CHP 8 - Risk (SBL Notes by Sir Hasan Dossani)
Chapter 8
Risk Management
Introduction
Introduction to Risk
▪ Risk means exposure to adverse consequences due to any uncertain event in future
▪ Risk management means how risks are identified, measured and managed by the company
▪ Risks also vary from industry to industry. For example, banks are more exposed to financial risks and manufacturing organizations are more exposed to health & safety risks. Industry risks depend on:
Nature of product and industry (e.g. financial industry vs manufacturing industry)
Investment (e.g. capital-intensive industry)
Regulations (e.g. stricter laws for banks)
Ecological aspects (e.g. oil & gas industry)
Technology (e.g. hi-tech industry)
▪ Financial Risk
Risk of a reduction in the revenue or profitability of the company, or of adverse effects from the way the business is financially structured (e.g. high gearing), its debt financing and its management of working capital and cash flows.
▪ Credit Risk
Risk that customers fail to pay their dues on time.
▪ Liquidity Risk
Risk that the company does not have sufficient cash to pay off its current liabilities. This mainly arises from poor working capital management.
▪ Market Risk
Risk of losses in the capital markets from adverse changes in the company's share price, e.g. difficulty in raising capital to fund expansion plans.
▪ Investment Risk
Risk that the value of investment may fluctuate adversely
▪ Reputation Risk
Risk of harm to the organization's image, brand, goodwill or reputation, including negative publicity and adverse public sentiment.
▪ Political Risk
Risk of government instability or higher intervention in business activities
▪ Regulatory Risk
Risk of adverse changes in laws and regulations directly or indirectly affecting company operations
▪ Technology Risk
Risk from changes to technology essential to support the business, e.g. plant and machinery, IT, software, e-commerce, etc.
▪ Environmental Risk
Risk of liability or losses from any damage to the natural environment caused by the organization, e.g. the risk of an oil spillage by an oil company. It includes depletion of scarce resources, disposal of waste and emissions / pollution / spillage.
▪ Fraud Risk
Risk of fraud by employees, customers, suppliers or other parties
▪ Probity Risk
Risk of the company or its employees being involved in dishonesty, unethical behavior or corrupt business practices, e.g. bribery or facilitation payments.
▪ Entrepreneurial Risk
Risk associated with any new business venture or opportunity, new products or new markets.
Terminologies
Risk assessment means MEASURING the ‘impact’ and ‘probability’ of each risk and then prioritizing those risks
accordingly.
Risk management means how the risks are IDENTIFIED, MEASURED AND MANAGED by the company. Risk
management is important as it protects the company from unforeseen adverse events in future. Directors who
fail to manage risks are failing in their duties to the shareholders.
Risk Appetite
Risk appetite is the amount of risk an organization is willing to take. It is based on the assumption that higher risks bring higher returns and lower risks bring lower returns. Risk appetite varies from company to company depending on its shareholders' attitude towards risk. In other words, the organization needs to decide whether it wants to be risk averse or a risk seeker (called risk attitude – see below).
Risk appetite also affects the organization's risk policy and controls, e.g. the higher the risk appetite, the more controls are needed to manage the risks and protect the organization from adverse effects.
Risk Attitude
Risk averse organizations have a lower risk appetite as they are more cautious and want to minimize risks. Hence, they are willing to accept lower returns, e.g. public sector or charitable organizations.
Risk seeker organizations have a higher risk appetite as they are willing to take more risks in expectation of higher returns.
Operational risks arise from normal day-to-day operations and are more likely to affect some part of the business, such as procurement, manufacturing, warehousing, logistics or after-sales service, rather than the entire organization. Operational risks have immediate effects and hence have to be addressed urgently.
Correlation shows the relationship between related risks. Positive correlation means that if one risk increases, the other risk increases too (e.g. legal risk vs reputational risk). Negative correlation means that if one risk increases, the other risk decreases (e.g. as more money is borrowed to reduce environmental risk, the financial risk facing the company increases).
Risk Diversification
Risk diversification means that the company spreads risks across many areas. Risk can be diversified as follows:
The greater the risk diversification, the lesser the impact of any particular risk.
Risk Capacity
Risk capacity means having the resources available to deal with risks. A company cannot take high risks if it does not have the resources to deal with them. Risk capacity includes technical expertise, financial resources, etc.
ALARP Principle
As Low As Reasonably Practical
Most risks cannot be eliminated completely. The primary focus of risk management is to reduce each risk to a tolerable level. The level of tolerable risk is a balance between the impact / likelihood of the risk and the cost of mitigating it.
It is the role of the Board to decide the ALARP level at which the business operates, so that it runs at the level of safety expected by government, customers and the public. The residual risk remaining after the ALARP level is reached should also be constantly monitored, as risks are dynamic in nature.
Risk Management
Risk management strategy is linked with the organization's corporate strategy. For example, if an organization is seeking rapid growth, it is likely to have to take more risks than an organization that is seeking to maintain its current position.
Risk management is a continuous process, as risks are dynamic in nature. Risk levels change over time depending upon the external environment of the business. It is therefore important to update the 'probability' and 'impact' analysis so that risk management strategies remain up to date and effective.
1. Control Environment
Commitment from the top level. Risk management should be embedded in the company's culture and values (already covered above).
2. Objective Setting
The company's risk appetite / ALARP level is determined in line with the business strategies.
3. Event Identification
Make a list of all possible risks (both external and internal).
4. Risk Assessment
Assess the impact and probability of each risk and prioritize them in accordance with Expected Value (EV).
5. Risk Response
Decide the appropriate action for each risk based on EV (e.g. TARA Model).
6. Control Activities
Implement the risk responses and actions effectively.
8. Monitoring
Undertake the ERM process regularly so that changes in risks can be incorporated / updated.
Heat Maps
A heat map is a diagrammatic presentation of the various risks faced by the organisation. It shows all risks in one picture and helps the organization prioritize and focus on high risks.
[Heat map figure: Probability (High / Medium / Low) on the vertical axis against Impact (Low / High) on the horizontal axis.]
Risk Register
A risk register is a formal document which lists all the risks which a company faces, along with their possible impact and probability. This list helps to prioritize risks and to decide which risks need the most attention. The register can then be used as an objective and consistent basis to manage risk, committing sufficient resources as necessary and providing a holistic view of how risk is being managed throughout the organization.
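The assessment and prioritization steps above (EV = impact x probability, the probability/impact heat map, and a register checked against the Board's tolerable level) as an added worked example; this is illustrative code written for these notes, not from the notes themselves, and the risk names, probabilities, loss figures, band cut-offs and threshold values are all constructed assumptions.

```python
"""Added example: a minimal risk register scored by Expected Value (EV),
placed on a High/Medium/Low probability vs Low/High impact heat map, and
checked against a tolerable (ALARP) EV threshold. All sample values are
constructed for illustration; the band cut-offs are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float  # likelihood over the planning period, 0.0 - 1.0
    impact: float       # estimated loss if the event occurs, in currency units

    def expected_value(self) -> float:
        # Risk assessment step: EV = impact x probability
        return self.probability * self.impact


def probability_band(p: float) -> str:
    # Heat map rows (assumed cut-offs): High >= 0.5, Medium >= 0.2, else Low
    if p >= 0.5:
        return "High"
    return "Medium" if p >= 0.2 else "Low"


def impact_band(impact: float, materiality: float) -> str:
    # Heat map columns: impact at or above a materiality threshold is High
    return "High" if impact >= materiality else "Low"


def prioritise(register: list[Risk]) -> list[Risk]:
    # Step 4: rank the register by EV, highest first
    return sorted(register, key=lambda r: r.expected_value(), reverse=True)


def heat_map(register: list[Risk], materiality: float) -> dict:
    # Group risk names by (probability band, impact band) heat map cell
    cells: dict[tuple[str, str], list[str]] = {}
    for r in register:
        key = (probability_band(r.probability), impact_band(r.impact, materiality))
        cells.setdefault(key, []).append(r.name)
    return cells


def above_tolerance(register: list[Risk], tolerable_ev: float) -> list[str]:
    # ALARP: any risk whose EV exceeds the Board's tolerable level needs a response
    return [r.name for r in register if r.expected_value() > tolerable_ev]


REGISTER = [  # constructed sample register
    Risk("Customer default (credit risk)", 0.30, 200_000),
    Risk("Oil spillage (environmental risk)", 0.05, 5_000_000),
    Risk("Supplier fraud (fraud risk)", 0.60, 40_000),
    Risk("Website outage (technology risk)", 0.70, 10_000),
]
```

Note that the low-probability oil spillage ranks first by EV while sitting in the Low probability / High impact cell, which is exactly the kind of risk a probability-only view would under-prioritize.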
Risk Committee
The Risk Committee is responsible for oversight of the risks which the company faces and for ensuring that a sound system of risk management and internal controls exists to deal with those risks. The Risk Committee comprises a majority of NEDs with some executive directors, as the specialist expertise of executive directors can benefit the committee.
Risk Manager
A risk manager is a person whose main role is to manage the entire risk management process of the organization. He/she reports to the Risk Committee. Key tasks include:
▪ Establishing overall risk management policies, systems and controls
▪ Suggesting risk appetite and ALARP levels to the Risk Committee
▪ Implementing risk management framework (COSO) and risk management strategies (TARA)
▪ Updating risk registers
▪ Embedding risk management in the organizational culture
▪ Compliance with risk management related regulations and statutes
▪ Reporting
Risk Audits
A risk audit provides an independent assessment of the risk management process and the controls in place. Risk audits can be done by an external firm as well as by the internal audit department. Some regulations require mandatory risk audits (e.g. SOX). Risk audits include four stages:
A risk audit by an external firm (as compared to the internal audit department) is more beneficial because it:
▪ Offers more independence
▪ Brings a fresh pair of eyes
▪ Brings external experience and best practices
▪ Avoids the familiarity threat
▪ Enhances shareholders' confidence
Risk
Practice Questions
P1 – Jun 2009 Q4: Risk Mgr | Framework | Risk Management (H&Z Company)
P1 – Dec 2015 Q3: Risk Committee | Risk Appetite | Type of Risks (Branscombe)