
Business risk

Material: parts of chapter 4

1
Outcomes

• At the end of this topic, you should be able to:
  • Explain basic theory relating to risk management
  • Identify business risks in a scenario
  • Formulate actions/controls in response to those risks

2
The COSO framework for internal control

• The five internal control components/elements per the COSO framework:
  • The control environment – see p. 120 in the textbook
  • Risk assessment by management – see p. 121
    • Here we are talking about business risk, not audit risk
  • Control activities – see p. 124
    • Like sound document design, custody controls and segregation of duties
  • Monitoring – see p. 126
  • The information system and communication relevant to financial reporting – see p. 121
• Important: this is a framework for management, not for auditors

3
Risks in a business

• Definition of business risk per ISA 315.12(b): “risk resulting from significant
conditions, events, circumstances, actions or inactions that could adversely affect
the entity’s ability to achieve its objectives and execute its strategies, or from the
setting of inappropriate objectives and strategies”
• Basically circumstances (external or internally “created”) that could knock the entity’s
profitability if not properly addressed
  • And possibly even make it fail
• Note how risks are worded in the textbook – see p. 129, for example
  • Just about all of them end with “resulting in financial losses for the entity”

4
Risk management

• Involves identifying risk, evaluating risk and responding to risk
• Identifying risk
  • Per King IV, the board should consider the risks and opportunities flowing from:
    • The triple context in which the entity operates: economy, society and environment
    • The six capitals that the entity uses and affects: financial, manufactured, intellectual,
      human, social and relationship, and natural capital

5
Risk management
Types of risk

• Strategic risk – risks relating to:
  • What is sold
  • Where it is sold
  • How it is sold
• Compliance risk – risks relating to compliance with laws and other regulations
• Operational risk – risks relating to the ability to execute plans
• Information risk – risks relating to:
  • The information needed to do business
  • The safeguarding of such information
• Financial risk – risks relating to:
  • The granting of credit
  • The capital structure
• Reputational risk
  • Impact of social media!

6
Risk management

• Evaluating risk
• Response will be determined by:
• Probability – the likelihood of the bad thing happening
• Consequences – the impact if it does happen
• Risk appetite and risk tolerance
• See p. 117

7
Risk management

• Responding to risk (p. 117)
• Risk responses available to management include the following:
  • Tolerating or accepting the risk
  • Transferring the risk
  • Mitigating (reducing) the risk
    • Controls
  • Avoiding or terminating the activity or process that creates the risk
  • Exploiting the opportunity created by the risk
  • Combining or integrating some of the above responses

8
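The two slides above (evaluating risk by probability and consequence against risk appetite/tolerance, then choosing a response) can be illustrated with a small risk-register model. This is an added example, not code from the textbook, the slides or any cited framework. The numeric likelihood and consequence weights, the tolerance threshold, the score-to-response rule and the sample register entries are all assumptions constructed for illustration; the likelihood wording (almost certain, likely, possible, unlikely, rare) follows the scale quoted later in the deck.

```python
"""Illustrative risk-register evaluation (added example; all scales and rules assumed)."""

from dataclasses import dataclass

# Likelihood ratings as used in the Woolworths disclosure, mapped to assumed weights 1..5
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Consequence (impact) ratings, assumed weights 1..5
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str
    transferable: bool = False  # e.g. insurable or outsourceable -> transfer is an option


def score(risk: Risk) -> int:
    """Inherent risk score = likelihood weight x consequence weight (assumed scoring)."""
    try:
        return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    except KeyError as exc:
        raise ValueError(f"unknown rating for risk '{risk.name}': {exc}") from None


def suggest_response(risk: Risk, tolerance: int) -> str:
    """Map a score to one of the responses listed on the slide.

    Assumed rule: within tolerance -> tolerate; likely-or-worse and severe -> avoid;
    otherwise transfer if possible, else mitigate (controls). 'Exploit' and
    'combine' are deliberately left to management judgement here.
    """
    s = score(risk)
    if s <= tolerance:
        return "tolerate"
    if LIKELIHOOD[risk.likelihood] >= 4 and CONSEQUENCE[risk.consequence] >= 5:
        return "avoid"
    if risk.transferable:
        return "transfer"
    return "mitigate"


def residual(risk: Risk, likelihood: str, consequence: str) -> Risk:
    """Risk after a control is applied: the 'gunk' the filter lets through (assumed model)."""
    return Risk(risk.name, likelihood, consequence, risk.transferable)


def evaluate_register(risks, tolerance: int):
    """Return (name, score, suggested response) ordered from highest to lowest score."""
    rows = [(r.name, score(r), suggest_response(r, tolerance)) for r in risks]
    return sorted(rows, key=lambda row: -row[1])


# Constructed sample register (names and ratings invented for the example)
TOLERANCE = 6
SAMPLE_REGISTER = [
    Risk("Cyber risk", "likely", "major"),
    Risk("Warehouse fire", "unlikely", "severe", transferable=True),
    Risk("Stock-count rounding errors", "possible", "insignificant"),
    Risk("Trading in a sanctioned market", "almost certain", "severe"),
]

if __name__ == "__main__":
    for name, s, response in evaluate_register(SAMPLE_REGISTER, TOLERANCE):
        print(f"{s:>3}  {response:<9} {name}")
    # A control (e.g. segregation of duties plus monitoring) lowers likelihood; re-check
    cyber_after = residual(SAMPLE_REGISTER[0], "unlikely", "major")
    print("cyber residual:", score(cyber_after), suggest_response(cyber_after, TOLERANCE))
```

Running the block prints the register ranked by score with the suggested response, then re-scores one risk after a control has been applied, which is the point of the "filter" picture later in the deck: the residual score is what still has to be compared with the tolerance line.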
King IV

• What is King IV?
• Relevant recommended practices
  • Principle 11: The governing body (board) should govern risk in a way that
    supports the organisation in setting and achieving its strategic objectives
    • The board should assume responsibility for risk governance by setting the direction for
      how risk should be approached and addressed
    • The board should treat risk as integral to the way it makes decisions and executes its
      duties
    • The board should approve policy that articulates and gives effect to its set direction on
      risk
9
King IV

• Relevant recommended practices
  • Principle 11
    • The board should evaluate and agree the nature and extent of the risks
      that the organisation should be willing to take in pursuit of its strategic
      objectives
    • And in particular:
      • The organisation’s risk appetite
      • The limit of the potential loss that the organisation has the capacity to tolerate

10
King IV

• Relevant recommended practices
  • Principle 11
    • The board should delegate to management the responsibility to implement and execute
      effective risk management
    • The board should exercise ongoing oversight of risk management
    • The board should consider the need to receive periodic independent assurance on the
      effectiveness of risk management

11
King IV

• Relevant recommended practices
  • Principle 11
    • The following should be disclosed in relation to risk:
      • An overview of the arrangements for governing and managing risk
      • Key areas of focus during the reporting period (objectives, key risks, unexpected risks, etc.)
      • Actions taken to monitor the effectiveness of risk management and how the outcomes were addressed
      • Planned areas of future focus

12
King IV

• Relevant recommended practices
  • Principle 8
    • The board of directors can form subcommittees to assist with its work
    • The board should consider allocating the oversight of risk governance to a dedicated
      committee (called the risk committee), or adding it to the responsibilities of another
      committee (typically combined with the audit committee, then called the audit and risk
      committee)
    • This committee should have executive and non-executive members, with the majority
      being non-executives

13
Disclosures
Risk info from Woolworths’s integrated report

[Extracts from the report: “Approach to risk management” and “Risk oversight”]

14
Disclosures
Risk info from Woolworths’s integrated report

• Reporting on risks
  • External reporting on meta risks – see slide 17
  • Internal reporting on group risk profile
  • Internal reporting on entity risk profiles
  • Internal reporting on business unit risk registers

15
Disclosures
Risk info from Woolworths’s integrated report

[Extracts from the report: “Risk appetite and tolerance” and “Combined assurance”]

16
Disclosures
Risk info from Woolworths’s integrated report
• Top strategic risks (at group level), each with a likelihood rating (almost certain, likely,
  possible, unlikely, or rare):
  1. David Jones performance
  2. Fashion, beauty and home performance
  3. Treasury and balance sheet
  4. Cost of doing business
  5. Real estate optimisation
  6. Cyber risk
  7. South African socio-political environment
  8. Digital disruption
  9. Organisational change and talent management
  10. Brand reputation

17
Disclosures
Risk info from Woolworths’s integrated report
• For each of the 10 risks, the following is then provided:
  • Influenced by
  • Impact on strategic objective
  • Mitigations

18
Business risk and the auditor

• The external auditor is concerned about not detecting material (significant)
  misstatements in the financial statements
• If business risks are not addressed internally -> possible risk to the auditor, e.g.:
  • Higher risk of business failure (going concern risk)
  • Poor business performance -> pressure on management to make business performance look
    better than it really is -> higher risk at financial statement level
  • Risk at assertion level, e.g. credit granted without proper controls -> provision for doubtful
    debts may be too low -> higher risk for valuation of receivables

19
Business risk and the auditor

Good controls work like a filter

[Diagram: business risks are like the gunk; controls work like a filter; the gunk that
remains could create risk for the auditor]

20
The Chief Risk Officer, per Wikipedia

“The chief risk officer (CRO) or chief risk management officer (CRMO) of a firm or corporation is the executive accountable for
enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various
segments… CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and
reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk
Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and
technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the
organization and industry. The CRO works to ensure that the firm is compliant with government regulations…and reviews
factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations,
including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the
organization and works diligently with senior management such as the Chief Executive Officer and Chief Financial Officer.
The role of the Chief Risk Officer (CRO) is becoming increasingly important in financial, investment, and insurance sectors…
James Lam, a noted risk professional, is credited as the first person to coin the term. Lam is the first person to hold that
position at GE Capital in 1993. The position became more common after the Basel Accord, the Sarbanes-Oxley Act, the
Turnbull Report.”
21
Executive perspectives on top risks for 2023 (and 2032),
per Protiviti’s Annual Risk Survey
For 2023
1. Organization's succession challenges and ability to attract and retain top talent in a tightening talent market
2. Economic conditions in markets we currently serve may significantly restrict growth opportunities
3. Anticipated increases in labor costs may affect ability to meet profitability targets
4. Resistance to change may restrict the organization from making necessary adjustments to the business model and core operations
5. Uncertainty surrounding core supply chain ecosystem
6. Changes in the overall work environment may lead to challenges in sustaining culture and the conduct of the business
7. Adoption of digital technologies may require new skills in short supply
8. Organization's culture may not sufficiently encourage the timely identification and escalation of risk issues
9. Approach to managing demands on or expectations of a significant portion of workforce to work remotely or as part of a hybrid work environment
10. Organization may not be sufficiently resilient and/or agile to manage an unexpected crisis

For 2032
1. Organization's succession challenges and ability to attract and retain top talent in a tightening talent market
2. Adoption of digital technologies may require new skills in short supply
3. Rapid speed of disruptive innovations enabled by new and emerging technologies and/or other market forces may outpace ability to compete
4. Resistance to change may restrict the organization from making necessary adjustments to the business model and core operations
5. Ensuring privacy and compliance with growing identity protection expectations may require significant resources
6. Existing operations and legacy IT infrastructure may not be able to meet performance expectations as well as "born digital" competitors
7. Inability to utilize data analytics and "big data" to achieve market intelligence and increase productivity and efficiency
8. Economic conditions in markets we currently serve may significantly restrict growth opportunities
9. Regulatory changes and regulatory scrutiny may heighten, noticeably affecting how products or services will be produced or delivered
10. Anticipated increases in labor costs may affect ability to meet profitability targets

22