Risk-management as a foundation of organisation success Flashcards
What are the 3 roles of risk-management in organisations?
- Reducing uncertainty
- Anticipation and resilience
- Supporting the internal control environment
THE ROLE OF RISK-MANAGEMENT IN ORGANISATIONS - REDUCING UNCERTAINTY
How can risk-management reduce uncertainty? (3)
How does this help an organisation?
Can be used as an information-gathering tool:
1. Collect data on past risk events to build a clearer picture of what can occur
2. Trend analysis and risk modelling
3. Scenario analysis = asking ‘what if’ questions and imagining worst case
Sufficient information gathering can help estimate probability and impact with a relatively high degree of confidence
THE ROLE OF RISK-MANAGEMENT IN ORGANISATIONS - ANTICIPATION AND RESILIENCE
What are the 2 main contexts that risk-management can be applied in?
RISK-MANAGEMENT AND ANTICIPATION
Why is anticipation of risks important in risk-management?
What is the major problem?
RISK-MANAGEMENT AND RESILIENCE
From time to time, organisations will encounter risk events that they did not foresee.
In the face of high levels of uncertainty, organisations need to invest in resilience by doing what 3 things?
A. Helps anticipate and predict risk events to reduce the probability of negative events and increase positive ones
B. Helps organisations respond effectively to, and recover quickly from, risk events that have not been anticipated = resilience
Because risks are identified, assessed, and monitored before they are controlled:
* Identification = used to highlight the range of risks the organisation is exposed to
* Assessment and monitoring = help prioritise scarce control resources
* Controls = used to manipulate probability and impact to achieve a more favourable outcome/reduce exposure to a negative outcome
Problem = not all risks can be anticipated = risks may be unknown, or where known might be impossible to accurately calculate probability and/or impact
- Responding quickly to mitigate the immediate effects of unanticipated events as they unfold (effective crisis management)
- Recovering quickly from the aftermath of an unanticipated event to ensure that the organisation is able to maintain its operations and achieve its objectives (business continuity management)
- Reviewing past unanticipated events in order to improve future resilience (organisational learning)
RISK-MANAGEMENT AND RESILIENCE
What is a black swan event?
Name 3 examples.
Why can black swan events occur on a regular basis? (3)
Black swan event = an event or occurrence that deviates beyond what is normally expected of a situation and is extremely difficult to predict = typically random and unexpected
2007-8 financial crisis, terrorist attacks, volcanic eruptions
A. Growing population
B. Increasing reliance on technology
C. Interconnected economies and markets
THE ROLE OF RISK-MANAGEMENT IN ORGANISATIONS - SUPPORTING THE INTERNAL CONTROL ENVIRONMENT
Risk events due to a breakdown in internal control arrangements can be/do what 3 things?
What are the 3 specialist internal control management tools?
(1) be costly, (2) damage reputation, and (3) divert attention from strategic and operational priorities. E.g., VW emissions scandal
- Risk-based compliance reviews = assess whether employees and managers are complying with applicable laws and regulations (e.g., H&S or environmental)
* more detailed and frequent reviews conducted in areas where the consequences of non-compliance are high or where RM activities suggest there is a higher risk of non-compliance
- Internal audits = help ensure policies and procedures are designed and implemented in an effective way and to check that operational processes are working efficiently
* often identify failure in design or application of controls
* may incorporate compliance reviews to investigate the degree of compliance
* more detailed and frequent IA in areas of high risk
- External audits = auditors annually review whether the financial reporting controls are adequate (to ensure ARA are accurate and free from material financial misstatements)
* broader review of governance and internal control environment = help external auditor provide a more accurate opinion on whether the organisation is likely to continue as a going concern
* effective RM by auditor should minimise the risk of not detecting material financial misstatements and minimise wrong opinions
LINKING RISK TO STRATEGY
Why are many organisations incorporating the management of strategic risks within their overall risk-management frameworks? (2)
However, why is the scope of strategic risk-management practices often too narrow?
What is required? (4)
(1) growing demand for more effective RM practices to cope with rapidly changing business environment
(2) changes in regulatory or industry-standard-related compliance that put organisations under great public and regulatory scrutiny, e.g., anti-money laundering
Many organisations focus on assessing and managing risks that arise from a chosen strategy or different components of a strategy
There remains a further need to strengthen the strategic-risk framework to better connect different decision-making steps, including
(A) The initiation of a strategic review
(B) The assessment of alternative strategies (including their overall fitness)
(C) The execution of a strategy
(D) Monitoring and managing risks that arise from a chosen strategy
LINKING RISK TO STRATEGY - THE ROLE OF THE BOARD
What are the 2 things Boards are responsible for?
What are the 2 benefits for an organisation of linking risk to strategy?
Boards are responsible for:
1. Formally approving the risk appetite statement
2. Setting the strategy that must be reflective of the organisational values and behaviours (corporate culture).
A. Linking risk to strategy allows for a clearer assessment of aggregate risks related to a particular strategy
B. It enables board-level discussions on whether alternative strategies present a more attractive risk/return choice for an organisation
LINKING RISK TO STRATEGY - THE ROLE OF THE BOARD
How have Boards been taking a more significant role in linking organisational risks to the strategy? (4)
By incorporating new processes and behaviours, for example by:
- Challenging management on key risk appetite assumptions and definitions
- Encouraging management to discuss risks in relation to strategy
- Hiring independent external advisors to evaluate risks
- Providing strategic advisory guidance to management
CREATING VALUE THROUGH RISK
How can risk-management create value? (3)
What is meant by exploitation of day-to-day risk?
Name an example.
(1) reduces the likelihood and impact of negative outcomes
(2) increases the probability and impact of positive outcomes
(3) generates additional rewards for the organisations = identifies risk-taking opportunities by understanding key drivers of revenue growth, operational efficiency, asset and investment efficiency, balance-sheet optimisation, and stakeholder expectations
Usually refers to optimisation opportunities found within the existing risk-management framework, based on the current strategy
E.g., an organisation may decide to roll out secure remote business communication tools to allow its employees to carry out their duties in a flexible and operationally efficient manner, while managing the downside risk of data loss or disruption
CREATING VALUE THROUGH RISK - STRATEGIC RISK TAKING
What is strategic risk taking?
What does it often require?
Is strategic risk taking a more risky alternative versus exploiting day-to-day risks?
Name 2 examples of strategic risk-taking, one good, and one bad.
What are the 4 most common barriers that hold organisations back from strategic risk taking?
= the willingness by an organisation to make strategic business decisions that may lead to an increase in its total value
Strategic risk-taking activity often requires a recalibration of the existing risk-management framework so that it remains fit for purpose
Yes
(1) Facebook bought Instagram when it wasn’t revenue generating. Integrated into Facebook revenue-generating model and added value of $99 billion
(2) Hewlett-Packard bought Autonomy Corporation plc and suffered $9 billion loss mostly due to accounting misrepresentations that had inflated the original value of the acquired company
- Corporate culture = management does not support strategic risk-taking initiatives
- Lack of risk prioritisation = organisations place higher priority on managing day-to-day risks at the expense of missing the bigger picture
- Failure to perform adequate due diligence = organisations fail to properly conduct risk/benefit analysis that would make management and boards comfortable about taking strategic risks
- Lack of a designated risk manager to stay on top of emerging trends and navigate different strategic risk-taking ideas throughout the organisation
CREATING VALUE THROUGH RISK - ADVERSE RISK TAKING
In some instances, excessive risk-taking may lead to what?
What is excessive risk taking often linked to?
What is risk attitude?
How does an organisation promote a particular risk attitude?
Organisations that promote excessively high-risk-taking behaviours and/or have inadequate compliance monitoring and training procedures are at risk of what?
Usually by who?
Name an example.
Lead to an organisation assuming greater and less justifiable risks that can erode or completely destroy its value
*Excessive risk-taking is often linked to the corporate culture of an organisation through its organisational risk attitude
Risk attitude = a chosen state of mind or a response to a risk event
Through culture that supports allowable behaviours in response to a risk event, and has consequences for differing behaviours
At risk of having their value significantly eroded or destroyed
Usually by very few people that put their own personal interests above those of an organisation
Enron bankruptcy shows how a corporate culture that encourages excessive risk-taking can lead to the demise of an organisation
* Had a 64-page code of ethics in place but Enron failed to adequately monitor or prevent behaviours that were not aligned with its code
CREATING VALUE THROUGH RISK - THE ROLE OF THE BOARD
What is the role of the board in the context of creating value through risk? (3)
To ensure boards can provide effective oversight, management should do what?
(1) understand different value-creation initiatives available to an organisation and be comfortable with choosing initiatives that are presented to them by management
(2) whenever boards have a knowledge gap in evaluating a specific risk-taking opportunity, they should address this gap e.g., hire a 3rd party subject matter expert
(3) utilise their depth and breadth of knowledge and experience to actively assess value-creative risk-taking opportunities
Management should present information in a receptive manner and seek timely advice and guidance from the board members
THE REGULATORY VIEW OF RISK
Which sector globally has to deal with the most prescriptive regulatory risk framework?
Who developed this regulatory risk framework and why?
Name an example.
What are the 2 approaches that can be used?
The banking sector
Developed by the Basel Committee on Banking Supervision (BCBS) to strengthen regulation, supervision and RM practices in banks
E.g., Basel III = regulators require a riskier bank to hold more capital to compensate for potential losses
To calculate their minimum risk-based capital requirements, banks are allowed to either use (1) an internal approach which takes into account their own estimated risk parameters (subject to regulatory approval) or (2) a standardised approach
THE REGULATORY VIEW OF RISK
What 5 requirements do banks have to comply with?
Banks must comply with additional requirements:
1. The liquidity coverage ratio (LCR), which covers short-term liquidity requirements (up to 30 days)
2. The net stable funding ratio (NSFR), which focuses on the longer-term funding profile of a bank (one year)
3. Stress tests = measure banks’ resilience to severe macroeconomic shocks
4. A test that tests vulnerabilities in the organisational business model by making banks come up with scenarios that would make their operations unviable (e.g., PRA’s annual reverse stress test)
5. A test that focuses on the ability of banks to wind down their businesses (also referred to as ‘living wills’) (e.g., PRA’s solvent wind down (SWD) test)