Risk-management as a foundation of organisational success Flashcards
Risk-management and anticipation (2)
- Important to anticipate and predict risk events so that the probability of negative events can be reduced, and positive ones increased
- Not all risks can be identified (anticipated), and even if they can, their probability and impact may be difficult to quantify accurately or to affect
Risk-management and resilience (2)
- Black swan events are hard to predict and cannot be quantified => cannot be anticipated
- Risk-man can help orgs respond effectively to, and recover quickly from, risk events that have not been anticipated = resilience
3 ways in which orgs may invest in resilience (names of types)
- Effective crisis management
- Business continuity management
- Organisational learning
Investing in resilience - what is effective crisis management?
Responding quickly to mitigate the immediate effects of unanticipated events as they unfold
Investing in resilience - what is business continuity management?
Recovering quickly from the aftermath of an unanticipated event to ensure the org is able to maintain its operations and achieve its objectives
Investing in resilience - what is organisational learning?
Reviewing past unanticipated events in order to improve future resilience
Negatives of risk events due to a breakdown in internal control arrangements (3)
- Very costly
- Damage reputation
- Divert attention from strategic and operational priorities
Other than through regular risk-man activities, 3 specialist internal control management tools that can be used to strengthen internal control
- Risk-based compliance reviews
- Internal audits
- External audits
Strengthening internal controls - risk-based compliance reviews (2)
- Most orgs assess whether employees are complying with applicable laws and regulations
- More detailed and frequent reviews are conducted in areas where the risk of non-compliance, or the consequences of non-compliance, are higher
Strengthening internal controls - internal audits (2)
- Conducted by most orgs to check effectiveness and efficiency of operational processes
- Can identify failures in design or application of risk controls
Strengthening internal controls - external audits (2)
- External auditors review annually whether fin. reporting controls are adequate
- Many go beyond fin. reporting to review broader governance and internal control environment, as this impacts financial statements as well (espec. going concern statement)
What do orgs generally focus on re. the link between risk and strategy?
Assessing and managing the risks that arise from a chosen strategy or different components of a strategy
A strengthened risk-man framework would include: (4)
- Initiation of a strategic review
- Assessment of alternative strategies
- Execution of a strategy
- Monitoring and managing risks arising from a chosen strategy
Advantages of linking risk to strategy: (2)
- Allows for clearer assessment of aggregate risks related to a particular strategy
- Enables board-level discussions on whether alternative strategies present a more attractive risk/return choice for an org
5 new processes and behaviours boards are incorporating into a more significant role in linking risks to strategy:
- Challenging management on key risk-appetite assumptions and definitions
- Seeking more comprehensive assurances on how non-financial risks are monitored, inc. quantification
- Encouraging management to discuss risks in relation to strategy
- Hiring independent external advisors to evaluate risks of sizeable acquisitions
- Connecting internal audit function to strategic planning and risk-man functions
Difference between day-to-day risk taking and strategic risk taking
Day-to-day risk-taking = optimisation opportunities found within existing risk-man framework based on current strategy
Strategic risk-taking = making strategic business decisions that may lead to an overall increase in total value, often requiring a recalibration of existing risk-man framework
Real world example of successful positive risk taking
Facebook’s acquisition of Instagram for USD1 billion when it was not revenue making.
Now its revenue is USD5 billion and it has a valuation of USD100 billion
4 barriers holding orgs back from strategic risk-taking:
- Corporate culture - management does not support strategic risk-taking
- Lack of risk prioritisation - higher priority placed on day-to-day risks at expense of missing the bigger picture
- Failure to perform adequate due diligence - management and board uncomfortable to take strategic risks due to improperly conducted risk/benefit analysis
- Lack of designated risk manager to stay on top of emerging trends and navigate strategic risk-taking ideas
Orgs with which two risk-related characteristics are most likely to see their value significantly eroded or destroyed?
- Promote excessively high-risk-taking behaviours
- Have inadequate compliance monitoring or training procedures
Which sector has to deal with most prescriptive regulatory risk framework?
Banking