Risk Management Overview Flashcards
What is a Risk?
- An uncertain, random event that may occur, which may only be estimated in terms of consequences and likelihood (Institute of Internal Auditors).
- May delay or undermine achievement of objectives/goals.
- Also essential: taking risk helps create and preserve value, and prevents stagnation.
What are the five Principal Risk Types?
- Financial (cash flow difficulties; fraud/theft; poor budgeting).
- Operational (poor service delivery; inadequate staff skills; H&S).
- Reputational (questionable activities; legal/regulatory breaches; poor stakeholder relations).
- Governance and compliance (lack of board oversight; non-segregation of duties; non-compliance).
- Strategic (deviation from stated objectives).
What are an Organisation’s three key Internal Stakeholders?
- Employees.
- Management.
- Owners.
Who are an organisation’s six key External Stakeholders?
- Society.
- Government.
- Creditors.
- Shareholders.
- Customers.
- Suppliers.
To what extent do stakeholders want risk?
- Non-shareholding stakeholders: Generally reluctant to accept unnecessary risks.
- Shareholding stakeholders: Greater risk appetite due to:
  - Asymmetric returns: usually profit on share sale, or dividends while holding.
  - Limited liability.
  - Diversified portfolio of investments (reducing aggregate risk).
What risk considerations typically arise in an M&A scenario?
SUDS:
- Strategic (market position; growth prospects; product diversification).
- (Under)value (potential to increase the target’s value).
- Defensive (merger/acquisition to prevent hostile take-over).
- Synergetic (value creation; efficiency; cross-selling).
What are six principal consequences of risk management failures?
- Insolvency.
- Brand value depreciation.
- Talent attrition.
- Loss of business opportunities.
- Operational disruptions.
- Regulatory/governmental scrutiny.
What are the chief advantages and disadvantages of self-regulation?
- Advantages:
  - Regulation agreed and enforced by the regulated cohort.
  - Regulation is appropriate and proportionate.
  - Lower compliance costs.
- Disadvantages:
  - Hard to sustain - more limited industry incentive to enforce.
  - Self-regulatory arrangements often fail, prompting statutory regulation.
Why do stakeholder interests need to be reflected in risk management decisions?
Risk of market/organisational misconduct arising from:
- Asymmetric information: External stakeholders lack same information as internal organisational stakeholders.
- Opportunism: Exploitation of customer’s lack of prior information.
- Public good: Risk decisions could be taken that benefit organisations but not overall society.
What are potential impacts of excessive risk management?
- Excessive costs due to:
  - Over-regulation;
  - Ineffective regulation;
  - Over-reduction of risk.
- Allied compliance costs - maintaining a compliance function / managing regulatory relationships.
- Lack of acknowledgement that no risk can be eliminated entirely.
From what four sources are global risk management standards derived?
- Rules - direct legal requirements; contraventions enforced.
- Guidance - subject to organisational interpretation and application.
- Principles and outcomes-based regulation.
- Risk-based regulation.
What are the principal features of the International Standards Organisation risk management framework?
- ISO 31000:2018 principally relevant standard for risk management in all organisations.
- IEC 31010:2009 examines usage of risk assessment techniques and concepts.
- ISO 31050 provides guidance concerning the management of emerging risks to enhance resilience.
- ISO 19600:2014 provides for the improvement of compliance management systems.
- ISO 37301:2021 prescribes the development, implementation, evaluation, maintenance and improvement of an organisation’s compliance management systems, spanning organisational context, leadership, planning, support, operation, performance evaluation and improvement.
What are the principal features of the Centre of Sponsoring Organisations risk management framework?
- Two frameworks, promulgated in 2004 and 2017.
- Integration of risk management with strategy and performance.
- Five key tenets:
  - Governance and culture;
  - Strategy and objective-setting;
  - Performance;
  - Review and revision; and
  - Information, communication and reporting.
- Encourage portfolio view of risk, recognising interdependencies to support better risk management and adherence to risk appetite.
What are key differences between COSO ERM and ISO 31000?
- COSO ERM:
  i Lengthy
  ii ERM-focussed, with financial reporting emphasis
  iii Presupposes existence of risk
  iv Risks v. opportunities
  v Sequential RM process
- ISO 31000:
  i Short
  ii General RM approach
  iii Risks tiered to achievement of objectives
  iv Opportunities also characterised as risk source
  v Iterative RM approach
What are the key differences between enterprise risk management and traditional risk management?
Traditional:
- Insurable risks only;
- One dimensional impact assessment;
- Siloed, item-by-item risk management;
- Reactive and disjointed; and
- Loss-only consideration/loss prevention focus.
Enterprise:
- Insurable and non-insurable risks;
- Multi-dimensional impact assessment;
- Organisation-wide, multilateral risk assessment;
- Proactive and continuous;
- Loss and gain consideration, emphasising goals, value, culture and mindset.