Chapter 5: Introduction to Risk Management Flashcards
What is the definition of risk?
Risk is ‘the possibility that an event will occur and adversely affect the achievement of objectives’.
What is the definition of an opportunity?
Opportunity is ‘the possibility that an event will occur and positively affect the achievement of objectives’.
What is uncertainty?
Uncertainty is the ‘inability to predict outcomes because of a lack of information’. It is not the same as risk: a risk can be estimated and measured, whereas uncertainty cannot.
What is business risk?
Business risks arise from the nature of the entity’s business, its industry and the conditions it operates in.
Give some examples of business risk.
Strategy risk
choosing and implementing the wrong corporate strategy.
Enterprise risk
success or failure of a business operation.
Product risk
customers do not buy the anticipated amount of product.
Economic risk
unexpected changes in economic conditions.
Property risk
losing property or losses arising from accidents.
What does financial risk include?
Financial risk includes:
Controllable financial risks – gearing risk, credit risk and liquidity risk
Uncontrollable financial risk – market risk
Give some examples of financial risk.
Gearing risk
increased interest charges due to high debt levels.
Credit risk
economic loss suffered due to default of a customer.
Liquidity risk
unexpected shortage of cash.
Market risk:
exposure to changes in market prices or rates
What is operational risk?
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Give some examples of operational risk.
Process risk
company’s processes are ineffective or inefficient.
People risk
arising from staff constraints, incompetency or dishonesty.
Systems risk/cyber risk
arising from information and communication systems.
Event risk
loss due to single events that are unlikely but serious.
Cyber risk and Event risk can be broken down into a number of other individual risks.
What is cyber risk?
Cyber risk is the risk of financial loss, business disruption or reputational damage that is a consequence of accidents, poor systems integrity or attacks on the organisation’s information systems.
What are some examples of cyber-attacks?
Phishing
bogus emails that ask for personal or security information.
Webcam manager
where the user’s webcam is taken over.
File hijacker/ransomware
where the user’s files are hijacked and held to ransom.
Keylogging
where criminals record what users type.
How do you categorise event risk?
Event risk can be broken down into the following categories:
Disaster risk
catastrophe occurs such as a fire, flood etc.
Regulatory risk
new laws or regulations are introduced.
Reputation risk
risk of damage to the business’s reputation.
Systemic risk
failure by a participant in the business’s supply chain.
What is the process of risk management?
Risk management is ‘the identification, analysis and economic control of risks which threaten the assets or earning capacity of a business’.
- Risk awareness and identification leads to
- Risk assessment and measurement, leads to
- Risk response and control, leads to
- Risk monitoring and reporting (links back to the top)
What is risk identification? What are some techniques to identify these?
Risk identification involves ‘identifying the whole range of possible risks and the likelihood of losses occurring as a result of these risks.’
Techniques to identify risks:
PEST/SWOT analysis
External advisors
Interviews/questionnaires
Internal audit
Brainstorming
What are the types of loss?
There are five different categories of loss which can be considered.
Property loss
possible loss of assets.
Liability loss
loss occurring from legal liability to third parties.
Personnel loss
due to injury, sickness and death of employees.
Pecuniary loss
as a result of defaulting debtors.
Interruption loss
being unable to operate.
How do you measure risk? What are other terms that should be considered?
Gross risk = Probability × Impact
Probability – measures likelihood.
Impact – measures the size of loss
Other terms which should be considered when measuring risk are:
Exposure is the extent to which a business is open to a risk factor, i.e. the amount that is at stake if the risk materialises.
Volatility is a measurement of the variability of a risk factor over time.
How do you assess each risk?
With a risk assessment map.
The map measures Impact against Probability.
Risks which have low likelihood and low impact may be accepted by the company as the cost of managing the risk, e.g. by introducing controls, may exceed the benefit gained.
What is a risk averse attitude?
An investment would be chosen if it has more certainty but possibly a lower return than an alternative less certain, potentially higher return investment.
What is a risk neutral attitude?
An investment would be chosen according to its expected return, irrespective of the risk.
What is a risk-seeker attitude?
An investment would be chosen because it offers a higher level of risk, even if its expected return is lower than that of a less risky alternative.
What outlines general risk responses?
The TARA model
Transfer (Sharing)
Transfer the risk to a third party, e.g. insurance, hedging.
Avoidance
Avoid the downside by not undertaking, or terminating, risky activities. Usually the upside potential is lost as well.
Reduction
Retain the activity but take action to limit the risk to acceptable levels.
Mitigating controls: Preventative, Corrective, Directive, Detective.
Acceptance (Retention)
Tolerate losses when they arise. For small risks this can be cheaper than insurance (‘self insurance’).
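The measurement (Gross risk = Probability × Impact), the Impact-against-Probability map and the TARA responses are usually applied together as a risk register. The following is an added worked example, not part of the original flashcards: it scores a small constructed register on a 1 to 5 scale, places each risk in a quadrant of the map, and suggests a TARA response. The threshold of 3 for ‘high’ on each axis and the pairing of quadrants to responses (low/low → Accept, high probability/low impact → Reduce, low probability/high impact → Transfer, high/high → Avoid) are the common textbook allocation and are assumptions of this example.

```python
from dataclasses import dataclass

# Probability and impact are scored 1 (low) to 5 (high). Where "high" starts
# on each axis is an assumption of this example, not something the flashcards fix.
HIGH_THRESHOLD = 3

# Quadrant of the map -> TARA response. Keys are (high_probability, high_impact).
# This pairing is the usual textbook heat-map allocation, used here as an assumption.
RESPONSES = {
    (False, False): "Accept (retain; cost of controls likely exceeds benefit)",
    (True, False): "Reduce (retain the activity, add mitigating controls)",
    (False, True): "Transfer (share, e.g. insurance or hedging)",
    (True, True): "Avoid (do not undertake / terminate the activity)",
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1-5, likelihood of the event
    impact: int       # 1-5, size of the loss if it occurs

    def __post_init__(self):
        for field in ("probability", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be between 1 and 5, got {value}")

    @property
    def gross_risk(self) -> int:
        """Gross risk = Probability x Impact, before any controls are applied."""
        return self.probability * self.impact

    @property
    def quadrant(self) -> tuple:
        """Position on the Impact-against-Probability map."""
        return (self.probability >= HIGH_THRESHOLD, self.impact >= HIGH_THRESHOLD)

    @property
    def response(self) -> str:
        """Suggested TARA response for this quadrant."""
        return RESPONSES[self.quadrant]


def assess(register):
    """Rank a register by gross risk, highest first, with the one-word TARA response."""
    ranked = sorted(register, key=lambda r: r.gross_risk, reverse=True)
    return [(r.name, r.gross_risk, r.response.split(" ")[0]) for r in ranked]


def apply_reduction(risk: Risk, probability_cut: int) -> Risk:
    """Model a mitigating control that lowers the probability score (net risk)."""
    return Risk(risk.name, max(1, risk.probability - probability_cut), risk.impact)


# Constructed sample register for illustration only; scores are invented.
SAMPLE_REGISTER = [
    Risk("Staff fall for phishing email", probability=4, impact=2),
    Risk("Data centre flood", probability=1, impact=5),
    Risk("Stationery stock-out", probability=2, impact=1),
    Risk("Launch untested trading system", probability=4, impact=5),
]

if __name__ == "__main__":
    for name, score, action in assess(SAMPLE_REGISTER):
        print(f"{score:>2}  {action:<8} {name}")
    # Net risk after a preventative control (user education) on the phishing risk:
    net = apply_reduction(SAMPLE_REGISTER[0], probability_cut=2)
    print(f"phishing after control: gross {SAMPLE_REGISTER[0].gross_risk} -> net {net.gross_risk}, {net.response}")
```

Note how the map only suggests a starting point: the phishing risk moves from ‘Reduce’ to ‘Accept’ once the control has cut its probability score, which is exactly the gross-to-net comparison the risk monitoring stage should repeat after each control is introduced.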
The Corporate Governance Code requires listed companies to:
Determine the nature and extent of any risks the company is willing to take in order to achieve its objectives.
Report risk management issues.
What additional board disclosures are required by the Corporate Governance Code?
That they are responsible for the company’s systems of internal control.
That systems have been designed to manage, not eliminate, risk.
How the board has dealt with the internal control aspects of significant problems highlighted in the accounts.
Any weaknesses in internal control that have resulted in material losses.
What is a crisis?
A crisis is an unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations which impacts on its customers, employees, investors and other stakeholders.
Give some examples of crisis.
Natural event e.g. earthquake causing physical disruption
Industrial accident e.g. building collapse or fire
Product or service failure e.g. product recall or health scare
Public relations disaster e.g. unwelcome media attention or adverse publicity
Business crisis e.g. loss of key supplier or customer
Management crisis e.g. hostile takeover bid or loss of key management
Legal/regulatory crisis e.g. new regulation increases costs
What is crisis management?
Crisis management involves identifying a crisis, planning a response to the crisis, and confronting and resolving the crisis.
Crisis management should consider contingency plans and crisis prevention.
What is business resilience?
Business resilience considers an organisation’s ability to manage and survive against planned or unplanned shocks and disruptions to operations.
What is the first axis outlined by The Chartered Governance Institute (ICSA) for understanding an organisation’s resilience?
1: Processes and functions to protect the organisation:
Risk management
Business continuity planning
Security
IT disaster recovery
Health and safety
Crisis management
Internal audit
Governance
What is the second axis outlined by The Chartered Governance Institute (ICSA) for understanding an organisation’s resilience?
2: General organisational characteristics driving resilience:
Employee trust in management
Customers’ trust in the organisation
Ability to innovate
Clear values
Values linked to behaviour
Effective risk management
Morale
Leadership involvement
What are changes to the business environment?
The business environment is highly dynamic and changes occur constantly. The ability to handle significant shocks and limit the detrimental impacts is the concept of business resilience.
Changes can be both internal (planned) and external.
External changes – e.g. strict new laws, severe economic recession, political uncertainties and disruptive technologies.
Planned changes – e.g. major overseas investment, closure of significant operations, launch of a new strategic direction.
What are the common features of resilient organisations?
The ICSA identified the following common features of resilient organisations:
Diversified resources to facilitate adaptability to deal with changes
Strong internal and external network of relationships
Rapid and decisive response to emerging crises
Self review and adaptation to meet changing circumstances.
What are some barriers to resilience?
However, many organisations face challenges in achieving resilience through a lack of expertise, lack of input from leadership and a lack of cohesive thinking between departments within organisations.
How do you measure resilience?
The ICSA proposed these four key metrics to measure resilience:
Compliance – with their own internal policies and standards.
Completeness – the breadth of their readiness i.e. can they handle multiple issues at once.
Value – qualitative and quantitative measures of achieving specific outcomes.
Comparability/capability – testing and reviewing how processes and procedures respond to potential shocks.
What is cyber resilience?
Cyber resilience is the ability of an organisation to ensure that its data and information are reliable, available, have integrity and are adequately protected from unauthorised access.
Implementing robust cyber-security measures to minimise the risks of successful cyber-attacks is an important element of cyber resilience.
Back-up plans should be in place to ensure businesses can continue and all critical data can be recovered should an unexpected outage occur.
What is an important part of cyber resilience?
An important element of any cyber resilience strategy is an information security plan, which would include the following key areas:
Securing systems and device configurations
Network security
User privileges
Home and mobile working
Removable media controls
User education and awareness
Web services
Legal requirements
Compliance
Incident management
Monitoring
What is a disaster?
A disaster is when ‘the business’s operations, or a significant part of them, break down for some reason leading to potential losses of equipment, data or funds’.
What are the types of disaster?
A major crisis causing a breakdown in operations and resultant losses
An event which results in serious consequences.
What are the main components of a disaster recovery plan?
The main components of a plan are:
Define responsibilities
Prioritise actions
Establish back-up and standby arrangements
Communicate with staff
Establish PR
Risk assessment