14: Risk Management Flashcards
Define risk
The ability to quantify the chance of something happening, perhaps using past data as a guide
Define uncertainty
The inability to predict the outcome from an activity due to a lack of information
How can risk be categorised?
Downside risk (pure risk): the possibility that the outcome will be worse than expected, i.e. something will go wrong
Upside risk (speculative risk or opportunity): the possibility that something could go better than expected, i.e. a best case scenario
What is risk management
The process of identifying and assessing risks and the development, implementation and monitoring of a strategy to respond to those risks.
What are considerations for risk management?
- Profit potential vs risk
- Stakeholders each have their own appetite for risk
- risk must be balanced against all factors, as seen in corporate governance rules
What is the risk management process?
1. Establish risk management group and set goals
2. Identify risk areas
3. Understand and assess scale of risk
4. Develop risk response strategy
5. Implement strategy and allocate resources
6. Implementation and monitoring of controls
7. Review and refine process, and repeat
What is a risk register?
Recordings of risks, mitigations in place and planned responses.
Recordings include:
- description
- nature
- parties affected
- likelihood/impact
- tolerance/appetite
- treatment/control
- potential action
What are the four ways of expressing risk appetite
Defenders - prefer low risk, secure markets, tested solutions
Prospectors - prefer results, entrepreneurial and pro-active (happy to take risks)
Analysers - enjoy a core of stable products and markets as a source of earnings. Consider moving to new market, follow change but not initiate.
Reactors - no consistently defined strategy but somehow muddle through, oblivious to risk
What are some influences on risk appetite
Expectations of shareholders
Organisational attitudes
Regulatory framework
Nature of ownership
When identifying risks what should we consider?
- broad theories of internal/external environment and changes in them e.g. PESTEL/Porter's Five Forces
- activities and process of org
- culture within org
- potential for unexpected outside events
How can entity risks be classified/categorised? 5
Strategic risk - long term objectives, potential variability of returns as a result of strategy.
Operational risk - issues from day to day activities
Hazard risk - exposure to natural events, actions of employees, disastrous events
Financial risk - gearing, exposure to credit, liquidity, interest/exchange rates etc
Compliance risk - potential that org fails to comply with laws or regulations
Risk analysis matrix
P156 book
Trade off between frequency/likelihood and impact/severity
Loss of staff
Loss of Customers
based on their level
Risk evaluation and addressing risk matrix
Same axis
Based on actions you take e.g. control, abandon, retain/accept, transfer
How can risk be transferred
Insurance
Financial hedging
Pass risk up or down the supply chain
Seeking a joint venture to share risk
How can risk be reduced
Prevent
Detect
Correct
Direct
What ways can an organisation monitor risk?
Regular review of projects against specific costs and completion milestones to see if they are on track or not.
Systems of notification and reporting of incidents (e.g. accidents at work, near misses of aircraft).
Employing an internal audit function (e.g. financial, systems security, compliance with health and safety).
Employment of compliance monitoring staff.
Ongoing skills assessment and medical examinations of staff and managers to assure competence and fitness to work.
Practices and drills to confirm readiness (e.g. fire drills, evacuations, disruption to operations).
Use of embedded IT ‘intelligent agents’ to monitor risks (e.g. bad debts, unusual costs or revenue entries, attempts to access restricted files).
Intelligence gathering on occurrences elsewhere (e.g. experiences of frauds, equipment failures, outcomes of legal cases).
Monitoring of the regulatory framework of the industry to ensure compliance.
What is essential for effective risk communication?
- Everyone in risk management process is familiar with importance, risk priorities and their role
- Org shares what it has learnt (identified risks) with other departments. Also with other orgs to avoid disruption
- all levels of management regularly updated
What needs to be reported on risk management
Board as a minimum should disclose the existence of a process for managing risks, how the board reviewed the process and that the process accords with the Turnbull guidance.
Should also include:
An acknowledgement that board is responsible for system of IC, that system is designed to manage risk not eliminate and a summary of process.
What are consequences of risk management failure?
Failure to manage risk may result in the following consequences:
Litigation from persons affected by an activity of the organisation and/or its staff
Fines from regulatory bodies
Loss of assets due to theft or damage
Costs of rectification of errors
Revenues lost due to breakdowns
Loss of reputation
Loss of faith in management
What is business continuity planning
Process in which a business details how and when it will recover and restore operations interrupted by a rare, but massive, risk event
Give examples of crisis management and disaster recovery plans
- securing interim management and staff
- replacement of lost inventory
- restoration of IT systems and data
- Management of PR issues