Chapter 2 - Managing Risks Flashcards
Role of directors in implementing strategy in a risk approach
- Responsibility for determining risk management strategy and monitoring risk and internal controls
- Considers:
* Control environment = Management approach to risk, attitudes and culture, philosophy and org structure
* Internal control procedures = Policies and procedures established to achieve specific objectives
Role of risk committee in implementing strategy in a risk approach
- Set up by the board if board does not wish to take responsibility for risk management
1. Ensure system exists
2. Set risk policy
3. Assess risks
4. Review internal audit work
5. Review risk register
6. Advise board
- If there is no risk committee, the audit committee may take responsibility for risk management instead
Role of risk manager (chief risk officer) in implementing strategy in a risk approach
- Supports board’s risk responsibilities and combines technical skills in managing risks with leadership and persuasive skills
1. Leadership of enterprise risk management
2. Establishing and promoting enterprise risk management
3. Developing common risk management policies
4. Establishing a common risk language
5. Dealing with insurance companies
6. Implementing risk indicators
7. Allocation of resources based on risk
8. Reporting to the CEO/board/risk committee as appropriate
UK corporate governance code comprises:
- Description of work of audit committee
- Explanation of board's responsibilities
- Confirmation that board has assessed company's emerging and principal risks, description of these risks and how they were identified and managed
- How board reviewed effectiveness of risk management and internal control systems
- Assessment of company's going concern status and whether material uncertainties exist
- Explanation of company's prospects
Sarbanes-Oxley Act requires companies to:
- Report on entity’s internal controls, assessment of their effectiveness
- Need to be independently verified
Limitations on risk disclosures:
- Board may be less willing to disclose info due to commercial confidentiality
- Directors may also fear that disclosures about certain risks will be misinterpreted
- Directors may be motivated to include matters included in reports of competitors or those identified as best practice to demonstrate how they are managing the risks
- Risks may also materialise or change over the year – have control systems been developed to meet changes
- Reputation risks – disclosures may focus on threats to reputation that may have large impact on business (particularly product safety)
What is risk appetite?
- Org’s willingness to accept risk in pursuit of value
* Range org chooses to actively pursue
What is risk universe?
All possible performance outcomes that org will experience from its current strategy
What is risk tolerance?
- Range of tolerable risks within extremes of risk universe
* Measure of what org does not wish to go beyond
What is risk capacity?
Collection of tangible and intangible assets at an org’s disposal that allows it to take risks and absorb losses
Attitudes toward risk:
- Risk aversion:
* Focuses on risk level
* Orgs are willing to tolerate risk up to a point provided they receive acceptable return or risk is two-way or symmetrical (both positive and negative outcomes)
- Risk seeking:
* Focuses on return level
* Activity should be undertaken if it results in higher returns
How can we identify conditions that lead to risk?
- Physical inspection
- Enquiries (e.g. about extent of product quality controls)
- Monitoring changes in legislation/regulation
- Checking a copy of every letter + memo issued for early indication of major changes and new projects
- Brainstorming with representatives of different departments
- Checklists ensuring risk areas are not missed
- Benchmarking internally and externally
- Human reliability analysis
TARA Model:
Low frequency, High severity = Transfer
Low frequency, Low severity = Accept
High frequency, Low severity = Control/reduce
High frequency, High severity = Avoid/abandon
Risk Transfer:
- Insure risk or implement contingency plans.
- Risks can be transferred to internal departments, suppliers, customers or insurers
- Reduction of severity of risk will minimise insurance premiums
Risk sharing = partly held by org, partly transferred to someone else (insurance policy)
Risk avoidance:
- Take immediate action
- Change major suppliers
- Abandon activities