Risk Flashcards
Risk and Risk Appetite
Risk is a condition in which there exists a quantifiable dispersion in the possible results of an activity
Risk appetite is a measure of a company’s capacity and willingness to accept different risks
Objectives for an organisation should help deliver the organisation’s strategy, and should be consistent with its risk appetite
The attitude of some stakeholder groups to risk can influence a company’s strategy:
- Shareholders
- Debt providers
- Employees
- Customers
- Government, regulatory and other bodies
Risk Manager
Needs to combine technical skill in credit, market and operational risk with leadership and persuasiveness
Responsibilities:
(A) Leadership of ERM
(B) Establishing and promoting ERM
(C) Developing policies
(D) Common risk management policies
(E) Establishing a common risk language
(F) Dealing with insurance companies
(G) Implementing risk indicators
(H) Allocating resources based on risk
(I) Reporting to the CEO
Categorising Risk
Risk by Scope
- Separating by strategic and operational risk
- Ensures they are considered by the most appropriate level of management
Risk by Function
- Managed by managers with the most appropriate expertise, e.g. legal risk managed by the legal department
Risk Classification
Can be:
• Fundamental - affect society in general
• Particular - individual in control
• Speculative - good or bad consequences
• Pure - only harmful outcomes
Categories: Financial, Legal, Political, Economic, Environmental, Technological, Knowledge management, Trade (incl. FOREX), Reputation, Organisational, Fraud, Property (incl. Intellectual), Product, Physical
Related Risk
Risks that vary because of the presence of another risk, or where two risks have a common cause. Can have a positive or negative correlation
Risk Committee
- Board has overall accountability for risk management as part of its CG responsibilities
- Can delegate responsibility to line management
- 50:50 split between exec and NED
- Often chaired by CEO
- If there is no risk committee, responsibility falls upon the audit committee
- A separate risk committee allows the audit committee to focus on financial risk
Five roles
(1) Agreeing and improving the organisation’s Risk Management Strategy
(2) Review reports on key risks prepared by departments on their operations
(3) Monitor overall risk exposure ensuring within limits set by main board
(4) Assess effectiveness of risk management systems and policies
(5) Approve statements or disclosures made to internal and external audiences
Risk Response
• TARA: Transfer, Accept, Reduce, Avoid
- A likelihood/consequence matrix allows matching a suitable strategy to a given risk
- High-impact risks that can’t be avoided because they arise out of the core business: apply the ALARP principle (As Low As Reasonably Possible)
Gross risk and residual risk are compared to assess the effectiveness of the risk response
Risk Identification and Risk events
Continuous iterative process
Once identified, a risk is included in the risk register (a formal record of risks, responses and responsible individuals)
A key aspect of risk identification in the COSO ERM framework is risk events:
External Event - economic, political, technological
Internal Event - equipment, human error, difficulties with products
Trends and root causes
Escalation Triggers - levels being reached that require immediate action
Event Interdependencies - one triggering another
Risk Assessment (Key Steps)
Identification
- Types and categories
Analysis
- Who: everyone; how: top-down and bottom-up; how often: monthly
Profiling
- Mapped on a grid with a risk tolerance boundary, allowing the organisation to prioritise its treatment of different risks
Quantification
- For risks that require more analysis
- Techniques include: sensitivity analysis and accounting ratios
Risk Consolidation
- Risks are summarised in order to report to management
- Incorporates portfolio management: consolidating may reduce overall risk via diversification and hedging (one risk offsetting another)
- Senior management then judge the priority of different risks, ensuring they are in line with objectives and risk appetite
Risk Controls (method of reduction)
Operated at different levels
Corporate: policy, culture, governance
Management: planning and performance monitoring
Business Process: authorisation limits and reconciliation
Transaction: accuracy and completeness checks
SPAMSOAP (ideas for controls)
Segregation
Physical - secure assets
Authorisation - approvals of activities
Management - review accounts/audit
Supervision - day to day transactions through variance reports
Organisation - reporting lines, levels of authority and responsibility
Arithmetical - correct and accurate reporting and processing, e.g. bank reconciliations
Personnel - training and qualifications, personal qualities, recruitment process
Benefits of Risk Management
- Predictability of Cash Flow
- Limitation of effects of bad news
- Increased shareholder confidence
- Weigh costs
Strategic vs Operational Risk
Strategic - relate to the fundamental long-term decisions directors take
Focussed on the impact a risk can have on the company’s ability to survive
Types: technology, product, resources, competition, investment, reputation
Operational Risk
Risk of loss from failures in internal business and control processes; affects day-to-day operations
Types: internal control and audit inadequacies, human error, fraud, business interruption, loss of key personnel
Differences between strategic and operational risk relate to: scope of impact, source of risk, duration of impact, scale of financial and resource consequences
Control Environment
COSO and Turnbull
- ‘Tone at the top’
- Attitude, awareness and actions of management in relation to internal controls, providing the background for the operation of other controls
COSO (what is Control Environment)
• Corporate culture/ tone of organisation
• Management style, incl. risk management philosophy
• Organisational structure
• Risk appetite
• Integrity and ethical values
TURNBULL (what makes a strong internal environment)
• Senior management commitment
• Clear strategy
• Strong business culture
• Clear definition of authority, responsibility and accountability
• Effective internal communication; adequate knowledge; skills and resources
Embedding Risk and Risk awareness
Risk assessment evolves into a consistent activity embedded across all processes, including:
- Systems and procedures
- Culture and values
Done by:
• Tone at the top - control environment
• Training and development
• Induction
• Ethical guide
• Bottom-up identification (involvement in risk identification)
• Key personnel persuasion