Risk Management

Uploaded by

Tricky Treat
2024/07/03

RISK MANAGEMENT

LEARNING OUTCOMES

• Explain the concept of risk
• Explain the process of risk management
• Evaluate an organisation’s risk management programme
• Identify actions an organisation can implement to manage risks


INTRODUCTION

Risk comes from not knowing what you are doing.
– Warren Buffett

• Rapid changes in an organisational environment lead to a higher exposure to various types of risks than before.
• Aim of this chapter:
  • First part – to explore organisational risk and the management of risk.
  • Second part – corporate governance and the application of corporate governance on the risk management process.
  • Third part – corporate governance and organisational strategy.

THE CONCEPT OF RISK


• CIMA Official Terminology (2005):
  • ‘Risk is a condition in which there exists a quantifiable dispersion in the possible outcomes from any activity.’
• The International Federation of Accountants (1999) defines risk as:
  • “Uncertain future events which could influence the achievement of the organisation’s strategic, operational and financial objectives.”
• King IV Report:
  • Risk is about the uncertainty of events as well as the likelihood that such events will occur.
  • Included in this definition of risk is the effect of the risk, both positive and negative, on the achievement of the organisation’s objectives.


TYPES OF RISK

External risk
• Independent of the business as well as outside of the control of the organisation.
• Caused by the industry environment as well as macro-environmental risks, for example the overall economic climate.
• Implementation of internal controls will not necessarily reduce or mitigate these risks.

Versus

Internal risk
• Inherent to the business environment that an organisation creates itself.
• Can be reduced by internal controls implemented by the organisation.

ORGANISATIONAL RISK IS MADE UP OF THE FOLLOWING FIVE MAIN TYPES OF RISK

1. Strategic risk
• External risk that can result in the organisation’s business plan becoming outdated due to factors such as technological changes, new competitors or changes in customer preferences.

2. Compliance risk
• External risk when an organisation does not comply with all relevant laws and regulations, leading to penalties or even the business closing down.

3. Operational risk
• Internal risk an organisation faces as a result of an unexpected failure in an organisation’s day-to-day activities due to technical failure or human error.


4. Financial risk
• Either internal or external risk that impacts the flow of money to and from the organisation. It is the risk that an organisation may suffer significant financial loss.

5. Reputational risk
• External risk which is dependent on the public’s view of the organisation.
• Risk that an organisation’s reputation might be damaged, which could lead to a loss of customer goodwill, demoralised employees and eventually great financial loss for the organisation.

RISK APPETITE VS RISK TOLERANCE

Risk appetite
• The organisation’s tendency to take appropriate levels of risk.
• The amount and type of risk an organisation will be willing to take.
• Dependent on the organisation’s strategic objectives.
• Will be clearly stated in an organisation’s risk appetite statement in the organisation’s Enterprise Risk Management (“ERM”) Framework.

Risk tolerance
• The risk that the organisation can actually cope with.
• Includes the amount of potential loss that the organisation can endure and still keep on functioning as it should.


IDENTIFYING AND ASSESSING RISK

• In order to identify the risks, the industry in which the organisation operates must be fully understood and analysed, and the different types of risk must be kept in mind.
  • Analysis of external environment leads to identification of external risk.
  • Analysis of internal environment leads to identification of internal risk.
• It is not only important to identify the risk – the risk must also be assessed.
• Whether this risk will be acceptable for the organisation, or the extent of actions the organisation will take in reaction to the risk, will depend on the organisation’s risk appetite.

THE RISK MANAGEMENT PROCESS


1. Identify the risks
• Keep in mind the five different types of risk and their possible outcomes.
• Identify the potential occurrences that might lead to a loss and add to the organisation’s risk register.


2. Analyse the identified risks
• The risk register should describe the likelihood of each risk occurring and the consequences of each possible risk.
• The nature of each risk should be fully understood.


3. Evaluate the risks
• The likelihood and consequences of each risk are measured against the organisation’s risk appetite and tolerance.
• Evaluate the impact: what will be the loss to the organisation?
• Rank the risks in the risk register based on either likelihood or impact.


4. Respond to the risks
• The highest ranked risks should be considered and a plan should be formulated to mitigate these risks to an acceptable level.
• The plan must include ways of minimising the negative impact of risks on the business as well as ways in which the possible opportunities arising from these risks can be optimised.
• The plan of action must be added to the risk register.


5. Monitor the risks and review the outcomes
• The risk register that was prepared during the first four steps is applied to monitor the risks that are occurring and to review the outcome of each risk.


EVALUATING THE ORGANISATION’S RISK MANAGEMENT PROGRAMME

• The risk management process must be supported by sufficient policies, procedures, processes and reporting mechanisms to enable the organisation to effectively apply the process.
• An effective programme will enable the organisation to respond effectively and timeously to any significant change in the environment.
• The policies and procedures must be consistent with the organisation’s stated mission and objectives that form part of its strategy.
• The final measure of the effectiveness of an organisation’s risk management programme lies in the effectiveness with which an organisation’s risks can be managed.


RESPONSE TOWARDS ORGANISATIONAL RISK

The following methods can be applied to manage the risks identified in the risk management process:
• Avoid
• Transfer
• Mitigate
• Diversify
• Accept


1. Avoid
• Means not taking on the new project or expansion.
• It also means the organisation will forgo the opportunity associated with the risk.
• However, it is not possible to avoid all risks; the organisation will have to apply other methods to manage risks.


2. Transfer
• The organisation may transfer the responsibility for the risk to another party.
• Can be complete or partial transfer.
• Examples include taking out an insurance policy, outsourcing the function, engaging in a joint venture or entering into a partnership with another party.


3. Mitigation
• Is either trying to reduce the likelihood of the risk occurring or reducing the impact if the risk does occur.
• Likelihood of a risk occurring can be reduced by applying quality control procedures, auditing or training.
• Reducing the impact can be accomplished through adequate management of public relations and proper emergency procedures.


4. Diversification
• Means “not keeping all your eggs in one basket”.
• Meaning the organisation can invest in various markets in different segments of the economy.


5. Acceptance
• If risk cannot be avoided, transferred, diversified or mitigated, the risk can be accepted.
• Some risks are too unlikely to occur for the organisation to spend any money on addressing them.
• There should still, however, be an incident response plan or recovery plan to prepare the organisation for dealing with the consequences should those risks occur.
