7.

Assessing & Managing Risk

Risk, Stakeholders and Culture

Risk definitions
Types of Risks in Business
q Strategic Risk – possible consequences of strategic decisions
q Market Risks q Operational Risks – potential losses that might arise in
q Product Risk business operations.
q Commodity Price Risk
q Product Reputation Risk (Eg: TATA Nano)
q Credit Risk Business Risk further categorized by:
q Currency Risk
q Interest Rate Risk q Generic: affects all business
q Political Risk q Specific : affects individual business
q Legal or Litigation Risk
q Regulatory Risk
Correlation between Risk
q Compliance Risk
q Technological Risk q Positive Correlation– means move in the
q Environmental Risk same direction. Eg. Environmental risk and
q Health & Safety Risk reputation risk.
q Business Probity Risk – related with governance q Negative Correlation – means move in
and ethics of the organization opposite direction. Eg. Huge investment in
q Derivate Risk Environmental Equipment means increased
q Entrepreneurial Risk – associated with new financial risk and decreased environmental
business or venture damage risk.
q Financial Risk – Gearing Risk or Liquidity Risk
Types of Risk

Business Risks
§ Risk arising from an adverse event or
(accident/natural disaster)
§ Risks arising from financial factors (financial risk).
Ø the volatility of earnings due to the financial policies of a business.
Ø Long-term financial risks are mainly caused by the structure of
finance; the mix of equity and debt capital
Ø Short-term financial risk may include
ü Interest rate risk
ü Currency risk
ü Credit risk
ü Liquidity risk

4
Types of Risk

Non-Business Risks
§ Political risk – the risk of government action which damages
shareholder wealth (eg exchange control regulations could
be applied that may affect the ability of the subsidiary to
remit profits to the parent company).
§ Economic risk – for example the risk of a downturn in the
economy.
§ Fiscal risk – including changes in tax policies which harm
shareholder wealth.
§ Operational risk – human error, breakdowns in internal
procedures and systems.
§ Reputational risk – damage to an organisation's reputation
can result in lost revenues or significant reductions in
shareholder value.

v Business risks also includes some operational risks.

v Business risk is a mixture of systematic and unsystematic risk.

5
Test Your Understanding 1
Test Your Understanding 3
Which of the following would normally be classified A company has performed a SWOT analysis and has
as an operational risk? identified two main threats:
A. The risk that a new product will fail - New legislation covering one their products; and
B. The risk of competitors cutting costs by - The bank asking for their loan to be repaid
manufacturing overseas immediately since the company failed to pay most
C. The loss of experienced supervisor recent installment.
D. Raw materials being wasted during the A. Financial Risk
production process due to untrained staff B. Political Risk
C. Reputation Risk
D. Economic Risk
Test Your Understanding 2
During the work on Worldcom and Enron, Arthur
Anderson (Chartered Accountants) failed to identify
serious irregularities in these companies. This led to
their demise. This was due to:
A. Business Risk
B. Political Risk
C. Environmental Risk
D. Reputation Risk
Risk, Stakeholders and Culture

To generate higher returns a business may have

to take more risk in order to be competitive.
§ Conversely, not accepting risk tends to make
a business less dynamic, and implies a
‘follow the leader’ strategy.
§ Incurring risk also implies that the returns
from different activities will be higher –
‘benefit’ being the return for accepting risk.
§ Benefits can be financial – decreased costs,
or intangible – better quality information.
§ In both cases, these will lead to the business
being able to gain competitive advantage.
Risk, Stakeholders and Culture

Understanding Stakeholder response to Risk

q The risk is something that we concern about.

q But the return that organization is expecting is possible only when it is ready to assume some kind
of risks.
q Thus, stakeholders´ group do not want to eliminate risk for an organization at all.
q They could have different attitude to different types of risks therefore stakeholders like
shareholders, customers, employees, governments all have an influence on the company’s
strategy.
Embedding Risks in Organization’s Culture and Values
Risk Management Process

Approach to Risk Management Process

1. Set Responsibilities
2. Set Risk Appetite
3. Identify risks
4. Assess Risks
5. Respond to risks
6. Monitor and review the process and adapt
if necessary
7. Start again

§ Risk management is therefore the process of reducing

the possibility of adverse consequences either by
reducing the likelihood of an event or its impact, or
taking advantage of the upside risk.
§ Management are responsible for establishing a risk
Management system in an organisation.
Risk Management Process
The Task of the Risk Committee
1. Set Responsibilities
v The Board has overall accountability for
risk management as a part of its Corporate
Governance responsibilities.
v The Board can delegate its responsibilities
to separate line manager or a separate risk
committee.

Risk Committee
v Set up by the Board
v Consist members of the Board
v The responsibility of risk management shall
be taken up by the audit committee in the
absence of risk committee.
Risk Management Process
1. Set Responsibilities…..
Risk Manager
Risk managers or analysts
ü specialize in identifying potential causes of accidents or
loss,
ü recommending and implementing preventive
measures, and
ü devising plans to minimize costs and damage
ü should a loss occur, including the purchase of insurance

Risk manager responsibilities as per COSO:

v Leadership of the enterprise risk management
v Establishing and promoting enterprise risk management
v Developing common risk management policies
v Establishing a common risk language
v Dealing with insurance companies
v Implementing risk indicators
v Allocations of resources based on risk
v Reporting to CEO/Board/Risk Committee as appropriate
2. Risk Appetite

v Different business will have different attitudes towards Factors influencing risk appetite
taking risks. Risk appetite normally depends on risk v Personal views of individuals who vary in their
attitude of management and risk capacity of attitudes
organization. v Response to shareholders demand
v Risk-averse businesses may be willing to tolerate risk up v Organizational influences – size, structure and
to a point provided they receive a acceptable return. stage of the development of the organization
v Risk-seeking businesses are likely to focus on v National influences
maximizing returns without worrying about the level of
risks.
Test Your Understanding 4
The amount of risk an organization is willing to accept in
the pursuit of value is known as their:
A. Risk map
B. Risk appetite
C. Risk Culture
D. Risk thermostat
3. Identify Risk Risk Factors – that could impact the successful implementation
Risk Identification is a continuous and iterative of the strategy or the achievement of the firm’s objective.
process. Identification of key risks will help to
evaluate their impact on organizations or
projects.
Methods of identifying risk may be:
Ø Brainstorming and workshops
Ø Stakeholder consultation
Ø Benchmarking
Ø Scenario analysis
Ø Results of audits and inspections
Ø Use of standard checklists
3. Identify Risk……
Strategic Risk & Operational Risk
3. Identify Risk……
Risk Register
Once risks are identified, described, estimated through
using one or other quantitative or qualitative
technique, and mapped according to their likelihood
and consequence, many organizations record their risks
in a Risk Register.
This may contain as much information as may be
considered useful for monitoring purposes. Examples of
data to be included in a risk register are:
v Risk number
v Risk Title
v Risk category
v Description of risk
v Date risk identified
v Name of person who identified risk
v Likelihood
v Consequences
v A monetary value, if such can be allocated to the risk
v Interdependencies with other risks.
4. Assess Risks
Risk assessment can be done through various Risk Maps
methods: Qualitative techniques visualizing risk mapping.
Risk quantification- calculate possible results or losses A Risk Map or Heat Map can be drawn, as a chart or graph,
and add on distributions and confidence limits, value using risks from a risk register and each series of risks can be
at risk, regression analysis, scenario planning, decision plotted on this map in order to decide on the best way to
trees, etc. manage them.
Risk rating – prioritizing in terms of likelihood and It is a chart with one scale for severity or impact of loss and
impact other scale for frequency or likelihood.
Sensitivity Analysis – "what-if" or simulation analysis
and is a way to predict the outcome of a decision given
a certain range of variables.
Expected Values – EV of loss = probability of loss
*impact or size of potential loss
EV = ∑PX where, p= probability of outcome occurring, x
= value of outcome
Accounting ratios – Debt ratios, gearing ratios, cash
flow ratio, liquidity ratios

Subjectivity
One problem with risk quantification is its subjectivity.
Example tossing of coin and getting head is objective
assessment but estimating the impact of risk of an
accident is heavily influenced by subjectivity.
5. Respond to Risk – TARA (4Ts)
Organization will consider following approaches
for the following combinations:
q Risk Transfer – low likelihood but high
impact. Eg: earthquake, fire, etc.
q Risk Avoidance/Terminate – high likelihood
and high impact. Eg: activity that causes loss
of specialist staff.
q Risk Reduction/Treat – high likelihood and
low impact. Eg: activity that causes loss of
lower level staff.
q Risk Acceptance/Tolerate – low likelihood
and low impact. Eg: activity that causes loss
of insignificant suppliers.

Test your Understanding 5

The death of, or serious injury to, a member of staff at work best fit which category on a risk map?
A. High likelihood, low consequence
B. High likelihood, low consequence
C. Low likelihood, high consequence
D. High likelihood, high consequence
5. Respond to Risk …….
Risk management process helps organization to
prioritize the risks but not cannot eliminate them
altogether.
Usually Gross Risks (risks without mitigation) and
Residual Risks (risk that remain once management
response to risk is give) are compared to assess
how effective such risk response action has been.

ALARP
Many risk cannot be avoided. However, they have to be
reduced to an acceptable level by incurring the costs of risk
mitigation like issuing safety equipment, hats, protective
glasses, etc.
The level of risk mitigation is a trade off between cost and the
assessment derived from the risk’s likelihood and impact.
The approach is sometimes termed as ALARP – as low as
reasonable practicable

Diversifying Risks
Managing portfolio of assets which may be positively or
negatively correlated or through forward or backward
integration or diversification in terms of product or market
(Ansof matrix).
6. Risk Monitoring
Review the process – wherein organization
Frequency of Review
might ask the following questions when
Normally an annual review can be done as a best practice of
assessing whether they managed risks well
governance.
enough or if there was something they could
However, considering the dynamic nature of risks like
have done differently:
terrorist attack or periodic economic uncertainty, review
may occur more frequently.
Frequency of review may varies in relation to size, structure
and development of an organization.

Adapt if necessary
If any improvements are identified during the review
process, the system of risk management should be updated
as soon as possible.

7. Start Again
The Process of risk management can begin again and will
continue to run in its course until the next iteration is
complete.
Risks don’t tend to go away so neither should the system for
managing them.
Thank You