural hazards include wind direction, the shape of the crescent moon and the behaviour of certain animals (UNEP, 2008).

2.2 Risk management plan

Some experts have said that a strong risk management process can decrease problems on a project/business by as much as 80 or 90 percent (www.executivebrief.com)

There are four stages to risk management planning; Risk Identification, Risks Quantification, Risk Response and Risk Monitoring and Control ( www.projectperfect.com).

2.2.1 Risk Identification

It consists of identifying and naming all possible risks. The best approach is a workshop with all staff to carry out the identification by using a combination of brainstorming and reviewing of standard risk lists ( www.projectperfect.com). Other researchers have identified other methods to identify risks by using a risk calculator (www.referenceforbusiness.com). The risk calculator measures three kinds of internal pressures: risk stemming from growth, corporate culture, and information management. Using the risk calculator, managers can determine if their company has a safe or dangerous amount of risk.

Although the risk calculator is not a precise tool, it does indicate areas where risks and potential losses exist, such as the rate of expansion and the level of internal competition.

2.2.1.1 Objectives of Risk Identification

The objectives of risk identification are to identify and categorize risks that could affect the project and document these risks. The outcome of risk identification is a list of risks. What is done with the list of risks depends on the nature of the risks and the project. On noncomplex, low-cost projects with little uncertainty (few risks), the risks may be kept simply as a list of red flag items. The items can then be assigned to individual team members to watch throughout the project development process and used for risk allocation purposes. On complex, high-cost projects that are by nature uncertain, the risks can feed the rigorous process of assessment, analysis, mitigation and planning, allocation, and monitoring and updating described in this document (Highways Agency 2001).

The risk identification process should stop short of assessing or analyzing risks so that it does not inhibit the identification of "minor" risks. The process should promote creative thinking and leverage team experience and knowledge. In practice, however, risk identification and risk assessment are often completed in a single step, a process that can be called risk assessment. For example, if a risk is identified in the process of interviewing an expert, it is logical to pursue information on the probability that it will occur, its consequences/impacts, the time associated with the risk (i.e., when it might occur), and possible ways of dealing with it. The latter actions are part of risk assessment, but they often begin during risk identification (Federal Highway administration, 2005).

2.2.1.2 Risk Identification Process

The risk identification process begins with the team compiling the risk events. The identification process will vary, depending on the nature of the project and the risk management skills of the team members, but most identification processes begin with an examination of issues and concerns created by the project development team. These issues and concerns can be derived from an examination of the project/business description, work breakdown structure, cost estimate, design and construction schedule, procurement plan, or general risk checklists. The team should examine and identify events by reducing them to a level of detail that permits an evaluator to understand the significance of any risk and identify its causes, (i.e., risk drivers). This is a practical way of addressing the large and diverse numbers of potential risks that often occur on highway design and construction projects. Risks are those events that team members determine would adversely affect the project (Highways Agency, 2001).

After the risks are identified, they should be classified into groups of like risks. Classification of risks helps reduce redundancy and provides for easier management of the risks in later phases of the risk analysis process. Classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects (Federal Highway Administration, 2005).

Numerous techniques are available to facilitate risk identification after documents have been reviewed. Brainstorming, scenario planning, and expert interviews are tools commonly used. The nominal group method allows each team member to create a list individually. The Delphi method is a process in which each team member individually and anonymously lists potential risks and their inputs. The Crawford slip method allows the team to individually list up to 10 risks. Afterward these risks are divided by the team into various categories and logged by category. Influence or risk diagramming is explained in the "Probability or Decision Trees and Influence Diagrams". Nominal group, Delphi, Crawford slip, and influence diagramming also serve as good tools for risk assessment, which is often blurred with risk identification (Operations, 2005)

The key to success with any risk identification tool or technique is to assist the experts in identifying risks. People and the agency's risk culture are the keys to continuous risk identification and risk management. The documents and techniques should only support the people in the risk assessment process and never inhibit or replace the engineering judgment required for a comprehensive risk identification process (United States Department of Labour, 2003)

The risk identification process identifies and categorizes risks that could affect the project/business. It documents these risks and, at a minimum, produces a list of risks that can be assigned to a team member and tracked throughout the project/business development and delivery process. Risk identification is continuous and new risks should continually be invited into the process. The tools and techniques should support the risk identification process, but it will be the people involved in the exercises who are most critical to the success of the process (Highways Agency 2001).

2.2.2. Risk Quantification

Following the risk identification and qualitative risk assessment phases, risks are characterized by their frequency of occurrence and the severity of their consequences. Frequency and severity are the two primary characteristics used to screen risks and separate them into minor risks that do not require further management attention and significant risks that require management attention and possibly quantitative analysis. Various methods have been developed to help classify risks according to their seriousness. One common method is to develop a two-dimensioned matrix that classifies risks into three categories based on the combined effects of their frequency and severity. It requires classifying risks into one of five states of likelihood (remote through near certain) and into five states of consequence (minimal through unacceptable). These assessments yield a five-by-five matrix that classifies a risk as either "high" (red), "moderate" (yellow), or "low" (green).

Risks need to be quantified in two dimensions. The impact of the risk needs to be assessed. The probability of risk to occur needs to be assessed. For simplicity, rate each on a 1 to 4 scale.

The larger the number, the high is the impact or probability of that event to occur. By using a matrix, a priority can be established (www.projectperfect.com).

If probability is high, and impact is low, it is a Medium risk. On the other hand if impact is high, and probability low, it is High priority. A remote chance of a catastrophe warrants more attention than a high chance of a hiccup (www.projectperfect.com).

2.2.2.1 Low Risk Events

Risks that are characterized as low can usually be disregarded and eliminated from further assessment. As risk is periodically reassessed in the future, these low risks are closed, retained, or elevated to a higher risk category (www.projectperfect.com).

2.2.2.2 Moderate Risk Events

Moderate-risk events are either high-likelihood, low-consequence events or low-likelihood, high-consequence events. An individual high-likelihood, low-consequence event by itself would have little impact on project cost or schedule outcomes. However, most projects contain myriad such risks (material prices, schedule durations, installation rates, etc.); the combined effect of numerous high-likelihood, low-consequence risks can significantly alter project outcomes. Commonly, risk management procedures accommodate this high-likelihood, low-consequence risks by determining their combined effect and developing cost and/or schedule contingency allowances to manage their influence (www.projectperfect.com).

Low-likelihood, high-consequence events, on the other hand, usually warrants individualized attention and management. At a minimum, low-likelihood, high-consequence events should be periodically monitored for changes either in their probability of occurrence or in their potential impacts (www.projectperfect.com).

2.2.2.3 High Risk Events

High-risk events are so classified either because they have a high likelihood of occurrence coupled with at least a moderate impact or they have a high impact with at least moderate likelihood. In either case, specific directed management action is warranted to reduce the probability of occurrence or the risk's negative impact (www.projectperfect.com).

	Negligible	Marginal	Critical	Catastrophic
Certain	High	High	Extreme	Extreme
Likely	Moderate	High	High	Extreme
Possible	Low	Moderate	High	Extreme
Unlikely	Low	Low	Moderate	Extreme
Rare	Low	Low	Moderate	High

2.2.3 Risk Response

Risk identification, assessment, and analysis exercises form the basis for sound risk response options. A series of risk response actions can help agencies and their industry partners avoid or mitigate the identified risks. Wideman, in the Project Management Institute standard Project and Program Risk Management: A Guide to Managing Risks and Opportunities, states that a risk may be the following; unrecognized, unmanaged, or ignored (by default), recognized, but no action taken (absorbed by a matter of policy), avoided (by taking appropriate steps), reduced (by an alternative approach), transferred (to others through contract or insurance), retained and absorbed (by prudent allowances) or handled by a combination of the above.

The above categorization of risk response options helps formalize risk management planning. The Caltrans Project Risk Management Handbook suggests a subset of strategies from the categorization defined by Wideman above. The Caltrans handbook states that the project development team must identify which strategy is best for each risk and then design specific actions to implement that strategy. The strategies and actions in the handbook include the following:

1. Avoidance. The team changes the project plan to eliminate the risk or to protect the project objectives from its impact. The team might achieve this by changing scope, adding time, or adding resources (thus relaxing the so-called triple constraint).

2. Transference. The team transfers the financial impact of risk by contracting out some aspect of the work. Transference reduces the risk only if the contractor is more capable of taking steps to reduce the risk and does so.

3. Mitigation. The team seeks to reduce the probability or consequences of a risk event to an acceptable threshold. It accomplishes this via many different means that are specific to the project and the risk. Mitigation steps, although costly and time consuming, may still be preferable to going forward with the unmitigated risk.

4. Acceptance. The project manager and team decide to accept certain risks. They do not change the project plan to deal with a risk or identify any response strategy other than agreeing to address the risk if it occurs.

Given a clear understanding of the risks, their magnitude, and the options for response, an understanding of project risk will emerge. This understanding will include where, when, and to what extent exposure will be anticipated. The understanding will allow for thoughtful risk planning (Traffic Management Act, 2005).

There are five types of strategies that are being used according to the level of risk that exists: risk avoidance, risk reduction, risk transfer, risk sharing and risk retention . Risk avoidance takes place when there are either poor arrangements or hazards that cannot be controlled, and hence, managers postpone the activity or offer an alternative one (Swarbrooke et al, 2003; Parkhouse, 2005; Beech and Cladwick, 2004). In risk reduction, all activities should be managed by capable and well-trained leaders, who have the experience and the competence to cope with possible risks (Swarbrooke et al, 2003; Beech and Cladwick, 2004; Outhart et al, 2003). Managers often employ the risk transfer method, in which the risk is transferred to insurance companies, to the clients or to third parties (Centner, 2005; Swarbrooke et al, 2003; Beech and Chadwick, 2004; Boyle, 2000). Finally, risk retention is a strategy during which mainly low risks are being accepted either unconsciously or because of incapability to transfer them to others.

A risk response plan should include the strategy and action items to address the strategy. The actions should include what needs to be done, who is doing it, and when it should be completed.

2.2.4 Risk Monitoring and Control

The final step is to continually monitor risks to identify any change in the status, or if they turn into an issue. It is best to hold regular risk reviews to identify actions outstanding, risk probability and impact, remove risks that have passed, and identify new risks ( www.clinicalgovernance.scot.nhs.uk).

Monitoring and control is not complete unless communication has occurred. Communication is the lynch-pin of effective project management and risk management. Communication within and among the team will be crisp, concise, complete, correct and timely as will the communication to upper management and executives. Effectiveness of the risk response actions will be monitored and reported regularly (Project Risk Management, 2010).

Risk monitoring and control is required in order to ensure the execution of the risk plans and evaluate their effectiveness in reducing risk, keep track of the identified risks, including the watch list, monitor triggers conditions for contingencies, monitor residual risks and identify new risks arising during project execution and updating the organizational process assets ( www.faculty.kfupm.edu.sa).

The purpose is to determine if risk responses have been implemented as planned, actions are as effective as expected or if new responses should be developed. Whether project assumptions are still valid, risk exposure has changed from its prior state, with analysis of trends, if a risk trigger has occurred, proper policies and procedures are followed or if new risks have occurred that were not previously identified ( www.faculty.kfupm.edu.sa)

2.2.4.2 Inputs to risk monitoring and control

Risk Management Plan: The Risk Management Plan is details how to approach and manage project risk. The plan describes the how and when for monitoring risks. Additionally the Risk Management Plan provides guidance around budgeting and timing for risk-related activities, thresholds, reporting formats, and tracking (www.anticlue.net).

Risk Register: The Risk Register contains the comprehensive risk listing for the project. Within this listing the key inputs into risk monitoring and control are the bought into, agreed to, realistic, and formal risk responses, the symptoms and warning signs of risk, residual and secondary risks, time and cost contingency reserves, and a watch list of low-priority risks (www.anticlue.net).

The Approved Change Requests: They are the necessary working methods and contracts. Changes can impact existing risk and give rise to new risk. Approved change requests need to be reviewed from the perspective of whether they will affect risk ratings and responses of existing risks, and or if a new risk is a result (www.anticlue.net).

Work Performance Information: Work performance information is the status of the scheduled activities being performed to accomplish the project work. When comparing the scheduled activities to the baseline, it is easy to determine whether contingency plans need to be put into place to bring the project back in line with the baseline budget and schedule. By reviewing work performance information, one can identify if trigger events have occurred, if new risk are appearing on the radar, or if identified risks are dropping from the radar (www.anticlue.net).

Performance Reports: Performance reports paint a picture of the project's performance with respect to cost, scope, schedule, resources, quality, and risk. Comparing actual performance against baseline plans may unveil risks which may cause problems in the future. Performance reports use bar charts, S-curves, tables, and histograms, to organize and summarize information such as earned value analysis and project work progress.

All of these inputs help the manager to monitor risks and assure a successful project/business ( www.anticlue.net)

2.2.4.3 Dangers of uncontrolled risk

Uncontrolled risks for any business/project may be summarized into financial loss due to product recall, customer defecation, fines, customer disfavour, bad publicity, workforce dissatisfaction, theft of money etc. While also, they can cause direct human sufferings like harm to staff and customers when caught with fire which appear accidentally within the company's premises ( http://portal.surrey.ac.uk).

Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation (http://portal.surrey.ac.uk).

Risk management techniques provide the personnel, at all levels, with a systematic approach to managing the risks that are integral parts of their responsibilities. Also, a number of studies have been undertaken to identify the benefits that can be expected by those implementing a structured approach to risk management (Newland, 1997). These benefits include; better informed and achievable business plans, schedules and budgets, increased likelihood of business growth, proper allocation of risk through the contract, identification of best risk owner, improved communication etc. It is of paramount importance for each business company, development project to have a working risk management plan that help top managers to early identify and treat risks that may negatively or positively affect the business/ project. However, almost all writings are from the developed world and there is little third world experiences shared in risk management.

Risk management challenges are implicit in a corporation's activities because risk events are typically uncertain. An effective risk management process helps a company's top leadership establish rules to prevent operating losses due to human error, employee carelessness, technological malfunction or fraud. To illustrate, a company's management may put into place internal controls and procedures as well as periodic internal audit reviews to ensure that employees comply with rules when performing duties. A risk management policy also may cover financial risks such as credit and market risks. Challenges that may arise in risk management processes may be significant if a corporation does not establish proper decision-making mechanisms, and internal controls are not adequate or functional. A functional procedure provides appropriate solutions to internal problems. An adequate policy instructs employees on how to perform tasks and report problems. Risk management challenges may include staff non-compliance with rules and regulations, technological problems due to software or hardware updates and inaccuracies that may exist in financial market data. Also, Challenges may relate to operational, technological or compliance risks ( www.ehow.com). Other challenges like market and credit risks are also common.

Very few organizations find enterprise risk management implementation easy. It requires a rare combination of organizational consensus, strong executive management and an appreciation for various program sensitivities. Despite the effort required, however, ERM is worth it because it forces most organizations to step back and identify their risks, which is one of the first steps to protecting capital and driving shareholder value. As boards and executive management evaluate ERM, however, they usually come away with more questions than answers. While each company faces specific concerns, the more challenging ERM issues are generally consistent across companies and are largely unrelated to industry, geography, regulation or competitive landscapes. By examining some of these common ERM challenges, as well as the creative solutions that have been applied by other organizations, management will be better equipped to develop and revamp their own enterprise risk management programs.

However, J. Negus (2010) insisted on 10 ERM challenges commonly found as the following: assessing ERM's value, privilege, defining risk, risk assessment method, risk assessment method, time horizon, multiple potential scenarios, ERM ownership, risk reporting as well as simulations and stress tests.

The issue: In an economy driven by positive return on investment, organizations often struggle to demonstrate sufficient ERM value to justify implementation costs. While traditional investment decisions are evaluated using common risk and reward metrics such as return on equity (ROE), return on assets (ROA) and risk adjusted return on capital (RAROC), ERM value drivers are less prescriptive. Despite growing guidance, ERM remains largely voluntary, resulting in a value proposition void of compliance language and regulatory encouragement.

The issue: An ERM program allows management to quantify the company's risks. As risk information becomes increasingly event-driven and dollar-based, company lawyers may raise issues regarding risk distribution to external regulators, auditors and constituents. Organizations must balance risk visibility and legal exposure.

The issue: One of the biggest challenges is establishing a consistent and commonly applied risk nomenclature. Any inconsistencies between risk definitions or methodologies are likely to jeopardize the program's success.

The issue: Enterprise risk assessments are performed using a variety of approaches and tools, including surveys, interviews and historical analysis. Each approach offers its own value and drawbacks that must be closely reviewed to determine organization suitability.

The issue: A key decision for many organizations is whether risks are assessed using qualitative or quantitative metrics. The decision is generally driven by the organization's industry, commitment to ERM, its view regarding privilege and overall cost.

The qualitative method provides management with general indicators rather than specific risk scores. Qualitative results are commonly presented as red, yellow and green light, or high, medium and low risks.

Qualitative risk assessments are frequently favored because they require less sophisticated risk aggregation methods, mathematical support and user training, which means lower implementation costs. Conversely, qualitative results are commonly criticized for their limited alignment with key financial statement and budgetary indicators. Additionally, some critics suggest qualitative results are generally more difficult to interpret, which limits management's ability to assign accountability and remediate.

The issue: The time horizon of ERM risk assessment is largely based on the organization's intent to use ERM risk results and its willingness to invest in risk management.

Many companies use ERM results for quarterly or year-end planning, while more sophisticated companies integrate ERM results into annual budgeting and longer-term strategic planning processes.

The shorter-term time horizon (less than 12 months) is generally preferred as it requires less user training, provides increased risk estimation accuracy and is generally less expensive than the longer-term alternative. The longer-term solution is applied where management values risk visibility beyond the annual financial reporting period and additional time to remediate. Regardless of the approach, the risk assessment time horizon must be consistent with intended ERM program objectives.

The issue: Consider the following scenario: The ERM team asks a respondent to assess the likelihood of counterparty default and its subsequent loss impact during the current fiscal year. The respondent determines that there is a 100% probability of at least one counterparty default with a low financial impact over the defined time horizon (high probability/low impact event). There is also a 5% probability of at least one counterparty default with a significant financial impact (low probability/high impact event) and several default scenarios with varying loss severity estimates (moderate probability/moderate impact).

This situation highlights an issue associated with basic risk assessment methods most risks have multiple event likelihoods and risk severities.

The issue: The question regarding who should "own" ERM is often unclear and commonly disputed at the board, audit committee and management levels.

While there is no one single industry practice with respect to organization structure, ERM administration should generally be held by risk management followed by internal audit, finance/treasury, legal and various supporting departments (e.g., compliance, strategic planning).

The issue: Organizations often struggle with two risk reporting issues: 1) what information should be shared with various internal and external constituents, and 2) how should risk be communicated.

The issue: Stress tests allow management to assess the degree that business operations may be negatively affected by prescribed events and gauge the organization's ability to respond. While the concept is intuitive, organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly infinite number of potential scenarios. Similarly, organizations frequently struggle to identify and predict unknown or unlikely risks (also known as black swans or game changers).

All business institutions should have a vibrant risk culture. A healthy risk culture gives employees a stake in risk management. Employees' basic principles, values, and attitudes as well as their understanding of how to deal with risk shape a company's risk culture. An appropriate risk culture is necessary for corporate risk management procedures to work effectively (www.rsmi.com). This requires that employees directly involved in internal controls be fully aware of risks. For the company's internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top, the ethical atmosphere that the organisation's leadership creates is fundamental. This is imperative for all employees to become `risk aware' to evidence and ensure compliance ( www.safetrac.com). A risk aware culture is required to support and pervade the work ethic.

2.5.1 Creating risk awareness culture

Risk management consultants play a key role in helping companies prevent fraud by installing an effective and vibrant risk culture in companies. A healthy risk culture gives employees a stake in risk management. Employees' basic principles, values, and attitudes as well as their understanding of how to deal with risk shape a company's risk culture.

An appropriate risk culture is necessary for corporate risk management procedures to work effectively. The compliance requires that employees directly involved in internal controls be fully aware of risks. For the company's internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top the ethical atmosphere that the organisation's leadership creates is fundamental. But exemplary leadership does not automatically lead to an effective risk culture, nor does it guarantee a properly functioning internal control system.

Annual reports typically convey the impression that companies have implemented effective risk management procedures. But risk culture is often neglected as an integral part of corporate risk management. E. Schein (1984) developed a model of corporate culture whereby, three elements determine the risk culture of an enterprise: Basic assumptions, values, and artifacts and creations.

Basic assumptions are the foundation of corporate culture. They are the invisible matters of organisational and environmental relations that are commonly taken for granted. Employees' perceptions, thoughts, and feelings about risks shape a company's risk culture.

Values determine employees' moral and behavioural standards. Principles, unwritten guidelines, and taboos that employees respect come from these values. Often these values are only partially visible from employees' outward conduct.

Artifacts and creations are the tangible components of a company's risk management system. They include a risk manual, a risk manager, risk committee, published risk principles and guidelines, an IT-based risk reporting system, and a printed risk report included in the annual report as well as employee risk workshops. Such items are clearly visible and allow risk managers to understand the existing risk culture of an enterprise. The presence or absence of artifacts and creations enable managers to evaluate and shape the company's risk culture.

According to O. Bungartz,( 2010), a plan for shaping risk culture in an enterprise should contain four steps; creating a team to lead the process, evaluating the existing risk culture, determining what the desired risk culture should look like and devising and implementing an action plan to build the new risk culture.

Management should appoint a person independent of the enterprise (possibly an external risk management consultant) to lead the risk culture team. Members can include not only top management and the risk-controlling department, but also board members and internal/ external auditors.

Ultimately, employees should diagnose their company's risk culture free of external forces imposing views on them. However, the members of the risk culture team should be responsible for discovering the employees' views on the existing risk culture and what it should become.

The team should speak with all company employees so the entire staff is sensitised to the risk-culture topic. Standardised and anonymous questionnaires usually elicit more honest responses to questions about the «risk appetite» of the company. The independent coordinator and the members of the risk-culture team should prepare an analysis workshop for selected upper management and cultural leaders to help uncover the invisible basic assumptions that are fundamental to the enterprise's values. In addition to the analysis workshop, the risk culture team should individually interview each member of top management to promote high interactivity and frankness. These interviews prompt senior managers to think deeply about the range of possibilities for shaping a new risk culture. The members of the risk culture team then conduct a critical review of the existing culture based on the results of the enterprise-wide survey, the analysis workshop, and the individual interviews (Oliver Bungartz, 2010).

The profile of the target culture will be based on the same factors that were used to evaluate the existing culture. Reorientation of the company culture is possible only if there is a compelling reason and a shared understanding of the need for cultural change among managers and employees. The foremost goal of cultural reorientation is to sensitise every employee to the necessity of conscious handling of corporate risks (Oliver Bungartz, 2010).

The fourth step in the risk culture programme is the formulation of an actionable plan to realise the new cultural vision. Senior management is responsible for implementing and monitoring this plan. New orientation patterns are accompanied by new signals and formats as well as an update of artifacts and creations. Securing «buy in» from employees is crucial to the success of the action plan. They must know their input was instrumental in creating new policies and that their continued involvement is essential. Transparency and communication are key to making this happen. All employees must understand that they each have a continuing role to play. Management should reward risk sensitive behaviour that helps build the target culture and dissuades unethical behaviour. Once the action plan begins to initiate cultural change in the enterprise, it is common to see unanticipated consequences. Erroneous trends (such as irritated employees or adverse cultural developments) can surface that require monitoring and correction. A new risk culture is vulnerable to undesired changes. Management must therefore continuously observe and evaluate newly implemented risk-culture measures. The figure overleaf summarises the factors and effects of an appropriate risk culture (Oliver Bungartz, 2010).

2.6 Current trend of risk management

Over the past years, it was seen how events have altered the perception of risk management, both inside and outside an organization. There are three broad trends that have resulted from the exposure this area has had recently: vertical transparency, a strengthening of risk cultures and data control.

Pressure on firms to prove the robustness of internal risk controls and the perceived failure of the credit rating agencies are just two of the factors that have driven an increase in the number of chief risk officers in western world. This is particularly important as investors are now demanding greater transparency to ensure that risk profiles are being properly monitored. Vertical transparency within the institution is therefore demanded since, as this external messaging is the responsibility of the board, the CRO requires clear bilateral communication between them (http://blogs.sungard.com).

It's also been crucial to strengthen the risk culture right across an institution. Metrics produced by the risk management function need to be used in the decision-making process all across the trading floor. This is vital for two reasons. First, limits tend to be set centrally, with an enterprise view in mind, whereas a trader has local limits with little or no enterprise-wide visibility. The second reason is related to the efficiency of the calculations. Exposing the methods and data used as well as the outputs from the risk process allows traders to see that the correct parameters were employed. This removes objections to risk related decisions and further allows traders to understand the backdrop to the risk limitation process.

Data control was long seen as the cornerstone of the risk management process has now taken on an even greater level of importance. Recent market events have created a skewed set of correlated, downward sloping data that will take a while to work through the system. The effect of this is that close attention has to be paid to the input data and historical stress scenarios. Multiple data sets are likely to be needed in order to capture risks appropriate for both current and future states. (http://blogs.sungard.com)

The emphasis on risk management has moved from increasing product complexity towards more fundamental concerns. This change of focus has gone a long way to helping ensure that there is no repeat show.

It has been crucial to strengthen the risk culture right across an institution. Data produced by the risk management function need to be used in the decision-making process. Finally, data control, long seen as the cornerstone of the risk management process, has now taken on an even greater level of importance. Recent market events have created a skewed set of correlated, downward sloping data that will take a while to work through the system (http://blogs.sungard.com)

Risk management seems to be on the minds of everyone these days, there is no surprise that risk management is changing, and the risks involved in risk management are rising. So, here are some of the emerging trends in risk management.

Liquidity Risk Overview

Liquidity risk management has taken the forefront in risk management plans. Liquidity issues can especially be seen within the technology and financial parts of most businesses. Within liquidity risk, there are three main areas:

Funding Risks: Funding risk means that the business does not have enough cash to run the business. This is a huge worry for anyone within risk management. Funding liquidity risk can affect how well your organization operates. It has become a major risk management priority within any risk management plan.

Market Risks: Market risk usually comes in the form of items within a portfolio, items that can't ever be sold, or products that can't be sold in the market for their stated worth.

Counter party Risks: Counter party risk can almost be considered consumer-driven in many cases. For example, if your client stops paying you for something that they've bought, they have not fulfilled their obligations to you. With the recent crisis of late, companies have had to really consider these emerging risk management trends and implement risk policies. It has to become part of their overall business strategy in order to thrive in the new and more challenging environments of today (www.brighthub.com).

CHAPTER THREE: RESEARCH METHODOLOGY

This chapter presents methodology describing how the study was conducted. It includes; research design, Study population, sample and sample size, methods of data collection, methods of data analysis and anticipation of the study.

Research methodology refers to a philosophy of research process. It includes the assumptions and values that serve a rationale for research and the standards or criteria the researcher uses for collecting and interpreting data and reaching at conclusions (Martin and Amin, 2005:63). In other words research methodology determines the factors such as how to write hypothesis and what level of evidence is necessary to make decisions on whether to accept or reject the hypothesis.

3.1. Study area

This study was carried out in a private business company dealing with house and road construction and electrical ware repair. It is located in Kigali City in Rwanda, precisely in Nyarugenge District. It employs 101 staff.

3.2. Research design

A research design represents a plan of how particular study should be conducted. It is concerned with the type of data that will be collected and the means used to obtain them (Nieswiadomy; 1993). (Oswala E.C, 2001:52) refer to research design as the overall plan to use and follow in answering the research questions. Thus it involves deciding on what type of research questions to use and the answers to them while considering the best way to gather data required for the study. This is a case study research. This refers to a method based on an in-depth investigation of a single individual, group, or phenomenon (Robert K. Yin: 2009). The researcher also used triangulation of both quantitative and qualitative research methods for collecting and analyzing data to describe and interpret it into information.

3.3. Study population

A research study population is also known as a well-defined collection of individuals or objects known to have similar characteristics. (Oswala E.C, 2001:55) refer to population as the number of persons or objects covered by the study or with which the study is concerned. In other words, it is a set of people or items under consideration in a study. In this research, all employees of the EKJ&CIE form the research population through which the sample was drawn from. The total population number was 105 employees among which four of them were top managers.

3.4. Sample and Sample size

A sample is a small group of cases drawn from and used to represent the large group or whole population under investigation. Therefore sample size is the number of people or objects in the selected sample (Manheim JB and Rich, 1999:448).

Sampling is the process of selecting elements from the total population in such a way that the sample elements selected represent the total population. Thus in research the sample should be a representation of the total population such that as much as possible, most characteristics of the population should be represented in the sample selected (Martin, E. Amin 2005:67). The researcher used two different samples according to the required data related to the objectives of the study. On one hand, the researcher purposively chose two of the top managers for interview in order to collect information related to the risk management plans used, challenges they face and the current trend of risk management. Any manager who would be available especially the risk operation manager was considered. On the other hand, the researcher made another sample drawn from the rest of employees from which he intended to get information related to the employees' awareness on risk management. This information was obtained from a distributed questionnaire to that sample which was obtained from this formula below:

The confidence interval or margin of error is 10% or .1 where as the confidence level is 90%

To get that sample, the researcher had a list of all employees arranged in alphabetical order excluding 4 top managers. A systematic sampling method was used whereby a starting number was randomly chosen then an interval was determined by N/n=K. It is 101/50=2
the starting number was randomly chosen between 1 and 2, then each K+1 was picked up until all 50 names were found.

3.5. Research tools

These are means of gathering information, which includes receiving, retrieving, accessing, abstracting, and extracting information from information sources.

During this research study, Data were collected using the following techniques; questionnaire, interview and observation approaches.

Questionnaire technique: This is a set of written questions that is given to a number of respondents in order to collect information. The questionnaire comprised of both open and closed ended questions. The researcher used this technique in order to collect data from ordinary employees on their awareness on risk management.

Interview technique: this refers to a conversation through which a researcher interviews a person to get appropriate information in relation to the study. In this particular study, the researcher interviewed two administration managers of EKJ&CIE in order to get information related to the risk management plans used, challenges and the current trend of risk management in EKJ&CIE.

Observation: This is a process of using necked eye to carefully watching phenomena for a period of time. This technique helped the researcher on field when collecting data regarding risk prevention in assessing whether technicians wear personal protective equipments at work.

3.6. Data analysis

This is a process of turning data into information; the process of reviewing, summarizing, and organizing isolated facts (data) such that they formulate a meaningful response to a research question.

To analyse and interpret data into information, the researcher used qualitative analysis by grouping interview responses according to research objectives, then, tables and corresponding charts were used to enable the researcher to analyse quantitative data obtained from questionnaire results.

3.7 Ethical considerations

These are variously defined and differentiated; as, for example, a series of obligations to society which all researchers must fulfil.

In our study, respondents were made aware of the ethical responsibilities. Participants were informed that participation was voluntary and they could withdraw from the study at any time without any consequences. All participants were treated with respect and dignity and they remained anonymous throughout the study. Respondents were explained the purpose of research and were assured that their answers would be kept confidential.

CHAPTER FOUR: PRESENTATION OF RESEARCH FINDINGS AND ANALYSIS

3.0 Introduction

This chapter is comprised of two sections: Section A presents the quantitative data which corresponds to the first objective while section B presents the qualitative data that corresponds to the last three objectives.

The results of the quantitative data in section A are presented in the form of tables and their corresponding charts. The qualitative results are presented in section B. This section describes the interview of participants, the emerged themes and then presentation of the results. In the presentation of the findings, verbatim quotations from interviews were used to illustrate response. For anonymity and confidentiality of the participants, the participants were given cryptogram as R₁ to R₂.

3.1 Section A: Quantitative Data

These results respond to the first objective which was to explore the level of awareness of EKJ&CIE employees in relation with risk management.

Gender	Number	Percentage
Males	39	78
Females	11	22
Total	50	100

The table above and chart below show that among 50 respondents, 39 or 78% were males while 11 or 22% were females. This inequality explains that there are few female technicians employed by this company which may have an impact on decision making whereby men are more represented than females.

Chart 4.1.1 Distribution of Respondents by Gender

Also, the reason as to why males out number females is that, in Rwanda, males tend to study engineering related courses than females, and therefore have more chances of being employed than females. It means that males are more influential than females in all matters regarding their activities thus the female contribution may be little for instance while planning for risk management, the campany may set only those set by men thus women related risks may be neglected.

Age	Number	Percentage
< 20	0	0
20-29	35	70
30-39	9	18
40-49	6	12
Total	50	100

The table 4.1.2 above and collesponding chart below explain the distribution of respondents according to their age groups. Generally, 35 emloyees which are 70% are between 20 and 29 years of age, followed by 9 employees or 18% who are between 30 and 39 years of age. Those aged between 40 and 49 are 6 or 12 % of respondents while nobody above 50 years or below 20 years of age.

This explains how the company employs young aged personnel mainly because its main works are technical and require physical fitness and agility.

Chart 4.1.2 Distribution of Respondents by age

As far as risk management is concerned, this age distribution on one hand has a positive impact on the company in the way that young people are the ones fit to perform energy requiring activities such as construction works and are less exposed to work related deseases such as low back pains etc. again as the majority are below 30 years of age, the campany has great opportunity to employ them for long time which may be good for the management to use less money for new recruitments and medical expences because normally people of this age group do not fall sick frequently compared to older people. On the other hand, this age distribution may play a negative impact on the company in the way that this group may be the one with little job experience which expose them to incidents/accidents risks more than older employees, furthermore this may also affect the overall quality of the company's work. If not controlled, this group (20-29) may tend to negliget the use personal protective equipments because they feel capable to work with much agility and speed but this may expose them to minor as well as major injuries which may cause a huge loss of human resources, financial and reputation to the company.

Education level	Number	Percentage
Primary	11	22
Secondary	19	38
Advanced diploma	12	24
Bachelor degree and above	8	16
Total	50	100

The table 4.1.3 above and coresponding pie chart below show the distribution of education among respondents. No illeterate respondent, 22% have a primary education level, 38% have a secondary level, 24% with advanced diploma while 16% have bachelor degree and above.

This distribution shows a positive thing whereby no illiterate personel employed by the company which is good for the company management in relation with risk management because every body is able to read the campany's manual of internal rules and regulations and can report any incident through writing to the management.

Chart 4.1.3 Distribtion of respondents by education

Again, it is easy to train all employees especially in local language if all of them cannot understand and well speak english. Once the administration has risk manmagement plans, it will be easy for it to train employees eventhough those with primary education still lack some knowledge but at least have a certain level of basic education.

It is easier to them to cope with challenges and if trained on risk management, their level of awareness will vary but not as much as training illeterate people.

Marital status	Number	Percentage
Single	33	66
Married	16	32
Divorced	0	0
Separated	0	0
Widow(er)	1	2
Total	50	100

The table 4.1.4 above and chart 4.1.4 below indicate the distribution of respondents in relation with their marital status. Among respondents, 66% were single, 32% were married, 2% are widow, no separation or divorce. This means that one one hand, the company is likely to have problems in matters of employee retention because the majority of them are single and this category is not stable at work as they keep searching for green pastures. On the other hand, only 2% are widow(er) and there are no divorce or separation. This is an advantage for the company because there might be less psychological problems related to marriages etc. which means less hours lost on such problems. Again, 32% are married which means that these people have a focus while working, this is a positive point on the company because this category of people is likely to be prudent on work and avoid hazardious and dangerous actions which may cause injuries and deaths to them as they are other responsibilities at home more than their fellow single employees.

Chart 4.1.4 Distribution of respondents by marital status

As far as risk management is concerned, married people are more cautious than singles which may on one hand limit the quality of work if needs some risky ingeniousity and on the other hand, it helps the company to avoid risks related to precipited works and more people have other responsibilities, more they learn rules and regulations, policies, procedures and guidelines to follow in order to perform work correctly. Married employees are more ethical than unmarried ones while single employees are the ones likely to steal the company or do not comply with regulations. In matters related to risk awareness, there is no evidence stating whether any category may be aware more than another.

Marital status	Number	Percentage
Administration	6	12
Technicians	40	80
Cleaners	4	8
Total	50	100

The table 4.1.5 above and thecoresponding piechart 4.1.5 belowe illustrate the respondents answers according to their occupations; the majority are technicians with 80% while 12% were working in administration and 8% were cleaners.

Chart 4.1.5 Distribution of respondents by occupation

As far as risk management is concerned, majority of them are technicians because of the nature of the campany's work. These are more exposed to physical injuries at the field work than their fellow administrators and cleaners which means they need personal protective equipments and need more trainings in prevention of risks and accidents at work more than other categories of employees. Administrators on the other side need trainings in financial risk management and human resource management. All of them need to be informed on risk management whereby each category need to be trained in risks related to the nature of their works.

Years	Number	Percentage
< 1	19	38
1-5	23	46
6-10	6	12
11+	2	4
Total	50	100

The table 4.1.6 and the coresponding chart below show that among respondents, only 4% have experience above 11 years, 12% are between 6 and 10 years, 46% between one and five years while 38% have less than one year of working experience. This explains in relation with risk management that when employees are more experienced on their jobs are also experienced with potential risks thy are likely to encounter like falls, burns, electrocution etc.

Chart 4.1.6 Job experience of Respondents

These people are coutious at work and have less risks of being injured than less experienced employees. Again, experienced personel know better rules and regulations than new comers on job and this is a good point on behalf of the company. However, less experienced employees have difficulty to comply with work lawas.

According to the figures shown, it is abvious that a high number of respondents (46%) have between one and five years of experience which means they need more traings on risk management than those with a lot of working experience.

Trainings	Number	Percentage
Trained	46	92
Not trained	4	8
Total	50	100

According to training in Risk management, 92% have had it in relation to their domains of work at least once while 8% have not had any. This is a good point for the company as it tries to train its employees. The remaining should also be trained as well, as every body has a risk at some degrees. Employees will be better informed and may reach to good achievements such as business plans, appropriate schedules and budgets, increased likelihood of business growth, proper allocation of risk, identification of best risk owner, improved communication etc.

Chart 4.1.7 Training(S) on Risk Management

Type of risk	Number of Respondents	Percentage
Technological risks	31	62
Financial risks	8	16
Security risks	4	8
Physical risks	40	80
Political risks	3	6
All of them	3	6

The table and graph 4.1.8 indicate what respondents answered on type of riks they are likely to face in relation to their jobs. 80% face physical risks (injuries), 62% face technology related risks, 16% face financial risks, 8% may encounter security related risks, 6% face political risks while 6% showed to face all of them.

Chart 4.1.8 Types of risks likely to be encountered by respondents

These answers show that a high number is likely to meet physical risks which is because of the nature of work whereby majority are technicians on field working in construction and electricity. However another high number including the same technicians also face risks related to technology, these risks vary according to the nature or type of work, administrators/financials face money fraud using high technology which may cause a huge loss to the company, engineers and technicians face technological risks. Other few numbers face financial, political ,security risks while 6% reported to face all kind of risks.

As these results show, there is a need of appropriate personal protective equipments in order to minimize risks of injuries and deaths of employees. Also, it is of paramount importance for the company to properly use the information technology in data management and buy modern materials used in construction and electrical related activities and train employees to use them. This will reduce these risks which were mentioned by a high number.

Security and political risks are not the least problems because if security is not enough, nothing can be operational, theft issues can cause loss of properties etc. that is why the management should consider all these factors.

Table 4.1.9 Training on risk management in relation to which a respondent faces

Trained	Number	Percentage
Yes	31	62
No	19	38
Total	50	100

The table and pie chart 4.1.9 show that among respondents, 62% have had training on risks related to which the respondent is likely to encounter while 38% did not have it. This shows a big gap in training in this company which may hinder its growth. But, it may be caused probably by the newness of a big number of employees or lack of structured training plan within the campany. When employees are not trained, they are likely to meet those risks and will not be able to manage them accordingly. This may cause huge financial expenses to the company while training would cost less and minimise risk occurences. Again, it is a lot of benefits to the dcompany when employees are aware of possible risks they may encounter while on work. This enable them to take appropriate measures especially for prevention and/or foer mitigation which is a double advantage on both employees and the company's management.

Chart 4.1.9 Training on risk management

Employees face few risks and even if they occur, they know how to handle them, while on the side of the management, they spend less money on risks because a lot of them are preventable and the company creates a good reputation when its employees work in a good environment. That is why the campany's owners should schedule regular trainings to all employees in their respective domains of work.

Table 4.1.10 Response on whether respondents have met risks that could put life in danger

Has met risk(s)	Number	Percentage
Yes	37	74
No	13	26
Total	50	100

The table and graph 4.1.10 show that among the respondents, 37 or 74 % have met risks that could life in danger while 13 or 26% have not. This explains that there are protective measures against injuries and deaths to employees but still, a quarter of them have had once their life in danger.

Chart 4.1.10 Response on whether respondents have met risks that could put life in danger

The company should invest more so that these risks be minimized more and get other solutions to mitigate those inevitable ones through trainings, buying more and appropriate equipments.

Risk management	Number	Percentage
Well managed	21	56.77
Not well managed	12	32.43
Not at all managed	4	10.80
Total	37	100

According to how risks were managed, about 57% were well managed, 32% not well managed, 11% not at managed at all. This explains that there is still a gap in risk management especially in risk response or treatment.

Chart 4.1.11 How risks were managed?

Even though a half of issues were well managed, this is not enough in risk management because 11% which report that they were not managed all may cause a serious problem to the company including financial loss, injuries and/ or deaths to the human resources, theft, and loss of reputation and yet this could have been prevented before.

In other words, the company should set a strong risk management plan including all phases namely; risk identification whereby no stone should be left behind, risk quantification and analysis, risk response and risk monitoring and control. This plan will help the company to manage almost all risks with fewer costs compared to expenses used on a surprised issue.

Need Protective equipment	Number	Percentage
Yes	44	88
No	6	12
Total	50	100

The table and corresponding chart above show that 44 or 88% of respondents needed protective equipment while 12% do not need it. This is true because in construction and electrical repair areas, the technician shhould wear personal protective equipment (PPE). The purpose of personal protective equipment is to protect the body from various injuries resulting, for example, from mechanical, chemical, and thermal hazards. Protective equipment should not be worn just at the moment of interacting with hazard, but rather personal protective equipment should be worn long before the employee is going to come into contact with hazard.

Chart 4.1.12 Need of protective equipment

Having the protective equipment in place continually will ensure maximum safety is achieved. Even though the use of PPE in unsafe construction is mandated legally, it should be considered as more than mere rules to be followed in order to avoid civil or criminal liability.

Use of protective equipment	Number	Percentage
Yes	25	56.8
No	19	43.2
Total	44	100

These table and chart 4.1.13 show that PPE were used by 25 respondents or 57% while 19 or 43% were not using them. This is a problem for the company because technicians are exposed to various injuries. It is not known wether their none use is due to unvailability or employees ignorance on importance of PPE use. Nevertheless, it is a must to wear PPE while working in hazard areaa such as construction sites.

Chart 4.1.13 Use of protective equipment

According to safety standards, the exterior of construction sites shall be barricaded with construction fencing, chain link fencing or warning tape. Inside, signs shall be posted conspicuously particularly on restricted areas. Also, there should be signs indicating the kind of PPE to wear when entering specific areas. Amongst the most common PPE needed when entering construction sites are, hard hats, safety glasses, long trousers, safety vest, and steel toe boots. These PPE should be worn at all times when inside the construction area. When the working elevation is high, the appropriate fall protection gear should be used.

It should be recalled to all technicians that the use of PPE will eventually help them. It saves life. A construction worker utilizing complete PPE will be greatly shielded against common mishaps that happen in their workplace. It can also lessen the risks of serious injury or even death. That is why the company should avail adequate PPE, train all employees on how they are used and when and make it the use of PPE a policy among other policies governing the company.

Status	Number	Percentage
Good	30	68.18
Not good	14	31.82
Total	44	100

The table and chart 4.1.14 illustrate the status of protective equipments. 30 respondents or 68% were in good status while 32% were not good.

Figure 4.1.14 Status of personal protective equipment

This is a threat to employees using defective PPE which means they are exposed to injuries at work. That is why the company should provide suitable PPE to all employees and set a policy which states clearly on that with clear responsibilities to technicians such as to attend and comply with training, instruction and information, to check the condition of their PPE , to store, clean and maintain their PPE and to report losses, defects or other problems with PPE and to their supervisorsupervisors such as to ensure adequate information and training is provided to those who require PPE, to ensure that PPE is properly stored, maintained, cleaned, repaired and replaced when necessary because without proper maintenance, protective equipment will not be able to offer the same level of protection.

	Number	Percentage
Yes	0	0
No	14	28
Don't know	36	72
Sub Total	50	100

The table and chart 4.1.15 show that 72% of respondents do not know whether there are risk management plans in the company, 28% knows that there not while no one cofirmed their existence.

Chart 4.1.15 Existence of Risk Management plans

It shows that there is a gap in communication which is too bad to the company. However, it is abvious that there are no risk management plans in the company, which is a big handicap for its management. RMP should be present and functional in order to avoid preventable destructive risks and enjoy benefits like to provide an assurance that the company/organization has identified its highest-risk exposures and has taken steps to properly manage these. To ensure that the company/organisation's business planning processes include a focus on areas where risk management is needed and to establish a process across the organisation that will integrate the various risk control measures that the Organisation already has.

Table 4.1.16 Knowledge on whether the company has internal rules and regulations

	Number	Percentage
Yes	35	70
No	0	0
Don't know	15	30
Sub Total	50	100

The table and graph 4.1.16 indicate that 70% of respondents know the existence of internal rules and regulations within the company while 30% do not know, no one denied their existence. It indicates that there is still a problem with internal communication whereby every employee should get oriented and read carefully internal rules and regulations of the company. These spell out in simple and concrete terms the standards of professional ethics applying to company staff members. These standards are to be regarded as the professional values and culture the Organisation wants to promote and uphold. They help employees to get information on their rights and what they are supposed to provide for the employer.

Chart 4.1.16 Knowledge on whether the company has internal rules and regulations

This helps the employee to avoid mistakenly actions related to ignorance of the policies and procedures utilized in the organization.

Insurance	Number	Percentage
Yes	50	100
No	0	0
Don't know	0	0
Sub Total	50	100

The table and graph 4.1.17 indicate that all respondents (100%) know that they are insured. This indicate a great performance on the side of the company because insurance is one of risk response type whereby injured or sick employees may get treated or compansatedwith less costs on behalf of the company and the employee. Health insurance is a subject that assumes great relevance and importance in these times. Making ends meet is a struggle in itself but not having the means to get a health insurance would be like committing a big financial mistake. The risk involved is losing all the savings in the bank account to counter a sudden medical emergency. Which is why buying a health insurance makes complete sense for the employer and for the employee.

Chart 4.1.17 Insurance among Respondents

Respondents suggested the following to the top management committee of their enterprise; keep insuring employees, buy updated equipments, improve the use of IT, regular trainings in Risk management, trainings in financial management, trainings in Health and Safety and raining in each respondent's domain.

4.2 Section B: Qualitative Data

The researcher arranged appointments with the participants for the interviews after the researcher and the participants had agreed to conduct the interviews in one of the company office rooms.

The room in which the interviews were to be conducted was assessed prior to commencing to ensure that there are no possible interruptions and distractions to the quality of recordings. The researcher purposively selected 2 administrative managers and interviewed each one alone.

The interviews took an average of forty five minutes each. The interviews were conducted in English since it was the preferred language by the participants.

The interviews were guided after developing an interview guide. After clearly explaining the procedure, purpose and ensuring the participants their ethical values and anonymity, the researcher also asked for permission from the participants to use a tape recorder while conducting the interview. The interview begun by the researcher explaining some of terminologies that were to be used such as risk, risk management plan, personal protective equipment and they were then asked a question to open the discussion.

Interview Question	Response
	Respondent 1	Respondent 2
Existence of written Risk management Plans	No	No
Does EKJ&CIE have a Risk management Officer?	No	No
Benefits of having a Risk management Plan	-To identify potential risks -To prevent financial losses -To avoid hazardous works -To avoid government penalties -To avoid money theft -Employees retention	-Good allocation of resources, -Good management of money, -Prevention of theft, -Prevention of staff injuries, -Death prevention

The interview results above are related to the first objective whereby the researcher wanted to identify risk management plans used in EKJ&CIE. According to both interviewee answers, the company has neither written risk management plans nor risk management officer. However, both interviewees understand the benefits of having risk management system in the business whereby both state that benefits vary from identifying potential risks, preventing them to risk treatment. Nobody mentioned regular monitoring and control. Nevertheless, it is obvious that respondents have good ideas on risk management plan even though; it is not formally structured and documented in the company management system. But, the fact of having idea on risk management plans and their benefits is not enough alone, there should be a formal way of doing things, each employee should adhere too if the company wants to grow with time and hire a risk management officer because, risk management is particularly vital for any business especially private businesses, since some common types of losses such as theft, fire, flood, legal liability, injury, or disability can destroy in a few minutes what may have taken entrepreneur years to build. Such losses and liabilities can affect day to day operations, reduce profits, and cause financial hardship severe enough to cripple or bankrupt the business. EKJ&CIE management should employ a full time risk manager to identify risks and take the necessary steps to protect the firm against risks otherwise; the responsibility for risk management is likely to fall on the business owner.

Interview Question	Response
Interview Question	Respondent 1	Respondent 2
How does your company identify and treat risk?	-No structured risk management plan -Managers and Supervisors sit and solve the problems that seem to be imminent.	- There is no regular way of identifying risks but when there is an obvious risk, managers sit and find out how can prevent the occurrence.
How does the company deal with health and safety of employees?	-Availing helmets, gloves, appropriate shoes and aprons to staff working on building sites and repairing electrical wires and -Health insurance	- Equipment for protection, -Training on protection against injuries -Health insurance.
How do you control the company's financials?	-Two accountants available -Annual internal auditing	-External auditing, -Good accounting unit -Regular monitoring of ins and outs using information technology.
Does the institution have rules and regulations/Guidelines that all employees have to comply with?	Yes	Yes
Does the institution have a problem/incident reporting system?	No	No

According to the question asking how the management identify potential risk that the company may be victim of, both respondents agree that there is no formal way of doing it, but when there is an imminent problem, the management sits together and try to find out solution. As we know risk management is proactive and not reactive that is why they current way of identifying risks in EKJ&CIE is not proper, there is a high probability of being surprised by uncertain and harmful events to the business because these were not investigated by qualified people on time. Therefore, there should be a risk management system through which all possible risks are identified via brainstorming for instance, categorized and prioritised. Potential risk exposures are quantified and risk mitigation plans are planned for each specific risk.

Asking on how the company deals with health and safety to employees, they all mentioned the provision of PPE, insurance and trainings on protection against injuries.

All workers have a right to work in places where risks to their health and safety are properly controlled. Health and safety is about stopping the employee getting hurt at work or ill through work. The employer is responsible for health and safety. Again insuring employees is a responsibility from the employer which is positive.

On how the company controls the company financials, they have accountants; they carry out internal and external auditing and regular monitoring of ins and outs using information technology. Normally, financial risks arise from some sources; from the organization's exposure to changes in market prices, such as interest rates, exchange rates, and commodity prices, Financial risks arising from the actions of, and transactions with other organizations such as vendors, customers, and counterparties in derivatives transactions and financial risks resulting from internal actions or failures of the organization, particularly people, processes, and systems. The company is advised to diversify its activities as one of financial risk management process. Diversification among counterparties may reduce the risk that unexpected events adversely impact the organization through defaults. Diversification among investment assets reduces the magnitude of loss if one issuer fails. Diversification of customers, suppliers, and financing sources reduces the possibility that an organization will have its business adversely affected by changes outside management's control. Although the risk of loss still exists, diversification may reduce the opportunity for large adverse outcomes. The company has internal rules and regulations but does not have incident reporting system which normally serves as a way of reporting any incident or accident happened at work and find out solutions and preventive measures in the future.

Interview Questions	Response
	Respondent 1	Respondent 2
What potential risks does your company face?	-High competition of similar companies -Changes in technology -High financial demands to compete for bigger works -Theft of data, - Health safety to technicians	- Financial loss, -Desertion of qualified employees -Injuries and death of technicians -Equipment damage -Business collapse
Is your institution technologically and physically secure?	-Probably, because it has well built office. -We have competent staff -We are not totally secure technologically	-Not totally but we are not under high threat, we try by all means to keep the business as safe as possible.

As far as challenges are concerned, both respondents indicate high competition with bigger companies that perform similar works, changing technology, theft, injuries to employees, financial loss etc. To know whether the company is technologically and physically secure; no one disagreed or agreed, there probable technological insecurity but the company is not under high threat. That is why it should reinforce the IT system and recruit a risk management officer in order to deal with all potential risks highlighted by respondents.

Interview Question	Response
	Respondent 1	Respondent 2
*Do your employees get regular trainings on Risk management*	- Not regular	Not regular
*What is the future of risk management in your company?*	-To employ qualified people in Risk Management for the bright future of our business	-Hiring a consultant to explain at large the role of risk management. -Developing strong risk management plans in the near future
*Do you have anything else you might like to add, specifically related to the topic discussed on or anything else?*	-Trainings in Risk Management by PSF - More IT usage -More workshops in accounting and administration -Thank you	- Thank you for this great moment we shared.

The company provide some courses on risk management but not on regular basis. They should be done regularly in order to equip each and every employee with adequate knowledge in risk management.

On the future of risk management in EKJ&CIE; R₁suggestedto employ qualified people in Risk Management for the bright future of the business while R₂ wanted to hire a consultant to explain at large the role of risk management so that they can develop strong risk management plans in the near future. In addition, R₁ suggested an improvement in utilising information and technology management system, providing more workshops in finance, accounting and administration.

CHAPTER FIVE: CONCLUSION, SUMMARY AND RECOMMENDATIONS

4.0 Introduction

This chapter presents the summary of the findings, conclusions and recommendations regarding the study carried out on risk management in private institutions using a case study of EKJ&CIE enterprise. The important findings of this study are outlined in this chapter. Finally, recommendations are provided based on the findings of this study.

4.1 Summary of the findings

The overall aim of this study was to find out how risk management is carried out in EKJ&CIE. Furthermore, the study explored whether this enterprise has structured risk management plans how it identifies and treats risks, which challenges it meets while performing risk management and assessed the level of employees' awareness in relation with risk management.

5.1.1 Risk management plans

Results from both interviewees show that there are no structured and written risk management plans but still employees have some knowledge about risk as confirmed by both interviewees, every employee gets some trainings on risks related to his/her domain of work but these are still insufficient compared to what should be done.

Even though, the enterprise does not have formal risk management plans which state how it should identify, quantify, treat, monitor and control risks, we cannot conclude that risk is meaningless to this company rather they feel it but need trainings on risk management so that the management can establish a strong risk management plan and get all related benefits.

Both interviewees confirmed the absence of risk management officer but mentioned some positive activities performed within the company which relate much with risk management such as the action of being aware of risks that face the enterprise such as high competition, money theft, injuries and death of employees working in electrical and building domains, financial loss, loss of data among others. Again both have knowledge on benefits of having risk management plans whereby both mentioned like:

2. Avoiding hazardous works, government penalties related to not paying taxes on time

This statement goes hand in hand with other literatures which state some common benefits as those above mentioned (Newland K.E.1997)

It was observed that the company has weakness in identifying risks where as both interviewees stated that there is no regular way of identifying risks unless there is a tangible risk that the company is likely to encounter soon. Literatures state that Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation ( http://portal.surrey.ac.uk).

5.1.2 Challenges to risk management

The company face a number of challenges which range from financial to health related but as said above they are neither quantified nor communicated formally as it should be in the formal way of risk management. These challenges are mainly:

4. Safety related risks for technicians who work in electricity domain who can be electro shocked while repairing wires,

To overcome these challenges, a strong data control system should be put in place, revise business plans of the company, train all employees on risks they are facing in their regular works and provide high quality protective equipment to any employee/technician in need.

5.1.3 Trends of risk management

Both respondents had positive plans regarding the future of risk management in the company but did not explain in terms of time and effort to be invested in order to hire the chief risk manager who will help the company to make the system operational. However, they are planning to hire a consultant to make it more clear which is a green light to the installation of the system in the near future.

These results respond to the question asking the level of awareness of EKJ&CIE employees in relation with risk management.

Results show that the majority of employees were males and aged below 30 years of age and majority are single. On education basis a half of them have secondary diploma and advanced degree, this is probably due to the nature of their work of technicians which do not require higher qualifications rather vocational skills and physical fitness which explains the supremacy of males, young age of the majority of these employees and this explains the reason why many of them are single and have less job experience as 80% of respondents are between less than a year and five years of experience.

Respondents showed indirectly that they are aware of risks and ways of risk management whereby: 92% of respondents confirmed to have had trainings related to risk management, 84% and 80% expressed their concern about physical and technological risks they were likely to meet during their day to day jobs, 74% had been once at risk which could put their life in danger and rated the level of satisfaction on how that threatening risk was managed.

Also, respondents demonstrated their need of protective equipment by 88% but this number dropped to nearly 57% with no convincing reasons as the management confirmed their existence, probably this drop was due to the quality of these protective materials as expressed by respondents whereby only 68% appreciated their status as good while 32% rated them as not good. This drop may be explained by the fact that probably those with poor quality equipment are the ones who do not use them.

Respondents admitted by 72% that they don't know whether there are risk management plans within the company but, nearly the same percentage confirmed the existence of rules and regulations that govern the company. This shows some lack of communication between the top management and on ground staff concerning administration issues or negligence on part of technicians.

All respondents (100%) know that they are insured in Rwanda Social Security Fund and have health insurance which helps them to pay less when they are sick or their close relatives. This is a positive point either on their behalf but on the side of the company management too because it is a motivating factor is among employee retention factors too.

5.2 Conclusion

The importance of risk management in projects can hardly be overstated. Awareness of risk has increased as we currently live in a less stable economic and political environment.

Making a sound business case for having a strong risk management program has long been an elusive challenge for many organizations. The question still remains unanswered, «How much value should be placed on preventing loss from a disaster that might never happen?» However it is generally agreed that the consequences of risk management failure can be dire. There is a clear imperative for many companies to develop a strong, consistent, enterprise wide risk management programme, as most prevalent business risks will either remain at current levels or increase.

In pursuing this goal, companies, now more than ever, would do well to begin by identifying their top drivers, then pinpointing the top threats to those revenue drivers, and distinguishing between those that are predominantly downside risks and those that are predominantly variable risks.

While both categories of risk deserve attention, companies may discover the effectiveness of their risk management programs are most effective if they devote more of their attention to controlling risk rather than transferring it to insurance companies. And the risks that can be most directly controlled are downside risks, the very risks that are most likely to threaten company's top revenue drivers. When downside risks are dealt with first through prevention and control, it enables senior management to deal more aggressively with variable risks. In short they become more proactive and strategic with their risk management approach.

Because companies indicate that they expect having trouble finding the time, budget and people necessary to implement or maintain a strong risk management program, senior management must demonstrate leadership in championing and funding this initiative. The number one consequence of poor risk management is loss of competitiveness.

By implementing an effective risk management program, companies protect their ability to compete. Nothing is more fundamental to business success.

From observation, interviews carried out and questionnaire launched among respondents, the researcher advises the following recommendations:

2. There is a need of regular trainings on risk management at each level of employees

1. The government should sensitise private businesses on the importance of risk management

2. The government should provide to private businesses more workshops on risk management.

Boyle, T. (2003). Health and Safety: Risk Management. Suffolk: IOSH Services Ltd

Cox, L.A. Jr., 'What's Wrong with Risk Matrices?', Risk Analysis, Vol. 28, No. 2, 2008

Fone Martin and Peter C. Young.(2000). Public Sector Risk Management. British library

Hubbard, Douglas (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons.

Manheim JB (1995): Empirical Political Analysis, Research Methods in Political Science;
Longman New York.

Martin E. Amin (2005): Social Science Research; Conception, Analysis & Methodology.

Nieswiadomy, R.M. (1993). Foundations of Nursing Research. Second ed. Connecticut:
Appleton & Lange.

Edgar Schein, (1984). Coming to a New Awareness of Organisational Culture,» Sloan
Management Review, Winter 1984).

Outhart, T., Barker, R., Colquhoum, M. and Crabtree, L. (2003). Leisure and Recreation for
Vocational A level: formerly Advanced GNVQ. London: Collins Educations

Parkhouse, B.L. (2005). The Management of Sport. Its Foundation and Application. NY:
McGraw - Hill International

Robert K. Yin. (2009) Case Study Research: Design and Methods. Fourth Ed. SAGE
Publications. California

Swarbrooke, J., Beard, C., Leckie, S. and Pomfret, G. (2003). Adventure Tourism. The new
frontier. Oxford: Elsevier Science Ltd

Centner, T.J. (2005). Examining Legal Rules To Protect Children From Injuries In Recreational and Sport Activities. Journal of Safety Research. Vol. 36, No. 1, pp. 1

GNVQ (2000). Advanced Leisure and Recreation. Oxford: Oxford University Press 24 SMIJ - VOL. 3, Number 1, 2007

4. United States Dept. of Labor -- Bureau of Labor Statistics, Census of Fatal Occupational Injuries, Table A-6, Washington, DC, 2003.

APPENDICES

Appendix A. Budget

Period	Requirements	COST (USD)
JANUARY - MARCH 2011	Research proposal: Ø Plain papers Ø Communication fee Ø Transport & accommodation fee Ø Printing	10 10 100 15
APRIL-MAY 2011	Data collection & analysis: · Printing · Photocopy · Transport & Accomodation fees · Communication fee	15 5 50 100 10
MAY-JUNE 2011	Compilation and submission of report v Last printing v Transport & accommodation fee	20 100
Total		435 USD

Thank you Sir/Madam for this great opportunity you offered to me in order to interact with you for this moment. I am Sam NOHELI, a student at Kabale University in the Republic of Uganda, i am completing a master degree in Project planning and management. My research topic is RISK MANAGEMENT IN EKJ&CIE.

Questions related to risk management plans, challenges and current trends of risk management plans.

5. How does the company deal with health and safety of employees as well as customers?

8. Does the institution have rules and regulations/Guidelines that all employees have to comply with?

14. Do you have anything else you might like to add, specifically related to the topic discussed on or anything else?

Appendix C: Sample questionnaire

Dear respondent, this questionnaire is for academic purpose only. It intends to guide the researcher about Risk management in ETs KAZOZA & Cie (EKJ&CIE). Your answers will remain strictly confidential and haven't any use with the company's administration. You are requested not to put your names and to respond correctly. Thank you.

Gender: Male Female
Age:............
Marital status: Single
Married
Divorced
Separated
Widow(er)

6.0 Have you ever meet any risk at work which could endanger your life at the work place? Yes No

12.0 Does the company has internal policies and procedures/Guidelines to be followed by all employees at work? Yes No I don't know

15.0 What could you advise the top management to improve in order to well manage risks?.................................................................................................................

NB: The interviewee wished not to mention his post and name that is why he was nicknamed Respondent₁ (R₁) in answers he gave below.

R₁: Thank you very much for the question; the company does not have written risk management plans but it organizes different trainings about risks in relation with types of works done by the company in financial management, electrical and in construction.

R₁: No, the company does not have a risk management officer until now but as it is continuing to grow, but surely we will have this post in the near future.

R₁: Ok, as it is called Risk plan, it means it helps the enterprise to identify earlier negative events which may kill the business and find out how these can be sorted out, any way that is my idea on risk management!

As i was saying, the benefits of having risk management plan are many including preventing financial losses, avoiding hazardous works, avoiding government penalties related to not paying taxes on time for instance, avoid money theft, employees retention etc.

R₁: thank you for such question; by the way risks are there and sometimes you can avoid them, on our concern, our company faces risks especially, high competition of similar companies which have updated technologies, high financial means to compete for bigger works, risk of theft of data, loss from delayed pays from clients, safety related risks for technicians who work in electricity domain who can be electro shocked while repairing wires, injuries due to high fall from building of technicians etc.

R₁: The company deals with health and safety by availing helmets to builders, gloves and appropriate shoes and aprons to staff working on building sites and repairing electrical wires and everybody has health insurance, i guess we have tried to comply with national policies on this issue and we do this so that our employees be in good working environment and we make sure they do not export they do not go with acquired experience elsewhere think it is another sort of motivation on their part too .

R₁: The Company's financials are controlled in the way that we have two accountants and there is internal auditing done each year.

R₁: Ah! As I said earlier, we do not have structured risk management plan probably because this issue seems to be new in traditional business and i think there are no many qualified people in this domain because actually they are not common. So on our part, we have no formal way to do that but we try to solve risks which seem to materialise soon (you know?) by sitting together especially managers and heads of technicians and try to sort it out before it harms our business but this is not regularly done i wish it would be.

Q8: Does the institution have rules and regulations/Guidelines that all employees have to comply with?

R₁: Yes, the company has internal rules and regulations that every employee must follow on while on duty and these are communicated each new employee.

R₁: Probably, because it has well built office and we have competent administration staff but, you never know as we are connected to the worldwide through internet, we are not totally secure technologically as even great state institutions in Europe and USA are exposed to theft by hackers.

R₁: Ok, there are not regular but we try our best such that each employee gets training on risks related to his work for instance: data protection for financial workers, engineering related accidents etc.

R₁: Yes, they wear protective equipments and we try to avail those with good quality even though they are expensive.

R₁: We are going to put emphasis on it as far as we get qualified people in that domain because we are realizing its importance in business, it will depend on decisions made by the management meeting but i am sure we are obliged to do so because as far as the world is pushing forward, business risks are also increasing and with high competition we have to identify all those risks so that we can seek adequate solutions which will enable us to push forward within all those difficulties.

Q14: Do you have anything else you might like to add, specifically related to the topic discussed on or anything else?

R₁: First of all i wish that the Private Sector Federation (PSF) sensitise and train enterprises on risk management, IT usage and more workshops in accountancy and administration and thank you for this moment we shared together.

NB: The interviewee is the administration manager and he was nicknamed Respondent₂ (R₂) in the interview below.

R₂): Oh not yet but it does not mean that Risks are not considered seriously in our business company, but as you know in business things do not grow in one day or one year, it takes time and money, we hire people to train our staff but we hope to hire a consultant for that if things positively go on.

R₂This staff did not exist before but i think he/she will be the one in charge of risk management plans once established.

R₂Oops, there are many ranging from the appropriate allocation of resources, good management of money, prevention of theft, staff injuries, why not deaths and so on.

R₂: Financial loss, desertion of qualified employees, injuries and death of technicians, equipment damage, business collapse etc.

R₂: We make sure every technician has equipment for protection, we train them how to protect against injuries and everyone has health insurance.

R₂: We get audited by external auditing firm, we have good account unit and we try to monitor our ins and outs using the information technology.

R₂: Normally, the company does not have a regular way of doing such things but when there is an obvious risk we are seeing in front, we as managers sit together and find out means with which we can prevent the occurrence.

Q8: Does the institution have rules and regulations/Guidelines that all employees have to comply with?

R₂: Not totally but we are not under high threat, we try by all means to keep the business as safe as possible.

R₂:well, we try our best so that an employee gets some knowledge of possible risks he/she may encounter in his/her daily work and sometimes we benefit it from the Private Sector Federation.

R₂: All we try is to keep the staff safe and healthy; we try our best and avail appropriate equipments to our technicians like plastic gloves, plastic boots, glasses and aprons.

R₂: Well, as means will be available, we shall hire a consultant to explain at large the role of risk management and within sometime i cannot precise; we will have a strong risk management system.

Q14: Do you have anything else you might like to add, specifically related to the topic discussed on or anything else?

Risk management in Etablissement Kazoza et Compagnie-Rwanda

DECLARATION

APPROVAL

Signature:.....................................

DEDICATION

ACKNOWLEDGEMENTS

TABLE OF CONTENTS

LIST OF TABLES

LIST OF FIGURES

LIST OF ABBREVIATIONS

ABSTRACT

CHAPTER ONE: BACKGROUND TO THE STUDY

1.1 Background to the study

1.2 Statement of the problem

1.4.2 Specific objectives of the study

1.7 Definitions of terms

CHAPTER TWO: LITERATURE REVIEW

2.0 Introduction

2.1 Overview of Risk Management

2.2 Risk management plan

2.2.1 Risk Identification

2.2.1.1 Objectives of Risk Identification

2.2.1.2 Risk Identification Process

2.2.2. Risk Quantification

2.2.2.1 Low Risk Events

2.2.2.2 Moderate Risk Events

2.2.2.3 High Risk Events

2.2.3 Risk Response

2.2.4 Risk Monitoring and Control

2.2.4.2 Inputs to risk monitoring and control

2.2.4.3 Dangers of uncontrolled risk

2.5.1 Creating risk awareness culture

2.6 Current trend of risk management

Liquidity Risk Overview

CHAPTER THREE: RESEARCH METHODOLOGY

3.1. Study area

3.2. Research design

3.3. Study population

3.4. Sample and Sample size

3.5. Research tools

3.6. Data analysis

3.7 Ethical considerations

CHAPTER FOUR: PRESENTATION OF RESEARCH FINDINGS AND ANALYSIS

3.0 Introduction

3.1 Section A: Quantitative Data

Chart 4.1.1 Distribution of Respondents by Gender

Chart 4.1.2 Distribution of Respondents by age

Chart 4.1.3 Distribtion of respondents by education

Chart 4.1.4 Distribution of respondents by marital status

Chart 4.1.5 Distribution of respondents by occupation

Chart 4.1.6 Job experience of Respondents

Chart 4.1.7 Training(S) on Risk Management

Chart 4.1.8 Types of risks likely to be encountered by respondents

Chart 4.1.9 Training on risk management

Chart 4.1.10 Response on whether respondents have met risks that could put life in danger

Chart 4.1.11 How risks were managed?

Chart 4.1.12 Need of protective equipment

Chart 4.1.13 Use of protective equipment

Figure 4.1.14 Status of personal protective equipment

Chart 4.1.15 Existence of Risk Management plans

Chart 4.1.16 Knowledge on whether the company has internal rules and regulations

Chart 4.1.17 Insurance among Respondents

4.2 Section B: Qualitative Data

CHAPTER FIVE: CONCLUSION, SUMMARY AND RECOMMENDATIONS

4.0 Introduction

4.1 Summary of the findings

5.1.1 Risk management plans

5.1.2 Challenges to risk management

5.1.3 Trends of risk management

5.2 Conclusion

APPENDICES

Appendix A. Budget

Appendix C: Sample questionnaire