Risk

The Turnbull guidance and other guidance on control systems places great emphasis
on how control systems deal with risk.
• Risk is a condition in which there exists a quantifiable
dispersion in the possible results of any activity.
• Hazard is the impact if the risk materialises.
• Uncertainty means that you do not know the possible
outcomes and the chances of each outcome occurring.
• In other words, risk is the probability, and hazard the consequences, of
results deviating from expectations. However, risk is often used as a generic
term to cover hazard as well.
Types of risk
1. Fundamental risks are those that affect society in general, or broad groups
of people, and are beyond the control of any one individual. For example,
there is the risk of atmospheric pollution, which can affect the health of a
whole community but which may be quite beyond the power of any
individual within it to control.
2. Particular risks are risks over which an individual may have some measure
of control. For example, there is a risk attached to smoking, and we can
mitigate that risk by refraining from smoking.
3. Speculative risks are those from which either good or harm may result. A
business venture, for example, presents a speculative risk because either a
profit or loss can result.
4. Pure risks are those whose only possible outcome is harmful. The risk of
loss of data in computer systems caused by fire is a pure risk because no
gain can result from it.
Risk and business
• A key point to emphasise is that risk is bound up with doing
business.
• The basic principle is that 'you have to speculate to
accumulate'.
• It may not be possible to eliminate risks without
undermining the whole basis on which the business
operates, or without incurring excessive costs and insurance
premiums.
• Therefore in many situations there is likely to be a level of
residual risk which it is simply not worth eliminating.
There are some benefits to be derived from the management of risk,
possibly at the expense of profits, such as:
• Predictability of cash flows
• Limitation of the impact of potentially bankrupting events
• Increased confidence of shareholders and other investors.

However, boards should not just focus on managing negative risks;
they should also seek to limit uncertainty and to manage speculative
risks and opportunities in order to maximise positive outcomes and
hence shareholder value.
Risk and corporate governance
• One obvious link between risk and corporate governance
is the need to address shareholders' concerns about the
relationship between the level of risk taken and the returns
achieved.
• A further issue is the link (or lack of it) between directors'
remuneration and risks taken.
• If remuneration does not link directly with risk levels, but
does link with turnover and profits achieved, directors
could decide that the company should bear risk levels
that are higher than shareholders deem desirable.
• It has therefore been necessary to find other ways of
ensuring that directors pay sufficient attention to risk
management and do not take excessive risks.
• Corporate governance guidelines therefore require
directors to:
- Establish appropriate control mechanisms for dealing with
the risks the organisation faces
- Monitor risks themselves by regular review and a wider
annual review
- Disclose their risk management processes in the accounts
Nature of enterprise risk management
COSO FRAMEWORK
• There are various frameworks for risk management,
but we shall be looking in particular at the framework
established by the Committee of Sponsoring
Organisations of the Treadway Commission (COSO).
• COSO published guidance on Internal Control –
Integrated Framework in 1992. It published wider
guidance on Enterprise Risk Management in 2004. In
2006 COSO issued Internal Control over Financial
Reporting – Guidance for Smaller Companies.
• This guidance was designed to supplement the
guidance in Internal Control – Integrated
Framework, in the light of the requirement in
section 404 of the Sarbanes-Oxley legislation
for management of public companies to
assess and report on the effectiveness of
internal control over financial reporting.
• Enterprise risk management is a process,
effected by an entity's board of directors,
management and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity and manage risks to be within
its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.
COSO states that enterprise risk management has
the following characteristics.
a) It is a process, a means to an end, which should
ideally be intertwined with existing operations and
exist for fundamental business reasons.
b) It is operated by people at every level of the
organisation and is not just paperwork. It provides
a mechanism for helping people to understand
risk, their responsibilities and levels of authority.
c) It is applied in strategy setting, with management
considering the risks in alternative strategies.
d) It is applied across the enterprise. This means it takes
into account activities at all levels of the organisation
from enterprise-level activities such as strategic
planning and resource allocation, to business unit
activities and business processes.
It includes taking an entity-level portfolio view of risk.
Each unit manager assesses the risk for his own unit.
e) It is designed to identify events potentially
affecting the entity and manage risk within its risk
appetite, the amount of risk it is prepared to
accept in pursuit of value. The risk appetite should
be aligned with the desired return from a strategy.
f) It provides reasonable assurance to an entity's
management and board. Assurance can at best be
reasonable since risk relates to the uncertain
future.
• Senior management ultimately consider these
unit risks and also interrelated risks.
Ultimately they will assess whether the overall
risk portfolio is consistent with the
organisation's risk appetite.
• Risk appetite is the amount of risk an
organisation is willing to accept in pursuit of
strategic objectives.
• It is geared to the achievement of objectives in a number of
categories, including supporting the organisation's mission,
making effective and efficient use of the organisation's
resources, ensuring reporting is reliable, and complying with
applicable laws and regulations.
An approach based on objectives contrasts with a procedural
approach based on rules, codes or procedures. A procedural
approach aims to eliminate or control risk by requiring
conformity with the rules. However, a procedural approach
cannot eliminate the possibility of risks arising because of poor
management decisions, human error, fraud or unforeseen
circumstances.