Chapter 5: Introduction to Risk Management Flashcards
What is the definition of risk?
Risk is ‘the possibility that an event will occur and adversely affect the achievement of objectives’.
What is the definition of an opportunity?
Opportunity is ‘the possibility that an event will occur and positively affect the achievement of objectives’.
What is uncertainty?
Uncertainty is the ‘inability to predict outcomes because of a lack of information’ (not the same as risk)!
What is business risk?
Business risks arise from the nature of the entity’s business, its industry and the conditions it operates in.
Give some examples of business risk.
Strategy risk
choosing and implementing the wrong corporate strategy.
Enterprise risk
success or failure of a business operation.
Product risk
customers do not buy the anticipated amount of product.
Economic risk
unexpected changes in economic conditions.
Property risk
losing property or losses arising from accidents.
What does financial risk include?
Financial risk includes:
Controllable financial risks – gearing risk, credit risk and liquidity risk
Uncontrollable financial risk – market risk
Give some examples of financial risk.
Gearing risk
increased interest charges due to high debt levels.
Credit risk
economic loss suffered due to default of a customer.
Liquidity risk
unexpected shortage of cash.
Market risk
exposure to changes in market prices or rates.
What is operational risk?
Operational risk arises from the actual losses incurred because of inadequate or failed internal processes, people and systems, or because of external events.
Give some examples of operational risk.
Process risk
company’s processes are ineffective or inefficient.
People risk
arising from staff constraints, incompetency or dishonesty.
Systems risk/cyber risk
arising from information and communication systems.
Event risk
loss due to single events that are unlikely but serious.
Cyber risk and Event risk can be broken down into a number of other individual risks.
What is cyber risk?
Cyber risk is the risk of financial loss, business disruption or reputation damage that is a consequence of accidents and poor systems integrity.
What are some examples of cyber-attacks?
Phishing
bogus emails that ask for personal or security information.
Webcam manager
where the user’s webcam is taken over.
File hijacker/ransomware
where the user’s files are hijacked and held to ransom.
Keylogging
where criminals record what users type.
How do you categorise event risk?
Event risk can be broken down into the following categories:
Disaster risk
catastrophe occurs such as a fire, flood etc.
Regulatory risk
new laws or regulations are introduced.
Reputation risk
risk of damage to the business’s reputation.
Systemic risk
failure by a participant in the business’s supply chain.
What is the process of risk management?
Risk management is ‘the identification, analysis and economic control of risks which threaten the assets or earning capacity of a business’.
- Risk awareness and identification leads to
- Risk assessment and measurement, leads to
- Risk response and control, leads to
- Risk monitoring and reporting (links back to the top)
What is risk identification? What are some techniques to identify these?
Risk identification involves ‘identifying the whole range of possible risks and the likelihood of losses occurring as a result of these risks.’
Techniques to identify risks:
- PEST/SWOT analysis
- External advisors
- Interviews/questionnaires
- Internal audit
- Brainstorming
What are the types of loss?
There are five different categories of loss which can be considered.
Property loss
possible loss of assets.
Liability loss
loss occurring from legal liability to third parties.
Personnel loss
due to injury, sickness and death of employees.
Pecuniary loss
as a result of defaulting debtors.
Interruption loss
being unable to operate.
How do you measure risk? What are other terms that should be considered?
Gross risk = Probability × Impact
Probability – measures likelihood.
Impact – measures the size of loss.
Other terms which should be considered when measuring risk are:
Exposure is a measure of the way in which a business is faced by risks.
Volatility is a measurement of the variability of a risk factor.
How do you assess each risk?
With a risk assessment map.
The map measures Impact against Probability.
Risks which have low likelihood and low impact may be accepted by the company as the cost of managing the risk, e.g. by introducing controls, may exceed the benefit gained.
What is a risk averse attitude?
An investment would be chosen if it has more certainty but possibly a lower return than an alternative less certain, potentially higher return investment.
What is a risk neutral attitude?
An investment would be chosen according to its expected return, irrespective of the risk.
What is a risk-seeker attitude?
An investment would be chosen on the basis of it offering higher levels of risk, even if its expected return is lower than an alternative no-risk investment with a higher expected return.
What outlines general risk responses?
The TARA model
Transfer (Sharing)
Transfer risk to a third party
e.g. insurance, hedging.
Avoidance
Avoid downside by not undertaking/terminating risky activities
Usually lose upside potential as well.
Reduction
Retain the activity but take action to limit risk to acceptable levels
Mitigating controls: Preventative, Corrective, Directive, Detective.
Acceptance (Retention)
Tolerating losses when they arise
For small risks could be cheaper than insurance (‘self insurance’).
The Corporate Governance Code requires listed companies to:
Determine the nature and extent of any risks the company is willing to take in order to achieve its objectives.
Report risk management issues.
What additional board disclosure is required by the Corporate Governance Code?
That they are responsible for the company’s systems of internal control.
That systems have been designed to manage, not eliminate, risk.
How the board have dealt with the internal control aspects of significant problems highlighted in the accounts.
Any weaknesses in internal control that have resulted in material losses.
What is a crisis?
A crisis is an unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations which impacts on its customers, employees, investors and other stakeholders.