Module 13: Business analysis, risk identification and initial assessment Flashcards
6-step process for risk identification and initial assessment
- ANALYSE THE BUSINESS operations and wider environment. Ensure that the business has clear objectives.
- IDENTIFY KEY RISKS to the business objectives in a structured way.
- AGREE ON THE RISKS faced, the relationships between them, and accountabilities for each risk and its management.
- EVALUATE the risks in terms of
— probability,
— severity and
— inter-dependency,
gross and net of existing controls.
- Produce / update the RISK REGISTER, prioritising top risks for further analyses, quantification and risk mitigation.
- REVIEW the risk register regularly, especially in times of change.
6 Idea generation tools to help organisations identify risks
- SWOT analysis
- risk check lists
- risk prompt lists
- risk taxonomy
- case studies
- process analysis
7 Risk identification techniques
- brainstorming
- independent group analysis
- surveys
- gap analysis
- Delphi technique
- interviews
- working groups
7 Risk concepts
- exposure
- volatility
- probability
- severity
- time horizon
- correlation
- capital
Inherent risk
The risk to an entity
… in the absence of any actions
… that management might take
… to alter the risk’s likelihood or impact.
Residual risk
The remaining risk
… after management has taken action
… to alter the risk’s likelihood and impact.
It may also be a secondary risk resulting from taking another risk response action.
Risk map
Illustrates the effect that a risk might have on a company by ranking risk exposures by:
- SEVERITY on the X-AXIS and
- PROBABILITY on the Y-AXIS.
A risk map may also illustrate the results of control effectiveness by mapping both the inherent and residual risks.
Heat map
Plots severity against control effectiveness rating (to reveal where action needs to be taken).
Emerging risks
- either new risks, or changes in already known risks (or their control effectiveness)
- subject to high levels of uncertainty and ambiguity
- difficult to quantify using traditional risk assessment techniques
- important since they may represent a new business opportunity or have a significant impact on profitability, operations or strategy.
Emerging risks might be identified using horizon scanning.
Trends giving rise to emerging risk management challenges include (4)
- globalisation
- technology (cyber risk)
- changing market structures
- restructuring of businesses
3 examples of behavioural bias in financial decision-making
- overconfidence
- anchoring
- representative heuristics
The problem of bias can be reduced by (2)
- incorporating CHECKS AND BALANCES into the risk identification and assessment process
- introducing an OPTIMISM BIAS, where the capital cost is increased by a percentage based on past cost over-runs
Outline necessary conditions for an organisation to gain the benefits of risk identification and assessment
- have SENIOR SPONSORSHIP of the risk management programme
- be CONSISTENT ON THE STANDARDS used over time
- ensure quantitative and qualitative data is used so as to develop a COMPREHENSIVE RISK PROFILE for the whole organisation
- INTEGRATE risk identification with the entire risk management process
- DEMONSTRATE ADDED VALUE (not simply meet regulatory requirements).
Define SWOT analysis
This is a framework for generating ideas in a structured and comprehensive way.
A SWOT analysis considers the following, as faced by the organisation, and can be used to establish what risks the company faces:
- Strengths
- Weaknesses
- Opportunities
- Threats
Define a risk checklist
A list of risks identified on past projects or initiatives the company has undertaken (experiential knowledge) or from an external source.
Care must be taken to ensure the information is relevant and up-to-date.
Define a risk prompt list
A list of the different categories of risk to consider and examples of each.
This may be produced at an industry-wide level by a supervisory authority.
Similarly risk trigger questions list situations and events that have previously emerged and that should be considered.
E.g. PEST(ELI) analysis
Define risk taxonomy
A structured way of classifying risks and breaking them down into components. This can help to ensure that those involved in the process have a common understanding of the terms used in risk identification.
It is probably less project-specific than a checklist and less industry-specific than an industry prompt list.
Define case studies
Examining case studies can help to understand the impact of risks in a specific context.
Define process analysis
By constructing flow charts that detail business processes, and the links between them, it is possible to identify the risks that arise at each stage.
This technique is particularly suited to operational risks.
State one potential advantage common to all risk identification tools, and one potential disadvantage common to all of these tools
A potential advantage of all of these tools is that they provide a clear structure for the risk identification process.
This may improve the quality of the output (compared to a less structured process); however, the result may still not be comprehensive (eg due to bias in the process or the participants).
Cyber risk
Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
Typically connected to:
- online activity
- internet trading
- technological networks
- storage of personal data
Define the risk identification technique:
brainstorming
Brainstorming involves gathering together a group of people and generating ideas in a freeform way.
It is often facilitated by an external consultant and requires all participants to be in the same location at the same time.
Define the risk identification technique:
independent group analysis
Each risk is presented by a member of the group and is then discussed by the group.
An agreed list of risks is ranked independently by each member of the group and the responses combined to form an overall ranking.
Define the risk identification technique:
surveys
Rather than gathering all the participants together, using online (or postal) surveys can generate a wide range of responses cheaply and without collusion between participants.
Define the risk identification technique:
gap analysis
A gap analysis is a particular type of questionnaire designed to identify the company’s current and desired risk exposures.
Although the Board may be best placed to identify the latter, line management may be involved in identifying the former.
Define the risk identification technique:
Delphi technique
The Delphi technique is a structured communication technique where the participants answer questionnaires in two or more rounds.
After each round, a facilitator provides an anonymous summary of the output from the previous round as well as the reasons they provided for their judgements.
The participants then revise their earlier answers in the light of the replies of other members of the panel.
The intention is that during the process the range of answers will decrease and the group will converge towards a consensus.
The technique aims to maintain anonymity and independence whilst addressing the difficulties of designing questionnaires and surveys.
Define the risk identification technique:
interviews
Individuals are interviewed and the results collated, normally by an independent, external reviewer.
Define the risk identification technique:
working groups
A small number of interested individuals are tasked with considering a specific risk (or group of risks).
The members of the group are normally specialists.
It may be extended to the analysis of the risks identified - especially if they are unquantifiable.
Problem of bias
Without a supportive risk culture, it is possible that risks are not identified, assessed or reported in a true and honest way.
This is known as the problem of bias.
11 Sources of bias
- Insufficient care may have been devoted to the identification or analysis of risks.
- Key risks may have been accidentally or deliberately omitted.
- Incorrect assumptions that certain risks are independent of each other may have concealed the true likelihood of “chain reactions” of adverse events.
- The likelihood of disasters occurring may have been underestimated because of inadequate past experience.
- Cashflows may have been guessed or, worse, deliberately biased towards optimism.
- Insufficient account may have been taken of the future ups and downs of the economic cycle.
- The risks associated with new technologies may have been given inadequate attention.
- Not all the effects of the project on the sponsor’s other business may have been considered.
- Credit may have been taken for benefits not directly attributable to the project.
- The assumptions on which the estimates are based may not correspond with senior management’s views of the world in future.
- Arithmetic or spreadsheets may contain errors which lead to substantially incorrect evaluation, or there may be failures of logic in building the model.
Bias can similarly take place in reporting to the Board about the ongoing risks facing the enterprise as a whole.
Behavioural finance
The study of unintentional bias in finance.
The field looks at how a variety of mental biases and decision-making errors affect financial decisions.
It relates to the psychology that underlies and drives financial decision-making behaviour.
The key step which should be taken to minimise the risk of bias
To validate the appraisal work by competent and genuinely independent checking, and by reference where possible to the outcomes of similar projects undertaken previously.
DISADVANTAGE of the risk identification technique:
brainstorming
Poorly run brainstorming sessions run the risk of convergent thinking (or group-think) or uneven participation leading to an incomplete or biased identification of risks.
Participants should come from various departments across the organisation and have different backgrounds.
Even in specialist areas, “outsiders” can bring fresh ideas that can inspire the experts.
DISADVANTAGE of the risk identification technique:
Independent group analysis
An unbalanced group (eg too many marketing executives) may produce a biased list of risks and rankings.
DISADVANTAGE of the risk identification technique:
Surveys
There is the problem of framing - the risk that the way in which the question is asked influences the response.
Pilot surveys can help improve the survey design.
Surveys can also suffer from poor response rates.
The quality of a survey is only as good as the quality of both the design and the analysis of the response data.
DISADVANTAGE of the risk identification technique:
Gap analysis
It may be difficult and/or costly to engage the Board in such a process.
DISADVANTAGE of the risk identification technique:
Delphi technique
The technique is likely to be time-consuming and therefore costly, especially as an external expert facilitator is likely to be required.
DISADVANTAGE of the risk identification technique:
Interviews
Unlike surveys, immediate clarification can be sought; however, this technique can be time-consuming (and hence expensive), leading to restrictions on the number of interviews conducted. Involving multiple interviewers can lead to inconsistencies.
DISADVANTAGE of the risk identification technique:
Working groups
If the members of the group are specialist, as is normal, then the identification will be narrow rather than comprehensive.
In addition, specialists may want to work at a higher level of precision than is cost justified.
7 Key elements in a risk register
- a labelling or numbering system so that risks can be identified easily
- the category of risk
- a description of each risk that is clear and understandable to all
- an (initial) assessment of the likelihood of the risk occurring, its impact, and perhaps the timeframe over which it is applicable.
- the risk response action, its cost and expected residual / secondary risks
- individuals involved in monitoring and managing the risk
- document control information, so it is clear when it was last updated and by whom
List 7 risk concepts
- exposure
- volatility
- probability
- severity
- time horizon
- correlation
- capital
Outline the risk concept:
exposure
The maximum loss that can be suffered if an event occurs.
Bear in mind that harm may not have an immediate monetary value (e.g. damage to brand name)
Outline the risk concept:
volatility
A measure of the variability within the range of possible outcomes.
When describing market risk, volatility is defined as the standard deviation of returns.
Outline the risk concept:
probability
the likelihood that an event occurs
Outline the risk concept:
severity
the loss that is likely to be incurred if an event occurs
severity is generally lower than exposure (which is the maximum loss).
Outline the risk concept:
time horizon
the length of time for which an organisation is exposed to risk or
the time required to recover from (or reverse the effects of) an event
Outline the risk concept:
correlation
correlation is the degree to which differing risks behave similarly in response to common events.
Risk concentration, the opposite of diversification, results in high risk correlations.
Outline the risk concept:
capital
A business holds capital to:
- manage its cashflow (working capital)
- facilitate growth / new ventures (development capital)
- to cover unexpected losses arising from exposure to risk (risk capital)
Outline the benefits of the risk mapping process
Risk mapping can be a useful process, since:
- it gets people together from across the organisation to talk about risks
- it improves the enterprise’s understanding of the risks it faces …
- … the effect of its risk management activities…
- … and which risks require further attention
- the final risk map is an excellent visual tool for reporting to the Board on risk.
Outline what factors might be used to rank risk controls according to their perceived effectiveness
- risk exposures are within tolerance levels
- controls are in place
- risks are linked to potential impact on return
- risk metrics / dashboard reporting is established
Discuss why emerging risks are important
- knowledge of such risks will influence corporate strategy
- they may affect the profitability of the organisation
- they may yield opportunities for a new product. E.g. a new potentially fatal disease may represent a risk to a life insurer’s existing life assurance business and an opportunity for a new protection product.
Outline 4 inter-related trends that give rise to emerging risk-management challenges
- globalisation - the increased interdependency of the world’s economies and markets
- technology - the new operational risks arising from technology-driven business.
- changing market structures - as markets are deregulated and privatised
- restructuring - the effects of mergers and acquisitions, joint ventures, outsourcing and business re-engineering
3 Areas of emerging IT risks
- cyber security
- cloud computing
- social media
3 Types of behavioural biases
- overconfidence
- anchoring
- representative heuristics
Why is risk capital important?
- the financial strength of a company will be judged by reference to the relative levels of risk and risk capital
- from a debtor’s perspective, risk capital provides protection against unexpected events and determines credit ratings
- from an equity-holder’s perspective, returns should be judged relative to the level of risk capital
- similarly, the allocation of risk capital to operational units enables risk-adjusted profitability to be determined and creates an “internal capital market” within the organisation.
Behavioural bias:
overconfidence
the problem that people tend to overestimate their own abilities, knowledge and skills.
Behavioural bias:
anchoring
the problem that people base perceptions on past experience or “expert” opinion
Behavioural bias:
representative heuristics
people find more probable those things that they find easier to imagine
4-stage process aimed at ensuring the risk identification and assessment process adds value to the business.
(Lam)
- FOUNDATION SETTING
– gaining executive sponsorship
– organising and planning of resources
– defining a risk taxonomy
– building customised risk identification and assessment tools
– educating and training project teams and management
- RISK IDENTIFICATION, ASSESSMENT AND PRIORITISATION
– understanding business objectives, risk appetite as well as regulatory and policy requirements
– undertaking risk assessments, both top-down and bottom-up
– producing risk reports and risk maps
– prioritising risks
- DEEP DIVES, RISK QUANTIFICATION AND MANAGEMENT
– more detailed assessments of the top risks
– producing risk tolerance statements and tracking KRIs
– determining risk management strategies and the total cost of risk (for pricing purposes)
- BUSINESS AND ERM INTEGRATION
– linking risk assessment with both strategic planning and business review processes
– integrating risk assessment into everyday business operations
– conducting scenario analysis and stress testing
– reporting on risk
– creating and maintaining loss/event databases
– establishing appropriate risk-escalation policies
PEST(ELI) analysis
One type of RISK PROMPT LIST, covering the following risks:
- Political
- Economic
- Social
- Technological
- Environmental
- Legal
- Industry