
Business Analysis, Risk identification & initial assessment
Contents
1. RI
2. RI tools
3. RI techniques
4. RA
5. Risk register, concepts and mapping
6. Emerging risks
7. Bias
Risk identification
RI
1. Business analysis

2. Identify risks

3. Obtain agreement with stakeholders

4. Evaluate risks

5. Produce risk register

6. Review risk register

RI
1. Business analysis
  • Clear business objectives
  • Analyze operation & its wider environment (legislative, regulatory & economic)
  • Company’s structure & system of internal controls
  • Current & projected accounts & accounting ratios
  • Market info (e.g. competitors’ actions & market share)
  • Resources available to company

2. Identify the risks
  • Identify up & down side risk structurally
  • Review findings of business analysis
3. Obtain agreement (with other stakeholders)
  • Risks faced, relations between them, & identify individuals who will be responsible for each risk & its management
4. Evaluate the risks
  • Calculate likelihood & severity over a given time frame
  • Both gross & net of existing controls
  • Priority of implementation of risk controls

5. Produce a risk register
  • Record the results of this process in one place
6. Review the risk register regularly
  • Update the changes in risk & reflect current risks.

RI - Benefits
• Enhances awareness & transparency of risks
• Transfer of knowledge
• Improves understanding across the org.
• Acts as a firm base for subsequent risk analysis, quantification & prioritization
• Enhances quality of reporting to the BAM
• Helps improve business decision making

RI - Need
• Need senior sponsorship of RM program
• Be consistent on the standards used over time
• Ensure quantitative & qualitative data to develop a comprehensive risk profile for org.
• Integrate RI with the entire RM process
• Demonstrate added value (on top of meeting regulatory requirements)

RI tools
1. SWOT analysis

2. Risk checklist

3. Risk Prompt List

4. Risk taxonomy

5. Case studies

6. Process analysis

RI tools
1. SWOT analysis
  • Framework for generating ideas in a structured & comprehensive way
  • Consider strengths, weaknesses, opportunities & threats
2. Risk checklist
  • List of risks identified in the past or from an external source
  • Info is relevant & up to date
3. Risk prompt list
  • Categories of risk (industry wide level)
  • Situations / events of risk
  • Risk trigger questions
  • PEST (political, economic, social & tech) risks
  • ESI (environmental, legal & industry) risks


4. Risk taxonomy
  • Classifying risks & breaking them down into components
  • Ensure common understanding of terms of RI
  • Less project specific than a checklist
  • Less industry specific than an industry prompt list
5. Case studies
  • Help understand impact of risks in specific context
6. Process analysis
  • Flow charts to show process & links
  • RI at each stage

RI tools
• Advantages
  - Provide a clear structure for RI process
  - Improve the quality of the output (vs. a less structured process)
• Disadvantages
  - Results may still not be comprehensive
  - Bias in the process or participants

RI techniques
1. Brainstorming

2. Independent group analysis

3. Surveys

4. Gap analysis

5. Delphi technique

6. Interviews

7. Working groups

1) Brainstorming
• Process
  - Group of people generating ideas in a free form way
  - Facilitated by an external consultant
  - Requires all participants to be in the same location at the same time
• Potential disadvantage:
  - If poorly run, can lead to groupthink
  - Uneven participation can lead to an incomplete or biased identification of risks
• Mitigation:
  - Participants should come from various departments across org. & have different backgrounds
  - Outsiders can bring fresh ideas even in specialist areas

2) Independent group analysis
• Process
  - Each risk presented & discussed within group
  - Rank each of the risks independently
  - Results are combined to form an overall ranking
• Potential disadvantage:
  - Unbalanced group may produce a biased list of risks & rankings

3) Surveys
• Process
  - Use online surveys to generate a wide range of responses cheaply
  - No collusion between participants
  - No requirement for everyone to be at same place
• Potential disadvantage:
  - Problem of framing of questions
  - Poor response rates
  - Survey is not flexible (e.g. MC is easier to analyze but limits range of possible responses)
• Mitigation:
  - Run pilot surveys to help improve design

4) Gap analysis
• Process
  - Identify company’s current & desired risk exposures
  - Line manager is best placed to identify current risk
  - Board is best placed to identify desired risk
• Potential disadvantage:
  - Difficult & costly to engage the Board

5) Delphi technique
• Process
  - Communication technique where participants answer questionnaires in 2 or more rounds
  - After each round, a facilitator provides an anonymous summary of output from the previous round as well as the reasons they provided for their judgement
  - Participants then revise their earlier answers in light of replies of other members of the panel
  - Intention is to decrease range of answers & the group will converge towards a consensus
• Potential disadvantage:
  - Time consuming & costly

6) Interview
• Process
  - Individuals are interviewed & the results collated by an independent external reviewer
  - Can immediately clarify on responses
• Potential disadvantage:
  - Time consuming & expensive
  - Restrictions on the number of interviews
  - Having multiple interviewers can lead to inconsistencies

7) Working group
• Process
  - Small no. of interested individuals are tasked with considering a specific risk (or group of risks)
  - Members are normally specialists
  - Scope can extend to analysis of RI, esp. if they are unquantifiable
• Potential disadvantage:
  - RI will be narrow rather than comprehensive
  - Specialists might want to work at a higher level of precision than is justified by the cost

RI techniques
Factors to consider on techniques:
1. Who
  • Input from all areas of business to identify risks & dependencies
  • Select a diverse mix of people (role, experience & seniority)
2. How
  • Workshop, questionnaires
  • Workshop types e.g. brainstorming
  • External help in facilitation of workshops or design of questionnaires

Risk Assessment
RA
• Foundation setting
• Deep dives, risk quantification & management
• Business & EMR integration

• Likelihood / Severity
  - See if the probability (or severity) of the risk event falls within some pre-set categories
  - Check level of accuracy required
  - Extent to which accurate estimation of the probabilities (severity) can be done

• Quantification
  - Can use different probability distributions depending on the data available
  - Score frequency & severity:
    - 0-25%, 25%-50%, etc.
    - Low/mid/high, etc.
  - Multiply together for a risk rating
RA
• Step 1: Foundation setting
  - Get executive sponsorship
  - Organize & plan for resources (e.g. accountabilities & deadlines)
  - Define a risk taxonomy
  - Build a customized RI & RA tool
  - Educate / train project teams & management
  - Lack of senior management buy-in & participation
  - Bad resources planning & allocation
  - Insufficient preparation leads to an inefficient or ineffective process

• Step 2: RI & RA
  - Understand business objective, risk appetite, regulatory & policy requirements
  - Top down (e.g. interviews)
  - Bottom-up (e.g. workshops)
  - Prioritize risks
  - Lack of clear business objectives or risk appetite
  - Focusing on consequences rather than causes of risk
  - Inconsistent estimate of frequency & severity

• Step 3: Deep dives, risk quantification & management
  - Detailed assessments of the top risks (prioritized from step 2)
  - Produce risk tolerance statements & track KRIs
  - Determine RM strategies
  - Calculate total cost of risk (for pricing purposes)
  - Lack of prioritization of key risks
  - Insufficient risk quantification
  - RA not translated into value adding action

• Step 4: Business & EMR integration
  - Link RA with both strategic planning & review processes
  - Integrate RA into everyday business operations (e.g. pricing & K allocation)
  - Conduct scenario analysis & stress testing
  - Report on risk
  - Creating & maintaining loss/events databases
  - Establish appropriate risk-escalation policies
  - Restricting integration to low level reports
  - Failure to fundamentally change the business attitude to RM

Risk register, concepts and mapping
Risk register
1. Labeling or numbering system so that risks can be identified easily
2. Category of risk
3. Description of each risk (that is clear & understandable to all)
4. Initial assessment of the likelihood & impact over an applicable time frame
5. Risk response action (retain, remove, reduce, or transfer)
6. Individual involved in monitoring & RM (Risk owner)
7. Version control information (e.g. when was the last update & by whom)

Risk concepts
1. Exposure: Max loss in an event
2. Volatility: Variability within range of possible outcomes (for market risk it is σ of returns)
3. Probability: Likelihood of event
4. Severity: Loss in case of event occurring
5. Time horizon: Length of exposure to risk & recovery from risk
6. Correlations: Degree to which different risks behave similarly in response to common events
7. Capital:
  • Manage cash flow (working K)
  • Help in growth (development K)
  • Cover unexpected loss (risk K)

Risk mapping
• Plots each risk on the risk map
• Axes are the frequency & severity
• Combinations of low & high
• Technique is used to illustrate the effect that each risk might have on an org.
• Need to include all risks faced by the org.
• A is the current level & A’ is the residual level
• Probability axis doesn’t have to be continuous, can be broad like low/mid/high

Risk mapping - benefits
• Get people across org. to talk about risk
• Improves people’s understanding of the risk it faces
• Improves effect of its RM activities
• Shows which risks require further attention
• Excellent visual tool for reporting to the Board
• Show inherent risk & residual risk to show effectiveness of risk control

Risk mapping – Heat mapping
• X axis is control environment rating & Y axis is risk level
• Control environment rating
  - Highly effective
  - Effective
  - Moderately effective
  - Needs improvement
  - Needs significant improvement
• Risk level
  - Insignificant
  - Low
  - Moderate
  - Severe
  - Critical

Control environment rating

| Control effectiveness rating | Highly effective | Effective | Moderately effective | Needs improvement | Needs significant improvement |
| Tolerance levels | Within established levels | Within established levels | Some established levels with few exceptions | Some established levels with material exceptions | Significant exceptions (or no levels established) |
| Risk controls | Tested & functioning effectively | Tested & functioning effectively | Functioning effectively; but not fully tested | Functioning effectively; but not fully tested | Controls are not in place or not functioning effectively |
| Risk & return link | Explicitly established | Implicitly established | Some | Some | None |
| Metrics & dashboard reporting | Comprehensive | Developed but not full | Some are in place | Minimum | Minimum or none |

Emerging risks
• Types of emerging risks
  - Change in nature of an existing or known risk (uncertainty & ambiguity increases)
  - Change in underlying effectiveness of RM approaches of an existing or known risk
  - Development of a new risk (no explicit allowance made in existing framework)

• Importance
  - Knowledge of such risks will influence corporate strategy
  - May affect the profitability of the organization
  - May yield opportunities for a new product

Emerging risks – Interrelated trends
1. Globalization: Increased interdependence of the world’s economies & markets
2. Technology: New operational risks from technology driven business
3. Changing market structures: As markets are deregulated & privatized
4. Restructuring: Effects of M&A, joint ventures, outsourcing & business re-engineering

Emerging risks - examples
• ER of past are known risks today (e.g. cost of GA rates, health damage from asbestos)
• Significant shift in power between world economies (& collapse of previously secure nations)
• Contagion in asset markets
• Claims from unexpected sources
• Nanotech, Cyber, Mobile phone use
• GMO food
• Terrorism (shifts in level & sources)
• Climate change
• Prolonged power blackouts
• Emerging infectious & pandemic diseases
• Unexpected changes in mortality or longevity
• Change in ways information is stored & distributed due to social media
• Unexpected behavior of financial guarantees embedded products
• Non linear dependencies between current known risks
Emerging risks - IT
1. Cyber security
  • Crime involving use of a computer over a network
  • Financial theft: e.g. hacker accessing bank accounts to steal money
  • Data theft: customer data, confidential business information or proprietary technology
  • Attempts to disrupt a business: e.g. denial of service attacks
2. Cloud computing
  • Shares similar risks to outsourcing
  • Reduces amount of control over data & increases reliance on RM capabilities of the 3rd party provider
3. Social media
  • Rise of social media like Facebook & Twitter raises issues as part of emerging risks
  • Virus & malware on corporate network
  • Reputation risk if there is careless or malicious communication from employees on websites
  • Employees become distracted by social media (productivity reduces)

Emerging risks - RI
• Need a more holistic view to identify ER
• Need to consider all possible impacts of the new risk

• Ways of RI
  1. Horizon Scanning
  2. Weighing different underlying evidence
  3. Additional source of uncertainty

Emerging risks - RI
• Horizon Scanning
  - Systematic search for potential developments over the longer term
  - Emphasis on changes that are at the edges of current thinking
  - Requires input from experts that understand the underlying drivers
  - Rely on relevant external sources (e.g. academic journals)

• Weighing different underlying evidence
  - Need to assess ER from different angles & sources
  - Need to weight RM decisions according to the credibility & reliability of underlying evidence
  - Continue to monitor developments of past decisions
  - Beware of alarmist media reports (they provide warning but are not to be used as a basis of decision making)

• Additional source of uncertainty
  - Future legal approaches to ER
  - Capacity of company to mitigate ER
  - Analysis of trends in ER
  - Monitor regulatory & lobbying activity in the sector by relevant experts
  - Keep dependencies in mind as changes can lead to reduction in diversification

Bias
• Risks not being identified, assessed or reported in a true & honest way
• Can be due to lack of supportive risk culture (or sub optimal culture)
• Often in the context of project appraisal

Sources
• Intentional bias:
  - Deliberate underestimation of risk to achieve a specific personal goal

• Unintentional bias:
  - Inaccurate RA due to lack of experience or time

• Encountering bias:
  - Reporting to Board about the ongoing risks facing the enterprise
  - Project appraisal where risk champions tend to minimize the risks in hope of getting approval

Bias of a project appraisal
• Insufficient care to RI or analysis of risk
• Omission of key risks (accidental or deliberate)
• Incorrect assumptions of independence
• Underestimate likelihood due to inadequate past experience
• Deliberately over optimistic CFs
• Not accounting for future economic cycle
• Inadequate attention to ERs
• Not considering impact on sponsor’s other businesses
• Credit taken for benefits not directly attributable to the project
• Assumptions do not correspond with BAM’s view
• Spreadsheet errors lead to failures of logic

Bias - Behavioral
• Study of unintentional bias in finance
• Looks at how a variety of mental biases & decision making errors affect financial decisions
• Relates to psychology that underlies & drives financial decision making behavior

3 types of behavioral bias

1. Overconfidence:
  • People tend to overestimate their own abilities, knowledge & skills
2. Anchoring:
  • People base perceptions on past experience or “expert” opinion
3. Representative heuristics:
  • People find more probable those things that they find easier to imagine

Bias - avoid
• Built in checks & balances
• Validate the appraisal work (esp. cash flow) by competent & independent checking
• Reference where possible to the outcomes of similar projects
• Build additional K cost: Load in a % to the capital cost based on past experience
• Reduce estimated return
• A large contingency allowance in K cost
