
STRATEGIC LEVEL

Subject Risk Management (P3)

Akila Gunarathna
Lecturer MBA(UK), ACMA, CGMA, ACCA Affiliate, B.Sc. Engineering (Hons), Dip in Banking & Finance (IBSL)

Module Risk Brief

Code P3/AG/22
Risk Brief
Section 01
• 2 main Objectives of risk taking: To gain competitive advantage and to increase financial
return.
• Speculative Risk can be both upside and downside (Ex: Increasing gearing is speculative
as risk increases and tax benefit also increases).
• Risk: Expected impact of uncertain future events on objectives of the company.
• Business Risk can be Strategic, Product, Commodity, Product Reputation, Operational,
Contractual Inadequacy, fraud and false representation by employee.
• Economic Risk: Inflation, Unemployment, International trade, exchange rate, demand
• Financial Risk: Credit Risk, Currency Risk, Interest Rate Risk, Gearing.
• Currency Risk: Transactional, Translational and Economic.
• Corporate Reputation Risk (Ethical Risk): Child labor, environment performance, social
performance, illegal immigrants.
• International Risk: Culture, Legal, Exchange Rate, Credit Control, Items in transit.
• Government increasing tax is a change in regulation (Regulation Risk).
• Critical Risk in insurance industry is Environmental Risk.
• Value at Risk (VaR): Maximum loss occurring within a given period of time with a given
probability. It quantifies Past volatility.
• Residual Risk may be accepted if management feels the company can bear the risk
(Compared with company’s risk appetite).
• Risk Register needs to be updated regularly (Monthly, Quarterly or yearly, but not
weekly).
• Risk Register content: Probability and likelihood of the risk, name of the risk owner, risk
mitigation technique, impact, residual risk, risk name, adequacy of the assurance.
• Purpose of Risk Register: Ensure that recognized risks are sufficiently managed.
• BOD define the Risk Appetite.
• Audit Committee: Risk Management and controls in the absence of risk committee.
• Risk Committee: Board committee directly responsible for risk management.
• Risk Management group: Handled at operational level, responsible for Raw material
processing and reports to BOD via Audit committee.
• Internal Audit: Review Internal Controls (Doesn’t Implement controls).
• Employees: All should be aware of possible risks and communicate them to managers.
• Responsibility for Risk Management can’t be passed only to the risk manager; it is the
responsibility of all. Risk Management is part of overall business strategy.
• Risk Capacity: Amount of risk the company can bear.
• Risk Attitude: Overall approach to risk.
• Risk Appetite: Amount of risk an organization is willing to accept in pursuit of value.
Depends upon company’s reputation, nature of the product, background of BOD, change
in the market, etc.
• Risk Response strategies: Transfer, Avoid, Reduce, Accept, Diversification, Risk Pooling,
Risk Sharing, etc.
• Accepting Residual Risk doesn’t mean that company is reckless.

P3SS2020 – Risk Brief - Akila Gunarathna 1


• Statistical Estimates are less applicable for severe consequences.
• Enterprise Risk Management Principles:
-Risk Management in Business strategy.
-Everyone’s responsibility, tone from the top.
-Risk Awareness culture.
-Comprehensive Holistic approach to Risk Management (Integrated approach).
-Broad range of risk.
-Focus on risk management strategy, led by BOD.
• In ERM risk is not prioritized based on impact or likelihood.
• Need for an Internal Audit reduces when risk management is implemented.
• COSO MODEL Components:
1. Internal Environment.
2. Objective Setting (Objectives must be within the appetite).
3. Event Identification (Risk Identification).
4. Risk Assessment (Likelihood and Impact quantification).
5. Risk Response.
6. Control Activities (Customize based on risk responses).
7. Information and communication (Check whether controls are in practice).
8. Monitoring (Auditing).
• SWOT and PESTEL are Internal Proactive approaches.
• Expected Value: Maximize return irrespective of the level of risk.
• Treasury Department is a cost centre, hence not encouraged to speculate.
• Profits can be increased from one year to another, without altering Shareholders
Wealth.



Section 02

• Internal Controls: Can be even financial, For effective and efficient operations, For
compliance with laws and regulations.
• Requirement- Efficient conduct of business, safeguard assets, prevent and detect fraud
and error, accurate and complete, timely preparation of financial information.
• COSO model components- Control environment (Culture and organization structure),
Risk assessment (Controllable? Internal or External), Control activities (Authorizing,
Policies and procedures), Monitoring (Internal Audit), Information and communication.
• Internal Controls are embedded in operations, includes procedures for reporting
controls and the ability to respond to changing risks within and outside the company.
• Internal Controls are the methods of responding to risk (risk reduction, not risk
elimination).
• Sound Internal Controls will provide a reasonable assurance on achieving its business
objectives.
• In divisional organization structure, power is delegated to divisional heads while in
functional organization structure power lies with the head office (Should always report
to Head Office).
• Controls can be
-Detective (Audits, Bank reconciliation, inventory counts)
-Preventive (Segregation of duties, Physical access controls)
-Directive (Job description, training, policies)
-Corrective (Credit notes issue, reprocess Internal Controls)
• S-Segregation of duties
• P-Physical controls
• A-Authorization and approval (Segregate to 2 layers)
• M-Management Control (BOD review bi-annually or quarterly, Cross functional teams
review monthly or weekly)
• S-Supervision (Oversight of work – to make sure things don’t go wrong)
• O-Organization (Structure, delegations, teams, reporting lines)
• A-Arithmetic and Accounting (Calculations, Reconcile)
• P-Personal Controls (HR controls, Induction, Training, Recruitment, Non-Disclosure
Agreements)
• Ideal to segregate the duties between 3 people to Authorize, Handle the asset and
Record in the books.
• Non-functional Quantitative Controls- Balance Score Card, Activity Based Management,
Total Quality Management, Project Management controls, Key Performance Indicators.
• Non-functional Qualitative Controls- Physical controls, Strategic plans, Rules (Ex: UK
Bribery Act), Personal Controls, Incentives.
• Balance Score Card is a performance measurement system and Activity Based
Management is a costing and budgeting technique.
• Financial Internal Controls are used for Asset Safeguarding and Maintain Accounting
Records.
• In manufacturing, a good is considered as Work-In-Progress until it passes the Quality
Inspection Stage.



• Internal Controls benefits: Risk reduction, Achieve business objectives.
• Costs involved with Internal Controls: Time to design, Implementation costs, Training
costs, Software upgrades, Monitoring and Review.
• Internal Controls should be independent of the method of data processing. Good
Internal Controls can’t turn a poor manager into a good one and can’t make poor profits
good.
• Internal Audit should be used to check the detailed operation of controls.
• Portable plants are the small assets like USBs.
• Proforma Invoice- Issued by the manufacturer confirming order acceptance.
• The moment the goods leave the premises, the sale is recorded.
• Purchase Order- Document with the final order of what we need.
• 3 Way Matching- Issue Purchase Order (PO); receive Goods Received Note (GRN), which
is essential before an invoice can be entered into the system; receive Invoice.
• For gifts, raise PO with Nil value.
• Receivables can have a credit balance if the customer has paid an advance, or it might
be due to an error.
• Managing Credit Risk: Credit checks, Credit limits, Insuring, Debt factoring without
recourse (Total risk is transferred to the agent).
• Revenue Cycle- Orders delivered fully to customers, goods supplied to customers who
pay fully.
• Purchase Cycle- Purchased with Reliable and competitively priced suppliers.
• Payroll Cycle- Employee payments, payments to other authorities (Ex: Tax).
• Adequate cash forecasting should be carried out to ensure that commitments are
recorded, and overdraft limits are not exceeded (At least for the next 3 months).
• Compare bank pay slips with initial receipts records.
• For authorizations always better if one party is from finance department.
• Provisions for inventory is made if the inventory is not in a good condition.
• Head-Office setting a selling price is a sales control.
• Fixed Asset Registers- Periodically checked, authorize acquisitions and disposals.
• Arithmetic and Accounting measures are not controls to check the safeguards of the
assets.
• Business justification is required on promotional expenses.
• Clerks should not make journal adjustments, unless someone is supervising.
• Having no documents is an indication, but not evidence.
• Pre-Costing: Costing done when pricing an order, Post-Costing: Costing done after the
production. Difference is Planning variance.
• Risk Manager- Implementing Risk Management Framework and controls, Compliance
with regulations.
• Internal Auditors- Check whether the controls are effective or not.
• External Auditors- No direct responsibility involved with risk management, just to check,
identify and include in the management letter.
• BOD- Strategic Decisions, Decisions only taken by directors (Long term finances,
Dividend payments), Corporate Governance issues like Balance of EDs and NEDs in
board, Succession Planning, 3 committees.
• Managers- Specific responsibility in their functional area.
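As an added example that is not part of the original brief: a Python check that enforces the 3 Way Matching rule (no invoice is entered without a GRN, and PO, GRN and invoice must agree) together with the three-person segregation of duties (authorize, handle the asset, record in the books) described above. All document identifiers, names and values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    po_id: str
    supplier: str
    lines: dict            # sku -> (quantity ordered, agreed unit price)
    authorised_by: str     # person who authorised the purchase


@dataclass
class GoodsReceivedNote:
    po_id: str
    received: dict         # sku -> quantity physically received
    received_by: str       # person who handled the asset (goods inwards)


@dataclass
class Invoice:
    po_id: str
    supplier: str
    lines: dict            # sku -> (quantity billed, unit price billed)
    entered_by: str        # person recording the invoice in the books


def three_way_match(po, grn, inv, price_tolerance=0.01):
    """Return a list of exceptions; an empty list means the invoice may be posted.

    Rules applied: a GRN must exist before an invoice is entered; PO, GRN and
    invoice must agree on reference, supplier, quantities and price; and
    authorising, handling the asset and recording must be three different people.
    """
    problems = []
    if grn is None:
        problems.append("no GRN on file for PO %s; invoice cannot be entered" % po.po_id)
        return problems
    if inv.po_id != po.po_id or grn.po_id != po.po_id:
        problems.append("PO references on the three documents do not agree")
    if inv.supplier != po.supplier:
        problems.append("invoice supplier %r differs from PO supplier %r" % (inv.supplier, po.supplier))
    if len({po.authorised_by, grn.received_by, inv.entered_by}) < 3:
        problems.append("segregation of duties breached: authorise, handle and record are not three people")
    for sku, (qty_billed, price_billed) in inv.lines.items():
        if sku not in po.lines:
            problems.append("sku %s billed but never ordered" % sku)
            continue
        qty_ordered, price_agreed = po.lines[sku]
        qty_received = grn.received.get(sku, 0)
        if qty_billed > qty_ordered:
            problems.append("sku %s: billed %d but ordered %d" % (sku, qty_billed, qty_ordered))
        if qty_billed > qty_received:
            problems.append("sku %s: billed %d but only %d received" % (sku, qty_billed, qty_received))
        if abs(price_billed - price_agreed) > price_tolerance:
            problems.append("sku %s: price %.2f differs from agreed %.2f" % (sku, price_billed, price_agreed))
    return problems


# Constructed sample documents (hypothetical identifiers, people and values).
PO = PurchaseOrder("PO-1001", "Acme Ltd", {"A1": (10, 5.00), "B2": (4, 20.00)}, "alice")
GRN = GoodsReceivedNote("PO-1001", {"A1": 10, "B2": 3}, "bob")
INVOICE_OK = Invoice("PO-1001", "Acme Ltd", {"A1": (10, 5.00), "B2": (3, 20.00)}, "carol")
# Bills more of B2 than was received, at a higher price, and is recorded by the
# same person who authorised the PO.
INVOICE_BAD = Invoice("PO-1001", "Acme Ltd", {"A1": (10, 5.00), "B2": (4, 22.00)}, "alice")


def run_checks():
    """Return the exception lists for the good invoice, the bad invoice and a missing GRN."""
    return {
        "ok": three_way_match(PO, GRN, INVOICE_OK),
        "bad": three_way_match(PO, GRN, INVOICE_BAD),
        "no_grn": three_way_match(PO, None, INVOICE_OK),
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "->", problems or ["clear to post"])
```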



• Supervisors- Controls over Operational matters (Work force safety, Reduce chance of
fraud, Responsible for weak Internal Controls leading to fraud).
• BOD consider whether weakness in Internal Controls need to be addressed (Cost vs
Benefit).
• Owner’s support is needed for small businesses to implement internal controls.
• Small businesses with many branches: Keep formalized budgeting control at Head
Office, Delegate to branch managers, Open Head Office for any issue in branch.
• Senior Managers often override controls (They have the authority and they monitor
controls).
• Threats to Control Environment: Senior Managers not producing receipts, Internal Audit
team not following the Internal Control Weaknesses.
• Regularly changing procedures to comply with legislation is not considered as a threat to
the control environment.
• Internal Audit add value to business and improve organization operations. It gives a
more holistic review of risk and control.
• Internal Auditors are not responsible for the execution of company activities. They might
advise management and BOD on how to execute responsibilities.
• Role of Internal Auditor: Monitor and review effectiveness of the controls.
• Primary responsibility for providing assurance on risk and controls lies with
management.
• Scope of work, Authority and resources of Internal Audit should be reviewed annually.
• Work of the Internal Auditor will be used by the External Auditor. Internal Auditor assists
External Auditor in carrying out External Audit procedures.
• Attribute Standards for Internal Auditor: Independence (Access to NED/ Chairman),
Objective (Shouldn’t review a work where he was responsible earlier), Professional Care
(Relevant Competency).
• Performance Standards:
-Managing Audit (Scope decided by Audit Committee NEDs)
-Risk Management (Evaluate significant risk exposure)
-Governance (Auditor should be able to report any weakness in CG without any fear of
dismissal)
-Internal Audit work (Should analyse adequate information before conclusion).
-Communicating results (Communicate to appropriate persons, recommend action plans
with management letter).
• Benefits of outsourcing Internal Audit: Low cost initially, Increased independence, Risk
of staff turnover is passed, saves admin time.
• Drawbacks of outsourcing Internal Audit: Expensive in the long run, Unfamiliarity with
company culture, less control over standard of service, less flexible, conflict of interest if
provided by external auditor.
• Efficiency measures for Internal Audit: Cost per Audit report, number of audit days,
number of audit reports.



                 External Audit                           Internal Audit
                 Required by law for listed companies     Decided by BOD and Shareholders
Appointed by     Shareholders or BOD (Audit Committee)    BOD via Audit Committee
Report to        Shareholders                             NEDs in Audit Committee
Opinion          True and Fair View                       Adequacy of Internal Controls
Scope            Unlimited                                Prescribed by NEDs in Audit Committee

• Findings of the Internal Audit are inputs to the External Audit plan.

• Fraud identification is a responsibility of the BOD.
• Transaction Audit: Check sample of transactions against documentary evidence.
• Risk Based Audit- Check risky areas and plan for them.
• Post Completion Audit (PCA): Evaluate investments after done with it for a reasonable
time to identify variances, general lessons, etc.
• Disadvantages of PCA: Costly and time consuming, use as a blame, requires good data
collection, not a solution for all business problems.
• Managers may not undertake projects with high risk even if they are within the risk
appetite.
• Post Implementation Review (PIR): Done during system implementation to check if the
system works as expected.
• PCA of an IT system is similar to PIR.
• Decision to outsource or Inhouse considers Effectiveness of that operation.
• Environment report in annual report is accompanied by auditor’s statement.
• Management Audit- Independent appraisal of the effectiveness of managers.
• System Based Audit- Appraising whether the objectives of the system are achieved or not
(Ex: Sales Ledger System, EPOS system, Non-Current Asset Recording Register)
• Objectives of Audit Planning: How much resources are required? How to get evidence?
How to achieve objectives?
• Compliance test: Test of controls (Effectiveness of test procedures)
• Substantive test: Test of transactions (Analytical review, checking the numbers)
• If compliance test is not passed, substantive tests are conducted during the audit.
• Examining the minutes of the last board meeting is not a compliance test.
• Audit Risk for financials:
-Inherent Risk (From the nature of the business and its environment).
-Control Risk (Weak controls related to financial statements).
-Detection Risk (Auditor’s weakness in detecting).
• Sampling Risk: Sample containing exceptional items and not representing the entire population.
• ISO 14001 is a Quality Audit, Compliance Audit as well as an Environment Audit.
• Internal Auditor should do a Post Implementation Review to see how its
recommendations are implemented.
• If residual risk is not reduced by recommendations the controls are not worth
implementing.
• Internal Controls should be introduced in a way that staff morale is not damaged.
• Even if no fraud has occurred yet, having Internal Controls would prevent future
frauds.



Section 03
• Strategy: Where to compete? How to compete? How to achieve sustainable competitive
advantage?
• Strategic Business Units can be established based on products, locations, etc.
• Rational model: No sustainability, encourages creativity (Strategic options).
• Risk of using 3Es: Wrong measures, Conflict between measures, some measures aren’t
easy to measure.
• Strategic planning and their risks:
- Traditional: Risk of objectives not capturing market considerations (Unrealistic
Objectives).
- Market Lead: Risk of incorrect future estimates (Market Changes).
- Resource Based: Risk of making the products complicated and not producing what
market wants.
• Cost Focus can ultimately become a cost leader one day if it expands its customer base.
• Sustainability issue will arise for Focus Strategy.
• Differentiation may suffer in recession due to high marketing cost involved in increasing
brand image.
• Lowest Risk is with Market Penetration and Highest Risk is with Diversification.
• Franchising: Can control centrally. Licensing: Unable to control.
• Inorganic growth is expensive, while organic growth takes time.
• Sources of Business stress: Workforce strikes, Cyber-attacks, economic cycles, change in
consumer preferences, product obsolescence.
• Scenario Planning: Encourage creative thinking, prepare contingency plans, time
consuming, not all scenarios will materialize, increase cost. Bounded rationality, risk of
self-fulfilling prophecy.
• In a developed country, strategy is affected if the “National Government” changes,
changes in local infrastructure won’t affect, development technology affects.
• Reducing Research and Development cost is unhealthy for high-tech companies.
• If competitors provide an equivalent product to the market, then use product
development.
• When cash-free stores are introduced, sales would get reduced initially due to the
resistance.
• Risks arising for a UK company from Brexit: new legislation, export limits, availability of
raw materials that are normally imported, No direct currency risk.
• Essence of Game theory: Try to collaborate when making strategic decisions, if
communication is possible.
• Getting benefits in personal level is not accepted, reasonable dealings in business level
are accepted.
• Corporate Governance (CG): System by which organizations are directed and controlled
in the interest of Shareholders and Other Stakeholders.
• UK (principle based): Leadership, Effectiveness, Accountability, Remuneration, Relations
with Shareholders.
• US (Rules based): Sarbanes Oxley Act (SOX).
• Criteria to select NEDs: Can’t have had material business relationships within the last 3 years,
been an employee of our company in the last 5 years, cross directorships in other companies,
received other remuneration than Director fee, family ties with Executive Directors,
a significant stake in the business, or served more than 9 years on the board.
• NEDs can hold meetings with the chairman without the presence of Executive Directors.
• One NED should be directly available to Shareholders if they have concerns.
• Main function of NEDs: Safeguard the interest of Shareholders.
• Audit Committee: At least 3 NEDs, implement policy on getting Non-Audit services from
External Auditor, Recommend and appoint External Auditor and set remuneration and terms,
facilitate whistle-blowing, Appointment and termination of Head of Internal Audit,
Carry out PCA review, Decide annually whether the company needs an Internal Audit
function, 1 member with recent financial experience should be there.
• Remuneration Committee: Remuneration of CEO, Chairman, senior managers and all
executive Directors. Should not give the share option to NEDs. If given, exercise date of
the shares should be dated at least one year after the termination.
• Conditions in SOX:
- Auditors are restricted in providing additional services.
- Essential to have an Audit committee.
- Audit partners must change every 5 years.
- Detailed off-balance-sheet disclosures.
- Directors are prohibited from trading shares in sensitive periods.
- Financial Statements vouched for by CEO and CFO.
- Annual reports include a report on the Internal Control (IC) system.
• Agency Problem: Directors acting on their own interest rather than Shareholders. To
ensure goal congruence, bonuses are linked with long term non-financial measures, not
with short term profit targets.
• Main Aim of External Risk Reporting: Provide re-assurance to stakeholders that risks are
being appropriately identified and managed.
• CSR: Company should be sensitive to the needs of all stakeholders, align company’s core
values with the values of the society.
• Brand: What the organization promises (Organization can control).
• Reputation: How people think of it (Hard to control).
• Strategic Alignment: Delivering what you promise and what customers expect.
• Transfer pricing can affect the reputation of a company due to the reduction of global tax
liability.
• If products with faults are sold, go public about the fault and recall affected ones. Don’t
engage in false representation of the actual event.
• Product reputation of a company can be measured with product returns, customer
interviews, customer reviews.
• Reputation Risk Management: Long term planning, built into corporate culture, based
on assessment of issues likely to impact company.
• Paying staff at levels below the industry average is not directly affecting the reputation
of a company.
• Fraud may occur due to dishonesty, opportunity or motive.
• Opportunity is eliminated by segregation of duties.
• Ponzi scheme (Pyramid Scheme): Offer more incentive for joining others than selling a
basic product.
• If cash is involved, the higher risk of committing a fraud.



• Prevention, Detection and Response strategies are developed in companies to address
fraud.
• Prevention: Anti-fraud culture, risk awareness, whistleblowing, Internal Controls.
• Detection: Regular checks, whistle-blowers, warning signals.
• Internal Controls are the most effective controls for frauds.
• Fraud Recruitment Policy: Having a defined fraud policy that includes recruitment
issues, take references from previous employer.
• Primary responsibility for prevention and detection of fraud is with BOD.



Section 04
• Cyber risk: Any risk of financial loss, disruption, reputation loss from some sort of failure
of its information tech (IT) systems.
• Sensitive Information: Personal Information, Business Information, Classified
Information.
• Pilot Changeover: Completely new system is implemented in one branch and the
learnings are applied when implementing in other branches (Not effective for branches
with distinct systems). Less expensive than parallel and less risky than direct.
• Least disruptive changeovers: Parallel and Phased.
• Risk of failure in direct changeover can be reduced by data backup and testing.
• White hat hackers: Ethical hacking, Black Hat Hackers: Illegal.
• Malware types:
-Ransomware: Lock data and ask for money.
-Botnets: Use bots for different types of data gathering.
-Malvertising: Injecting malicious advertisements into legitimate online advertising networks
and web pages.
-Phishing: Emails with links sent by someone pretending to be a trustworthy source.
• Application Attacks:
-SQL Injection: Malicious SQL statements sent to our database to read its data or modify
it.
-Cross Site Scripting (XSS): Inserting malicious code into a website, which the website then
delivers to its clients’ devices, in order to gather the clients’ data.
-Distributed Denial of Service: Flooding the service with traffic from many IP addresses to
slow it down.
• Social Engineering: Manipulation of people to make them perform specific actions or
reveal confidential information.
• Credit Cards details are not stored if payments are done through Direct Debit.
• VPN is a connection type and Cloud is a service provider.
• Methods of protection: Policies and policy management, software updates,
configurations, security products (Anti-virus software), application software controls.
• Detection Strategies: Event monitoring, Intrusion detection and prevention systems,
threat monitoring, user reports.
• Primary functions of the response team: Minimise any losses, restore normal
operations as soon as possible, assist with any investigation, help to support decision
making (Keep Patient alive).
• Benefits of block-chains: Reduced cost of maintaining ledgers, save time of staff, provide
absolute certainty over ownership.
• If data is encrypted, only the intended recipient is able to access it.
• If there’s news about a cyber-attack on a similar company, first check whether it is
possible in our systems (Risk Assessment).
• Network Configuration Management identifies components of IT system which haven’t
had software updates.
• Forensic Analysis:
-System Level Analysis- Looking for footprints in the sand (System operating
components, configuration changes, services enabled without authorization, fake
accounts created, etc.).
-Storage Analysis- Recovering deleted documents unethically.
-Network Analysis- Network traffic (What data is transferred can’t be seen, but who uses
the network can be seen). Analyzing network traffic using 3rd party cloud storage servers can
cause privacy issues.
• Reverse Engineering can be used to find out what the malware is trying to get.
• Penetration testing is used by white hat hackers to check the weaknesses of the current
system.
• Software level Security in 3 levels:
- Level 1- Prevent access
- Level 2- Notify appropriate parties
- Level 3- Automatic urgent action (Locking data)
• Digital Resilience: Doing more than the minimum to protect the company and comply
with regulations, by integrating cyber-security into the business operations.
1. Identify all the issues.
2. Aim towards a well-defined target.
3. How best to deliver the new cyber security system.
4. Establish risk resource trade-offs (Select the best for organization)
5. Develop a plan that aligns business and technology.
6. Ensure sustained business engagement.
• For Insurance taken on Cyber Risks: Disclose process for identifying risk and the role of
insurance in company’s risk control.
• Endpoint Protection only works if the company’s network is regularly reassessed. Use of
IoT devices increases the importance of endpoint security.
• Business process controls, IT controls and Cyber Security controls are used to
strengthen the company’s defenses against cyber risk.
• AICPA components: Management Description, Management Assertion, Practitioner’s
Opinion (Qualified CPA’s opinion).
• AICPA 2 criteria: Attributes and Control.
• NIST 3 components: Implementation Tiers, Core, Profiles.
• AIC Triad: Availability (Online 24/7), Integrity (Only authorized people modify data),
Confidentiality (Limit access by unauthorized people).
