Risk Management

Value, Risk and Culture and Organizational Frameworks

Module 001 – Nature of Risk and Risk Culture

At the end of this module, you will be able to:

1. Know and understand the meaning of Risk.

2. Explain the nature of business risk.
3. Discover the causes of business risk.
4. Determine the right attitudes toward risk.

Business risk can be defined as uncertainties or unexpected events, which are

beyond control. In simple words, we can say business risk means a chance of
incurring losses or less profit than expected. These factors cannot be
controlled by the businessmen and these can result in a decline in profit or
can also lead to a loss.

Nature of Business Risk

Business risk is the possibilities a company will have lower than anticipated
profits or experience a loss rather than taking a profit. Business risk is
influenced by numerous factors, including sales volume, per-unit price, input
costs, competition, and the overall economic climate and government
regulations.

Figure 1.1- Types of Risk

https://kalyan-city.blogspot.com/2012/01/types-of-risk-systematic-and.html
1. Arises due to Uncertainties

Uncertainties mean when you are not sure of what is going to happen in
future. Common examples of uncertainties are: change in demand,
government policy, technology etc. Business risk is due to these
uncertainties.

2. Essential part of any Business

A risk is an important characteristic of business. No business can avoid risk

although the degree of risk may vary Risk can be reduced but cannot be
eliminated.

3. Degree of Risk Depends upon the Nature and Size of Business

The degree of risk depends upon the type of business; for example, a
business involved in fashion items bears more risk as compared to the
business involved in standardized goods. Similarly, a business operating at
large scale bears more risk as compared to small-scale business houses.

4. Profit is the Reward for bearing the Risk:

The business earns a profit because they are bearing risk.”No risk no gain”
larger the risk more is the profit. An entrepreneur bears risk with the
expectations of earning a profit.

Causes of Business Risk

Natural Causes

Nature is an independent phenomenon and human beings have no control

over it. Natural calamities like earthquake, flood, drought, famine etc. Affect
a business a lot and can result in heavy losses. The natural causes are such
type of uncertain factors that human beings cannot make any preparation
against.

Human Causes

Human causes are related to a chance of loss due to human being or

employees of the organization. The dishonesty of employees can bring heavy
losses for business e.g., the employees may leak a business secret to a
competitor and may commit fraud also bring heavy losses by wastage of
resources.

The employees may hamper the production by going on strikes, riots etc.
This can also lead to heavy loss of business condition. There can be price
fluctuations in the market, there can be a change in fashion, taste,
preferences, and demands of customers

Economic Causes

Economic causes are related to a chance of loss due to change in the market.
There can be a change in the degree of competition. All these have a direct
impact on the earnings of the business.

Even change in Government policy affects the business a lot. For example, in
1971 when Janata government came to power the Coca-Cola Company and
many other foreign companies were sent back to India

Physical Causes

All the causes which result in damage of assets are considered as a physical
cause, for example, change in technology may result in machinery being
outdated, use of old technology, mechanical defects may also result in
damage of assets such as the bursting of a boiler, accident to employee etc.

Types of Business Risk

The business risk can be classified into two major categories:

Insurable Risk

The risks which can be recovered are called insurable risks. The losses which
can be made good or losses for which company can get compensation from
the insurance company are called Insurable Risks. Generally, the natural and
physical risks are insurable risks, e.g., businessmen can take a fire insurance
policy to get protection from flood, earthquake or from the damage of assets
such as the bursting of boiler etc.
Non-insurable Risks

The risks for which no protection is available are called Non-insurable risks.
The businessmen cannot get compensation for a change in demand or loss
due to negligence or carelessness of employees. Whether the risk is insurable
or non-insurable, only the loss can be shared but the risk remains

Minimization of Risk

Business has many risks but it can also be avoided by adopting some
measures. Management can adopt the technique to minimize the chance of
occurring any particular event which form may cause the loss. All the risks
cannot be avoided but these can be minimized.

So such policies are adopted which reduce the loss. For example, there is a
greater risk to send the product by air then by train. So the risk can be
reduced by sending the product by train. Similarly, when you introduce a
new product, there is a greater risk, so you may refuse to avoid the risk.

Though a firm can never escape from a presence of any risk it can still
employ methods to avoid them. For instance, the firm can:

Avoid it from entering into a risky transaction;

Preventive measures can be taken like firefighting;

Transfer the risk to an insurance company by taking a policy:

Share risk with other enterprises by making the manufacturers agree to

compensate the losses in the case of falling prices.

What is Risk Culture?

Risk culture is the “set of encouraged and acceptable behaviors, discussions,

decisions and attitudes toward taking and managing risk within an
institution.” Developed in conjunction with research Protiviti conducted with
the Risk Management Association, this definition applies to all organizations,
whether public or private, for-profit or not-for-profit. Risk culture is the glue
that binds all elements of risk management infrastructure together, because it
reflects the shared values, goals, practices and reinforcement mechanisms
that embed risk into an organization’s decision-making processes and risk
management into its operating processes. In effect, it is a look into the soul of
an organization to ascertain whether risk/reward trade-offs really matter.

How Do We Evaluate Risk Culture?

Risk culture may be a formidable hurdle to improving risk management

performance, whether management realizes it or not. Because risk culture
often evolves as the organization evolves, it may make sense for
organizations to use self-assessment techniques, internal surveys, focus
groups and other techniques to understand the current state of risk culture in
the organization by considering the following:

Tone of the organization – This term refers to the collective impact of the
tone at the top, tone in the middle and tone at the bottom on risk
management, compliance and responsible business behavior.
Communications from the top have little impact if the organization’s
employees see and hear a different message every day from the managers to
whom they report. The greater the number of management layers in the
organization, the greater the risk of incongruities in the respective tones at
the top, middle and bottom. Likewise, the greater the risk of executive
management being unaware of serious financial, operational and compliance
risks that may be common knowledge to one or more middle managers and
rank-and-file employees. Information is often distorted as it moves up and
down the management chain, creating disconnected leaders.

Physical mechanisms driving risk culture – These tangible mechanisms

influence the tone of the organization and include many things comprising
the risk governance structure, including corporate value statements, code of
conduct and ethics programs, policies and procedures, risk committee
oversight activities, incentive programs, risk assessment processes, key risk
indicator reporting and performance reviews and reinforcement processes,
among other things. They also include the risk appetite dialogue of the
executive team and Board, as well as the decomposition of risk appetite into
risk tolerances and limit structures used day-to-day in executing the corporate
strategy.

Internal attributes driving risk culture – These attributes include the attitudes,
belief systems and core values that drive behavior and guide daily activities
and decision making throughout the organization, particularly with respect to
entrepreneurial pursuits. While not as easily “seen and touched” as physical
mechanisms, they warrant careful attention. For example, behaviors around
risk management and internal control accountabilities often manifest
themselves in how people clear audit issues, address control weaknesses,
escalate issues and resolve issues reported. The timeliness in which such
activities are carried out provides powerful “tells” regarding an
organization’s risk culture. So, too, does executive management’s reaction
(or lack thereof) to warning signs provided by independent risk management
functions.

External attributes driving risk culture – These attributes include regulatory

requirements and expectations of customers, investors and others. The extent
to which an organization seeks out these requirements and expectations and
aligns business processes through actionable improvements reveals a lot
about its resiliency.

Subcultures that might have an impact on risk management – Multiple

subcultures permit an institution, in response to a changing business
environment, to be more agile in solving problems, sharing knowledge and
serving customers that a so-called unitary culture may not address. On the
other hand, they can also lead to rogue, risk-taking behavior that can
ultimately harm the organization.

Relationship to overall culture – Risk culture does not operate in a vacuum.

The overall organizational culture influences it in many ways, and some
argue they are one and the same.

How Do We Improve Risk Culture?

As risk is about uncertainty in facing the future, it would seem logical that a
desirable risk culture would position the organization to be proactive as an
early mover that quickly recognizes a unique opportunity or risk and uses
that knowledge to evaluate its options, either before anyone else or along
with other firms that likewise seize the initiative. Such a culture would give
management the advantage of time, with more decision-making options
before shifts in the market invalidate critical assumptions underlying the
strategy. Another example of a desirable risk culture might be one that
maintains a healthy tension between the organization’s entrepreneurial
activities for creating enterprise value and its activities for protecting
enterprise value so that neither one is too disproportionately strong relative to
the other.

Once an initial assessment of the current risk culture is completed, executive

management should consider whether any organizational changes are needed
and take steps to implement those changes as directed by the Board. In
transitioning to a desired risk culture, executive management should try to
achieve the following:

Embed it in the organization – Risk culture should be effected through the

firm’s overall risk governance process; otherwise, it becomes a nebulous
appendage. To illustrate, accountabilities for risk management and desired
risk management behaviors should be reinforced through committee charters,
policies, job descriptions, limit structures, procedures and escalation
protocols.

Make it a priority at the highest levels – Executive management must support

the desired risk culture by demonstrating the desired behaviors through their
actions and decisions over time, as well as by periodically communicating
value contributed by the organization’s risk culture. For example, promoting
a warrior culture, fostering a “star system” with little or no accountability,
shooting the bearers of bad news, ignoring the warning signs escalated by the
risk management function and making decisions that everyone can see are
inconsistent with the desired risk culture all send the wrong message.

Undertake an integrated approach – Standing alone, such programs as

periodic policy communications, awareness campaigns and training strategies
are mere window dressings. When baked into a comprehensive program that
aligns performance expectations, roles, responsibilities and compensation
structures with appropriate risk taking, they reinforce critical aspects of the
desired risk culture for employees.

Periodically evaluate progress – Monitor employee behavior for new trends,

attitudes or perceptions requiring attention. Track quantitative and qualitative
measures of an effective risk culture using indicators such as:

Level of executive management sponsorship

Line of business ownership of risk management

Effectiveness of risk committee and governance processes

Evidence of key business decisions, taking risk and solvency into

consideration

Quality of Board discussions on risk issues and escalated matters

Use of risk appetite statement and tolerances in decision making

Alignment and incorporation of risk into strategic planning and direction

 Be alert for signs of change, for better or worse – As noted earlier, employee
surveys and focus groups are examples of tools that can provide insights
when evaluating risk culture. Reports from the independent risk management
function and internal audit are other sources. Consider the effects of changes
in strategy and the organization as well as the occurrence of external events,
including regulatory developments, when evaluating whether changes are
necessary to strengthen risk culture.

Every organization is different. That is why it is important to evaluate risk

culture and make necessary adjustments to shape it over time in response to
change.

Online Sources

https://www.toppr.com/guides/business-studies/nature-and-purpose-of-
business/nature-of-business-risk/

https://www.corporatecomplianceinsights.com/the-importance-of-risk-culture/