Chapter 5 Introduction to risk management Flashcards
1.1 What is risk
Risk is the possible variation in an outcome from what is expected to happen. The COSO definition of risk is the possibility that an event will occur and adversely affect the achievement of objectives. Opportunity is the possibility that an event will occur and positively affect the achievement of objectives. Uncertainty is the inability to predict outcomes because of a lack of information.
2.1 Types of risk
There are business risks and non-business risks. Non-business risks include financial risk and operational risk (cyber risk and event risk).
Business risks arise from the nature of the entity's business, its industry, and the conditions it operates in. Strategy risk is choosing and implementing the wrong corporate strategy; enterprise risk is the success or failure of a business operation; product risk is customers not buying the anticipated amount of product. Economic risk is unexpected changes in economic conditions, and property risk is losing property or suffering losses arising from accidents.
Financial risk includes controllable financial risks (gearing risk, credit risk and liquidity risk) and uncontrollable financial risk (market risk). Gearing risk is increased interest charges due to high debt levels; credit risk is economic loss suffered due to the default of a customer; liquidity risk is an unexpected shortage of cash; market risk is exposure to changes in market prices or rates.
Operational risk arises from actual losses incurred due to inadequate or failed internal processes, people and systems, or because of external events. Process risk is ineffective internal processes; people risk arises from staff constraints, incompetence or dishonesty; systems risk (cyber risk) arises from information and communication systems. Event risk is a loss due to single events that are unlikely but serious.
Cyber risk includes phishing (emails asking for personal or security information), webcam manager (the user's webcam is taken over), file hijacker (the user's files are hijacked and held to ransom) and keylogging (criminals record what users type).
Event risk includes disaster risk (fire etc.), regulatory risk (new laws or regulations introduced), reputation risk and systemic risk (failure by a participant in the business supply chain).
3.1 Risk management
Risk management is the identification, analysis and economic control of risks that threaten the assets or earning capacity of a business. The process has four stages: risk awareness and identification; risk assessment and measurement; risk response and control; and risk monitoring and reporting.
4.1 Risk awareness and identification
Risk awareness and identification involves identifying the range of possible risks and the likelihood of losses. Risks are identified by PEST/SWOT analysis, external advisors, interviews and internal audit. There are five categories of loss: property loss (loss of assets), liability loss (loss arising from legal liability to third parties), personnel loss (due to injury, sickness and death of employees), pecuniary loss (the result of defaulting debtors) and interruption loss (being unable to operate).
5.1 Risk assessment and measurement
Risk assessment considers the nature of each risk and its implications. Risk measurement identifies the likelihood of the risk occurring and quantifies the impact, calculating the amount of loss using expected values for gross risk. Gross risk is the potential loss associated with the risk, calculated by combining the impact and the probability of the risk before taking any control measures into account.
5.2 Measuring risk
Gross risk = probability x impact
Exposure is a measure of the extent to which a business is faced with risks, and volatility is a measure of the variability of a risk factor.
5.3 Risk mapping
A risk assessment map is used to assess each risk by classifying it as having a high or low impact and a high or low probability. Risks with low likelihood and low impact may be accepted by the company, because the cost of managing the risk by introducing controls may exceed the benefit gained.
6.1 Risk response and control – attitudes to risk
- Risk averse attitude: an investment is chosen if it has more certainty, even with a possibly lower return, than an alternative less certain but potentially higher-return investment
- Risk neutral attitude: investment chosen according to its expected return, irrespective of the risk
- Risk seeker attitude: an investment is chosen on the basis that it offers higher levels of risk, even if its expected return is lower than that of an alternative no-risk investment with a higher expected return
6.2 Risk responses
The TARA model provides an outline for general risk responses:
- Transfer (sharing): transfer risk to third party, for example insurance or hedging
- Avoidance: avoid downside by not undertaking risky activities
- Reduction: retain the activity but take action to limit the risk to acceptable levels. Mitigating controls may be preventative, corrective, directive or detective
- Acceptance (retention): tolerate losses when they arise; for small risks this can be cheaper than insurance
7.1 Risk monitoring and reporting
Risk monitoring is needed to monitor the effectiveness of the current risk management process and to monitor whether the risk profile is changing. The corporate governance code requires listed companies to determine the nature of the risks the company is willing to take in order to achieve its objectives and to report on risk management issues.
Additional board disclosures state that the board is responsible for the company's internal systems of control, that those systems have been designed to manage and not eliminate risk, how the board deals with the internal control aspects of significant problems, and any weaknesses in internal control that have resulted in material losses.
8.1 Crisis management
A crisis is an unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations. This can be a natural event, industrial accident, product or service failure, PR disaster, management crisis, business crisis and legal or regulatory crisis.
Crisis management involves identifying a crisis, planning a response, and confronting and resolving the crisis. Management should consider contingency plans and crisis prevention.
9.1 Business resilience
This considers an organisation’s ability to manage and survive against planned or unplanned shocks and disruptions to operations. The ICSA outlined two axes for understanding resilience:
- Processes and functions to protect the organisation: risk management, business continuity planning, security, IT disaster recovery, internal audit, crisis management, health and safety and governance
- General organisational characteristics driving resilience: employee trust in management and customer trust in the organisation, ability to innovate, clear values, values linked to behaviour, effective risk management, morale, and leadership involvement
The ability to handle changes and limit the impacts is the concept of business resilience. Changes can be internal (planned) and external. External changes can be new laws, economic recession, political uncertainties, and disruptive technologies. Planned changes can be closure of operations and new strategic direction.
9.2 Resilient organisations
The ICSA identifies the common features of resilient organisations:
- Diversified resources to facilitate adaptability
- Strong internal and external network of relationships
- Rapid and decisive response to emerging crises
- Self review and adaptation to meet changing circumstances
Organisations face challenges to resilience from a lack of expertise, a lack of input from leadership and a lack of cohesive thinking between departments.
9.3 Measuring resilience
The ICSA has four metrics to measure resilience:
- Compliance: with own internal policies and standards
- Completeness: breadth of their readiness, can they handle multiple issues at once
- Value: qualitative and quantitative measures of achieving specific outcomes
- Comparability/capability: testing and reviewing the response of processes and procedures to potential shocks
9.4 Cyber resilience
Cyber resilience is the ability to ensure that data and information are reliable, available, have integrity and are adequately protected from unauthorised access. Implementing cyber-security measures to minimise successful cyber-attacks is an important element. Backup plans should be in place to ensure all critical data can be recovered should an unexpected outage occur. The information security plan is an important element of cyber resilience and covers securing systems, network security, user privileges, home and mobile working, removable media controls, user education and awareness, web services, legal requirements, compliance, incident management and monitoring.