identifying risk Flashcards
Risk
Risk exists whenever future outcomes cannot be predicted with certainty.
Business Risk
A business risk threatens the achievement of a company’s goals. Business risks can arise from internal
or external sources.
Types of Business Risks:
There are two major types of risk:
Pure Risk
Speculative Risk
What is pure risk?
Pure risk refers to risks that are beyond human control and result in a loss or no loss. There is no
possibility of financial gain.
Examples of Pure Risks:
Errors or negligence by staff members
Malfunctioning of machines or IT systems
Terrorist attack, fire, flood and other natural disasters affecting the business
What is Speculative risk?
Speculative risk is risk that is taken on voluntarily and can result in either a profit or loss.
Speculative risks are thus considered controllable risks.
Examples of Speculative Risks:
Investment activities (e.g. launch of a new product, a new business, investing in stocks)
Sports betting
Compliance Risk
It is the risk that a company may not comply
with laws, regulations and standards. This
may result in payment of fines or loss of
customers.
e.g.
If a manufacturing company’s employees don’t follow
government safety regulations while building
machines, their behavior can be a compliance risk for
the company.
Legal Risk
It is the risk that people may file legal cases
against the company, which the company may
lose.
e.g.
If the company does not fulfil contracts, or there is a
dispute with other parties.
Reputational Risk
It is the risk that public opinion about the
company may change. It results in a loss of
confidence among the public and investors.
e.g.
A clothing company prints an offensive image on a
shirt, and the story goes viral on social media, causing a
wave of negative news coverage. This may result in a
drop in sales.
Security Risk
It is the risk that a company does not
follow appropriate cybersecurity
strategies.
e.g.
If an insurance company has a weak policy for
employee passwords, this can pose a security risk for
the company. A hacker can release sensitive data, which
can hurt the company’s reputation or impact profits.
Financial Risk
Financial risk occurs when a company has
poor financial management.
e.g.
Examples of financial risk include:
Interest Rate Risk
Commodity Price Risk
Exchange Rate Risk
Liquidity Risk
Default Risk
Competition Risk
A competition risk can arise when a
competitor takes an increasing share of the
market for a product or service.
e.g.
Business A sells printers. Business A may experience a
competition risk when a competitor, Business B, uses
technological innovations to sell printers with more
capabilities to Business A’s customers.
Physical Risk
Physical risks are threats to a company’s
physical assets due to fire, natural disaster,
theft or poor training.
e.g.
A media company owns a building that houses a
newspaper staff and a printing plant. The building can
be prone to fires if employees of the printing plant fail
to properly inspect and maintain printing equipment.
The lack of maintenance and inspections can pose a
physical risk to the building, its equipment and the
company’s employees.
Benefits of Risk Management
- Increased chances of achieving objectives.
- Proactive management.
- Compliance with legal requirements.
- Awareness of the need to identify and treat risk throughout the organization.
- Improved controls.
- Improved governance.
- Reliable basis for decision making.
Responsibility of Risk Management:
In Pakistan, SECP’s Code of Corporate Governance states that directors should report on Risk
Management and Compliance issues.
Risk management happens at Board level as well as at operational level.
Risk Committee:
Large companies establish a Risk Committee (a sub-committee of the Board of Directors)
which is responsible for identifying risks, monitoring risks and reporting the effectiveness of risk
management to the Board.
Box-ticking Approach:
In this approach, certain procedures are performed on every item to eliminate risk (e.g. scanning
every passenger at an airport).
Risk-based Approach:
Management assumes that some risk is unavoidable. Management looks only at those items which
have high risk, to reduce risk to an acceptable level.
Scope (ISO 31000)
ISO 31000 provides general guidance on how to manage risk. This guidance can be applied to any
industry, any company and any level.
Risk (ISO 31000)
Effect of uncertainty on objectives.
Risk management (ISO 31000)
Coordinated activities to direct and control an organization with regard to risk.
Control (ISO 31000)
Measure that maintains and/or reduces risk.
Principles
The principles are the foundation for managing risk and should be considered when establishing
the organization’s risk management framework and processes.
- Integrated:
Risk management is an integral part of all organizational activities.
- Structured and comprehensive:
A structured and comprehensive approach to risk management should be adopted.
- Customized:
The risk management framework and process can be customized according to the
organization’s objectives.
- Inclusive:
All stakeholders should be involved in risk management. This improves awareness of
risk management and leads to well-informed risk management.
- Dynamic:
Risks can change due to internal and external changes in the organization. Risk management
should take these changes into account.
- Best available information:
Risk management should be based on timely, clear information. Any limitation or
uncertainty regarding the information should also be considered.
- Human and cultural factors:
Human and cultural factors should also be considered at each level and stage.
- Continual improvement:
Risk management is a continuous process which is improved through learning and
experience.
Section 5: Framework
The purpose of the risk management framework is to assist the organization in integrating risk
management into significant activities and functions.
Framework development includes integrating, designing, implementing, evaluating and improving
risk management across the organization. This requires support from leadership.
- Leadership and Commitment
Top management should ensure that risk management is integrated into all
organizational activities. They should:
• Customize and implement all components of the framework.
• Make a policy that establishes the risk management approach.
• Allocate the necessary resources to risk management.
• Assign authority and responsibilities at appropriate levels within
the organization.
- Integration
Risk management should be integrated into every part of the organization. Every
department and everyone in the organization is responsible for managing
risk. However, it can be customized.
- Design
This means planning a risk management strategy according to the needs of the
organization. This component includes the following steps:
1. Understanding the organization
2. Showing commitment to risk management
3. Assigning roles and responsibilities
4. Allocating resources
5. Establishing communication and consultation between stakeholders
- Implement
This means putting the plans into action. It includes:
• Setting objectives and deadlines
• Clearly defining the decision-making process
• Evaluating and making changes to the decision-making process
where appropriate
• Ensuring that arrangements are clearly understood and practiced
- Evaluate
This means checking whether the risk management system is working as it
should.
It includes:
Comparing the performance of the risk management system with its goals.
Determining whether the risk management system is appropriate
or needs amendments.
- Improve
This means improving the risk management system on a continuous basis. It
includes:
Taking corrective actions to remove deficiencies in the risk management
system.
Addressing new risks arising due to internal and external changes.
Risk Management Process:
The risk management process includes the following activities:
communication and consultation
establishing the scope, context and criteria
assessing, treating, monitoring, reviewing and reporting risk
Communication and Consultation
Communication means promoting awareness and understanding of
risk.
Consultation means obtaining feedback and information to support
decision-making.
Scope, Context and Criteria
The organization should define the scope of its risk management
activities.
The organization should establish risk management in the context
of the internal and external environment in which the organization
operates.
The organization should specify criteria for evaluating the
significance of risks, and for deciding which risks to take and which not to take.
The purpose of this step is to customize the risk management process.
Risk Assessment
Risk assessment is the overall process of risk identification, risk analysis
and risk evaluation.
Risk Identification:
The purpose of risk identification is to identify risks that may
prevent an organization from achieving its objectives.
Risk analysis
Risk analysis includes consideration of risk sources, probability,
impact, existing controls and their effectiveness.
Risks may have:
o Low Probability, Low Impact
o Low Probability, High Impact
o High Probability, Low Impact
o High Probability, High Impact
Risk Evaluation:
Risk evaluation involves comparing the results of the risk analysis
with the established risk criteria to determine whether the residual
risk is tolerable or additional action is required.
Risk Treatment
The purpose of risk treatment is to select and implement options for
addressing risk.
Options for treating risk may involve one or more of the following:
• avoiding the risk (by discontinuing the activity giving rise to the risk), or taking
the risk;
• removing the risk source;
• changing the likelihood;
• changing the consequences;
• sharing the risk with others (e.g. through contracts, buying
insurance);
• retaining the risk by informed decision.
Monitoring and Review
It includes analyzing results and providing feedback. Its purpose is to
ensure the effectiveness of the risk management process.
Recording and Reporting
The risk management process and its outcomes should be documented and
reported through appropriate mechanisms.