Chapter 2 - Risk management Flashcards
Risk management definition
The process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives
Compare traditional view and new approach to risk management
The traditional view has been one of protecting the organisation from loss through conformance procedures and hedging techniques - this is about avoiding the downside risk
The new approach is about taking advantage of the opportunities to increase overall returns within a business - benefiting from the upside risk
What is ERM?
Enterprise Risk Management (ERM) is the term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations
List down key principles of ERM
- consideration of risk management in the context of business strategy
- risk management is everyone’s responsibility, with the tone set from the top
- the creation of a risk aware culture
- a comprehensive and holistic approach to risk management
- consideration of a broad range of risks (strategic, financial, operational and compliance)
- a focused risk management strategy, led by the board (embedding risk within an organisation’s culture)
The Committee of Sponsoring Organisations (COSO) ERM Framework is represented as a three dimensional matrix. List them down
- objectives
- components
- different organisational levels
List four objectives of COSO ERM
- strategic
- operations
- reporting
- compliance
List four organisational levels of COSO ERM
- subsidiary
- business unit
- division
- entity
List eight components of COSO ERM
- internal environment
- objective setting
- event identification
- risk assessment
- risk response
- control activities
- information and communication
- monitoring
List benefits of effective ERM
- enhanced decision-making by integrating risks
- the resultant improvement in investor confidence, and hence shareholder value
- focus of management attention on the most significant risks
- a common language of risk management which is understood throughout the organisation
- reduced costs of finance through effective management of risk
IFAC highlighted two aspects of risk management which link risk aversion and risk seeking activities. They are:
A Compliance and strategy
B Conformance and performance
C Compliance and conformance
D Performance and strategy
B Conformance and performance
The COSO outlined six key principles of ERM. Identify which of the following are included:
A Consideration of risk management in the context of business strategy
B The creation of a risk aware culture
C Consideration of a narrow range of risks, mainly financial
D Risk management is the responsibility of the Risk Committee
E A comprehensive and holistic approach to risk management
A, B, E
A risk management strategy needs to be developed to ensure that the risk exposures of the organisation are consistent with its risk appetite. At the very least, the risk management capability within the organisation should be sufficient to:
- review its internal control system, at least annually (and whether it is adequate)
- ensure that controls are properly implemented
- monitor the implementation and effectiveness of controls
Define risk appetite
Risk appetite can be defined as the amount of risk an organisation is willing to accept in pursuit of value. This may be explicit in strategies, policies and procedures, or it may be implicit.
What determines risk appetite?
It is determined by:
- risk capacity - the amount of risk that the organisation can bear and;
- risk attitude - the overall approach to risk in terms of the board being risk averse or risk seeking
What is residual risk?
Residual risk is the risk a business faces after its controls have been considered
List down risk appetite factors and explain each of them
- Nature of the product being manufactured - a high risk of product failure in certain products must be avoided due to the serious consequences of such an event. However, for other products, customers may not even notice the difference.
- The need to increase sales - The strategic need to move into a new market will result in the business accepting a higher degree of risk than trying to increase sales or market share in an existing market.
- The background of the board - some board members may accept increased risk personally and this may be reflected in the way they manage the company
- Amount of change in the market - Operating in a marketplace with significant change will mean that the board have to accept a higher degree of risk
- Reputation of the company - if the company has a good reputation then the board will accept less risk - as they will not want to lose that good reputation
The amount of risk an organisation is willing to accept in the pursuit of value is known as:
A Risk map
B Risk appetite
C Risk culture
D Risk thermostat
B
The Institute of Risk Management (IRM) developed a risk management process containing three elements. List them down and define
1) Risk assessment is composed of the analysis and evaluation of risk through the process of identification, description and estimation
2) Risk reporting is concerned with regular reports to the board and to stakeholders setting out the organisation’s policies in relation to risk and enabling the effective monitoring of those policies
3) Risk treatment (risk response) is the process of selecting and implementing measures to modify the risk.
Explain the risk identification process and who is responsible for it
The risk identification process will be controlled by a risk committee or risk management specialists. The risks identified in the process should be recorded in a risk register, which is simply a list of the risks that have been identified, and the measures (if any) that have been taken to control each of them.
List and explain risk register headings
- The risk title - stating what the risk might be
- The likelihood of the risk - possibly measured numerically if a scale has been set
- The impact of the risk should it arise.
- The risk owner's name will be given - usually a manager or director
- The date the risk was identified will be detailed
- The date the risk was last considered will be given
- Mitigation actions should be listed. i.e. what the company has done so far to reduce the risk. This might include training, insurance, further controls added to the system, etc
- An overall risk rating might be given
- Further actions to be taken in the future
- The action lead name will be detailed. i.e. who is responsible for making sure that these future actions are implemented
- A due date
- A risk level target might be given, i.e. a score lower than the overall risk rating given above. This might mean that by implementing a control, the risk rating is expected to fall from, say, 8 to 2.
Risk registers normally include which of the following: (Select all that apply)
A Risk level before controls are implemented
B Risk level after controls are implemented
C Responsibility for managing risks
D The total cost of a control being implemented
A, B and C. The total cost is usually not detailed.
List some risk identification methods
- PEST/SWOT analysis
- External advisors
- Interviews/Questionnaires
- Internal audit
- Brainstorming
Why is risk quantification needed and how can it be done?
It is important in understanding the extent and significance of the exposure. This can be done by measuring the impact of the risk factor on the total value of the company, or on any individual item such as cash flow or costs.
List some risk quantification techniques
- Expected values and standard deviation
- Volatility
- VaR
- Regression analysis
- Simulation analysis
Write Expected value formula
Probability x probable loss
When is the risk greater? If the standard deviation is bigger or smaller?
Bigger
How does VaR help investors?
Value at Risk (VaR) allows investors to assess the scale of the likely loss in their portfolio at a defined level of probability. It is becoming the most widely used measure of financial risk and is also enshrined in both financial and accounting regulations.
VaR is based on the assumption that investors care mainly about the probability of a large loss. The VaR of a portfolio is the maximum loss on the portfolio occurring within a given period of time with a given probability.
A bank has estimated that the expected value of its portfolio in two weeks’ time will be $50 million, with a standard deviation of $4.85 million.
Calculate and comment upon the VaR of the portfolio, assuming 95% confidence level.
At the 95% confidence level the value at risk is = 1.645 x 4.85 = $8 million (1.645 is the normal distribution value for one-tailed 5% probability level - this can be taken from normal distribution tables).
There is thus a 5% probability that the portfolio will fall to $42 million or below.
What is regression analysis and what is its drawback?
This can be used to measure a company's exposure to various risk factors at the same time. This is done by regressing changes in the company's cash flows against the risk factors (changes in interest rates, exchange rates, prices of key commodities such as oil). The regression coefficients indicate the sensitivity of the company's cash flow to these risk factors.
The drawback of this technique is that the analysis is based on historical data, which may no longer predict the company's future exposure.
What is simulation analysis?
This is used to evaluate the sensitivity of the value of the company, or its cash flows, to a variety of risk factors. These risk factors will be given various simulated values based on probability distributions, and the procedure is repeated a number of times to obtain the range of results that can be achieved.
What is the drawback(s) of the quantification of risk?
Once a risk has been quantified, there is a problem - whether anyone really knows what it means. Unless you are a trainee or qualified accountant, that is unlikely, hence risks are often left unquantified.
Explain risk mapping: who prepares the map, what it shows and how it is used
The board, the Risk Committee, the Audit Committee and senior management from various departments will all be involved in the preparation of the map.
The map identifies whether a risk will have a significant impact on the organisation and links that to the likelihood of the risk occurring. The approach can provide a framework for prioritising risks in the business. Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and a low likelihood of occurrence.
A well-structured risk map will highlight where there are gaps in assurance over significant risk areas. Also, duplicated or potentially burdensome assurance processes may be identified. Risks can be plotted on a diagram.
Give an example drawing of a risk map
Example for an audit firm:
- High impact, High probability: Loss of non-audit work from existing clients
- High impact, Low probability: Loss of audit clients within the next two years
- Low impact, High probability: New audit regulations for the profession
- Low impact, Low probability: Increase in salaries above the general rate of inflation
Management of risks involves actions to ensure that:
- exposure to severe risks is minimised
- unnecessary risks are avoided
- appropriate measures of control are taken
- the balance between risk and return is appropriate
Risk management methods and their explanation
- Avoid risk - a company may decide that some activities are so risky that they should be avoided. This will always work but it is impossible to apply to all risks in commercial organisations as risks have to be taken to make profits.
- Transfer risk - in some circumstances, risk can be transferred wholly or in part to a third party. A common example of this is insurance. It does reduce/eliminate risks but premiums have to be paid.
- Pool risks - risks from many different transactions can be pooled together: each individual transaction/item has its potential upside and its downside. The risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually. For example, it is common in large group structures for financial risk to be managed centrally.
- Diversification - is a similar concept to pooling but usually relates to different industries or countries. The idea is that the risk in one area can be reduced by investing in another area where the risks are different or ideally opposite. A correlation coefficient with a value close to -1 is essential if risk is to be nullified.
Explain spreading the risk by portfolio management.
- Backward integration - refers to development concerned with the inputs into the organisation, e.g. raw materials, machinery and labour.
- Forward integration - refers to the development into activities that are concerned with the organisation’s outputs such as distribution, transport, servicing and repairs.
- Horizontal integration - refers to the development into activities that compete with, or directly complement, an organisation’s present activities. An example of this is a travel agent selling other related products such as travel insurance and currency exchange services.
What is unrelated diversification?
This is development beyond the present industry into products and/or markets that may bear no clear relationship to their present portfolio. Where appropriate an organisation may want to enter into a completely different market to spread its risk.
List and explain problems with diversification
- If diversification reduces risk, why are there relatively few conglomerate industrial and commercial groups with a broad spread of business in their portfolio?
- Many businesses compete by specialising, and they compete successfully in those areas where they excel.
- Therefore, it is difficult for companies to excel in a wide range of diversified businesses. There is a possible risk that by diversifying too much, an organisation might become much more difficult to manage. Risks could therefore increase with diversification, due to loss of efficiency and problems of management.
- Many organisations diversify their operations, both in order to grow and to reduce risks, but they do so into related areas such as similar industries or the same industry but in different parts of the world.
- Relatively little advantage accrues to the shareholders from diversification. There is nothing to prevent investors from diversifying for themselves by holding a portfolio of stocks and shares from different industries and in different parts of the world.
What is the TARA mnemonic?
It is a mnemonic for the four risk management methods, each matched to a quadrant of the risk map:
- Transfer (High impact, low prob)
- Avoid (High and High)
- Reduce (High prob and low impact)
- Accept (Low and Low)
Is risk reporting significant? What should it include?
Risk reporting now forms part of UK annual reports and is an important disclosure requirement. Managers of a business and external shareholders will require information regarding the risks facing the business. A risk reporting system would include:
- A systematic review of the risk forecast (at least annually).
- A review of the risk strategy and responses to significant risks.
- A monitoring and feedback loop on actions taken and assessments of significant risks.
- A system indicating material change to business circumstances, to provide ‘early warning’.
- The incorporation of audit work as part of the monitoring and information gathering process.
Risk reports should show gross and net risk. Explain
The gross risk is an assessment of the risk before the application of any controls, transfer or management responses.
The net risk (or residual risk) is an assessment of the risk taking into account the controls, transfer and management responses, i.e. after any controls have been implemented.
Showing both facilitates a review of the effectiveness of the risk responses.
What does a company need to do if the residual risk is too great?
- not expose itself to the risk situation, or
- put in place better controls over the risk
The amount of residual risk a company can bear is ultimately a management decision. It is possible to measure that residual risk, possibly as a proportion of profit, capital or turnover, in order to help management make that judgement.
Explain risk management roles and responsibilities
- Board of directors (BoD) - ultimately responsible for risk management; defines the risk appetite for the organisation
- Audit committee - board committee with responsibilities for reviewing internal control systems and working with internal and external auditors
- Possibly a risk committee - board committee with direct responsibility for risk management
- Risk management group, led by the risk manager - a group of senior and middle management with operational responsibility for carrying out the risk management process; reports to the board via the audit or risk committee; identifies risks; monitors the effectiveness of the overall process and makes recommendations for improvement
- Internal audit - involved in the review of internal controls. Support management in the risk management process.
What are the main aims of the risk (management) committee?
- Raising risk awareness and ensuring appropriate risk management within the organisation
- Establishing policies for risk management
- Ensuring that adequate and efficient processes are in place to identify, report and monitor risks.
- Updating the company’s risk profile, reporting to the board and making recommendations on the risk appetite of the company.
What are the typical activities carried out by a risk manager?
- provision of overall leadership for risk management team
- identification and evaluation of the risks affecting an organisation from that organisation’s business, operations and policies
- implementation of risk mitigation strategies including appropriate internal controls to manage identified risks
- seeking opportunities to improve risk management methodologies and practices within the organisation
- monitoring the status of risk mitigation strategies and internal audits, and ensuring that all recommendations are acted upon
- developing, implementing and managing risk management programmes and initiatives, including the establishment of risk management awareness programmes within the organisation
- maintaining good working relationships with the board and the risk management committee
- ensuring compliance with any laws and regulations affecting the business
- implementing a set of risk indicators and reports, including losses, incidents, key risk exposures and early warning indicators
- liaising with insurance companies, particularly with regards to claims, conditions and cover available
- depending on specific laws of the jurisdiction in which the organisation is based, working with the external auditors to provide assurance and assistance in their work in appraising risks and controls within the organisation
- again, depending on the jurisdiction, producing reports on risk management, including any statutory reports