RISK AND RISK MANAGEMENT

Risk

 threats, dangers, possibility of financial loss

 anything that could negatively impact the entity’s ability to meet its business objectives
 possibility that events will or will not occur and affect the achievement of strategies and business
objectives (could affect positively or negatively)
 exists whenever a future outcome or future event cannot be predicted with certainty and a range
of different possible outcomes or events might occur (for risk to exist there are two requirements.
Degree of uncertainty and the outcome must matter)

Note: your objective should define your risk

Organization Definition
International  Risk is the effect of uncertainty on objective and the effect is a
Organization for positive or negative deviation from what is expected
Standardization (ISO)
 Traditional risk definitions combine a potential event with
probability and severity

 ISO points out that risk is goal-specific

Institute of Internal  Risk is the possibility of an event occurring that will have an
Auditors impact on the achievement of objectives. Risk is measured in
terms of impact and likelihood. (event-specific)
Institute of Risk  Risk is a combination of the probability of an event and its
Management consequences. Consequences could either be positive or
negative (event-specific).

CATEGORIES OF RISK

Pure Risk Speculative Risk

 A downside risk
 Is a risk where there is a possibility that an
adverse event will occur. Events might turn
out to be worse than expected but they
cannot be better than expected
 Is a risk that can often be controlled either
by means of internal control or by
insurance.
 Also called as internal control risks or
operational risks
 A two-way risk
 Is a risk where the actual future event or
outcome might be either better or worse
than expected
 Cannot be avoided because risk must
be taken in order to make profits. As a
general rule, higher risks should be
justified by the expectation of higher
profits (although events might turn out
worse than expected) and a company
needs to decide what level of
speculative risks are acceptable.
Speculative risks are usually called
business risk and might also be called
strategic risk or enterprise risk.

Market Risk

 is the risk from changes in the market price of key items such as the price of key commodities
  market prices can go up or down and a company can benefit from a fall in raw material prices or
incur a loss from a rise in prices

Credit Risk

 is the risk of losses from bad debts or delays by customers in the settlement of their debts
 All companies that give credit to customers are exposed to credit risk.
 The size of credit risk depends on the amount of receivables owed to company and the credit
quality of the customers

Liquidity Risk

 Is the risk that the company will be unable to settle its liabilities when payment is due.
 It can occur when a company has no money in bank, is unable to borrow more money quickly,
and has no assets that it can sell quickly in the market to obtain cash.
 Companies can be profitable but still at risk from liquidity shortage

Technological Risk

 Is the risk that could arise from changes in technology or inadequacy of technological systems in
use.
 When a major technological change occurs, companies might have to make a decision about
whether or not to adopt new technology

Legal Risk

 which includes regulatory risk, is the risk of losses arising from failure to comply with laws and
regulations and also the risk of losses from legal actions and lawsuits

Health, Safety and Environmental Risk.

 Are risks to health and safety of employees, customers and the general public.
 Environment risks are risks of losses arising in the short term or long term from damage to the
environment – such as pollution or destruction of non-renewable raw materials

Reputation Risk

 Is the risk that a company’s reputation with the general public and customers or the reputation of
its product brand will suffer damage.
 Damage to reputation can arise in many different ways; incidents that damage reputation are
often reported by the media

Business Probity Risk

 Probity means honesty and integrity.

 Is the risk of losses from failure to act in an honest way

Risk Management (COSO Definition)

 Is a process applied in strategy setting across the enterprise designed to identify potential events
that may affect the entity and manage risks within the risk appetite to provide reasonable
assurance regarding the achievement of the entity’s objectives
 Is a corporate governance issue
Manage risk in creating, preserving and realizing value

Risk management process:

1. Identify
 Risk identification means company needs to understand what risks it face, both in
environment and markets (strategic risks) and internally (operational risks).
 This may be aided by creation of risk committee. These are committees of managers
from several departments or functions and helps in identification of risk
2. Assess
 Assess the importance of the risks in order to:
o Rank the risks in order of significance
o Identify the risks that are most significant
o Identify the risks where control measures are urgently needed

 This is the stage of actually assessing the risk and is also called the risk profiling or risk
mapping

 To assess each risk, it is necessary to consider the likelihood that losses will occur as a
consequence of the risk and the size or amount of loss (impact) when this happens

 Assessment may be done qualitatively or quantitatively

Sample Risk Map

5
4
3
Probability 2
1
1 2 3 4 5
Impact

High Impact High Impact

Low Probability High Probability
High Impact  Consider the need for  Take immediate action
control measures such as to control the risk
IMPACT OF insurance
POTENTIAL
LOSS
Low Impact Low Impact Low Impact
Low Probability High Probability
 Review Periodically  Consider the need for
control action

Low Probability Frequency High Probability Frequency

PROBABILITY OF FREQUENCY OF THE RISK MATERIALIZING

 3. Respond
 Action plan

4. Monitor

Risk Appetite (how much you are willing to accept)

 The amount of risk on a broad level, an organization is willing to accept in pursuit of value
 Affected by your risk capacity (how much you can accept)

Acceptable variation in performance

 The boundaries of acceptable outcomes related to achieving business objectives

 Tolerance

Tolerance
Target

Risk

Performance

RISK PROFILE RISK APPETITE RISK CAPACITY

Objectives

 Efficiency and effectiveness of operations

 Compliance with laws and regulations
 Reliability in financial reporting
Essentials of Risk Management

 Language – understand the same language

 Process – identify, assess, respond, and monitor
 Ratings – scaling method/qualitative/quantitative
 Response
o Risk diversification
 Do not put all your eggs in one basket
 To invest in a range of different business activities and build up a portfolio of
different business activities
 A diversification strategy by a company might be appropriate provided that its
management have the skills and experience to manage the portfolio of different
business activities
 A diversification strategy by a company is much riskier and less appropriate
when it takes the company into unrelated business activities
 Risk are not reduced significantly by diversifying into different activities where the
risks are similar so that if there is an adverse change in one business activity,
there is a strong probability that adverse changes will also occur in the other
activities

o Risk Transfer/risk sharing

 Involves collaborating with another person and sharing the risks jointly
 Common methods of risk sharing in business are partnerships and joint ventures

o Hedging
 Means creating a position (making a transaction) that offsets an exposure to
another risk

o TARA Framework
 Transfer/Share
 Avoid
 Reduce
 Accept

High
Transfer Avoid

Risk of lawsuit Transmission

Probability from students due to face to
face classes

Accept Reduce

Risk of damage Risk of damage

to classrooms to reputation
Low Impact High
 High
System-based System-based
detective preventive

Probability
People-based People-based
detective preventive

Low Impact High

Enterprise Risk Management Framework

portfolio view

Note: In COSO, risk management is under performance