
EDS3C2 - Business Control and Systems

Types of Risks

Executive Diploma on Business and Accounting

Risk – Levels of RM Sophistication
[Figure: Contribution plotted against Sophistication, with the stages Reform (Hazard Mgmt.), Conform (Control Mgmt.) and Perform (Opportunity Mgmt.)]

1. REFORM : Awareness of non-compliance
2. CONFORM : Actions to ensure compliance
3. PERFORM : Achieve business opportunities
4. DEFORM : Inactivity caused by obsession

Risk Management – Risk Maturity
Levels and their descriptions:

Level 1 - Naive
- Unaware of RM
- Don't recognize the value of structured approaches to deal with uncertainty
- Insufficient attempt to learn from past, prepare for future threats, uncertainties

Level 2 - Novice
- Aware of the benefits of RM – not implemented efficiently
- Experimenting with RM or has an RM process with fundamental weaknesses

Level 3 - Normalized
- RM built into routine business processes
- RM implemented throughout the organization
- Generic RM processes are formalized and benefits are understood at all levels of the organization
- Might not be consistent

Level 4 - Natural
- Risk aware culture, with a proactive approach to RM
- Consideration of risk is inherent to all routine processes
- Risk information communicated and used to gain competitive advantage.

Risk Management – Principles: should be

Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.

Aligned: Risk management activities must be aligned with the other activities in the organisation.

Comprehensive: In order to be effective, the risk management approach must be comprehensive.

Embedded: Risk management activities need to be embedded within the organization.

Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.

Risk Management – Principles

Risk can be identified and Controlled.

What Risk Management should Deliver (CADE3)
1. Compliance with Laws and Regulations
2. Assurance regarding the management of significant Risks.
3. Decisions that pay full regard to risk considerations.
4. Efficiency, Effectiveness and Efficacy in operations, projects and strategy.

Less disruption to normal efficient operations, reduction of uncertainty in relation to change and improved decisions in relation to evaluation and selection of alternative strategies; i.e. Improved Organizational Decision Making

- Hazard Management – Outcome less Negative
- Control Management – reduces the spread/range of possible outcomes; uncertainty.
- Opportunity Management – Outcomes more Positive

Hazard Risk – Management (7R 4T Process)

1. Recognition of Risks
2. Ranking of Risks
3. Responding to Risks
   - Tolerate
   - Treat
   - Transfer
   - Terminate
4. Resourcing Controls
5. Reaction Planning
6. Reporting on Risk
7. Reviewing and Monitoring

Feedback loops shown on the slide: Information Feedback, Experience Feedback.

Ranking of Risks - Assessment
Assessment table columns: Description; Current Level of Risk (Likelihood, Impact, Overall Rating); Risk Rating; Controls in Place; Actions to be taken.

Techniques
1. Questionnaires and Check Lists
2. Workshops and Brainstorming
3. Inspection and Audits
4. Flowcharts and Dependency Analysis
5. SWOT and PESTLE analysis

- Identify key dependencies of the company – what could impact them?
  1. What can undermine them?
  2. What would cause uncertainty for the key dependencies?
  3. What events will enhance the state of the key dependencies?
- Important to quantify the risks, whenever possible.

Impact vs. Likelihood

Ranking of Risks - Assessment
Risk Rating = Likelihood x Impact

[Figure: risk matrix with Impact on the vertical axis]

Low Impact + High Probability (Car Accident) vs. High Impact + Low Probability (Tsunami)

Ranking of Risks - Priority
[Figure: Risk 1 to Risk 5 plotted on a matrix of Impact (Low to High) against Likelihood (Low to High)]

- Risk 1 – Heart Attack, duplicates from China
- Risk 2 – Earthquake, taking ill (Lecturer)
- Risk 3 – Car Accident, taking ill (student)
- Risk 4 – employees taking unauthorized leave
- Risk 5 – Cutting your finger when grating a coconut

Ranking of Risks - Classification

- Time Frame, Nature of the risk, source of the risk, nature of the impact
- To identify similar risks, structure responsibilities and risk management approach.

Short Term
- Impact (after event taking place): Immediate
- Type of Risk: Mostly Hazard Risks
- Impact: Disruption to operations; Operational Efficiency. Continuity and monitoring of routine operations

Medium Term
- Impact (after event taking place): Month – Year
- Type of Risk: Mostly Control Risks
- Impact: Affects the ability of the org. to maintain effective core processes. Management of tactics, projects, change programmes, product launches.

Long Term
- Impact (after event taking place): One – Five Years
- Type of Risk: Mostly Opportunity Risks
- Impact: Affects the core processes that develop and deliver efficacious strategy. More lethal than risks affecting operations and tactics.

Ranking of Risks –Classification (Standards, Frameworks)
Standard/Framework and its classification headings:

- COSO: Strategic, Operations, Reporting, Compliance
- IRM: Financial, Strategic, Operational, Hazard
- BS 31100: Strategic, Programme, Project, Financial, Operational
- FIRM Risk Scorecard: Financial, Infrastructure, Reputational, Marketplace
- PESTLE: P, E, S, T, L, E

Political : Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability.

Economic : Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc.

Sociological : Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming.

Technological : Technology changes that impact your products or services, new Technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain.

Legal : Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation etc.

Environmental/ Ethical : Ecological and environmental aspects, although many of these factors will be economic or social in nature

Ranking of Risks –Classification (FIRM)
Financial
- Description: Risks that can impact the way in which money is managed and profitability is achieved
- Internal or External Risk: Internal
- Quantifiable: Usually
- Measurement (performance indicator): Gains and losses from internal financial control
- Performance Gap: Procedures. Failure in procedures to control internal financial risks
- Control Mechanisms: CapEx standards; Internal Control; Delegation of authority

Infrastructure
- Description: Risks that will impact the level of efficiency and dysfunction within the core process
- Internal or External Risk: Internal
- Quantifiable: Sometimes
- Measurement (performance indicator): Level of efficiency in process and operations
- Performance Gap: Process. Failure of processes to operate without dysfunction
- Control Mechanisms: Process Control; Loss control; Insurance and risk financing

Reputational
- Description: Risks that will impact desire of customers to deal or trade and level of customer retention
- Internal or External Risk: External
- Quantifiable: Not always
- Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile
- Performance Gap: Perception. Failure to achieve the desired perception of the organisation
- Control Mechanisms: Marketing; Advertising; Reputation and Brand protection

Marketplace
- Description: Risks that will impact the level of customer trade or expenditure and customer retention
- Internal or External Risk: External
- Quantifiable: Yes
- Measurement (performance indicator): Income from commercial and marketing activities
- Performance Gap: Presence. Failure to achieve required presence in the marketplace
- Control Mechanisms: Strategic and business plans; Opportunity assessment

Ranking of Risks –Classification (personal issues)
Dependency: Long Term / Medium Term / Short Term

Financial Risks : Procedures gap: How well do your procedures manage your finances?

Investments
  Pension arrangement / Share purchase / Betting habits
  Property purchase / Business opportunities / Insurance arrangements
Expenditure
  Accommodation / Car purchase / Shopping behavior
  Holiday pattern / Rail season ticket / Travel arrangements
  Credit card ownership

Infrastructure Risks : Process gap: How well does your body facilitate your processes?

Health
  Family history / Medical treatment / Exercise
  Personal lifestyle / Dieting / Alcohol and Drugs
  Vegetarianism / Weight gain / Illness / Accident
Emotional
  Marriage and Children / Friendships / Hobbies
  Ethnic origins / Cosmetic Surgery / Sex
  Sexuality

Reputational Risks : Perception Gap: How are you perceived by your peer group?

Personal
  Personality / Mood and temperament / Clothes
  Neighborhood / Charity work / Personal Hygiene
  Criminal Behavior / Charity Donations
Professional
  Intelligence / Qualifications / Attending Trainings
  Behavior patterns / Redundancy / Continuous Learning
  Changing jobs

Marketplace Risks : Presence Gap : What is your presence in the marketplace?

Occupation
  Career Selection / Society Memberships / Society Activities
  Education / Presenting training
Income
  Ambition / Extra part-time work / Selling possessions
  Seniority / Sales of shares / Casual Work

Ranking of Risks –Significance

FIRM risk Scorecard: Typical Benchmark test for significance

Financial
- Impact on Balance sheet of 0.25%
- Profit and Loss impact of 2.5% annual profit

Infrastructure
- Disruption of normal operations by 0.5 days
- Increased cost of operation exceeds 10% budget

Reputational
- Share price falls by 10%
- Event is on National TV, radio or newspapers

Marketplace
- Impact on Balance Sheet of 0.5% turnover
- Profit and Loss impact of 1% annual profit
- Lose projects worth 1 million to competition

Responding to Risks – 4Ts
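Matrix of Impact (Low to High) against Likelihood (Low to High):

- High impact, low likelihood: Transfer - Risk to another party
- High impact, high likelihood: Terminate - The activity of generating the risk
- Low impact, low likelihood: Tolerate - The risk and its likely impact
- Low impact, high likelihood: Treat - The risk to reduce the likely impact or exposure
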
Risk – ISO 31000 Risk Management Process

Risk – IRM Risk Management Process

Risk – Risk Management Framework (RASP)

Risk Architecture
- Roles
- Responsibilities
- Communication
- Activities and processes
- Risk Reporting structure

Risk Strategy
- Objectives, Mandate
- Commitment
- Appetite
- Attitudes
Action to be taken

Risk Management Process

Risk Protocols
- Rules and Guidelines
- Policies and Procedures
- Risk Management Methodologies
- Tools and Techniques

Risk – Risk Architecture

The Board
- Overall responsibility for risk management

Audit Committee
- Receive routine reports from Group RM committee
- Set audit Programme
- Monitor progress with audit recommendations

Executive Committee
- Ensure risk management is embedded into all processes
- Review group risk profile

Disclosures Committee
- Review and evaluate disclosure controls and procedures
- Information disclosed to external parties

Group risk management (RM) committee
- Formulation of strategy and policy
- Compile group risk register
- Receive reports from divisions
- Track RM activity in the divisions

Divisional Management
- Prepare and Maintain the divisional risk register
- Set risk priorities for division
- Monitor projects and risk improvements
- Manage self-certification activities
- Prepare reports for group RM committee

Flows shown on the slide: Reports for evaluation; Inform and Monitor.

Risk – Risk Appetite

Type of Risk Management: Maximum Exposure of the risk, with description

- Hazard Mgmt.: Hazard Tolerance. The negative outcome which is tolerable to the company
- Control Mgmt.: Control Acceptance. Cost associated with controlling the risks
- Opportunity Mgmt.: Opportunity Investment. Resources the company is willing to risk in pursuit of opportunity risk

Risk Appetite = Hazard Tolerance + Control Acceptance + Opportunity Investment

Risk – Risk Appetite (Risk Averse)

[Figure: Impact (Low to High) against Likelihood (Low to High), showing the Comfort Zone, the Caution Zone and the Risk Universe (Concern)]

Risk – Risk Appetite (Risk Aggressive)

[Figure: Impact (Low to High) against Likelihood (Low to High), showing the Comfort Zone, the Caution Zone and the Risk Universe (Concern)]

Risk – Controls and Risks

[Figure: Impact (Low to High) against Likelihood (Low to High); labelled risk levels: Inherent, Intermediary, Current, Target; labelled controls: Control 1, Control 2, Control 3]

Risk – Capacity

- Risk Appetite – Risk level that is appropriate for the organization (decided by the board).
- Risk Exposure – Actual risk the organization is taking.
- Risk Capacity – How much risk the organization can afford to take.

Risk Capacity
- Financial Strength
- Robustness of its infrastructure
- Strength of its brand and reputation
- The competitive nature of the industry/marketplace it operates in

