
Accounting Information Systems
1st Edition
Savage ● Brannock ● Foksinska

Chapter 2
Risks and Risk Assessments


Copyright ©2022 John Wiley & Sons, Inc.


Chapter Preview
• The nature of risk
• Categorizing risk
• Prioritizing risk
• Responding to risk



Learning Objectives
2.1 Describe the nature of risk.
2.2 Classify risks into different risk categories.
2.3 Determine the quantitative value of risk.
2.4 Explain how businesses respond to risk.



Learning Objective 2.1
Describe the nature of risk.



Understanding Risk
• It is essential for accounting professionals to understand
risk – including emerging trends in risk management
• Technology provides new ways to manage risk while also
creating risks related to its use
• Accounting professionals assess and address risk
constantly, both formally and informally



Importance of Risk
• Anything that can possibly hinder the success of a business
achieving its goals or cause a loss is an unfavorable event,
and risk is the likelihood of an unfavorable event occurring
• Risks differ by business type, size, industry, and location
• If a company wants to be at the forefront of its industry, it
must be willing to accept calculated risk
• A risk-aware culture lets businesses proactively identify and
manage risk



Optimal Level of Risk-Taking

ILLUSTRATION 2.1 There is a sweet spot for risk



Applying Risks to a Business
• When considering risk, companies need to know where the
risk takes place within their organizational structures
• Companies consider risk at a business function level
o a high-level business area or department that performs
business processes to achieve company goals



Different View of Risks
• Risk can relate to a single business event, business process,
business function, or the entire company at an entity level
o The more granular its identification, the more specific the
business can be in addressing it
• Businesses combine two views of risk to ensure optimal
risk management
o A portfolio view examines risk at the entity level, and a
profile view considers risk at the more granular level of a
business function, process, or event



Enterprise Risk Management
• Risk can be viewed at the entity level, which means it is
looked at across the entire organization
• Enterprise risk management (ERM) is the comprehensive
process of identifying, categorizing, prioritizing, and
responding to a company’s risks



The Four Steps of ERM

ILLUSTRATION 2.4 The four steps of ERM are identify, categorize, prioritize,
and respond


Identifying Risks
• Accountants use critical thinking to analyze all possible
outcomes
• Identifying risks is a “worst-case scenario” exercise
• There are a number of ways to identify risks, such as
o conducting brainstorming exercises
o using data to investigate historic events to predict future
occurrences
o diagramming business processes to look for weaknesses
o developing assumptions about operations and risks



A Risk Statement
• A risk statement contains two parts: the issue and the
possible outcome
• Risk statements come in many forms
o Some common keywords are “because,” “caused,” and
“possible”



Let’s Chat! (1 of 4)
Is taking on significant business risk always negative? How
could a business benefit from taking on significant business
risk? Explain with examples.



Learning Objective 2.2
Classify risks into different risk categories.



Categorizing Identified Risks
• It is important to know how to classify risks because they can be
found at the entity level and across every business process
• Internal risks occur throughout a company’s operations and
arise during normal operations
o Most internal risks are preventable through careful risk
identification and management
• External risks are risks that come from outside the company
o While external risks are often unpredictable, companies still
prepare for them to the best of their abilities



Internal Risks
• There are three major internal risk categories
o Operational risk
o Financial risk
o Reputational risk



External Risks
External risks are less predictable and harder to control than
internal risks. The three external risks we discuss are
• compliance risk
• strategic risk
• physical risk



Six Types of Risk & Examples

Source           Type           Example
Internal Risks   Operational    Technology interruption
                 Financial      Failed investments
                 Reputational   Data breach making the news
External Risks   Compliance     Regulatory fines
                 Strategic      Beaten by competitor
                 Physical       Natural disasters

TABLE 2.2 Six Types of Risk and Examples



Risk Inventory
• Once a company has identified and categorized risks, the
risks are compiled into a risk inventory, which is a listing of
all the business’s known risks
• Using an entity-wide risk inventory allows the ERM team to
map risks to business objectives, business processes, and
one another
• This is an essential part of approaching risk at the entity
level and creating a portfolio view



Let’s Chat! (2 of 4)
Boeing grounded its best-selling plane, the 737 MAX, in March
2019 after two fatal crashes killed 346 people. These crashes, and
the subsequent grounding of planes, significantly damaged
Boeing’s reputation. Investigators linked faults with the plane’s
software design to both crashes. Boeing halted production in
January 2020 and has a large inventory of undelivered 737 MAX
planes in storage. Was this calamity a result of (1) an identifiable
internal risk or (2) the threat of an external risk? Explain why and
prepare a risk statement for this crisis, mapping it to a single
internal or external risk category.



Learning Objective 2.3
Determine the quantitative value of risk.



Prioritizing Risk
• Prioritizing risk is a crucial step for businesses because
o companies have limited resources—equipment, space,
people, and budgets—they must determine which risks those
resources should be used to address
• While many methods can be used to prioritize risk, the
most common is prioritizing by severity



Evaluating Risk Severity
Risk severity is the likelihood of risks occurring and their
potential impact on the company
• Likelihood is the estimated probability of risk occurrence
• Impact is the estimation of damage that could be caused if the
risk occurs
• Likelihood and impact are measured on a scale of low to high



Using Risk Formulas
• When a company uses only qualitative assessments,
multiple risks may have the same rankings
• The qualitative approach is first used to assign likelihood
and impact, and then a quantitative method is used to
score each risk
• A point value of 1-5 is applied to the likelihood and impact
rankings, with 1 being the lowest and 5 being the highest
value
o This allows a final risk score to be calculated by multiplying
the two numbers together


Likelihood Risk Scale

ILLUSTRATION 2.8 Likelihood is scaled from one to five, based on the
probability of an outcome occurring



Impact Risk Scale

ILLUSTRATION 2.9 Impact is scaled from one to five, based on the impact the
outcome could have on the business



Risk Scores
• Risks with similar risk scores may be treated differently,
based on judgmental decision making
• Risk scores are often complex, using decimal points,
products, averages, and more to eliminate unnecessary
information
• Every company’s approach to risk calculations is different
o In other words, there’s no universally accepted best practice
for how these numbers are generated



Creating Risk Matrices
• A risk matrix helps paint a clearer picture of risk than just a
number
• A heat map is a type of risk matrix that uses different colors
to represent values of data in a map or diagram format
o The different colors in the risk matrix heat map represent the
priority of a risk based on the risk score; green is lower
priority, and red is higher priority
o It provides a holistic, big-picture view of risk



Risk Rankings on a Risk Matrix

ILLUSTRATION 2.10 Risk rankings appear on a colored heat map
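
An added worked example, not taken from the textbook or its slides: it scores a small risk inventory as likelihood times impact on the 1-5 scale, then shows why the matrix says more than the number, since two risks can share a score while sitting in different cells. The risk names come from Table 2.2; the ratings, the colour cut-offs and the middle "amber" band are assumptions made for illustration.

```python
from collections import defaultdict

# The five qualitative levels, mapped to point values (1 lowest, 5 highest).
LEVELS = {"low": 1, "medium low": 2, "medium": 3, "medium high": 4, "high": 5}

# Constructed inventory: (risk, category, likelihood, impact).
# Risks are the Table 2.2 examples; the ratings are invented for illustration.
INVENTORY = [
    ("Technology interruption", "Operational", "medium high", "medium low"),
    ("Failed investments", "Financial", "medium low", "medium high"),
    ("Data breach making the news", "Reputational", "medium", "high"),
    ("Regulatory fines", "Compliance", "medium low", "medium"),
    ("Beaten by competitor", "Strategic", "medium", "medium"),
    ("Natural disasters", "Physical", "low", "high"),
]

def score(likelihood, impact):
    """Risk score = likelihood points x impact points (1 to 25)."""
    return LEVELS[likelihood] * LEVELS[impact]

def band(s):
    """Heat-map colour for a score; the cut-offs are assumptions."""
    return "green" if s <= 5 else "amber" if s <= 14 else "red"

def ranked(inventory):
    """Rows of (score, colour, risk, (likelihood, impact)), highest score first."""
    rows = [(score(l, i), band(score(l, i)), name, (LEVELS[l], LEVELS[i]))
            for name, _category, l, i in inventory]
    return sorted(rows, key=lambda r: (-r[0], r[2]))

def tied_scores(inventory):
    """Scores shared by risks that occupy different matrix cells."""
    cells = defaultdict(set)
    for s, _colour, _name, cell in ranked(inventory):
        cells[s].add(cell)
    return {s: sorted(c) for s, c in cells.items() if len(c) > 1}

def matrix(inventory):
    """5x5 text heat map: rows are impact 5..1, columns likelihood 1..5."""
    counts = defaultdict(int)
    for _s, _colour, _name, cell in ranked(inventory):
        counts[cell] += 1
    lines = []
    for imp in range(5, 0, -1):
        row = [f"{band(lik * imp)[0].upper()}{counts[(lik, imp)] or '.'}" for lik in range(1, 6)]
        lines.append(f"I{imp} " + " ".join(row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(ranked(INVENTORY), tied_scores(INVENTORY), matrix(INVENTORY), sep="\n")
```

Each matrix cell shows its colour letter and the number of risks in it; the two risks scoring 8 land in opposite corners of the amber band, one likely but minor and the other unlikely but damaging.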



Let’s Chat! (3 of 4)
Say that the majority (96%) of a company’s customers pay
online via credit card, PayPal, or similar payment method.
One risk at this company is that an employee may manipulate
the accounts receivable balance. Identify the likelihood and
impact of this risk, using the risk levels high, medium high,
medium, medium low, and low. Assume that this area of the
business has strong controls in place that make it more
difficult for an employee to commit fraud.



Learning Objective 2.4
Explain how businesses respond to risk.



How Do We Respond to Risk?
• Risk management is a complex part of a business. It
requires critical thinking and decision-making skills to
understand the entire situation and come up with the
appropriate combination of risk responses
• Risk appetite is the amount of risk a company is willing to
take on at a particular time



The Four Traditional Risk Responses

ILLUSTRATION 2.12 The four traditional risk responses are accept, mitigate,
transfer, and avoid



Assess the Risk
• Inherent risk is the natural level of risk in a business
process or activity if there are no risk responses in place
o Inherent risk consists of two parts—likelihood and impact
• Residual risk is the remaining risk posed by a process or
activity once a plan to respond to the risk is in place



Risk Acceptance & Risk Avoidance
• Accept the risk
o Risk acceptance occurs when an inherent risk is present but
the organization chooses not to act
• Avoid the risk
o Risk avoidance eliminates the risk by completely avoiding the
events causing the risk



Risk Mitigation & Risk Transfer
• Mitigate the risk
o When a company decides to accept the risk but to minimize
its impact if it occurs, then the firm mitigates the risk
internally by implementing methods or procedures over
business processes and activities, or using other mitigation
tools to reduce the risk
o Risk mitigation is the most commonly used risk response
• Transfer the risk
o Risk transfer is the shifting of a risk to a third party



Let’s Chat! (4 of 4)
• Q1: Distinguish between inherent risk and residual risk.
• Q2: Identify and briefly describe each of the four traditional
or common types of risk responses. Provide an example of
each that differs from examples provided in the chapter.



Copyright
Copyright © 2022 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Act without the express written permission of the
copyright owner is unlawful. Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies
for his/her own use only and not for distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages, caused by the use of these programs or
from the use of the information contained herein.

