Aldersgate College Corporate Governance, Business Ethics, Risk and

School of Business Management and Accountancy Management Internal Control

Module 7: RISK MANAGEMENT

After studying the chapter, you should be able to.

1. Define risk management.

2. Explain briefly the basic principles of risk management.
3. Describe the elements of risk management
4. 5Define the relevant risk terminologies.
5. Describe the potential treatments or approaches in managing risks.
6. Explain the areas of risk management.
7. Describe the steps in the risk management process.
8. Familiarize yourself with the SEC requirements in dealing with enterprise-wide risk management

INTRODUCTION
Effective corporate governance cannot be attained without the organization mastering the art of risk management.
And risk management is recognized as one of the most important competencies needed by the board of directors of
modern organization, large as well as small and medium sized business firms.
The levels of risk faced by business firms have increased because of the fast growing sophistication of organization,
globalization, modern technology and impact of corporate scandals. In addition, therefore to compliance with legal
requirements, top management should consider adequate knowledge of risk management.

RISK MANAGEMENT DEFINED

Risk management is the process of measuring or assessing risk and developing strategies to manage it. Risk
management is a systematic approach in identifying, analyzing and controlling areas or events with a potential for
causing unwanted change. Risk management is the act or practice of controlling risk. It includes risk planning,
assessing risk areas, developing risk handling options, monitoring risks to determine how risks have changed and
documenting overall risk management program.
As defined in the International Organization of Standardization (ISO 31000'. Risk Management is the identification,
assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize,
monitor and control the probability and/or impact of unfortunate events and to maximize the realization of
opportunities.

It is through risk management that risks to any specific program are assessed and systematically managed to reduce
risk to an acceptable level. Risks can come from uncertainty in financial market, project failures, legal liabilities, credit
risks, accidents, natural causes and disasters as well as deliberate attack from adversary or events of uncertain or
unpredictable root- cause.
BASIC PRINCIPLES OF RISK MANAGEMENT

The International Organization of Standardization (ISO) identifies the basic principles of risk management.

Risk management should:

1
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

1. create value — resources spent to mitigate risk should be less than the consequence of inaction, i.e., the
benefits should exceed the costs
2. address uncertainty and assumptions
3. be an integral part of the organizational processes and decision-making
4. be dynamic, iterative, transparent, tailorable, and responsive to change
5. create capability of continual improvement ano enhancement considering the best available information and
human factors

6. be systematic, structured and continually or periodically reassessed PROCESS OF RISK MANAGEMENT

According to the Standard ISO 31000 "Risk management — Principles and Guidelines on Implementation, "the
process of risk management consists of several steps as follows:

1. Establishing the Context. This will involve

a. Identification of risk in a selected domain of interest
b. Planning the remainder of the process.
c. Mapping out the following:
i. the social scope of risk management
ii. the identity and objectives of stakeholders
iii. the basis upon which risks will be evaluated, constraints.
d. Defining a framework for the activity and an agenda for identification'.
e. Developing an analysis of risks involved in the process.
f. Mitigation or Solution of risks using available technological, human and organizational
resources.
2. Identification of potential risks. Risk identification can start with the analysis of the source of problem or with
the analysis of the problem itself. Common risk identification methods are:
a. Objective-based risk
b. Scenario-based risk
c. Taxanomy-based risk
d. Common-risk checking
e. Risk charting

3. Risk assessment. Once risks have been identified, their potential severity of impact and the probability of
occurrence must be assessed. The assessment process is critical to make the best educated decisions in
prioritizing the implementation of the risk management plan.

ELEMENTS OF RISK MANAGEMENT

In practice, the process of assessing overall risks can be difficult, and balancing resources to mitigate between risks
with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence
can often be mishandled. Ideal risk management should minimize spending of manpower or other resources and at
the same time minimizing the negative effect of risks.

For the most part, the performance of assessment methods should consist of the following elements:
1. identification, characterization, and assessment of threats
2. assessment of the vulnerability of critical assets to specific threats
3. determination of the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific

2
 Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

assets)
4. identification of ways to reduce those risks
5. prioritization of risk reduction measures based on a strategy

RELEVANT RISK TERMINOLOGIES

I. Risks Associated With Investments

Although a single risk premium must compensate the investor for all the uncertainty associated with the
investment, numerous factors may contribute to investment uncertainty. The factors usually considered with
respect to investments are
• business risk
• financial risk
• liquidity risk
• default risk
• interest rate risk
• management risk
• purchasing power risk.

BUSINESS RISK

Business risk refers to the uncertainty about the rate of return caused by the nature of the business. The
most frequently discussed causes of business risk are uncertainty about the firm's sales and operating
expenses. Clearly, the firm's sales are not guaranteed and will fluctuate as the economy fluctuates or the
nature of the industry changes. A firm's income is also related to its operating expenses. If all operating
expenses are variable, then sales volatility will be passed directly to operating income. Most firms, however,
have some fixed operating expenses (for example, depreciation, rent, salaries). These fixed expenses
cause the operating income to be more volatile than sales. Business risk is related to sales volatility as well
as to the operating leverage of the firm caused by fixed operating expenses.
DEFAULT RISK

Default risk is related to the probability that some or all of the initial investment will not be returned. The degree of
default risk is closely related to the financial condition of the company issuing the security and the security's rank in
claims on assets in the event of default or bankruptcy. For example, if a bankruptcy occurs, creditors, including
bondholders have a claim on assets prior to the claim of ordinary equity shareholders.
FINANCIAL RISK

The firm's capital structure or sources of financing determine financial risk. If the firm is all equity financed,
then any variability in operating income is passed directly to net income on an equal percentage basis. If the
firm is partially financed by debt that requires fixed interest payments or by preferred share that requires
fixed preferred dividend payments, then these fixed charges introduce financial leverage. This leverage
causes net income to vary more than operating income. The introduction of financial leverage causes the
firm's lenders and its stockholders to view their income streams as having additional uncertainty. As a result
of financial leverage, both investment groups would increase the risk premiums that they require for
investing in the firm.
INTEREST RATE RISK

3
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

Because money has time value, fluctuations in interest rates will cause the value of an investment to
fluctuate also. Although interest rate risk is most commonly associated with bond price movements, rising
interest rates cause bond prices to decline and declining interest rates cause bond prices to rise.
Movements in interest rates affect almost all investment alternatives. For example, as a change in interest
rates will impact the discount rate used to estimate the present value of future cash dividends from ordinary
shares. This change in the discount rate will materially impact the analyst's estimate of the value of a share
of ordinary share.

LIQUIDITY RISK

Liquidity risk is associated with the uncertainty created by the inability to sell the investment quickly for cash. An
investor assumes that the investment can be sold at the expected price when future consumption is planned. As the
investor considers the sale of the investment, he or she faces two uncertainties: (1) What price will be received? (2)
How long will it take to sell the asset? An example of an illiquid asset is a house in a market with an abundance of
homes relative to the number of potential buyers. This investment may not sell for several months or even years. Of
course, if the price is reduced sufficiently, the real estate will sell, but the investor must make a selling price
concession in order for the transaction to occur.
In contrast, a government Treasury bill can be sold almost immediately with very little concession on selling price.
Such an investment can be converted to cash almost at will and for a price very close to the price the investor
expected.
The liquidity risk for ordinary equity shares is more complex. Because they are traded on organized and active
markets, ordinary equity shares can be sold quickly. Some ordinary equity shares, however, have greater liquidity
risk than others due to a thin market. A thin market occurs when there are relatively few shares outstanding and
investor trading interest is limited. The thin market results in a large price spread (the difference between the bid
price buyers are willing to pay and the ask price sellers are willing to accept). A large spread increases the cost of
trading to the investor and thus represents liquidity risk. Investors considering the purchase of illiquid investments —
ones that have no ready market or require price concessions —will demand a rate of return that compensates for the
liquidity risk.

MANAGEMENT RISK

Decisions made by a firm's management and board of directors materially affect the risk faced by investors. Areas
affected by these decisions range from product innovation and production methods (business risk) and financing
(financial risk) to acquisitions. For example, acquisition or acquisition-defense decisions made by the management of
such firms materially affected the risk of the holders of their companies' securities.
PURCHASING POWER RISK

Purchasing power risk is perhaps, more difficult to recognize than the other types of risk. It is easy to observe the
decline in the price of a stock or bond, but it is often more difficult to recognize that the purchasing power of the
return you have earned on an investment has declined (risen) as a result of inflation (deflation). It is important to
remember that an investor expects to be compensated for forgoing consumption today. If an individual is invested in
peso-denominated assets such as bonds, Treasury bills, or savings accounts during the period of inflation, the real or
inflation adjusted rate of return will be less than the nominal or stated rate of return. Thus, inflation erodes the
purchasing power of the peso and increases investor risk.
II. Risks Associated With Manufacturing, Trading And Service Concerns

A. Market Risk

4
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

• Product Risk
o Complexity o Obsolescence o Research and Development o
Packaging o Delivery of Warranties
:
• Competitor Risk
o Pricing Strategy o Market Share o Market
Strategy
B. Operations Risk
• Process Stoppage
• Health and Safety
• After Sales Service Failure
• Environmental
• Technological Obsolescence
• Integrity
o Management Fraud o Employee Fraud o Illegal Acts
C. Financial Risk
• Interest Rates Volatility
• Foreign Currency
• Liquidity
• Derivative
• Viability
D. Business Risk
• Regulatory Change
• Reputation
• Political
• Regulatory and Legal
• Shareholder Relations
• Credit Rating
• Capital Availability
• Business Interruptions

5
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

III. Risks Associated with Financial Institutions

Financial Non-Financial
• Liquidity Risk • Operational Risk
• Market Risk o Systems
o Currency
* Information Processing
o Equity ■ Technology
o Commodity o Customer satisfaction
• Credit Risk o Human Resources
o Counterparty o Fraud and illegal acts
o Trading o Bankruptcy
o Commercial • Regulatory Risk
■ Loans o Capital Adequacy
■ Guarantees o Compliance
• Market Liquidity Risk o Taxation
o Currency Rates o Changing laws and policies
o Interest Rates • Environment Risk
o Bond and Equity Prices o Politics
• Hedged Positions Risk o Natural disasters
• Portfolio Exposure Risk o War
• Derivative Risk o Terrorism
• Accounting Information Risk • Integrity Risk
o Completeness o Reputation
o Accuracy • Leadership Risk
• Financial Reporting Risk o Turnover
o Adequacy o Succession
o Completeness

POTENTIAL RISK TREATMENTS

ISO 31000 also suggests that once risks have been identified and assessed, techniques to manage the risks should
be applied. These techniques can fall into one or more of these four categories:
• Avoidance
• Reduction
• Sharing
• Retention

Risk Avoidance
This includes performing an activity that could carry risk. An example would be not buying a property or
business in order not to take on the legal liability that comes with it. Avoiding risks, however, also means losing
out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid
the risk of loss also avoids the possibility of earning profits.

Risk Reduction

6
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the loss from
occurring. Optimizing risks means finding a balance between the negative'risk and the benefit of the operation
or activity; and between risk reduction and effort applied. Outsourcing could be an example of risk reduction if
the outsourcer can demonstrate higher capability of managing or reducing risks.

Risk Sharing
Risk sharing means sharing with another party the burden of loss or the benefit of gain, from a risk, and the
measures to reduce a risk.

Risk Retention
Risk retention involves accepting the loss dr benefit of gain from a risk when it occurs. Self insurance falls in this
category. All risks that are not avoided are transferred or retained by default. Also, any amounts of potential loss over
the amount insured is retained risk. This is acceptable if the chance of a very large loss is small or if the cost to
insure for greater coverage involves a substantial amount that could hinder the goals of the organization.
AREAS OF RISK MANAGEMENT
As applied to corporate finance, risk management is the technique for measuring, monitoring and controlling the
financial or operational risk on a firm's balance sheet.

The Basel II framework breaks risks into market risk (price risk), credit risk and operational risk and also specifies
methods for calculating capital requirements for each of these components.

The most commonly encountered areas of risk management include

1. Enterprise risk management
2. Risk management activities as applied to project management
3. Risk management for megaprojects
4. Risk management of information technology
5. Risk management techniques in petroleum and natural gas

SEC Requirement Relative to Enterprise Risk Management of Publicly- Listed Corporation

SEC Code of Governance Recommendations 2.11 and corresponding explanation provide the following
“The Board should oversee that a sound enterprise risk management (ERM) framework is in place to
effectively identify, monitor, assess and manage key business risks. The risk management framework should
guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the
effectiveness of risk management strategies.
Risk management policy is part and parcel of a corporation’s corporate strategy. The Board is responsible
for defining the company’s level of risk tolerance and providing oversight over its risk management policies
and procedures. ”

Principle 12 which deals with strengthening the Internal Control System and Enterprise Risk Management
Framework states that

“To ensure the integrity, transparency and proper governance in the conduct of its affairs, the company should
have a strong and effective internal control system and enterprise risk management framework.”

7
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

RISK MANAGEMENT FRAMEWORK

The Board should oversee that a sound enterprise risk management (ERM) framework is in place to effectively
identify, monitor, assess and manage key business risks. The risk management framework should guide the Board in
identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management
strategies.
Subject to a corporation’s size, risk profile and complexity of operations, the Board should establish a separate Board
Risk Oversight Committee (BROC) that should be responsible for the oversight of a company’s Enterprise Risk
Management system to ensure its functionality and effectiveness. The BROC should be composed of at least three
members, the majority of whom should be independent directors, including the Chairman. The Chairman should not
be the Chairman of the Board or of any other committee. At least one member of the committee must have relevant
thorough knowledge and experience on risk and risk management.
Subject to its size, risk profile and complexity of operations, the company should have a separate risk management
function to identify, assess and monitor key risk exposures.

STEPS IN THE RISK MANAGEMENT PROCESS

To enhance management's competence in their oversight role on risk management the following steps may be
followed:

1. Set up a separate risk management committee chaired by a board member.

• Creation of a risk management committee as board level will demonstrate the firm's commitment to
adopt an integrated company-wide risk management system

2. Ensure that a formal comprehensive risk-management system is in place.

• This fully documented formal system will provide a clear vision of the board's desire for an effective
company-wide risk management as well as awareness of the risks, internal and external, that the
company faces.

3. Assess whether the formal system possesses the necessary elements.

• The key elements that the company-wide risk management system should possess are
a) goals and objectives
b) risk language identification
c) organization structure and
d) the risk management process documentation.
• The risk organizational structure should include formal charters, levels of authorization reporting lines
and job description.
• The risk management process shall include the following steps:
a) Assessment risks: Identification; Determination of their source,
b) Development actions plans: Reduce, avoid, retain, transfer or exploit
c) Implementation of action plans
d) Monitoring and reporting risk management performance.
e) Continuous improvement risk management
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the
business firm.
• Risk assessment step which includes risks identification and

8
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

determination of their sources and measurement, represents the foundation for the rest of the
procedures. This step is performed by responsible managers,i.e., finance officers, production
managers marketing managers and human resource managers.
• This process culminates in the presentation of the risk profile or risk map to the board of directors.

5. Assess if management has developed and implemented the suitable risk management strategies and evaluate
their effectiveness.
• The risk profile highlights all the significant possible risks identified, prioritized and measured by the
risk management system.
• Strategies are developed to manage and resolve these identified
risks. These will include the process, people, management
feedback methodologies and systems.
• Strategies may include avoidance, reduction, transfer,
exploitation and retention of risks.
6. Evaluate if management has designed and implemented risk management capabilities.

• Directors must continue to monitor and assess if management has been implementing designed risk
management capabilities.
• Risk management capabilities include processes, people, reports,
methodologies and technologies needed. These components should be complete, and aligned
for the risk management
structure to function effectively.
7. Assess management's efforts to monitor overall company risk management performance and to improve
continuously the firm's capabilities.

• Risk management performance must be monitored on a continuing basis and organization must
be ready to innovate their approaches to be in line with the changing lines.
• Monitoring is done by all concerned parties such as senior managers, process owners and risk
owners.
• An independent reviewer can also be appointed to validate results.

8. See to it that best practices as well as mistakes are shared by all. • This involves regular communication of
results and feedbacks to all concerned.

• These should be an open communication channel to ensure that all risk management participant
particularly senior management, are informed of risk incidents or threat of risk incident. This will go
a long way towards attaining the company's risk management vision.

9. Assess regularly the level of sophistication of the firm's risk management system.

• Hire experts when needed.

Post Test:

1. What is “Risk Management”?

2. What is the basic approach in managing risks?

9
Aldersgate College Corporate Governance, Business Ethics, Risk and
School of Business Management and Accountancy Management Internal Control

3. How does ISO 31000 define “Risk Management”?

4. What are the basic principles of risk management?

5. Enumerate the steps in the ISO 31000 risk management process?

6. What are the elements of the risk management process?

7. What are the key elements that the company-wide risk management system should possess?

Activity/Assignment/Web Search
1. Explain the difference in attitude to risk between European and US Companies.

2. What is the advantage of defining the categories into which risks fall?

3. Explain how the following types of risk catalyst might trigger risk
a. Technology
b. Organizational charge
c. Processes
d. People
e. External factors

4. The typical areas of financial risk include the following except

a. Poor brand management
b. Treasury risks
c. Accounting decisions and practices
d. Fraud

5. What are the stages in managing the enterprise wide risk?

6. What factors should be considered when setting and reviewing financial strategy?

7. What are some of the financial tools that can be applied in making strategic financial decision affecting
profitability?

8. Enumerate and explain at least (7) practical technique to improve profitability.

10