14: Risk Management Flashcards

1
Q

Define risk

A

The ability to quantify the chance of something happening, perhaps using past data as a guide

2
Q

Define uncertainty

A

The inability to predict the outcome from an activity due to a lack of information

3
Q

How can risk be categorised

A

Downside risk (pure risk): the possibility that the outcome will be worse than expected, i.e. something will go wrong

Upside risk (speculative risk or opportunity): the possibility that something could go better than expected, i.e. a best case scenario

4
Q

What is risk management

A

The process of identifying and assessing risks and the development, implementation and monitoring of a strategy to respond to those risks.

5
Q

What are considerations for risk management?

A
  • Profit potential vs risk
  • stakeholders each have own appetite for risk
  • risk must be balanced against all factors, as seen in corporate governance rules
6
Q

What is the risk management process?

A

1. Establish risk management group and set goals
2. Identify risk areas
3. Understand and assess scale of risk
4. Develop risk response strategy
5. Implement strategy and allocate resources
6. Implementation and monitoring of controls
7. Review and refine process, and repeat

7
Q

What is a risk register?

A

Recordings of risk, mitigations in place and planned responses.

Recording includes:
- description
- nature
- parties affected
- likelihood/impact
- tolerance/appetite
- treatment/control
- potential action

8
Q

What are the four ways of expressing risk appetite

A

Defenders - prefer low risk, secure markets, tested solutions

Prospectors - prefer results, entrepreneurial and pro-active (happy to take risks)

Analysers - enjoy a core of stable products and markets as a source of earnings. Consider moving to new market, follow change but not initiate.

Reactors - no consistently defined strategy but somehow muddle through, oblivious to risk

9
Q

What are some influences on risk appetite

A

Expectations of shareholders
Organisational attitudes
Regulatory framework
Nature of ownership

10
Q

When identifying risks what should we consider?

A
  • broad theories of internal/external environment and changes in them e.g. PESTEL/Porter's Five Forces
  • activities and process of org
  • culture within org
  • potential for unexpected outside events
11
Q

How can entity risks be classified/categorised? (5)

A

Strategic risk - long term objectives, potential variability of returns as a result of strategy.

Operational risk - issues from day to day activities

Hazard risk - exposure to natural events, actions of employees, disastrous events

Financial risk - gearing, exposure to credit, liquidity, interest/exchange rates etc

Compliance risk - potential that org fails to comply with laws or regulations

12
Q

Risk analysis matrix

A

P156 book

Trade off between frequency/likelihood and impact/severity

Loss of staff
Loss of Customers

based on their level

13
Q

Risk evaluation and addressing risk matrix

A

Same axis

Based on actions you take e.g. control, abandon, retain/accept, transfer

14
Q

How can risk be transferred

A

Insurance
Financial hedging
Pass risk up or down supply chain
Seeking a joint venture to share risk

15
Q

How can risk be reduced

A

Prevent
Detect
Correct
Direct

16
Q

What ways can organisation monitor risk

A

  • Regular review of projects against specific costs and completion milestones to see if they are on track or not.
  • Systems of notification and reporting of incidents (e.g. accidents at work, near misses of aircraft).
  • Employing an internal audit function (e.g. financial, systems security, compliance with health and safety).
  • Employment of compliance monitoring staff.
  • Ongoing skills assessment and medical examinations of staff and managers to assure competence and fitness to work.
  • Practices and drills to confirm readiness (e.g. fire drills, evacuations, disruption to operations).
  • Use of embedded IT ‘intelligent agents’ to monitor risks (e.g. bad debts, unusual costs or revenue entries, attempts to access restricted files).
  • Intelligence gathering on occurrences elsewhere (e.g. experiences of frauds, equipment failures, outcomes of legal cases).
  • Monitoring of the regulatory framework of the industry to ensure compliance

17
Q

What is essential for effective risk communication?

A
  • Everyone in risk management process is familiar with importance, risk priorities and their role
  • Org shares what it has learnt (identified risks) with other departments. Also with other orgs to avoid disruption
  • all levels of management regularly updated
18
Q

What needs to be reported on risk management

A

Board as a minimum should disclose the existence of a process for managing risks, how the board reviewed the process and that the process accords with the Turnbull guidance.

Should also include:
An acknowledgement that board is responsible for system of IC, that system is designed to manage risk not eliminate and a summary of process.

19
Q

What are consequences of risk management failure?

A

Failure to manage risk may result in the following consequences:

Litigation from persons affected by an activity of the organisation and/or its staff
Fines from regulatory bodies
Loss of assets due to theft or damage
Costs of rectification of errors
Revenues lost due to breakdowns
Loss of reputation
Loss of faith in management

20
Q

What is business continuity planning

A

Process in which a business details how and when it will recover and restore operations interrupted by a rare, but massive, risk event

21
Q

Give examples of crisis management and disaster recovery plans

A
  • securing interim management and staff
  • replacement of lost inventory
  • restoration of IT systems and data
  • Management of PR issues