Module 11 - Integrating Risk Management Into Strategy Setting and Execution

Question 1

Define “business context.”

Answer 1

“Business context” refers to trends, events, relationships and other factors that influence, clarify or drive change to current and future strategy and business objectives. Business context may be:

(a) Dynamic: New risks can emerge at any time, causing disruption and changing the status quo (e.g., a new competitor causes product sales to decrease or make a product obsolete).

(b) Complex: There are many interconnections and interdependencies (e.g., an entity has many operating units around the world, each with its own unique political regimes, regulatory policies and taxation laws).

(c) Unpredictable: Change may happen quickly and in unanticipated ways (e.g., currency fluctuations and political forces).

Question 2

Differentiate between an entity’s external and internal environments and external and internal stakeholders.

Answer 2

External and internal environments are part of the business context. An entity’s external environment is anything outside the entity that can influence its ability to achieve its strategy and business objectives. External environment categories include:

(a) Political
(b) Economic
(c) Social
(d) Technological
(e) Legal
(f) Environment

An entity’s internal environment is anything inside the entity that can affect its ability to achieve its strategy and business objectives. Categories include capital, people, process and technology.

Stakeholders are also part of the business context. External stakeholders are part of the external environment. They are not directly engaged in the entity’s operations, but they:

(a) Are affected by the entity (e.g., service providers, competitors)
(b) Directly influence the entity’s business environment (e.g., government, regulators)
(c) Influence the entity’s reputation, brand and trust (e.g., communities, interest groups).

Internal stakeholders are those people working within the entity who directly influence the entity (board directors, management and other employees).

Question 3

Explain how an entity’s business context affects its risk profile.

Answer 3

Business context incorporates the trends, events, relationships and other factors that may influence, clarify or change an entity’s current and future strategy and business objectives.

The impact of business context on an entity’s risk profile may be viewed in three stages: past, present and future performance. Looking back at factors that affected past performance can provide valuable information to use in shaping the current risk profile. Looking at current performance can show how current trends, relationships and other factors are affecting the risk profile. By thinking about what these factors will look like in the future, the entity can consider how its risk profile will evolve in relation to where it is heading or wants to head.

Question 4

Describe how an entity’s chosen risk appetite is applied within that entity’s risk management profile.

Answer 4

Risk appetite guides allocation of resources; the goal is to align resource allocation with the entity’s mission, vision and core values to create, preserve and realize value.

There is no standard or “right” risk appetite. Risk appetite is chosen with full understanding of the trade-offs involved. Management, with board oversight, continually monitors risk appetite at all levels and accommodates change when needed.

Question 5

Outline factors an entity may consider when determining its risk appetite

Answer 5

A variety of approaches can be used to determine risk appetite, including facilitated discussions, reviewing past and current performance targets, and modeling. An entity may consider any number of factors to help determine its risk appetite, including:

(a) Strategic parameters, such as new products to pursue or avoid, the investment for capital expenditures, and merger and acquisition activity
(b) Financial parameters, such as maximum acceptable variation in financial performance, return on assets or risk-adjusted return on capital, target debt rating and target debt/equity ratio
(c) Operating parameters, such as environmental requirements, safety targets, quality targets and customer concentrations
(d) Risk profile, which provides information on the entity’s current amounts of risk, how risk is distributed across the entity and the different categories of risk
(e) Risk capacity, which is the maximum amount of risk the entity can absorb
(f) Enterprise risk management capability and maturity, which provides information on how well enterprise risk management is functioning.

Question 6

Describe the intent of a “due diligence” review of alternative strategies.

Answer 6

An entity must evaluate alternative strategies as part of its strategy-setting process to assess the risk and opportunities of each option in the context of the entity’s resources and capabilities to create, preserve and realize value. This evaluation is often referred to as “due diligence.” The amount of effort expended and the level of precision required in evaluating alternative (or current) strategies varies depending on how significant the decision is, the resources and capabilities available and the number of strategies being evaluated. The more significant the decision, the more detailed the evaluation will be, perhaps using several approaches.

Question 7

Describe two key risk perspectives considered in a due diligence assessment of alternative strategies

Answer 7

Alternative strategies are assessed in the context of the entity’s resources and capabilities to create, preserve and realize value. This includes evaluating strategies from two different perspectives of risk:

(1) Whether the strategy aligns with the mission, vision and core values of the entity. If it does not, the entity may not achieve its mission and vision. A misaligned strategy increases risk to stakeholders because the value of the entity and its reputation may be affected.

(2) Potential risks of each strategy being considered. The identified risks collectively form a risk profile for each option; that is, different strategies yield different risk profiles. Management and the board use these risk profiles when deciding on the best strategy to adopt, given the entity’s risk appetite.

Question 8

Describe how bias can affect the due diligence process for evaluating alternative strategies.

Answer 8

Bias may prevent an entity from selecting the best strategy both to support the entity’s mission, vision and core values and to reflect the entity’s risk appetite. An entity should try to be unbiased—or mitigate any bias—when it is evaluating alternative strategies. The first step is to identify any bias that may exist during the strategy-setting process. The next step is to mitigate bias that is identified.

Question 9

Explain how business objectives and their related performance targets can influence an entity’s risk profile. Provide an example.

Answer 9

Alignment of business objectives to strategy supports the entity in achieving its mission and vision. If business objectives do not align, or only partially align, to the strategy, they may impede achievement of the mission and vision and may introduce unnecessary risk to the risk profile of the entity. The entity may use resources that would otherwise be more effectively deployed in executing other business objectives.

If business objectives do not align with the entity’s risk appetite, the entity may be accepting either too much or too little risk. Evaluation of a proposed business objective must consider the potential risks that may occur and determine the impact to the risk profile. If an entity finds that it cannot establish business objectives that support the achievement of strategy while remaining within its risk appetite or capabilities, a review of either the strategy or the risk profile is required.

Even if the business objective is aligned with strategy, setting inappropriate performance targets to evaluate their progress can also influence the risk profile. For example, aggressive growth targets heighten the risks in execution. Conversely, while conservative growth targets lower the risk of achieving the targets, they may also result in the targets no longer aligning with the achievement of the business objective.

Question 10

Explain the role of acceptable variation in performance using the following sample risk profile.

Answer 10

Unlike risk appetite, which is broad, acceptable variation in performance (illustrated here with the broken lines) is tactical and focused. It is expressed in measurable units (preferably in the same units as the business objectives), applied to all business objectives and implemented throughout the entity. In setting acceptable variation in performance, the entity considers the relative importance of each business objective and strategy. For instance, for objectives viewed as being highly important to achieving the entity’s strategy, or where a strategy is highly important to the entity’s mission and vision, the entity may set a lower level of acceptable variation in performance.

Knowing the acceptable variation in performance can enable management to enhance value to the entity. For example, the right boundary of acceptable variation should generally not exceed the point where the risk profile intersects risk appetite. Where the right boundary in this sample risk profile is below risk appetite, management may be able to shift its performance targets and still be within its overall risk appetite. The optimal point is where the right boundary of acceptable variation in performance intersects with risk appetite, as denoted by point A.

Operating within acceptable variation in performance provides management with greater confidence that the entity remains within its risk appetite and provides a higher degree of comfort that the entity will achieve its business objectives.

Question 11

Differentiate between exceeding variation and trailing variation.

Answer 11

Acceptable variation in performance considers both exceeding and trailing variation, sometimes referred to as “positive” or “negative” variation. Note that exceeding and trailing variation are not always set at equal distances from the target. The amount of exceeding variation and trailing variation depends on several factors, including the entity’s risk appetite. An entity with a lower risk appetite may prefer to have less performance variation compared to an entity with a greater risk appetite. The relationship between cost and acceptable variation in performance is also a factor that affects associated risk and opportunities. Typically, the narrower the acceptable variation in performance, the greater amount of resources required to operate within that level of performance. Consider airlines—Assume an airline lowers its acceptable variation in performance in on-time arrivals and departures. It could decide to stop serving several airports because its on-time performance does not fit within the revised (decreased) acceptable variation in performance. The airline would then need to weigh the cost implications of forgoing service revenue to realize a decreased variation in its performance target.

It is common for entities to assume that exceeding variation in performance is a benefit and trailing variation in performance is a risk. Exceeding a target does usually indicate efficiency or good performance, not simply that an opportunity is being exploited. But trailing a target does not necessarily mean failure: It depends on the entity’s target and how variation is defined.

Question 12

Explain the importance of having risk management processes that are linked to an entity’s operating model.

Answer 12

The process of identifying, assessing and responding to risk is undertaken across the entity and at all levels. Risks originating at a transactional level may prove to be as disruptive as those identified at the entity level. Risks may affect one operating unit or the entity as a whole. Risks may be highly correlated with factors within the business context or with other risks. Risk responses may require significant investments in infrastructure or may be accepted as part of doing business. Creating, preserving and realizing an entity’s value is enabled when the operating model includes a risk management process that includes these steps:

(a) Identifying new and emerging risks so risk responses can be deployed in a timely manner
(b) Assessing severity of risk, with an understanding of how the risk may change depending on the level of the entity
(c) Prioritizing risks, allowing for optimization of resource allocation in response to those risks
(d) Identifying and selecting responses to risk
(e) Developing a portfolio view to enhance the entity’s ability to articulate the amount of risk assumed in pursuing strategy and business objectives
(f) Monitoring entity performance and identifying substantial changes in the performance or risk profile of the entity.

Question 13

Outline inputs, approaches and outputs for steps in the overall risk assessment process.

Answer 13

An enterprise risk management process is iterative, with the inputs in one step of the process typically being the outputs of the previous step. This process is performed across all levels and with responsibilities and accountabilities for appropriate enterprise risk management aligned with severity of the risk.

1. Identifying Risk
2. Assessing risk
3. Prioritizing risk
4. Developing a portfolio view
5. Monitoring performance

Question 14

Describe the objective of the “identifying risk” step in the risk management process.

Answer 14

The objective of this step in the risk management process is to identify new, emerging and changing risks to the achievement of its strategy and business objectives. Entities undertaking the risk identification process for the first time must establish an inventory of risks and then, in subsequent identification processes, confirm existing risks as being still applicable and relevant. How often an entity goes through this process depends on how quickly new risks emerge. Where risks are likely to take months or years to materialize, the frequency at which risk identification occurs may be less than where risks are less predictable or may occur at a greater speed.

Also inherent in this step is identifying opportunities that emerge from risk. For example, changes in demographics and aging populations may be considered as both a risk to the current strategy of an entity and an opportunity for growth. Similarly, advances in technology may represent a threat to current distribution and service models for retailers as well as an opportunity to change how retail customers obtain goods (e.g., through online services). Where such opportunities are identified, they are communicated back to management to be considered as part of strategy and business objective setting.

Question 15

Outline types of new, emerging and changing risks, and explain the benefits of identifying these risks in the risk management process.

Answer 15

New, emerging and changing risks include those that:

(a) Arise from a change in business objectives (e.g., adopting a new strategy supported by business objectives or amending an existing business objective)
(b) Arise from a change in business context (e.g., changes in consumer preferences for environmentally friendly or organic products that have potentially adverse impacts on the sale of the company’s products)
(c) Pertain to a change in business context that may not have applied to the entity previously (e.g., a change in regulations that results in new obligations to the entity)
(d) Were previously unknown (e.g., the discovery of a susceptibility for corrosion in raw materials used in the company’s manufacturing process)
(e) Have been previously identified but have since been altered due to a change in the business context, risk appetite or supporting assumptions.

Identifying new and emerging risks, or changes in existing risks, allows management to look to the future and gives it time to assess the potential severity of the risks. In turn, having time to assess the risk allows management to anticipate the risk response or to review the entity’s strategy and business objectives as necessary.

Question 16

Describe the importance of precise risk identification and methods that can be used to enhance precision.

Answer 16

Precise risk identification is important because:

(a) It allows management to more accurately assess the severity of the risk.
(b) It helps management identify the typical root causes and impacts and, therefore, select and deploy the most appropriate risk response.
(c) It supports the aggregation of risks to produce the portfolio view.

Entities can enhance precision when identifying risk by:

(a) Articulating the difference between an actual risk and other considerations, those being:

• Potential root causes that could influence the severity of a risk
• Potential impacts of a risk being embedded in the description
• Potential impacts of ineffective or failed risk responses and controls.

(b) Using consistent or standard sentence structure that facilitates accurate assessment of the risk, differentiates between root causes, and impacts and supports aggregation of risks to produce a portfolio view.

Question 17

Explain the concept of “risk universe.” Provide an example.

Answer 17

Risks captured by the risk identification process are commonly referred to as a “risk universe”—a qualitative listing of the risk the entity faces. Depending on the number of individual risks identified, entities may structure the risk universe using a specific taxonomy, or hierarchy of risk types, that provides standard definitions and categories for different risks. This allows similar risks, such as strategic, financial, operational and compliance risks, to be grouped together. Within each category, risks can be further defined into more detailed subcategories. The risk universe can be updated to reflect changes identified by management. The risk universe is then input for the risk assessment step in the risk management process.

One example that can apply to all types of plans is “administration risk.”

Administration Risk: Risk associated with inefficient or insufficiently effective processes or organization in the administration of the plan

Question 18

Contrast the terms “inherent risk,” “target residual risk” and “actual residual risk.”

Answer 18

“Inherent risk” is the risk to an entity in the absence of any direct or focused actions by management to alter its severity. “Target residual risk” is the amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented, direct or focused actions to alter risk severity. “Actual residual risk” is the risk remaining after management has taken action to alter its severity. Actual residual risk should be equal to or less than the target residual risk. Where actual residual risk exceeds target risk, additional actions should be identified that allow management to alter further risk severity.

Even when actual residual risk is assessed to be within target residual risk, management may wish to identify opportunities that can move the entity closer to the desired residual risk profile. Alternatively, management may identify risks for which unnecessary responses have been deployed. Redundant risk responses are those that do not result in a measurable change to the severity of the risk. Removing such responses may allow management to allocate resources put toward that response elsewhere.

Question 19

Describe the reasons that an entity measures the severity of a particular risk and factors considered in the measurement process.

Answer 19

The severity of the risk is determined in order to select an appropriate risk response, allocate resources and support management decision making and performance. Potential causes of different risks and the consequent severity of any impacts must be considered. Factors considered when assessing the severity of risk include:

(a) Size, nature and complexity of the entity and its risk appetite
(b) Level of assessment, either by entity or operational unit. Acceptable amounts of financial risk, for example, may be greater if those risks are assessed at an entity level compared to an operating unit.
(c) Risk impact. There may be a range of possible impacts associated with a risk; they may be positive or negative relative to the strategy or business objectives.
(d) Risk likelihood. The possibility of a risk occurring may be expressed in a variety of ways: qualitatively, quantitatively or frequency.
(e) Time horizon. The horizon used to assess risks should be the same as that used for the related strategy and business objectives. Because the strategy and business objectives of many entities focus on short- to medium-term time horizons, management often focuses on risks associated with those time frames. Specifically, when assessing risks of the mission, vision or strategy, some aspects may be longer term. As a result, management needs to be cognizant of the longer time frames and must not ignore risks that might emerge or occur further out.

Question 20

Explain the significance of bias in the assessment of risk severity.

Answer 20

Management should be aware of the potential for bias and identify and mitigate the effect of bias in the assessment process. Bias may result in the severity of a risk being under- or overestimated and limit how effective the selected risk response will be. Overestimating risks may result in resources being unnecessarily deployed in response, creating inefficiencies in the entity. Overestimating severity may also hamper the performance of the entity or affect its ability to identify new opportunities. Underestimating the severity of a risk may result in an inadequate response, leaving the entity exposed and at risk potentially outside of the entity’s risk appetite.

Question 21

Provide examples of criteria used for prioritizing risks.

Answer 21

Risk prioritization considers the severity of a risk by applying agreed-upon criteria and provides a basis for selecting responses to risks. Examples of criteria include:

(a) Adaptability: The capacity of an entity to adapt and respond to risks (e.g., responding to changing demographics such as the age of the population)

(b) Complexity: The scope and nature of a risk to the entity’s success. The interdependency of risks will typically increase their complexity.

(c) Velocity: The speed of onset at which a risk impacts an entity. The velocity may move the entity away from the acceptable variation in performance.

(d) Persistence: How long a risk impacts an entity (e.g., accounting for the immediacy of disrupted operations compared to the longer term impact to the entity’s reputation)

(e) Recovery: The capacity of an entity to return to acceptable variation in performance (e.g., continuing to function after a severe flood or other natural disaster). Recovery excludes the time taken to return to acceptable variation in performance, which is considered part of persistence, not part of recovery.

Question 22

Explain the significance of bias in the prioritization of risks.

Answer 22

Management must strive to prioritize risks and manage competing business objectives related to the allocation of resources free from bias. Competing business objectives may include securing additional resources, achieving specific performance measures, qualifying for personal incentives and rewards, or obtaining other specific outcomes. The prevalence of bias may increase in situations where there are competing priorities.

Question 23

Describe the key categories of risk response.

Answer 23

A risk response is selected and deployed for all risks identified. Risk responses fall within these categories:

(a) Accepting: No action is taken to affect the severity of the risk. This response is appropriate when the risk is already within risk appetite. A risk that is outside the entity’s risk appetite and that management seeks to accept will generally require approval from the board or other oversight bodies.

(b) Avoiding: Action is taken to remove the risk, which may mean ceasing a product line, declining to expand to a new geographical market or selling a division. Choosing avoidance suggests that the entity was not able to identify a response that would reduce the impact of the risk to an acceptable severity level.

(c) Pursuing: Action is taken that accepts increased risk to achieve increased performance. This may involve adopting more aggressive growth strategies, expanding operations or developing new products and services. When choosing to pursue risk, management understands the nature and extent of any changes required to achieve desired performance but does not exceed the target residual risk.

(d) Reducing: Action is taken to reduce the severity of the risk. This involves many everyday business decisions that reduce residual risk to a severity level that is aligned with the target residual risk profile and risk appetite.

(e) Sharing: Action is taken to reduce the severity of the risk by transferring or otherwise sharing a portion of the risk. Common techniques include outsourcing to specialist service providers, purchasing insurance products and engaging in hedging transactions. As with the reduce response, sharing risk lowers residual risk in alignment with risk appetite.

Question 24

What actions may need to be considered if a risk falls outside of an entity’s risk appetite and or within an acceptable variation in performance

Answer 24

(a) Reviewing the business objective: The entity chooses to review and potentially revise the business objective given the severity of identified risks and acceptable variation in performance. This may occur when the other categories of risk responses do not represent desired courses of action for the entity.

(b) Reviewing the strategy: The entity chooses to review and potentially revise the strategy given the severity of identified risks and risk appetite of the entity. As with reviewing business objectives, this may occur when other categories of risk responses do not represent desired courses of action for the entity.

Question 25

Outline the factors considered in the selection and deployment of risk responses, and describe the potential impact of selecting a single risk response.

Answer 25

(a) Business context

(b) Costs and benefits

(c) Obligations and expectations

(d) Risk priority

(e) Risk severity

(f) Risk appetite

Question 26

Explain how the costs and benefits of risk responses factor into decision making.

Answer 26

Management must consider the potential costs and benefits of a risk response. Generally, anticipated costs and benefits are commensurate with the severity and prioritization of the risk. Cost and benefit measurements for selecting and deploying risk responses are made with varying levels of precision. Costs comprise direct costs, indirect costs (where practicably measurable) and, for some entities, opportunity costs associated with the use of resources. Measuring benefits may be more subjective, because they are usually difficult to quantify. In many cases, however, the benefit of a risk response can be evaluated in the context of the achievement of strategy and business objectives. In some instances, given the importance of a strategy or business objective, there may not be an optimal risk response from the perspective of costs and benefits. In such instances, the entity can either select a response or choose to revisit its strategy and business objectives. In selecting the appropriate response, management must consider the expectations of stakeholders such as shareholders, regulators and customers. Management is also responsible for risk responses that address any regulatory obligations, which may not be optimal from the perspective of costs and benefits but comply with legal or other obligations.

Question 27

Explain the concept of a portfolio view of risk, and outline its benefits.

Answer 27

A “portfolio view” is a composite of risk the entity faces entitywide, which positions management and the board to consider the types, severity and interdependencies of risk and how they may affect the entity’s performance relative to its strategy and business objectives.

With a portfolio view, management is well-positioned to determine whether the entity’s residual risk profile aligns with the overall risk appetite. The same risk across different units may be acceptable for the operating units, but taken together may give a different picture.

Collectively, the risk may exceed the risk appetite of the entity as a whole, in which case additional or different risk responses are needed. Conversely, a risk may not be acceptable in one unit, but well within the range in another. For example, some operating units have higher risk than others, which results in overall risk falling within the entity’s risk appetite. In cases where the portfolio view shows that risks are significantly less than the entity’s risk appetite, management may decide to motivate individual operating unit managers to accept greater risk in targeted areas, striving to enhance the entity’s overall growth and return. Management determines whether the entity’s residual risk profile aligns with the overall risk appetite.

In developing the portfolio view, entities may observe risks that:

(a) Increase in severity as they are progressively consolidated to higher levels within the entity
(b) Decrease in severity as they are progressively consolidated
(c) Offset other risks by acting as natural hedges.

Question 28

Outline the benefits of stress testing the portfolio view of risk.

Answer 28

Undertaking stress testing, scenario analysis or other analytical exercises helps an entity to avoid or better respond to unexpected events and losses. The entity uses different techniques to assess the effect of changes in the business context or other variables on a business objective or strategy. By stress testing the portfolio, management can review:

(a) Assumptions underpinning the assessment of the severity of risk
(b) Behaviours of individual risks under stressed conditions
(c) Interdependencies of risks within the portfolio view
(d) Effectiveness of existing risk responses.

Question 29

Describe how monitoring performance can help an entity assess how risk has impacted the achievement of strategy and business objectives.

Answer 29

By monitoring performance, entities can determine answers to these questions:

(a) Has the entity performed as expected and achieved its target?

(b) What risks are occurring that may be affecting performance?

(c) Was the entity taking enough risk to attain its target?

(d) Was the estimate of the amount of risk accurate?

Question 30

Outline corrective action options available should an entity determine that its performance does not fall within its acceptable variation or that target performance results in a different risk profile than was expected.

Answer 30

Should an entity determine that its performance does not fall within its acceptable variation or that target performance results in a different risk profile than was expected, available options include:

(a) Reviewing business objective or strategy

(b) Reviewing strategy

(c) Revising target performance

(d) Reviewing severity of risk results

(e) Reviewing how risks are prioritized

(f) Revising risk responses

(g) Revising risk appetite

Question 31

Explain how an entity’s capabilities inform decisions for corrective action.

Answer 31

Part of monitoring performance is considering an entity’s capabilities and their effect on performance. An entity needs to know the reasons behind either underperformance or overperformance compared to established targets.

Corrective action may include reallocating resources, revising business objectives or exploring alternative strategies. The entity’s capacity for resources also informs decisions for corrective actions. For business objectives that affect the entity as a whole, the entity may choose to revise the objective instead of incurring the costs of deploying additional risk responses. Whenever significant deviations from the acceptable variation in performance occur, or where performance represents a disruption to the achievement of the entity’s strategy, the entity may revise its strategy.