
P1-13 Assessing Risk

Uploaded by

magnetbox8

Session 13

Assessing Risk

FOCUS
This session covers the following content from the ACCA Study Guide.

C. Identifying and Assessing Risk


1. Risk and the risk management process
b) Define and describe management responsibilities in risk management.
3. Identification, assessment and measurement of risk
a) Identify, and assess the impact upon, the stakeholders involved in
business risk.
b) Explain and analyse the concepts of assessing the severity and probability
of risk events.
c) Describe and evaluate a framework for board level consideration of risk.
h) Explain and evaluate the concepts of related and correlated risk factors.

Session 13 Guidance
Read through section 1 a couple of times to grasp the importance of, and approaches to, risk management
techniques; learn the two key groupings in the risk management process (s.1.4).
Understand the four elements of the COSO framework used in the evaluation and analysis of
risk (s.2).



P1 Governance, Risk and Ethics Becker Professional Education | ACCA Course

Ali khan - [email protected]


VISUAL OVERVIEW
Objective: To explain the process of assessing risk.

RISK MANAGEMENT PROCESS
• Elements
• Risk Management Standard
• COSO Framework
• Key Groupings

ANALYSIS AND EVALUATION
• Internal Environment
• Strategic Objectives
• Event (Risk) Identification
• Risk Assessment
• Risk Register

IMPACT ON STAKEHOLDERS

Session 13 Guidance
Revisit the influence of stakeholders and remember that Mendelow's grid can be used to
estimate stakeholder power and, thus, how the effect on stakeholders from a risk event will
affect the company.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-1


Session 13 • Assessing Risk P1 Governance, Risk and Ethics

1 Risk Management Process

1.1 Elements
Many examples exist of risk management systems and processes
that have been developed by organisations. In general, a risk
management process should, at the very least, incorporate the
following elements:

[Diagram: a cycle around "Threats to achieving corporate objectives"]
• Identify
• Evaluate, analyse, assess
• Manage (approach and action)
• Monitor, review, feedback


1.2 Risk Management Standard


The Institute of Risk Managers (IRM), the Association of Insurance
and Risk Managers (AIRMIC) and the National Forum for Risk
Management in the Public Sector (ALARM) jointly published
a Risk Management Standard in 2002, within which the risk
management process was diagrammatically shown as:

[Diagram: the risk management process]
• The Organisation's Strategic Objectives
• Risk Assessment
  ◦ Risk Analysis (Risk Identification, Risk Description, Risk Estimation)
  ◦ Risk Evaluation
• Risk Reporting (Threats and Opportunities)
• Decision
• Risk Treatment
• Residual Risk Reporting
• Monitoring
• Formal Audit (side box)


1.3 COSO Framework


COSO has expanded the risk assessment layer of its internal
control framework to develop the Enterprise Risk Management
(ERM) model.

[Diagram: the COSO ERM cube]
• Objectives: Strategic, Operations, Reporting, Compliance
• Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
• Units: Entity Level, Division, Business Unit, Subsidiary

There are many diagrammatic representations of the risk management
cycle. When considering risk, the examiner expects an understanding
of the elements of identifying, assessing, managing, reviewing and
feedback.

1.4 Key Groupings


Broadly there are two key groupings in the risk management
process:
• Assessing (analysing and evaluating) risks to identify key
  risks; and
• Developing strategies to manage, control and monitor those
  risks (see Session 14).


2 Analysis and Evaluation


According to COSO's ERM model there are four elements in the
analysis and evaluation of risk:*
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment.

*These elements are inter-related and cannot be considered in
isolation. As explained in s.2.5, the risk register is a tool used to
document, control and provide necessary support in analysing and
evaluating risk.

2.1 Internal Environment
• The internal environment encompasses the firm's risk tone,
  how its managers, employees and other stakeholders react
  to risk and how risk is embedded within the firm and its
  environment.
• Factors include risk capacity, risk appetite, risk
  management philosophy, oversight procedures, integrity,
  ethical values, competence, authority, responsibility,
  organisation and development. (Risk capacity and risk
  appetite are detailed in Session 14.)
• The internal environment influences how strategies and
  objectives are established; business activities structured;
  risks identified, assessed and acted upon; and the design and
  functioning of control activities, information, communication
  and monitoring activities.

Risk capacity—the maximum amount and type of risk that an entity
could take under current circumstances. This is determined by various
constraints, such as capital and human resources, expertise and
regulatory requirements (e.g. if capital resources increase and/or
regulatory requirements are relaxed, risk capacity can increase).

Risk appetite—the amount of risk, taking into account risk capacity,
that an entity is prepared to accept in pursuit of value. It reflects the
entity's management philosophy and in turn influences the entity's
culture and operating style.

2.1.1 Risk Management Philosophy
• This is driven by an entity's board and pervasive through
  everything managers, staff and connected stakeholders
  do, from developing strategy to implementing day-to-day
  operations.
• It reflects the entity's values, culture and operating style and
  how risk management is applied (e.g. how risks are identified,
  what risks are accepted and how they are managed).*

*In the COSO framework it is crucial that the risk management
philosophy is uniform across the entire entity, especially, for
example, where elements of the entity operate under different
cultural influences.

2.1.2 Board of Directors
• Effective board structures (e.g. as emphasised under good
  corporate governance including NEDs and committees) will
  ensure effective risk management.
• It does not matter how well a business is run; every entity
  is vulnerable to risk so an effective board is critical to risk
  management.


2.1.3 Integrity, Ethical Values and Corporate Culture

• Risk management cannot rise above the integrity and ethical
  values espoused and enacted by management and employees
  who design, create, administer and monitor the entity's
  activities.
• Although the board and management may determine official
  policies, corporate culture determines what happens (rather
  than what should happen) and which rules are obeyed, flexed,
  broken or ignored.
• Basing risk management on what should happen is far less
  effective than understanding exactly which ethical values are
  applied and how corporate culture operates.

2.1.4 Organisational Structure

• The organisational structure provides the framework to plan,
  execute, control and monitor activities. It may be centralised,
  decentralised, based along functional, industry, product,
  geographical lines or a mix.
• Risk management needs to recognise the complexity or
  simplicity of the entity's structure, its interdependencies and
  its internal and external factors.

2.1.5 Authority and Responsibility

• The degree to which delegation is encouraged throughout the
  organisation and the limits to which individuals and teams
  are encouraged to use initiative. Alignment of authority and
  accountability is often used to encourage initiative.
• The boundaries of authority and responsibility need to be set
  to ensure that objectives are understood as well as being
  achieved.
• The internal environment is greatly influenced by the extent
  that individuals (from the CEO to the doorman) recognise that
  they are, and will be, held to account.

Illustration 1 Bank of Ireland

As part of their ethical and risk management standards, many
entities forbid access to unauthorised websites. In May 2004,
Michael Soden, CEO of the Bank of Ireland, resigned after a regular
internal check revealed that he had broken the institution's rules on
Internet use by accessing a pornography site.

"I now understand and accept that in doing this I breached the
policies of the Bank of Ireland. I have made it a central part of
my tenure as group chief executive to set the highest standards
of integrity and behaviour and to do so in an environment of
accountability, transparency and openness."


Example 1 Enron

A significant energy company was generally thought to have effective enterprise risk
management due to its high-powered and respected senior managers, prestigious
board of directors, innovative strategies, well-designed information systems and
control activities, extensive policy manuals prescribing risk and control functions
and comprehensive reconciling and supervisory routines.

Required:
Explain why the company earned the distinction of becoming one of the
largest bankruptcies in US (let alone world) history.
Solution


2.2 Strategic Objectives

• As strategic risk is the risk that an entity may not be able
  to carry out its strategy and achieve its objectives, then
  developing a strategy and setting objectives is a precondition
  to identifying, assessing and analysing risks.
• A top-down approach to objective setting is crucial.
  For example:
  1. Mission statement
  2. Strategic objectives for entity as a whole
  3. Strategy formulated covering whole entity
  4. Strategy formulated for each entity business unit
  5. Tactical objectives for each business unit
  6. Operational activity objectives for each function and employee


Example 2 Objectives

Objectives and decision-making are usually classified as strategic, tactical
and operational.

Required:
Describe the general characteristics of each classification.
Solution
1. Strategic:

2. Tactical:

3. Operational:

• As the process moves from a strategic level to the operational
  level, critical success factors may be established for each
  business unit, function, department, individual or any other
  unit.*

*Objectives can be many and varied (e.g. cash flow objectives,
reporting, compliance, environmental, investment) and each entity
will need to establish a specific set of objectives as no one set will be
appropriate as a standard for each entity.

• Having set the mission statement, strategic objectives and
  critical success factors, the risks to achieving the strategy and
  objectives should be identified. Similar processes should be
  applied at each level (i.e. tactical and operational).


2.3 Event (Risk) Identification


A risk event is essentially any external or internal matter which
can have a positive or negative effect on the entity achieving its
objectives. Events may be expected (e.g. routine and recurring)
or unexpected, but predictable.

2.3.1 Identification Techniques

• Beyond the development of a sound understanding of strategic
  and operational objectives, identifying events that may affect
  the achievement of those objectives requires a detailed
  understanding of the entity, its markets and the legal, social,
  political, economic, technological, environmental and cultural
  environments in which it operates.
• Examples:
  ◦ Commodity price and exchange rate fluctuations, availability
    and cost of capital.
  ◦ Flood, fire, earthquake, global warming, pollution,
    destruction of raw materials.
  ◦ Government elections, new laws and regulations, tax
    changes, political differences.
  ◦ Changing demographics, work/life balance, terrorism,
    change in school leaving age, change in education priorities.
  ◦ Improvement in electronic commerce, emerging
    technologies, loss of data.
  ◦ Upstream/downstream effect of suppliers/customers (supply
    chain management).
• Events at the operational/activity level should also be
  considered so as to focus attention on the specific units and
  functions of the entity. Examples:
  ◦ Changes in customer demands, lifestyle indicators, new
    competitor products, new suppliers, locking in/locking out to
    suppliers/customers.
  ◦ Workplace accidents, fraud, dated work practices, renewal
    of agreements, strikes, increased sick leave, need for
    preventative maintenance.
  ◦ Change management, outsourcing, changes in market
    share, inefficiency, increasing customer complaints,
    production problems, loss of repeat business.
  ◦ IS security breaches, systems downtime, denial of service,
    updating of websites.
• As each entity is unique and operates under different
  circumstances, management must select the techniques which
  are appropriate to its risk management philosophy and which
  ensure robust event identification capabilities. Without such
  capabilities, entities will not be able to assess and respond to
  risks, especially unexpected risks.*

*Obviously there will always be risks which are unexpected and
unpredictable (i.e. "always expect the unexpected"). Entities
cannot plan for all risks; there will always be the unknown.
What is important, however, is once the unknown becomes
known how does the entity respond? A key element in reputation
risk is the response to crystallisation of the unknown.


Illustration 2 Risk Identification

Because of alarm over an increase in the number of patient deaths
during and shortly after surgical procedures, the World Health
Organisation conducted a survey across hospitals in a number
of countries to identify the root causes. From this survey a one-page
checklist was developed and field tested. This has resulted in
dramatic declines in major patient complications (30%) and deaths
(40%) during or after surgical procedures.

"Operating theatres are high-risk environments. By using the checklist
for every operation we are improving team communication, saving
lives and helping ensure the highest standard of care for our patients."
—UK Health Minister Lord Ara Darzi, 2009

Example 3 Event Identification


Suggest FIVE techniques that could be used by entities to identify potential risk events.

Solution

1.

2.

3.

4.

5.


2.3.2 Event Interdependences and Correlation

• The effects of events on an entity are highly unlikely to be
  in isolation. One event can easily trigger another event;
  linkage is when the occurrence of one risk may lead to
  another risk materialising or becoming active—a domino
  effect. Management must understand the relationship between
  events. The relationship may be simultaneous or there may
  be significant lead time between the connected events. The
  events may be in the same unit/function, or an event could
  affect different units of an entity in different ways.
• The probability and impact of two unrelated risks occurring
  at the same time must be assessed. Thus, the whole may be
  greater than the sum of the parts.
• The correlation between risks can be positive or negative—
  positive when the risks move together (both increase or
  decrease) and negative when the risks move in opposite
  directions.*
  ◦ Increasing exposure to an environmental risk (e.g. chemical
    spill or leakage) will usually also result in an increase
    in reputational risk—positive correlation. If both risks
    materialise the organisation will have to bear clean up
    costs and repair its damaged reputation. Both risks decline
    if the potentially environmentally damaging activity is
    discontinued.
  ◦ If a company borrows money to spend, for example, on
    reducing its carbon emissions, its environmental risk is
    reduced. However, financial risk increases due to the
    increase in gearing—negative correlation.
  ◦ Hedging illustrates negative correlation—the movement in
    value of the hedged item is offset by an opposite movement
    in the hedging instrument.
• Risk management must therefore consider not only single,
  mutually exclusive risks but also the risk of multiple linked and
  correlated risks.

*It is not necessary that movements of risk exactly mirror
each other (e.g. in monetary terms), just that they vary together.

Illustration 3 Correlated Risks

As economies enter into recession, many businesses cut back
on capital and human investment—thereby reducing exposure
to liquidity and solvency risks. When emerging from recession,
however, such companies often find that they are unable to take
advantage of the opportunities available (e.g. due to obsolete
equipment, lack of infrastructure, lack of experienced employees,
etc)—thereby increasing their exposure to the risk of losing a
competitive advantage.


2.3.3 Event Categories

• Event categories are designed to:
  ◦ enable management to identify links and the effect of each
    event (horizontally) across the entity (group, business
    divisions, units, etc) and (vertically) in each operating unit;
  ◦ gain a better understanding of the relationship, interaction
    and "cross impact" of events (i.e. how the likelihood of an
    event changes when another event actually occurs);
  ◦ identify possible gaps in the event categorisation
    framework; and
  ◦ identify those events which will have a negative effect and
    those which will have a positive effect.*
• Many entities initially group potential events into categories
  (e.g. political, environmental, law and regulatory, technology,
  HR). These categories also can be grouped under, for
  example, external and internal factors.
• A further categorisation may be based on objectives, starting
  at the top with strategic objectives and then working down to
  the operational objectives.

*One event (e.g. exchange rate change) may be negative in
one business unit but positive in another. Therefore the overall
effect on the entity needs to be considered and an appropriate
approach developed—event correlation across a group.

2.4 Risk Assessment

• Having established a strategy and strategic and operational
  objectives and identified potential events which may affect
  objectives, risk assessment allows entities to consider the
  effect (e.g. severity, consequences and hazard) each event
  may have on achieving objectives and its likelihood (i.e. a risk
  profile).
• In measuring or estimating impact and probability, the criteria
  used may be quantitative, qualitative or a combination. The
  methodologies used must be appropriate to the entity and
  should be consistently applied.
• Examples of risk assessment techniques include:
  ◦ Benchmarking—focuses on specific events or processes,
    comparing measures and results using identified metrics.
    Often used to assess probability and the effect of potential
    events across a specific industry.
  ◦ Probabilistic modelling (e.g. value at risk, cash flow at
    risk, earnings at risk). Risk is assessed using historic data
    or simulated outcomes reflecting assumptions of future
    behaviour. Often used to assess expected or average
    outcomes versus extreme or unexpected effects.
  ◦ Non-probabilistic modelling (e.g. sensitivity measures,
    stress tests, scenario analysis, "gut" feeling). Extensive use
    is made of subjective assumptions in estimating the impact
    of events without quantifying an associated likelihood.
• The Risk Management Standards (IRM, AIRMIC, ALARM)
  provide several examples on how impact and probability may
  be measured.


2.4.1 Impact/Consequences (Applies to Threats and Opportunities)

High
• Financial impact to exceed $x
• Significant impact on strategy or operational activities
• Significant stakeholder concern

Medium
• Financial impact between $x and $y
• Moderate impact on strategy or activities
• Moderate stakeholder concern

Low
• Financial impact less than $y
• Low impact on strategy or operational activities
• Low stakeholder concern

• $x and $y, significant, moderate and low will need to be
  defined/quantified, as well as the areas of the strategy and
  operational activities.
• A stakeholder analysis (Mendelow) would also need to be
  carried out to identify which stakeholders would be affected
  and how.
• Where past data (internal and external) is used to quantify the
  financial effect, the source of the data should be reliable.
• Many situations require subjective judgements concerning
  uncertainty. Different managers will have different levels of
  "uncertainty subjectiveness" and different confidence in their
  ability in making subjective decisions. Care must therefore be
  taken to ensure that subjective judgements are appropriately
  made for the entity as a whole.

High
• Likely to occur each year or more than a 25% chance
  of occurrence (probable?)

Medium
• Likely to occur in a 10-year time period or less than a
  25% chance of occurrence (possible?)

Low
• Not likely to occur in a 10-year period or less than a
  2% chance of occurrence (remote?)

• Where a percentage chance of occurrence is used, the time
  frame would need to be quantified—is this every year, over
  a five-year period or perhaps a 25-year period? Is the
  time frame in line with the strategic horizon? In the above
  example, 10 years appears to be the strategic horizon.
• Where the time frame is relatively short, care should be taken
  to include significant risk events that may occur
  beyond the time frame. The more objective the criteria used,
  the more robust the risk assessment—the more subjective,
  the greater the degree of uncertainty and estimation.


Example 4 Objectivity

For each of the following, identify if the matter can be objectively or subjectively assessed.

Solution

1. The closure of a factory will cost $1m.

2. Failure to meet a delivery deadline will result in the loss of the client.

3. A nuclear accident will occur this year in the UK.

4. Revolution in the Middle East will result in the closure of our business.

5. There is a 25% chance that global warming will result in a 50% increase of sales.

2.4.2 Mapping
• A 2x2 "likelihood-consequences" matrix of the likelihood and
  impact of risks provides a relatively simple tool for mapping
  (graphing) and ranking the various assessments of risk:*

[Matrix: vertical axis Likelihood, horizontal axis Impact]
Top row:     Low impact, high likelihood | High impact, high likelihood
Bottom row:  Low impact, low likelihood  | High impact, low likelihood

*Likelihood may instead be labelled risk probability and hazard
is an alternative label for consequences or impact.

• The area considered to be high impact, high likelihood need not
  be as precisely quantified as in the above diagram. Each entity
  will need to consider what could be a critical area. For example:


[Figure: individual risks plotted as X marks on a chart of Likelihood (vertical axis) against Impact (horizontal axis), with a region labelled "Critical area".]

2.5 Risk Register

• Entities that are subject to complex risk profiles will use a
  risk register (usually computer-based, whether spreadsheet
  based or a database management system in a complex risk
  management model) to record, prioritise and track each risk
  through the risk management process.
• The risk register is effectively an essential part of the project
  management process (e.g. to assess and recommend potential
  takeover targets) tracking each stage of the project (from
  start to finish, identification through to monitoring) and being
  reactive or proactive as events are completed or developed.
• A typical register will record (and be updated as the risk cycle
  progresses):
  ◦ Name of risk
  ◦ Risk owner/accountable party
  ◦ Scope/description (events, size, type, number)
  ◦ Inter-dependencies (i.e. relationship with other potential
    risks)
  ◦ Nature (e.g. strategic, operational, financial, compliance)
  ◦ Stakeholders (e.g. use of Mendelow grid)
  ◦ Quantification of risk (i.e. probability and significance)
  ◦ Risk tolerance/appetite
  ◦ Key risk management/control activities
  ◦ Monitoring approach (including use of controls)
  ◦ Gaps, issues and actions
  ◦ Processes, initiatives, objectives affected by risk
    management approach
  ◦ Standard and tailored reporting (e.g. residual risk).


3 Impact on Stakeholders
• The roles and claims of stakeholders have been discussed in
  previous sessions.
• In simple terms, the impact of risk on stakeholders is that
  they will not be able to pursue their claims on the entity.
• As the definition of stakeholders implies a two-way
  relationship ("… can affect and be affected by …") stakeholder
  claims also should be considered as potential events that could
  lead to threats and opportunities to the entity's strategy.*

*Stakeholder power and the use of Mendelow's grid have
already been discussed as potential sources of event indicators.

Example 5 Stakeholder Risk

Describe the impact of risk on FIVE stakeholders.

Solution
Stakeholder Impact of Risk

1.

2.

3.

4.

5.

In the examination, the examiner will expect you to use scenario
analysis, experience and common sense in identifying stakeholders
and the impact certain risks will have on them. Rote-learnt
examples are unlikely to gain a pass mark.


Summary
• Two key groupings in the risk management process include:
  1. Assessing (analysing and evaluating) risks to identify key risks.
  2. Developing strategies to manage, control and monitor those risks (see Session 14).
• Assessing (COSO ERM) involves four elements:
  1. Internal environment
  2. Objective setting
  3. Event identification
  4. Risk assessment.
• A risk register or matrix may be used to record, prioritise and track each risk through the
  risk management process.
• Mendelow's grid can be used to estimate stakeholder power and, thus, how the impact on
  stakeholders from a risk event will affect the company.

Session 13 Quiz
Estimated time: 10 minutes

1. List the basic elements of the COSO risk management framework. (1.3)

2. Explain the concept of an entity's "risk tone". (2.1)

3. Define "risk capacity" and "risk appetite". (2.1)

4. List the techniques used to identify risk events. (2.3)

5. List the contents of a risk register. (2.5)


Session 13

EXAMPLE SOLUTIONS
Solution 1—Enron
Despite its high external reputation, Enron's internal environment was
significantly flawed. Management participated in, practiced and allowed
many highly questionable business practices. Their sheer arrogance
allowed them to think of themselves as "the smartest guys in the room"—
anywhere, any time.

Solution 2—Objectives
• Strategic decisions:
  ◦ affect the whole organisation;
  ◦ are often subjective (as the future cannot be known until it happens);
  ◦ may be based on a number of different scenarios (to enable appropriate
    reaction as events unfold—being proactive rather than reactive);
  ◦ are often about long-term planning, but not always (the strategic
    horizon may be five years, it may be 20 years, or it may be on a
    rolling basis);
  ◦ have a higher level of risk than other decisions (because of the many
    variable and unpredictable factors that such decisions may be based
    on, such as the future political, economic, social and technological
    (i.e. "PEST") environment);
  ◦ are usually complex;
  ◦ are unlikely to be recurring; and
  ◦ provide the framework and guidance for tactical decision-making.
• Tactical decisions:
  ◦ implement the requirements of the strategic plan;
  ◦ affect significant parts of the organisation;
  ◦ are based on a mixture of internal and external information, with the
    emphasis often on internal information;
  ◦ are usually (but not always) based on financial analysis;
  ◦ use a mix of qualitative and quantitative data;
  ◦ are related to the short- and medium-term;
  ◦ are often recurring processes, although in different contexts (e.g.
    setting quality standards for different departments); and
  ◦ provide the rules for operational decision-making.
• Operational decisions:
  ◦ affect day-to-day routine operations;
  ◦ are immediate (or very short-term);
  ◦ are basically concerned with control rather than planning;
  ◦ have a low level of risk/uncertainty (as they are derived from set
    rules and procedures);
  ◦ are often repetitive;
  ◦ can easily be programmed;
  ◦ use internal information; and
  ◦ follow rules set by tactical decision-making.


Solution 3—Event Identification
• Establishing or purchasing an event inventory. Basically detailed
  listings of potential events common to entities in a particular industry
  developed through past experience (e.g. events related to the project
  management in the construction industry).
• Internal analysis—interviews with experienced managers,
  brainstorming, scenario analysis, internal audit reports, regulator
  reports, incident investigation and analysis, key event feedback to
  managers, checklist analysis.
• External analysis and monitoring—external advisers/consultants/
  lobbyists, market research, survey reports, industry benchmarking,
  tracking competitors, legal changes, economic changes, political
  changes, social trend analysis, emerging technologies, stakeholder
  analysis and feedback.
• Facilitated workshops—brainstorming, questionnaires, what-if scenarios.
• Leading event indicators—the monitoring of key procedures and
  processes (e.g. reports, variance analysis, checklists, electronic
  tracing) to enable identification of events (e.g. late schedule
  repayments indicating possible default or increase in maintenance
  costs indicating possible breakdown of equipment).
• Business studies—internal/external influences.
• Process flow analysis—fully map a process (e.g. manufacture of
  motor vehicles) identifying the complete sets of inputs, tasks,
  responsibilities and outputs. Consider the internal and external
  factors that affect inputs or activities in the process and identify
  events that could affect the achievement of the process objectives.
• Trends and root causes—use data sets and data mining to identify
  trends and potential causes. Once a root cause has been identified,
  this is the event to be sorted.
• Hazard and operability studies (HAZOP)—a methodology for
  identifying and dealing with potential problems in industrial
  processes, particularly those which would create a hazardous
  situation or a severe impairment of the process.

Solution 4—Objectivity
1. The closure of a factory will cost $1m—objective impact
measurement as the costs of closure can be measured with
reasonable certainty (e.g. redundancy, impairment to assets,
cancellation of contracts).
2. Failure to meet a delivery deadline will result in the loss of
the client—depends on known facts about the client and the
effect on that client of failing to meet the deadline. If this is a
general statement it is subjective. If already threatened by the
client it is an objective impact.
3. A nuclear accident will occur this year in the UK—subjective
likelihood. A nuclear accident may be military, civilian, in
a power station or a research laboratory. May be minor or
major—many "may be" thus subjective.
4. Revolution in the Middle East will result in the closure of our
business of selling clothes to the general public—subjective.
Location and final outcome are unknown. The product is one
that is highly unlikely to be affected by political factors, but
may be (for an unknown length of time) by economic factors.
5. There is a 25% chance that global warming will result in a
50% increase of sales—subjective. On what data can such
assumptions be made?



Solution 5—Stakeholder Risk
| Stakeholder | Impact of Risk |
|---|---|
| Shareholder | Decrease in wealth through lower share price and dividend income. Potential for takeover or liquidation. |
| Directors | Loss of reputation, loss of compensation related to performance, criminal or civil proceedings if risk event was caused by a direct result of their illegal actions (e.g. bribery, fraud, money laundering). |
| Managers | As above plus loss of promotion possibilities. In addition they may become demotivated due to poor performance of the business unit or function in which they work. May result in further risk as manager pursues own interests or seeks employment elsewhere. |
| Employees | Similar to above. May be higher exposure to health and safety issues. For all employees, ultimate impact will be loss of employment. |
| Customers | Possible impacts include loss of after-sales service, warranties, lower quality of goods and service, loss of supplier. |
| Suppliers | Loss of contract to supply customer, potential bad debts, need to extend credit terms (effect on cash flows), lawsuit from customer. |
| Government | Possible effects include loss of tax revenue (profits, VAT and employee), increase in economic support to the entity, statutory redundancy payments and increase in unemployment benefits (both direct and indirect through the multiplier-effect on suppliers and customers). |
| Banks | Bad debt risk (non-payment of loan and interest), reduced value of collateral (may result in margin calls, for example). In some cases may increase the entity's requirement for capital. |
