Chapter 2 - Risk management Flashcards

1
Q

Risk management definition

A

The process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives

2
Q

Compare traditional view and new approach to risk management

A

The traditional view has been one of protecting the organisation from loss through conformance procedures and hedging techniques - this is about avoiding the downside risk

The new approach is about taking advantage of the opportunities to increase overall returns within a business - benefiting from the upside risk

3
Q

What is ERM?

A

Enterprise Risk Management (ERM) is the term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations

4
Q

List down key principles of ERM

A
  • consideration of risk management in the context of business strategy
  • risk management is everyone’s responsibility, with the tone set from the top
  • the creation of a risk aware culture
  • a comprehensive and holistic approach to risk management
  • consideration of broad range of risks (strategic, financial, operational and compliance)
  • a focused risk management strategy, led by the board (embedding risk within an organisation’s culture)
5
Q

The Committee of Sponsoring Organisations (COSO) ERM Framework is represented as a three dimensional matrix. List them down

A
  • objectives
  • components
  • different organisational levels
6
Q

List four objectives of COSO ERM

A
  • strategic
  • operations
  • reporting
  • compliance
7
Q

List four organisational levels of COSO ERM

A
  • subsidiary
  • business unit
  • division
  • entity
8
Q

List eight components of COSO ERM

A
  • Internal Environment
  • objective setting
  • event identification
  • risk assessment
  • risk response
  • control activities
  • information and communication
  • monitoring
9
Q

List benefits of effective ERM

A
  • enhanced decision-making by integrating risks
  • the resultant improvement in investor confidence, and hence shareholder value
  • focus of management attention on the most significant risks
  • a common language of risk management which is understood throughout the organisation
  • reduced costs of finance through effective management of risk
10
Q

IFAC highlighted two aspects of risk management which link risk aversion and risk seeking activities. They are:

A Compliance and strategy
B Conformance and performance
C Compliance and conformance
D Performance and strategy

A

B Conformance and performance

11
Q

The COSO outlined six key principles of ERM. Identify which are/is included:

A Consideration of risk management in the context of business strategy
B The creation of a risk aware culture
C Consideration of a narrow range of risks, mainly financial
D Risk management is the responsibility of the Risk Committee
E A comprehensive and holistic approach to risk management

A

A, B, E

12
Q

A risk management strategy needs to be developed to ensure that the risk exposures of the organisation are consistent with its risk appetite. At the very least, the risk management capability within the organisation should be sufficient to:

A
  • review its internal control system, at least annually (and whether it is adequate)
  • ensure that controls are properly implemented
  • monitor the implementation and effectiveness of controls
13
Q

Define risk appetite

A

Risk appetite can be defined as the amount of risk an organisation is willing to accept in pursuit of value. This may be explicit in strategies, policies and procedures, or it may be implicit.

14
Q

What determines risk appetite

A

It is determined by:

  • risk capacity - the amount of risk that the organisation can bear; and
  • risk attitude - the overall approach to risk, in terms of the board being risk averse or risk seeking
15
Q

What is residual risk

A

Residual risk is the risk a business faces after its controls have been considered

16
Q

List down risk appetite factors and explain each of them

A
  • Nature of product being manufactured. A high risk of product failure in certain products must be avoided due to serious consequences of such an event. However, for other products, customers may not even notice the difference.
  • The need to increase sales - The strategic need to move into a new market will result in the business accepting a higher degree of risk than trying to increase sales or market share in an existing market.
  • The background of the board - some board members may accept increased risk personally and this may be reflected in the way they manage the company
  • Amount of change in the market - Operating in a marketplace with significant change will mean that the board have to accept a higher degree of risk
  • Reputation of the company - if the company has a good reputation then the board will accept less risk - as they will not want to lose that good reputation
17
Q

The amount of risk an organisation is willing to accept in the pursuit of value is known as:

A Risk map
B Risk appetite
C Risk culture
D Risk thermostat

A

B

18
Q

The Institute of Risk Management (IRM) developed a risk management process containing three elements. List them down and define

A

1) Risk assessment is composed of the analysis and evaluation of risk through the process of identification, description and estimation
2) Risk reporting is concerned with regular reports to the board and to stakeholders setting out the organisation’s policies in relation to risk and enabling the effective monitoring of those policies
3) Risk treatment (risk response) is the process of selecting and implementing measures to modify the risk.

19
Q

Explain the risk identification process and who is responsible for it

A

The risk identification process will be controlled by a risk committee or risk management specialists. The risks identified in the process should be recorded in a risk register, which is simply a list of the risks that have been identified, and the measures (if any) that have been taken to control each of them.

20
Q

List and explain risk register headings

A
  1. The risk title - stating what the risk might be
  2. The likelihood of the risk - possibly measured numerically if a scale has been set
  3. The impact of the risk should it arise.
  4. The risk owner's name will be given - usually a manager or director
  5. The date the risk was identified will be detailed
  6. The date the risk was last considered will be given
  7. Mitigation actions should be listed. i.e. what the company has done so far to reduce the risk. This might include training, insurance, further controls added to the system, etc
  8. An overall risk rating might be given
  9. Further actions to be taken in the future
  10. The action lead name will be detailed. i.e. who is responsible for making sure that these future actions are implemented
  11. A due date
  12. A risk level target might be given, i.e. a score lower than that given in step 8. This might mean that by implementing a control, the risk rating is expected to fall from, say, 8 to 2.
21
Q

Risk registers normally include which of the following: (Select all that apply)

A Risk level before controls are implemented
B Risk level after controls are implemented
C Responsibility for managing risks
D The total cost of a control being implemented

A

A, B and C. The total cost is usually not detailed.

22
Q

List some risk identification methods

A
  1. PEST/SWOT analysis
  2. External advisors
  3. Interviews/Questionnaires
  4. Internal audit
  5. Brainstorming
23
Q

Why is risk quantification needed, and how can it be done?

A

It is important in understanding the extent and significance of the exposure. This can be done by measuring the impact of the risk factor on the total value of the company, or on any individual item such as cash flow or costs.

24
Q

List some risk quantification techniques

A
  1. Expected values and standard deviation
  2. Volatility
  3. VaR
  4. Regression analysis
  5. Simulation analysis
25
Q

Write Expected value formula

A

Probability x probable loss

26
Q

When is the risk greater? If the standard deviation is bigger or smaller?

A

Bigger

27
Q

How does VaR help investors?

A

Value at Risk (VaR) allows investors to assess the scale of the likely loss in their portfolio at a defined level of probability. It is becoming the most widely used measure of financial risk and is also enshrined in both financial and accounting regulations.

VaR is based on the assumption that investors care mainly about the probability of a large loss. The VaR of a portfolio is the maximum loss on the portfolio occurring within a given period of time with a given probability.

28
Q

A bank has estimated that the expected value of its portfolio in two weeks’ time will be $50 million, with a standard deviation of $4.85 million.

Calculate and comment upon the VaR of the portfolio, assuming 95% confidence level.

A

At the 95% confidence level the value at risk is = 1.645 x 4.85 = $8 million (1.645 is the normal distribution value for one-tailed 5% probability level - this can be taken from normal distribution tables).

There is thus a 5% probability that the portfolio will fall to $42 million or below.

29
Q

What is regression analysis and its drawback

A

This can be used to measure a company's exposure to various risk factors at the same time. This is done by regressing changes in the company's cash flows against the risk factors (changes in interest rates, exchange rates, prices of key commodities such as oil). The regression coefficients will indicate the sensitivity of the company's cash flow to these risk factors.

The drawback with this technique is that the analysis is based on historical factors, which may no longer be predictors of the company's future.

30
Q

What is simulation analysis?

A

This is used to evaluate the sensitivity of the value of the company, or its cash flows, to a variety of risk factors. These risk factors will be given various simulated values based on probability distributions, and the procedure is repeated a number of times to obtain the range of results that can be achieved.

31
Q

What is the drawback(s) of the quantification of risk?

A

Once a risk has been quantified, there is a problem - whether anyone really knows what it means. Unless you are a trainee or qualified accountant, that is unlikely, hence risks are often left unquantified.

32
Q

Explain the steps in risk mapping, who creates the map, what the quadrants of the map are, etc.

A

The board, the Risk Committee, the Audit Committee and senior management from various departments will all be involved in the preparation of the map.

The map identifies whether a risk will have a significant impact on the organisation and links that to the likelihood of the risk occurring. The approach can provide a framework for prioritising risks in the business. Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.

A well-structured risk map will highlight where there are gaps in assurance over significant risk areas. Also, duplicated or potentially burdensome assurance processes may be identified. Risks can be plotted on a diagram.

33
Q

Give an example drawing of a risk map

A

Example for an audit firm:

  1. High impact, High probability: Loss of non-audit work from existing clients
  2. High impact, Low probability: Loss of audit clients within the next two years
  3. Low impact, High probability: New audit regulations for the profession
  4. Low impact, Low probability: Increase in salaries above the general rate of inflation
34
Q

Management of risks involves actions to ensure that:

A
  • exposure to severe risks is minimised
  • unnecessary risks are avoided
  • appropriate measures of control are taken
  • the balance between risk and return is appropriate
35
Q

Risk management methods and their explanation

A
  1. Avoid risk - a company may decide that some activities are so risky that they should be avoided. This will always work but it is impossible to apply to all risks in commercial organisations as risks have to be taken to make profits.
  2. Transfer risk - in some circumstances, risk can be transferred wholly or in part to a third party. A common example of this is insurance. It does reduce/eliminate risks but premiums have to be paid.
  3. Pool risks - risks from many different transactions can be pooled together: each individual transaction/item has its potential upside and its downside. The risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually. For example, it is common in large group structures for financial risk to be managed centrally.
  4. Diversification - is a similar concept to pooling but usually relates to different industries or countries. The idea is that the risk in one area can be reduced by investing in another area where the risks are different or ideally opposite. A correlation coefficient with a value close to -1 is essential if risk is to be nullified.
36
Q

Explain spreading the risk by portfolio management.

A
  • Backward integration - refers to development concerned with the inputs into the organisation, e.g. raw materials, machinery and labour.
  • Forward integration - refers to the development into activities that are concerned with the organisation’s outputs such as distribution, transport, servicing and repairs.
  • Horizontal integration - refers to the development into activities that compete with, or directly complement, an organisation’s present activities. An example of this is a travel agent selling other related products such as travel insurance and currency exchange services.
37
Q

What is unrelated diversification?

A

This is development beyond the present industry into products and/or markets that may bear no clear relationship to their present portfolio. Where appropriate an organisation may want to enter into a completely different market to spread its risk.

38
Q

List and explain problems with diversification

A
  • If diversification reduces risk, why are there relatively few conglomerate industrial and commercial groups with a broad spread of business in their portfolio?
  • Many businesses compete by specialising, and they compete successfully in those areas where they excel.
  • Therefore, it is difficult for companies to excel in a wide range of diversified businesses. There is a possible risk that by diversifying too much, an organisation might become much more difficult to manage. Risks could therefore increase with diversification, due to loss of efficiency and problems of management.
  • Many organisations diversify their operations, both in order to grow and to reduce risks, but they do so into related areas such as similar industries or the same industry but in different parts of the world.
  • Relatively little advantage accrues to the shareholders from diversification. There is nothing to prevent investors from diversifying for themselves by holding a portfolio of stocks and shares from different industries and in different parts of the world.
39
Q

What is the TARA mnemonic?

A

It is a mnemonic for the risk management methods, matched to the quadrants of the risk map:

  1. Transfer (High impact, low prob)
  2. Avoid (High and High)
  3. Reduce (High prob and low impact)
  4. Accept (Low and Low)
40
Q

Is risk reporting significant? What should it include?

A

Risk reports now form part of UK annual reports. It is an important disclosure requirement. Managers of a business and external shareholders will require information regarding the risks facing the business. A risk reporting system would include:

  1. A systematic review of the risk forecast (at least annually).
  2. A review of the risk strategy and responses to significant risks.
  3. A monitoring and feedback loop on action taken and assessments of significant risks.
  4. A system indicating material change to business circumstances, to provide ‘early warning’.
  5. The incorporation of audit work as part of the monitoring and information gathering process.
41
Q

Risk reports should show gross and net risk. Explain

A

The gross risk = an assessment of risk before the application of any controls, transfer or management responses, and
the net risk (or residual risk) = an assessment of risk taking into account the controls, transfer and management responses, i.e. after any controls have been implemented.

Showing both facilitates a review of the effectiveness of risk responses.

42
Q

What does a company need to do if the residual risk is too great?

A
  • not expose itself to the risk situation, or
  • put in place better controls over the risk

The amount of residual risk a company can bear is ultimately a management decision. It is possible to measure that residual risk, possibly as a proportion of profit/capital/turnover, in order to help management make that judgement.

43
Q

Explain risk management roles and responsibilities

A
  1. BoD - ultimately responsible for risk management. Defines the risk appetite for the organisation
  2. Audit committee - board committee with responsibilities for reviewing internal control systems and working with internal and external auditors
  3. Possibly a risk committee - board committee with direct responsibility for risk management
  4. risk management group, led by the risk manager - Group of senior and middle management with operational responsibility for carrying out the risk management process; report into the board, via the audit or risk committee; identification of risks; monitor the effectiveness of the overall process, and make recommendations for improvement
  5. Internal audit - involved in the review of internal controls. Support management in the risk management process.
44
Q

What are the main aims of the risk (management) committee?

A
  • raising risk awareness and ensuring appropriate risk management within the organisation
  • Establishing policies for risk management
  • Ensuring that adequate and efficient processes are in place to identify, report and monitor risks.
  • Updating the company’s risk profile, reporting to the board and making recommendations on the risk appetite of the company.
45
Q

What are the typical activities carried out by a risk manager?

A
  • provision of overall leadership for risk management team
  • identification and evaluation of the risks affecting an organisation from that organisation’s business, operations and policies
  • implementation of risk mitigation strategies including appropriate internal controls to manage identified risks
  • seeking opportunities to improve risk management methodologies and practices within the organisation
  • monitoring the status of risk mitigation strategies and internal audits, and ensuring that all recommendations are acted upon
  • Developing, implementing and managing risk management programmes and initiatives including establishment of risk management awareness programmes within the organisation
  • maintaining good working relationships with the board and the risk management committee
  • ensuring compliance with any laws and regulations affecting the business
  • implementing a set of risk indicators and reports, including losses, incidents, key risk exposures and early warning indicators
  • liaising with insurance companies, particularly with regards to claims, conditions and cover available
  • depending on specific laws of the jurisdiction in which the organisation is based, working with the external auditors to provide assurance and assistance in their work in appraising risks and controls within the organisation
  • again, depending on the jurisdiction, producing reports on risk management, including any statutory reports