Chapter 2 - Managing Risks Flashcards
Role of directors in implementing strategy in a risk approach
- Responsibility for determining risk management strategy and monitoring risk and internal controls
- Considers:
* Control environment = Management approach to risk, attitudes and culture, philosophy and org structure
* Internal control procedures = Policies and procedures established to achieve specific objectives
Role of risk committee in implementing strategy in a risk approach
- Set up by the board if board does not wish to take responsibility for risk management
1. Ensure system exists
2. Set risk policy
3. Assess risks
4. Review internal audit work
5. Review risk register
6. Advise board
- If there is no risk committee, the audit committee may take responsibility for risk management instead
Role of risk manager (chief risk officer) in implementing strategy in a risk approach
- Supports board’s risk responsibilities and combines technical skills in managing risks with leadership and persuasive skills
1. Leadership of enterprise risk management
2. Establishing and promoting enterprise risk management
3. Developing common risk management policies
4. Establishing a common risk language
5. Dealing with insurance companies
6. Implementing risk indicators
7. Allocation of resources based on risk
8. Reporting to the CEO/board/risk committee as appropriate
UK Corporate Governance Code disclosures comprise:
- Description of the work of the audit committee
- Explanation of the board's responsibilities
- Confirmation that the board has assessed the company's emerging and principal risks, a description of these risks and how they were identified and managed
- How the board reviewed the effectiveness of risk management and internal control systems
- Assessment of the company's going concern status and whether material uncertainties exist
- Explanation of the company's prospects
Sarbanes-Oxley Act requires companies to:
- Report on the entity's internal controls and assess their effectiveness
- Have that assessment independently verified
Limitations on risk disclosures:
- Board may be less willing to disclose info due to commercial confidentiality
- Directors may also fear that disclosures about certain risks will be misinterpreted
- Directors may be motivated to include matters included in reports of competitors or those identified as best practice to demonstrate how they are managing the risks
- Risks may also materialise or change over the year – have control systems been developed to meet changes
- Reputation risks – disclosures may focus on threats to reputation that may have large impact on business (particularly product safety)
What is risk appetite?
- Org’s willingness to accept risk in pursuit of value
* Range org chooses to actively pursue
What is risk universe?
All possible performance outcomes that org will experience from its current strategy
What is risk tolerance?
- Range of tolerable risks within extremes of risk universe
* Measure of what org does not wish to go beyond
What is risk capacity?
Collection of tangible and intangible assets at an org’s disposal that allows it to take risks and absorb losses
Attitudes toward risk:
- Risk aversion:
* Focuses on risk level
* Orgs are willing to tolerate risk up to a point provided they receive an acceptable return or the risk is two-way or symmetrical (both positive and negative outcomes)
- Risk seeking:
* Focuses on return level
* Activity should be undertaken if it results in higher returns
How can we identify conditions that lead to risk?
- Physical inspection
- Enquiries (e.g. about extent of product quality controls)
- Monitoring changes in legislation/ regulation
- Checking a copy of every letter + memo issued for early indication of major changes and new projects
- Brainstorming with representatives of different departments
- Checklists ensuring risk areas are not missed
- Benchmarking internally and externally
- Human reliability analysis
TARA Model:
Low frequency, High severity = Transfer
Low frequency, Low severity = Accept
High frequency, Low severity = Control/ reduce
High frequency, High severity = Avoid/ abandon
Risk Transfer:
- Insure risk or implement contingency plans.
- Risks can be transferred to internal departments, suppliers, customers or insurers
- Reduction of severity of risk will minimise insurance premiums
Risk sharing = partly held by org, partly transferred to someone else (insurance policy)
Risk avoidance:
- Take immediate action
- Change major suppliers
- Abandon activities
Risk reduction:
- Take some action
- Risks cannot be avoided altogether, simply reduced to acceptable level
- Enhanced control systems to detect problems
- Contingency plans to reduce impact
- Risk mitigation through risk diversification + hedging
Other risk reduction strategies:
- Contingency planning:
* Information = gathered in advance
* Responsibilities = what is to be done and by whom
* Practice = simulations as realistic as possible and taken seriously by all involved, and results should be monitored
- Loss control:
* Physical devices = sprinklers, fire extinguishers
* Psychological factors = awareness + commitment
- Procedural approach:
* Rules + regulations = statute & corporate governance guidance
* Codes = professional + ethical codes
* Detailed authorisation or operating procedures
- Risk pooling + diversification:
* Use portfolio theory to reduce overall risk levels
* Geographical diversification across countries at different stages in trade cycle
* Diversifying product base at different stages of product life cycle
* Expand portfolio of business activities by taking over businesses operating at other stages of supply chain
COSO Enterprise Risk Management Framework
- COSO believes that it is important to consider risk as part of strategy setting
- Governance & culture
- Strategy & objective setting
- Performance
- Review & revision
- Info, communication and reporting
What is the aim of ISO 31000 Risk Management?
- Aims to create and protect value
ISO 31000 - Risk Management Policies:
Design: (PACED)
* Proportionate to the level of risk faced
* Aligned with all other activities
* Comprehensive
* Embedded within the org
* Dynamic and responsive to emerging trends
Operation:
* Limitations in available info actively considered
* Influence of human and cultural factors
* Continual improvement through learning and experience
ISO 31000 - Risk Management Framework:
- Guidance on how to implement the principles
- Guidance on allocating roles, responsibilities and resources
- Guidance on establishing the org’s commitment to risk management
- The framework requires = design, implementation, evaluation and improvement
ISO 31000 - Risk Management Process:
- Process may have to be repeated to achieve org’s objectives as some risks may not stay managed
- Start of process = org's scope, context and criteria for factors such as culture, attitudes, skills and objectives
- Process continues by assessing risks (identification, analysis + evaluation)
- Concludes with risk treatment
- Process supporting activities = communication and consultation, monitoring + review, recording and reporting
Three lines of defence:
- First line of defence:
* Management controls
* Internal control measures
- Second line of defence:
* Financial control, Security, Risk management
* Quality, Inspection, Compliance
- The first and second lines of defence are under the control + direction of senior management
- Third line of defence:
* Internal audit
* The third line of defence is outside scope of management – reports primarily to the board
What is the risk register and what is its function?
- Lists + prioritises the main risks, a monetary value should be allocated to each risk and interdependencies with other risks noted
- Also details who is responsible for dealing with risks and the actions taken
- Risk register is used for risk reporting and in allocating responsibility for managing, monitoring and reporting
- Reports should show risk levels before controls are implemented and residual risk after controls are taken into account
- Need to include comparisons of actual risks against predicted risks and feedback on action taken
Internal risk reporting:
- Covers all stages of the risk management system
- Needs to be carried out on a systematic, regular basis
- Reporting of high impact/high likelihood risks may occur daily
- Needs to ensure that significant changes in the risk profile are notified quickly to senior management
- Reporting system should indicate significant changes in business environment
Evaluating dilemmas in a question:
- Identify key facts
- Identify relevant ethical issues and fundamental principles
- Consider alternatives and their consequences
- Make a recommendation
- Justify recommendation
- Public interest = collective well-being of the community an accountant serves
- Social (people) and environmental (planet) issues are affected by risk management
- Whistleblowing = raising concerns over alleged bribery and corruption within an org
- Need to consider all stakeholders in any dilemma faced