
SBL Notes – JUNE 2020 Attempt

Sir Hasan Dossani – MHA

Chapter 8
Risk Management

Introduction
Introduction to Risk
▪ Risk means exposure to adverse consequences due to any uncertain event in future

▪ Risk management means how risks are identified, measured and managed by the company

▪ Risks vary from company to company, depending on:
  - Size of the company (small, medium, large)
  - Geographical location / region (single country, multinational, law and order, economy)
  - Growth phase of the company (setup phase, growth phase, maturity phase)
  - Business model / strategies (physical, online)
  - Financing structure (capital, loan financing, gearing)

▪ Risks also vary from industry to industry. For example, banks are more exposed to financial risks and
manufacturing organizations are more exposed to health & safety risks. Industry risks depend on:
  - Nature of product and industry (e.g. financial industry vs manufacturing industry)
  - Investment (e.g. capital-intensive industry)
  - Regulations (e.g. higher laws for banks)
  - Ecological aspects (e.g. oil & gas industry)
  - Technology (hi-tech industry)

Mirchawala College Chp 8 – Risk Management….. Page 1



Various Types of Risks


▪ Business Risk
Risk that threatens the survival of the whole business and can lead to a going-concern issue. Such risks can
arise from many sources, but mainly from wrong strategies, decisions or business model.

▪ Financial Risk
Risk of reduction in revenue or profitability of the company or adverse effect from the way the business is
financially structured (e.g. high gearing), debt financing and management of working capital and cash
flows.

▪ Credit Risk
Risk that customers fail to pay their dues on time.

▪ Liquidity Risk
Risk that the company does not have sufficient cash to pay off its current liabilities. This mainly arises from bad
working capital management.

▪ Exchange Rate Risk
Risk of adverse movement in the foreign currencies in which the organization deals, for example if it is
importing raw material in foreign currency or a foreign customer owes money in foreign currency.

▪ Interest Rate Risk
Risk of adverse changes in interest rates on borrowings or interest rates on investments / deposits

▪ Market Risk
Risk of losses from capital markets from adverse changes of share prices of the company, e.g. difficulty in
raising capital to fund expansion plans

▪ Investment Risk
Risk that the value of investment may fluctuate adversely

▪ Reputation Risk
Risk of harm to organization’s image, brand, goodwill or reputation including negative publicity and
adverse public sentiments

▪ Health & Safety Risk
Risk of harm, injury, disability, death or adverse health effects on people (e.g. employees, customers,
society) due to the operations of the company


▪ Political Risk
Risk of government instability or higher intervention in business activities

▪ Regulatory Risk
Risk of adverse changes in laws and regulations directly or indirectly affecting company operations

▪ Legal and Compliance Risk
Risk of breaching any law or regulation leading to fines or possible shut down of operations

▪ Technology Risk
Risk from changes to technology essential to support the business e.g. plant and machinery, IT, software,
e-commerce, etc.

▪ Environmental Risk
Risk of liability or losses from any damage to the natural environment caused by the organization, e.g. risk
of oil spillage by an oil company. It includes depletion of scarce resources, disposal of waste and
emission / pollution / spillage.

▪ Fraud Risk
Risk of fraud by employees, customers, suppliers or other parties

▪ Intellectual Property Risk
Intellectual property is the knowledge, skills, designs, secrets, formulas, etc. that the company’s staff has
built up over time. Intellectual property risk is the risk of key employees leaving the organization and joining
a competitor.

▪ Probity Risk
Risk of company or its employees’ involvement in dishonesty, unethical behavior or corrupt business
practices, e.g. bribery or facilitation payments.

▪ Entrepreneurial Risk
Risk associated with any new business venture or opportunity, new products or new markets


Terminologies

Risk Awareness, Assessment & Management


Risk awareness means ability to IDENTIFY the risks associated with any activity or investment.

Risk assessment means MEASURING the ‘impact’ and ‘probability’ of each risk and then prioritizing those risks
accordingly.

Risk management means how the risks are IDENTIFIED, MEASURED AND MANAGED by the company. Risk
management is important as it protects the company from unforeseen adverse events in future. Directors who
fail to manage risks are failing in their duties to the shareholders.

(More details below)

Risk Appetite
Risk appetite is the amount of risk an organization is willing to take. It is based on the assumption that higher
risks have higher returns and lower risks have lower returns. Risk appetite varies from company to company
depending on its shareholders’ attitude towards risk. In other words, the organization needs to decide whether
it wants to be risk averse or risk seeking (called risk attitude – see below).

Risk appetite also affects the organization’s Risk Policy and Controls, e.g. the higher the risk appetite, the higher
the level of controls needed to manage the risks and protect the organization from adverse effects.

Risk Attitude
Risk Averse organizations have a lower risk appetite as they are more cautious and want to minimize risks.
Hence, they are willing to accept lower returns, e.g. public sector or charitable organizations.
Risk Seeker organizations have a higher risk appetite as they are willing to take more risks in expectation of
higher returns.

Strategic Risks & Operational Risks


Strategic risks arise from the overall strategic position of the company, such as type of industry and markets,
competitors’ strategies, business model (e.g. online), etc. They affect the entire organization, hence are
managed at Board level. However, strategic risks take time to affect the company, i.e. they do not have an
immediate effect.

Operational risks arise from normal day-to-day operations and are more likely to affect some part of the
business and not the entire organization, such as procurement, manufacturing, warehousing, logistics, after
sales service, etc. Operational risks have immediate effects and hence have to be addressed urgently.


Risk Perception – Objective Risks & Subjective Risks


Risk perception is the ‘belief’ that a particular risk may happen. Some risks can be assessed with a high degree of
certainty using historic data and scientific tools, hence these risks can be ‘objectively’ assessed. Some risks
cannot be assessed objectively, e.g. the risk is theoretically present but has never occurred in the past, for example
an earthquake or other natural disaster. It is difficult to assess their probability and impact. Hence subjective risk
perception presents a dilemma to the Board on how to deal with such risks, as the costs for mitigating such
risks are high.

Related and Correlated Risks

Related risks mean that two or more risks are related to each other or may have a common cause. E.g. if an
organization breaches any law and pays a fine (legal risk), then its reputation will be adversely affected
(reputational risk). In this case, legal risk is the independent variable and reputational risk is the dependent variable.

Correlation shows the relation between related risks. Positive correlation means that if one risk increases, then
the other risk will increase too (e.g. legal risk vs reputational risk). Negative correlation means that if one risk
increases, the other risk decreases (e.g. as more money is spent on reducing environmental risk by taking
loans, there is an increase in the financial risk facing the company).

Risk Diversification
Risk diversification means that the company spreads risks across many areas. Risk can be diversified as follows:

▪ Product diversification (having multiple products)
▪ Industry diversification (operating in more than one industry, either related or unrelated)
▪ Geographical diversification (variety of cities and countries)

The more the risk diversification, the lesser the impact of a particular risk.

Risk Capacity
Risk capacity means having resources available to deal with risks. A company cannot take high risks if it does
not have the resources to deal with them. Risk capacity includes technical expertise, financial resources, etc.


ALARP Principle
As Low As Reasonably Practical

Most risks cannot be eliminated completely. The primary focus of risk management is to reduce the risk to a
tolerable level. Level of tolerable risk is a balance between the impact / likelihood of risk versus the cost to
mitigate the risk.

It is the role of the Board to decide the ALARP level for the business to operate at a safe level expected by
government, customers and public. The residual risk after the ALARP level should also be constantly monitored,
as risks are dynamic in nature.


Risk Management
Risk Management
Risk management means how the risks are IDENTIFIED, MEASURED AND MANAGED by the company. Risk
management is important as it protects the company from unforeseen adverse events in future. Directors who
fail to manage risks are failing in their duties to the shareholders.

Risk management strategy is linked with the organization’s corporate strategy. For example, if an organization is seeking
rapid growth, it is likely it will have to take more risks than an organization that is seeking to maintain its
current position.

Risk management is a continuous process as risks are dynamic in nature. Risk level changes over time
depending upon the external environment of the business. Also, it is important to update the ‘probability’ and
‘impact’ analysis so that risk management strategies can remain up to date and effective.

Advantages of Risk Management


Risk management leads to extra costs. However, there are no incremental revenues from risk management. The
advantage of risk management is indirect in nature, i.e. it helps in prevention of major exposure, business
interruption and losses. Following are the advantages of risk management:

▪ Identifies risks which prevent the organization from achieving its objectives
▪ Helps in avoiding or mitigating those risks
▪ Prevents business disruptions or slowing down of operations
▪ Prevents reputational loss
▪ Prevents penalties
▪ Allows organizations to grow in a controlled and safe manner

Risk Mitigation Techniques


▪ Embedding risk in organization’s culture
▪ Enterprise Risk Management (ERM) framework
▪ Risk management strategies (TARA Framework) and heatmaps
▪ Risk Registers
▪ Risk committee
▪ Risk manager
▪ Risk audits
(All covered below)


Embedding Risk In Org’s Culture


Risk awareness at board of directors level only is not sufficient. It needs to be embedded across the entire
organization. It is not an activity but a mental approach which should be built into the Org’s culture. Following
are the ways in which risk awareness and management can be embedded in an organization:

▪ Commitment from top level (place high importance)
▪ Create a risk focused environment
▪ Have a formal Risk committee
▪ Adopt ERM framework, implement internal controls, have risk audit
▪ Human resources / employees:
  - Orientation of new employees upon joining (induction training)
  - Include in individual’s Job Description
  - Regular trainings and workshops
  - Periodic performance appraisal
  - Appreciate and reward good risk behaviors

Enterprise Risk Management Framework


▪ Most organizations adopt COSO’s ERM Framework to manage their risks
▪ Committee of Sponsoring Organizations (COSO) – Enterprise Risk Management (ERM) Framework
▪ ERM Framework links business strategies with risk management across all levels of the organization. It is designed to
identify risks and how to manage them within the risk appetite of the organization. ERM Framework
comprises EIGHT stages:

1. Control Environment
Commitment from top level. Risk management should be embedded in company’s culture and
values (already covered above)

2. Objective Setting
Company’s risk appetite / ALARP level to be determined in line with the business strategies

3. Event Identification
Make list of all possible risks (both external as well as internal risks)


4. Risk Assessment
Assess the impact and probability of each risk and prioritize them in accordance with Expected
Value (EV)

5. Risk Response
Decide the appropriate action for each risk based on EV (e.g. TARA Model)

6. Control Activities
Implement risk responses and actions effectively

7. Information & Communication
Regular training of employees and communication with key stakeholders

8. Monitoring
Undertake ERM process regularly so that changes in risks can be incorporated / updated

Risk Management Strategies (TARA Model)


Transference: Transfer risk to third party, e.g. insurance, outsourcing or franchising
Avoidance: Eliminate risk by totally avoiding activities which cause risk
Reduction: Reduce the impact and probability of the risk by implementing controls
Acceptance: Accept the consequence of the risk, should it happen. Normally adopted for small risks

                      Impact: Low    Impact: High
Probability: High     Reduce         Avoid
Probability: Low      Accept         Transfer


Heat Maps
A heat map is a diagrammatic presentation of the various risks faced by the organisation. It shows all risks in
one picture and helps organization in prioritizing and focusing on high risks

[Figure: heat map grid with Probability (Low, Medium, High) on the vertical axis and Impact (Low, Medium, High) on the horizontal axis]

Risk Register
A risk register is a formal document which lists all the risks which a company faces, along with their possible
impact and probability. This list helps to prioritize risks and to decide which risks need most attention. The
register can then be used as an objective and consistent basis to manage risk, committing sufficient resources
as necessary and providing a holistic view of how risk is being managed throughout the organization.


Risk Committee
The Risk Committee is responsible for oversight of the risks which the company faces and for ensuring that a sound
system of risk management and internal controls exists to deal with those risks. The Risk Committee comprises a
majority of NEDs with some Executive directors, as the specialist expertise of Executive directors can benefit the
committee.

Roles of the Risk Committee:


Relating to Risk Management Process
▪ Implement formal risk management process / ERM framework
▪ Advise the board on risk appetite and ALARP levels
▪ Embed risk management in organization culture
▪ Identify key risks and recommend risk management procedures and controls
▪ Monitor overall risk exposure of the company and ensure it remains within limits set by the board
▪ Ensure risk management procedures and controls are effective
▪ Informing board and shareholders of any significant change to company’s risk profile
▪ Monitor performance of Risk Manager

Relating to Internal Controls


▪ Review and implement internal control systems, policies and procedures
▪ Assess effectiveness of internal controls
▪ Review Internal Controls Report sent to Shareholders
▪ Provide early warning to the board of emerging weakness in the internal control system

Advantages of Having a Separate Risk Committee:


▪ More focused and specialized
▪ More time can be spent by committees as full board has limited time
▪ Higher involvement by NEDs (e.g. in audit or remuneration committees)
▪ Board can focus more on strategic and business matters
▪ Increases shareholder confidence


Risk Manager
A risk manager is a person whose main role is to manage the entire risk management process of the
organization. He/she reports to Risk Committee. Key tasks include:
▪ Establishing overall risk management policies, systems and controls
▪ Suggesting risk appetite and ALARP levels to the Risk Committee
▪ Implementing risk management framework (COSO) and risk management strategies (TARA)
▪ Updating risk registers
▪ Embedding risk management in the organizational culture
▪ Compliance with risk management related regulations and statutes
▪ Reporting

Risk Audits
A risk audit provides an independent assessment of the risk management process and controls in place. Risk
audits can be done by an external firm as well as by the internal audit department. Some regulations require mandatory
risk audits (e.g. SOX). A risk audit includes four stages:

1. Risk identification (e.g. maintenance of risk registers)
2. Risk assessment (impact & probability)
3. Review of controls (effectiveness of internal controls put in place to mitigate the risk)
4. Report (issue report to management commenting on the quality and effectiveness of the risk
management process and identifying shortcomings / recommendations)

Risk audit by an external firm (as compared to internal audit dept) is more beneficial due to:
▪ More independence
▪ Fresh pair of eyes
▪ Brings external experience and best practices
▪ Avoid familiarity threat
▪ Enhance shareholder’s confidence


Benefits of Accepting Some Risks


In order to grab new opportunities and increase profitability, some extra risks need to be taken. Organizations
are now seeking higher risks to benefit from higher rewards. Hence risk management is being used to take
higher risks to increase the probability of positive outcomes and profitability.

                              Risk: Low                        Risk: High
Competitive Advantage: High   Look for more & build on these   Assess Very Carefully
Competitive Advantage: Low    Accept All opportunities         Avoid

Practice Questions
P1 – Jun 2009 Q4: Risk Mgr | Framework | Risk Management (H&Z Company)

P1 – Dec 2015 Q3: Risk Committee | Risk Appetite | Type of Risks (Branscombe)

P1 – Mar/Jun 2017 Q4: Embed in Culture | ALARP | Mitigation Tech (RMBE)
