RISK MANAGEMENT

Michelle_Michy
Lecture4-Riskmanagement.pptx

BM7037-15: Corporate Governance, Ethics & Risk Management

Risk Management

(There are internet links in this presentation that you should explore.)

Learning outcomes

At the end of the lecture, you’ll be able to:

Critically define ‘risk’ and distinguish it from related concepts

Critically explore a given organisation’s risk appetite

Evaluate an organisation’s risk management processes against best practice

Critically explore interrelationships between risk management and corporate governance

What is risk?

“Uncertainty of outcome, whether positive opportunity or negative threat, of actions and events”

(HM Treasury, ‘The Orange Book’, 2004, p.9)

“An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.”

(PRINCE2 2017, p.120)

“An unrealised future loss arising from a present action or inaction”

(Kaplan)

1️⃣

What is risk?

Is:

Uncertain – not, then, a known outcome (a known negative outcome is a ‘dis-benefit’ in PRINCE2, not a risk)

Uncertain – in that we might never recognise it as a risk at all (particularly if we don’t look for it)

Uncertain – and we might try to measure its probability

Impactful – whether that’s minimal, moderate, or severe

Impactful – in one or several respects: Strategic, operational, etc.

Possibly beneficial, known as ‘upside risk’ (unless we follow Kaplan’s loss-only definition)

As it can be terminal (think Carillion) but can also give a competitive advantage, it should not be overlooked by management.

Risk ‘appetite’

You go to a casino. Would you rather:

Wager £10 to possibly win £100?

or

Wager £100 to possibly win £10,000?

or

Do neither, and keep your money?

2️⃣

Risk ‘appetite’

Investments are often expressed in terms of risk and reward.

Organisations also sit somewhere on this continuum from risk-seeking to risk-averse.

Risk ‘appetite’

All organisations have a risk appetite, however:

They may not be consciously aware of it

It may not be expressed/articulated anywhere

It may not be known across the organisation

It may not inform decision-making (consistently, across the organisation)

See COSO Report (2014)

Risk ‘appetite’

Q

Try to think of 2 types of firm:

One which is high-risk-taking and one which is low-risk-taking.

Why do they take this approach?

Risk management

There are lots of risk management models. They all broadly include the same elements:

Risk…

Identification

Assessment (probability/impact)

Planning (responses)

Implementation and monitoring (responsibilities)

This process is cyclical.

Risk-related activities should be recorded, including lessons.

3️⃣

Risk management: 1/4 Identification

‘Risk workshop’: Brainstorming.

Also: Previous lessons, checklists, prompt-lists, breakdown structures

External auditing can help – a fresh view

(Can be compulsory; think SOX)

Risk management: 1/4 Identification

Risks can be classified:

Business or operational: relating to activities carried out within an entity, arising from structure, systems, people, products or processes.

Country: associated with undertaking transactions with, or holding assets in, a particular country. The risk might be political or economic, or stem from regulatory instability; examples include overseas taxation, restrictions on repatriation of profits, nationalisation and currency instability.

Environmental: these risks may arise from political, economic, socio-cultural, technological, environmental and legal (PESTEL) changes.

Risk management: 1/4 Identification

Risks can be classified…continued:

Financial: relating to the financial operations of an entity and includes:

credit risk: a loss may occur from the failure of another party to perform according to the terms of a contract

currency risk: the value of a financial instrument could fluctuate due to changes in foreign exchange rates

interest rate risk: interest rate changes could affect the financial well being of an entity

liquidity (or funding) risk: an entity may encounter difficulty in realising assets or otherwise raising funds to meet financial commitments.

Reputational: this is damage to an entity's reputation as a result of failure to manage other risks.

Strategic: risks stemming from the entity’s strategy itself, which pose the greatest threat to achieving that strategy.

Risk management: 2/4 Assessment

Needs to be assessed against the firm’s risk appetite

Often, a ‘heat map’ is used…see HBR article

BUT these have received criticism for:

Subjectivity

Error of symmetry

Risk aversion

Category prioritization reversal

Take your time to get your understanding of these right
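As an added illustration (not part of the lecture or the HBR article it points to), the Python below scores a constructed four-entry register two ways: by ordinal heat-map cell (probability score × impact score) and by monetary expected loss from representative band values. The band values, the four risks, the £200k appetite tolerance and the helper names are assumptions made for this example. It shows two risks the heat map treats as identical whose expected losses differ more than thirtyfold, and a risk the heat map ranks higher than another whose expected loss is far larger.

```python
"""Ordinal heat-map scoring versus monetary expected loss.

Added illustration, not from the lecture or the HBR article: the scale
mappings and the four register entries below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed 1-5 scales. Probability bands are representative annual
# likelihoods; impact bands grow roughly tenfold per step, as they often do in
# practice, which is exactly what an ordinal product hides.
PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.65, 5: 0.90}
IMPACT_GBP = {1: 10_000, 2: 50_000, 3: 250_000, 4: 1_000_000, 5: 10_000_000}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # ordinal 1-5
    impact: int       # ordinal 1-5

    def heat_map_score(self) -> int:
        """Cell value on a 5x5 heat map: probability score times impact score."""
        return self.probability * self.impact

    def expected_loss(self) -> float:
        """Annualised expected loss in GBP using the representative band values."""
        return PROBABILITY[self.probability] * IMPACT_GBP[self.impact]


# Constructed register entries, typical of an information-security register.
REGISTER = [
    Risk("Phishing leads to a single account takeover", probability=5, impact=2),
    Risk("Ransomware encrypts the ERP estate", probability=2, impact=5),
    Risk("Unencrypted laptop lost in transit", probability=4, impact=3),
    Risk("Critical SaaS vendor multi-day outage", probability=3, impact=4),
]


def rank_by_heat_map(register):
    """Highest heat-map cell first; ties keep register order (sort is stable)."""
    return sorted(register, key=lambda r: r.heat_map_score(), reverse=True)


def rank_by_expected_loss(register):
    """Largest expected loss first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def symmetric_pairs(register):
    """Pairs of risks the heat map treats as identical (same cell) although
    their expected losses differ: one concrete form of the symmetry criticism."""
    pairs = []
    for i, a in enumerate(register):
        for b in register[i + 1:]:
            if a.heat_map_score() == b.heat_map_score() and a.expected_loss() != b.expected_loss():
                pairs.append((a, b))
    return pairs


def prioritisation_reversals(register):
    """Ordered pairs (a, b) where the heat map ranks a strictly above b while
    expected loss ranks b above a."""
    return [
        (a, b)
        for a in register
        for b in register
        if a.heat_map_score() > b.heat_map_score() and a.expected_loss() < b.expected_loss()
    ]


def exceeds_appetite(risk, tolerance_gbp):
    """Assessment against a stated appetite: a per-risk expected-loss tolerance
    (constructed figure) above which 'accept' is not an available response."""
    return risk.expected_loss() > tolerance_gbp


if __name__ == "__main__":
    print("Heat-map order:     ", [r.name for r in rank_by_heat_map(REGISTER)])
    print("Expected-loss order:", [r.name for r in rank_by_expected_loss(REGISTER)])
    for a, b in prioritisation_reversals(REGISTER):
        print(f"reversal: '{a.name}' (cell {a.heat_map_score()}, EL £{a.expected_loss():,.0f}) "
              f"ranked above '{b.name}' (cell {b.heat_map_score()}, EL £{b.expected_loss():,.0f})")
    for r in REGISTER:
        print(f"{r.name}: {'outside' if exceeds_appetite(r, 200_000) else 'within'} appetite")
```

Run stand-alone, the heat map puts the lost laptop and the vendor outage (cell 12) above the ransomware risk (cell 10), while expected loss puts ransomware first by a wide margin; the phishing and ransomware risks share a cell but differ in expected loss by a factor of about 33. The point for a practitioner is not that expected loss is the right answer either (it ignores variance and the appetite for tail events), but that the ordinal product should be checked against the underlying scales before it drives prioritisation.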

Risk management: 3/4 Planning

Answers the question: How do we respond to this risk?

- Can be a response now or if/when it happens

- Might involve a cost

- Also records who is responsible for monitoring the response (if it is not a ‘now’ response) and who implements it, which may be a different person

Risk management: 3/4 Planning

(Back to risk management models…)

Responses can include:

Avoid/exploit

Reduce/enhance

Transfer

Share

Accept

Prepare contingency plans…see also ‘TARA’

For explanations of these, see p.132 of PRINCE2 manual

Risk management: 4/4 Implement

Simply a matter of putting the plans into practice

Might be based on an organisation-, entity-, department- or project-wide strategy/standard/approach/plan

Most organisations of any size will have, as a minimum, a strategy, identified persons responsible, and a risk register to record all of this

…insurance providers may also insist on such things, of course

Risk and Governance

Boards are ultimately responsible for organisations, and so are responsible for risk:

Including clarifying/setting/‘enforcing’ the ‘appetite’; and

Controlling risks within tolerances

Often there is a ‘risk committee’ of the board, but sometimes combined with audit (e.g. BT PLC). Main roles:

Raising risk awareness

Establishing policies for risk management

Processes for identifying, reporting and monitoring risk

Reporting to the Board, recommending changes to the risk appetite as appropriate

4️⃣

Risk and Governance

Risk managers:

Usually members of the risk committee

Focus on implementation of risk management policies

Report to, and are supported and monitored by, the risk committee

Have an operational emphasis

Risk management only works in an organisation if it is part of the culture and the day-to-day: included in job descriptions, backed by proper internal control, and embraced and supported by senior management and the board.

Section 4 of the UK Corporate Governance Code (UKCGC) is titled ‘Audit, Risk and Internal Control’

Other things to explore

ERM – Enterprise Risk Management

ALARP – As Low As Reasonably Practicable

Questions?