Chapter 5: Introduction to Risk Management Flashcards

1
Q

What is the definition of risk?

A

Risk is ‘the possibility that an event will occur and adversely affect the achievement of objectives’.

2
Q

What is the definition of an opportunity?

A

Opportunity is ‘the possibility that an event will occur and positively affect the achievement of objectives’.

3
Q

What is uncertainty?

A

Uncertainty is the ‘inability to predict outcomes because of a lack of information’ (not the same as risk)!

4
Q

What is business risk?

A

Business risks arise from the nature of the entity’s business, its industry and the conditions it operates in.

5
Q

Give some examples of business risk.

A

• Strategy risk – choosing and implementing the wrong corporate strategy.
• Enterprise risk – success or failure of a business operation.
• Product risk – customers do not buy the anticipated amount of product.
• Economic risk – unexpected changes in economic conditions.
• Property risk – losing property, or losses arising from accidents.

6
Q

What does financial risk include?

A

Financial risk includes:
• Controllable financial risks – gearing risk, credit risk and liquidity risk.
• Uncontrollable financial risk – market risk.

7
Q

Give some examples of financial risk.

A

• Gearing risk – increased interest charges due to high debt levels.
• Credit risk – economic loss suffered due to default of a customer.
• Liquidity risk – unexpected shortage of cash.
• Market risk – exposure to changes in market prices or rates.

8
Q

What is operational risk?

A

Operational risk arises from the actual losses incurred because of inadequate or failed internal processes, people and systems, or because of external events.

9
Q

Give some examples of operational risk.

A

• Process risk – the company’s processes are ineffective or inefficient.
• People risk – arising from staff constraints, incompetence or dishonesty.
• Systems risk/cyber risk – arising from information and communication systems.
• Event risk – loss due to single events that are unlikely but serious.

Cyber risk and event risk can each be broken down into a number of other individual risks.

10
Q

What is cyber risk?

A

Cyber risk is the risk of financial loss, business disruption or reputational damage that is a consequence of accidents and poor systems integrity.

11
Q

What are some examples of cyber-attacks?

A

• Phishing – bogus emails that ask for personal or security information.
• Webcam manager – where the user’s webcam is taken over.
• File hijacker/ransomware – where the user’s files are hijacked and held to ransom.
• Keylogging – where criminals record what users type.

12
Q

How do you categorise event risk?

A

Event risk can be broken down into the following categories:
• Disaster risk – a catastrophe occurs, such as a fire or flood.
• Regulatory risk – new laws or regulations are introduced.
• Reputation risk – risk of damage to the business’s reputation.
• Systemic risk – failure by a participant in the business’s supply chain.

13
Q

What is the process of risk management?

A

Risk management is ‘the identification, analysis and economic control of risks which threaten the assets or earning capacity of a business’.

  • Risk awareness and identification leads to
  • Risk assessment and measurement, leads to
  • Risk response and control, leads to
  • Risk monitoring and reporting (links back to the top)
14
Q

What is risk identification? What are some techniques to identify these?

A

Risk identification involves ‘identifying the whole range of possible risks and the likelihood of losses occurring as a result of these risks.’

Techniques to identify risks:
• PEST/SWOT analysis
• External advisors
• Interviews/questionnaires
• Internal audit
• Brainstorming

15
Q

What are the types of loss?

A

There are five different categories of loss which can be considered.
• Property loss – possible loss of assets.
• Liability loss – loss occurring from legal liability to third parties.
• Personnel loss – due to injury, sickness or death of employees.
• Pecuniary loss – as a result of defaulting debtors.
• Interruption loss – being unable to operate.

16
Q

How do you measure risk? What are other terms that should be considered?

A

Gross risk = Probability × Impact
• Probability – measures likelihood.
• Impact – measures the size of the loss.

Other terms which should be considered when measuring risk are:
• Exposure – a measure of the way in which a business is faced by risks.
• Volatility – a measurement of the variability of a risk factor.

17
Q

How do you assess each risk?

A

With a risk assessment map.

The map plots Impact against Probability.
Risks which have low likelihood and low impact may be accepted by the company, as the cost of managing the risk (e.g. by introducing controls) may exceed the benefit gained.

18
Q

What is a risk averse attitude?

A

An investment would be chosen if it has more certainty, even with a possibly lower return, over a less certain alternative with a potentially higher return.

19
Q

What is a risk neutral attitude?

A

An investment would be chosen according to its expected return, irrespective of the risk.

20
Q

What is a risk-seeker attitude?

A

An investment would be chosen on the basis of it offering higher levels of risk, even if its expected return is lower than an alternative no-risk investment with a higher expected return.

21
Q

What outlines general risk responses?

A

The TARA model:

Transfer (Sharing)
• Transfer the risk to a third party, e.g. insurance, hedging.

Avoidance
• Avoid the downside by not undertaking, or by terminating, risky activities.
• Usually loses the upside potential as well.

Reduction
• Retain the activity but take action to limit the risk to acceptable levels.
• Mitigating controls:
  • Preventative
  • Corrective
  • Directive
  • Detective

Acceptance (Retention)
• Tolerate losses when they arise.
• For small risks this could be cheaper than insurance (‘self-insurance’).

22
Q

The Corporate Governance Code requires listed companies to:

A

• Determine the nature and extent of any risks the company is willing to take in order to achieve its objectives.
• Report risk management issues.

23
Q

What additional board disclosures are required by the Corporate Governance Code?

A

• That the board is responsible for the company’s systems of internal control.
• That the systems have been designed to manage, not eliminate, risk.
• How the board has dealt with the internal control aspects of significant problems highlighted in the accounts.
• Any weaknesses in internal control that have resulted in material losses.

24
Q

What is a crisis?

A

A crisis is an unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations which impacts on its customers, employees, investors and other stakeholders.

25
Q

Give some examples of crisis.

A

• Natural event – e.g. an earthquake causing physical disruption.
• Industrial accident – e.g. a building collapse or fire.
• Product or service failure – e.g. a product recall or health scare.
• Public relations disaster – e.g. unwelcome media attention or adverse publicity.
• Business crisis – e.g. loss of a key supplier or customer.
• Management crisis – e.g. a hostile takeover bid or loss of key management.
• Legal/regulatory crisis – e.g. new regulation that increases costs.

26
Q

What is crisis management?

A

Crisis management involves identifying a crisis, planning a response to the crisis, and confronting and resolving the crisis.

Crisis management should consider contingency plans and crisis prevention.

27
Q

What is business resilience?

A

Business resilience considers an organisation’s ability to manage and survive planned or unplanned shocks and disruptions to its operations.

28
Q

What is the first axis outlined by The Chartered Governance Institute (ICSA) for understanding an organisation’s resilience?

A

1: Processes and functions to protect the organisation:
• Risk management
• Business continuity planning
• Security
• IT disaster recovery
• Health and safety
• Crisis management
• Internal audit
• Governance

29
Q

What is the second axis outlined by The Chartered Governance Institute (ICSA) for understanding an organisation’s resilience?

A

2: General organisational characteristics driving resilience:
• Employee trust in management
• Customers’ trust in the organisation
• Ability to innovate
• Clear values
• Values linked to behaviour
• Effective risk management
• Morale
• Leadership involvement

30
Q

What are changes to the business environment?

A

The business environment is highly dynamic and changes occur constantly. The ability to handle significant shocks and limit the detrimental impacts is the concept of business resilience.

Changes can be both internal (planned) and external:
• External changes – e.g. strict new laws, severe economic recession, political uncertainties and disruptive technologies.
• Planned changes – e.g. major overseas investment, closure of significant operations, launch of a new strategic direction.

31
Q

What are the common features of resilient organisations?

A

The ICSA identified the following common features of resilient organisations:
• Diversified resources to facilitate adaptability in dealing with changes.
• A strong internal and external network of relationships.
• Rapid and decisive response to emerging crises.
• Self-review and adaptation to meet changing circumstances.

32
Q

What are some barriers to resilience?

A

Many organisations face challenges in achieving resilience through a lack of expertise, a lack of input from leadership, and a lack of cohesive thinking between departments within the organisation.

33
Q

How do you measure resilience?

A

The ICSA proposed four key metrics to measure resilience:
• Compliance – with the organisation’s own internal policies and standards.
• Completeness – the breadth of readiness, i.e. can the organisation handle multiple issues at once.
• Value – qualitative and quantitative measures of achieving specific outcomes.
• Comparability/capability – testing and reviewing how processes and procedures respond to potential shocks.

34
Q

What is cyber resilience?

A

Cyber resilience is the ability of an organisation to ensure its data and information are reliable, available, have integrity and are adequately protected from unauthorised access.

Implementing robust cyber-security measures to minimise the risks of successful cyber-attacks is an important element of cyber resilience.

Back-up plans should be in place to ensure businesses can continue and all critical data can be recovered should an unexpected outage occur.

35
Q

What is an important part of cyber resilience?

A

An important element of any cyber resilience strategy is an information security plan; this would include the following key areas:
• Securing systems and device configurations
• Network security
• User privileges
• Home and mobile working
• Removable media controls
• User education and awareness
• Web services
• Legal requirements
• Compliance
• Incident management
• Monitoring

36
Q

What is a disaster?

A

A disaster is when ‘the business’s operations, or a significant part of them, break down for some reason, leading to potential losses of equipment, data or funds’.

37
Q

What are the types of disaster?

A

• A major crisis causing a breakdown in operations and resultant losses.
• An event which results in serious consequences.

38
Q

What are the main components of a disaster recovery plan?

A

The main components of a plan are:
• define responsibilities
• prioritise actions
• establish back-up and standby arrangements
• communicate with staff
• establish PR
• risk assessment.