
KOLEJ UNIVERSITI TUNKU ABDUL RAHMAN

FACULTY OF ACCOUNTANCY, FINANCE AND BUSINESS


SEMESTER DECEMBER 2017/2018
BBMF 3073 RISK MANAGEMENT
TUTORIAL 2 (WEEK 3)

1. Why is risk management important in the public sector?

Risk management is important because it enables the public sector to become more
reactive to changes, to make better decisions on operating more effectively in the
future, and to improve internal efficiency. For example, a company builds a customer
database for its business and uses the database to provide information to customers to
prevent the loss of customers. The company can start computerising its daily work
to improve efficiency.

2. Outline the five (5) basis for poor risk management.

- Looking only at the inward-facing project risks without considering risks to the
organization's business as a whole. For example, a company bought a second-hand car
for its business and considered only the maintenance fee; it did not consider the risk of
the car breaking down and leaving the business unable to continue operating efficiently.
- Just listing the risks without prioritizing them or considering the extent to which
risks are correlated with each other. The company has identified the risks but did not
deal first with the urgent ones, or with those that could be settled together with other
risks it found. For example, the company's servers are old, so its service to customers is
inefficient and it may lose customers. The company can replace the servers to address the
risk of the system breaking down and prevent the loss of customers.
- Failure to understand the ultimate risks of not meeting the business objectives. The
logistics company only maintains its old lorry and does not keep a depreciation account
in preparation for buying a new lorry.
- Just depending on the contract or its penalty clauses to mitigate the risk. The company
thinks the contract can protect it, so it takes no preventive measures against customers
going bankrupt and being unable to settle their fees.
- Failure to monitor the effectiveness of the risk management process, or having no
contingency plan. The company did not establish the risks it is facing, so risk
management cannot perform well in terms of prevention.

3. Discuss the role of corporate governance as the proponent of a good enterprise risk
management system. (3 more points)

Corporate governance is a basic framework from which effective risk management takes
shape. Corporate governance defines the division of responsibility within the organization
for risk management, and determines the means with which, at each level, risk
management will be implemented.
To have a good enterprise risk management system, corporate governance acts as a
catalyst that pressures for good ERM. In addition, it pressures for the adoption of sound
risk management and the disclosure of all risk management approaches, and provides
top-down monitoring of enterprise risk management.
One of the roles of corporate governance is to explain to the shareholders about the
organization's current status. This is because ERM normalizes the relations between the
BOD, top management and shareholders.
The role of corporate governance is also to ensure that the boundaries are set
appropriately, and the organization is conducting its business within those boundaries.
Lastly, monitoring and reviewing the risk management and internal control systems is
also part of the role of corporate governance, as they should function effectively, with
corrective action taken where necessary.

4. Discuss the six (6) features of effective risk management.


● Risk management policies and benefits should be clearly communicated to all staff. For
example, an organization needs to have a safety policy and should communicate the
policy to all the employees.
● Senior management needs to support and promote risk management. The risk
management must begin from and be supported by the highest management level within
the organization. This includes the government level and the CEO.
● The department’s culture should support the nature of risk taking. As an example, the
finance department has its own role to manage an organization's liquidity risk.
● Risk management should be embedded in management processes. Every process, project,
or decision must incorporate risk management and clearly spell out all the risk
undertakings.
● The management of risk should be closely linked to the achievement of objectives. For
example, the ultimate goal of risk management in every business function is to maximize
the value of the organization. Thus, risk management decisions should be appraised
against the standard of whether they will contribute to value maximization.
● Risks associated with other organizations should also be assessed and managed. For
instance, supplier risk management is necessary to identify and control the threats to an
organization’s earnings that are caused by the supply chain.

5. State the eight (8) areas of ERM and explain each area.

● Internal control environment: It covers management philosophy to risk, risk appetite,
integrity & ethical value, and environment in which they operate.
● Objective setting: The objectives of the organization should be reflected in the risk
appetite and in how the objectives and risk are aligned.
● Event identification: Both internal and external events that affect the organization must
be identified and distinguished between risks and opportunities that could affect strategy
and achievement of objectives.
● Risk assessment: Risks are analyzed considering likelihood and impact, as a basis for
determining how risks should be managed. The assessment employs a combination of
both qualitative and quantitative risk assessment methodologies.
● Risk response: Management selects how risk should be responded to. The options are
evaluated in relation to the entity’s risk appetite, the cost vs. benefit of potential risk
responses, and the degree to which a response will reduce impact and/or likelihood. A
response is then selected and executed based on the evaluation of the portfolio risks and
responses.
● Control activities: Management sets and implements policies and procedures to ensure
the risk responses are effectively carried out. These activities occur throughout the
organization, at all levels and in all functions.
● Information and communication: In this area, effective communication should serve
both internal and external stakeholders.
● Monitoring: Risk management processes are monitored and modifications are
made if necessary. This ensures that new measures are introduced so that the risk
treatment strategies remain relevant, and the overall risk control position is relative to the
potential costs of the risk.

6. What are the benefits of ERM? Discuss.

(a) Alignment of risk appetite & strategy. Risk appetite refers to the degree of risk that the
business is willing to accept. Management needs to consider the risk appetite of the organization
(shareholders) and then align it with the business strategies, as different companies have different
priorities. For example, for a warehouse, if the main risk is fire, then the first strategy will be to
have fire extinguishers.

(b) Link growth, risk and return. Risk is part of value creation, and management will seek
a certain level of return for the risk undertaken.

(c) Choose best risk responses. ERM helps the organization select the best response method to
deal with risk. For example, choose risk responses that are within the company budget.

(d) Minimize surprises and losses. ERM helps the organization to reduce the occurrence of
unexpected problems.

(e) Identify and manage risk across the organization. Risk management is seen as everyone’s
responsibility; experience and practice are shared across the business, and a common set of tools
and techniques is used. For example, COVID-19 is a new norm where everyone should be
responsible for managing the risk from this pandemic.

(f) Provide responses to multiple risks. One system for many uses. For example, everyone has
to wear a face mask outdoors during the pandemic.

7. Discuss the seven (7) steps in the risk management process.

Step 1: Establish the context


- This process is to establish the strategic, organisational and risk management context in
which the rest of the process will take place.
- The criteria against which the risk will be evaluated should be established and the
structure of the analysis is defined.

Step 2: Risk Identification


- This process is to identify what risks are faced, how the risks arise, why the risks appear
and when the risks surface, in order to form the basis for further analysis.

Step 3: Risk Analysis


- The analysis should consider the range of potential consequences and how likely those
consequences are to occur.
- The consequences and likelihood may be combined to produce an estimated level of risk.

Step 4: Risk Evaluation


- The estimated risk is compared against the pre-established criteria. This enables
risks to be ranked so as to identify management priorities.
- If the levels of risk established are low, then the risks may fall into an accepted
category and treatment may not be required.

Step 5: Risk Treatment


- In this step, risks should be treated in order of priority. For example, accept risks that
are low priority, such as those with low risk and low impact.

Step 6: Monitoring and Reviewing the risks


- This step is to monitor and review the performance of the risk management system and
changes which might affect it.

Step 7: Communication and Consultation of the risk


- Communicate and consult with internal and external stakeholders as appropriate at each
stage of the risk management process and concerning the process as a whole.
