chapter 2 ‘A framework for board consideration of risk is shown below: Formulating a risk management strategy Arisk management strategy needs to be developed to ensure that the risk exposures of the organisation are consistent with its risk appetite, At | the very least, the risk management capability within the organisation should be sufficient to: * review its internal control system, at least annually (and whether it is adequate), * ensure that controls are properly implemented, and | * "monitor the implementation and effectiveness of controls. : | ! | However, the investment by the organisation in risk strategy should be | largely determined by the performance requirements of its business objectives and strategy. BUSINESS STRATEGY What the co} RISK APPETITE How much risk the RISK STRATEGY How risks will be anaged RESIDUAL RISK sk that canni be managed ATTITUDE Overall approach to risk. CAPACITY Maximum risk business can accept. |.“ Risk appetite can be defined as the amount of risk an organisation is willing to accept in pursuit of value, This may be explicit in strategies, Policies and procedures, or it may be implicit, It is determined by: > tisk capacity ~ the amount of risk that the organisation can bear, and = _ tisk attitude — the overall approach to risk, in terms of the board being risk averse or risk seeking The Way that the organisation documents and determines the specific Barts ofits risk strategy will have to link to the business strategy and objectives,k manage 52 + Overall the risk management strategy is concerned with trying to achieve the required business objectives with the lowest possible chance of failure, The tougher the business objectives, however, the more risks will have to be taken to achieve them. * Residual risk is the risk a business faces after its controls have been considered (see later in this chapter for more details). More on risk appetite To bring risk management into line with strategic management, an organisation should define the amount of risk it is prepared to take in the pursuit of its objectives. This willingness to accept risk can be stated in a mixture of quantitative and qualitative terms. For example + The board of directors might state how much capital they would be prepared to invest in the pursuit of a business objective and how much loss they would be willing to face in the event that results turn out badly, | * Risk can also be stated qualitatively, for example in relation to the organisation's reputation In practice, in a large organisation, there will be different levels of risk appetite for different operations or different profit centres/investment centres within the business. Risk appetite factors The factors, or business strategies, which could affect the risk appetite of the board of a company include: Nature of [A high risk of product failure in certain products (e.9. product being aircraft) must be avoided due to the serious manufactured consequences of such an event. This will, out of necessity, limit the risk appetite of the board with regard to these specific products. For other products the risk of failure will be less (e.g. a fizzy drink having [small changes from the normal ingredients — lcustomers may not even notice the difference). Additionally if a business is taking significant risks with part of its product range it may be limited in the risk it can take with other products. Theneedto —_| The strategic need to move into a new market will increase sales _|result in the business accepting a higher degree of risk than trying to increase sales or market share in fan existing market. At that stage the business will lappear to have a higher risk appetiteThe Some board members may accept increased risk background of | personally and this may be reflected in the way they the board manage the company Amount of Operating in a market place with significant change market have to accept a higher degree of risk. For example, change inthe _|(e.g. mobile telephones) will mean that the board | new models of phone have to be available quickly. | [Reputation of _ [if the company has a good reputation then the board the company __ |will accept less risk — as they will not want to lose {that good reputation. a Test your understanding The amount of risk an organisation is willing to accept in the pursuit of value is known as their: Risk map. Risk appetite Risk culture cgoa> Risk thermostat Features of a risk management strategy In a CIMA and IFAC (International Federation of Accountants) joint report in 2004 =~ Enterprise Governance — the following key features of a risk Management strategy were identified: ‘Statement of the organisation's attitude to risk — the balance between risk and the need to achieve objectives. The risk appetite of the organisation. The objectives of the risk management strategy. Culture of the organisation in relation to risk (and the behaviour the organisation expects from individuals with regard to risk-taking). Responsibilities of managers for the application of risk management strategy, Reference should be made to the risk management systems the Company uses (i.e. its internal control systems). Performance criteria should be defined so that the effectiveness of risk Management can be evaluated chapter 2isk management [Ey [Aiatternative risk management process 54 The Institute of Risk Management (IRM) developed a risk management process containing three elements: 1) Risk assessment is composed of the analysis and evaluation of risk through the process of identification, description and estimation. evaluation is used to make decisions about the significance of risks to the organisation and whether each specific risk should be | t | The purpose of risk assessment is to undertake risk evaluation. Risk | accepted or treated. (2) Risk reporting is concerned with regular reports to the board and to stakeholders setting out the organisation's policies in relation to risk and enabling the effective monitoring of those policies. (3) Risk treatment (risk response) is the process of selecting and implementing measures to modify the risk. | Following risk treatment therefore will be residual risk reporting, 3 Identifying, measuring and assessing risks Chapter 1 examined the different types of risks faced by an organisation. It is key, however, that businesses can identify the risks they face and evaluate the effect of the risks on the business. Some risks will be relatively easily borne by businesses, but others will be more difficult and more serious in their implications, Risk identification + The risk identification process will often be controlled by a risk committee or risk management specialists (see later in this chapter) + The risks identified in the process should be recorded in a risk register, which is simply a list of the risks that have been identified, and the measures (if any) that have been taken to control each of them, + There are a variety of methods that can be used by businesses to identify the risks that they face:The risk register is a very important and practical risk management tool that all companies should have these days. It takes several days, if not weeks, to produce, and needs to be reviewed and updated regularly — mainly annually (in conjunction with corporate governance guidelines). The risk register is often laid out in the form of a tabular document with various headings: ( 1), The risk title — stating what the risk might be. (2) The likelihood of the risk — possibly measured numerically if'a scale has been set e.g. 1 is unlikely, 5 is highly likely (3) The impact of the risk should it arise. Again this might be graded from, say, 1 (low impact) to 5 (high impact). The risk owners name will be given — usually a manager or director. The date the risk was identified will be detailed The date the risk was last considered will be given Mitigation actions should be listed i.e. what the company has done pe far to reduce the risk. This might include training, insurance, urther controls added to the system, etc.56 ha (8) An overall risk rating might be given e.g. 12€"10, so that management can immediately see which risks are the ones they should be concentrating on. (9) Further actions to be taken in the future will be listed (if any) (10) The ‘action lead’ name will be detailed i.e. who is responsible for making sure that these future actions are implemented (11)A due date will be stated €” by when the action has to be implemented. (12)A risk level target might be given i.e. a score lower than that given in step 8 above. This might mean that by implementing a control, the tisk rating is expected to lower from, say, 8 to, say 2 (the targetrisk level) For example, using the steps detailed above, one row of a tabulated risk register might show: (1) Loss of personal data i.e. unsecure use of mobile devices could result in personal identifiable information being lost, stolen or unauthorised access gained. ) Likelihood = 3 (3) Impact = 5 (4). Risk owner = Mike Smith (IT manager) ) 14.42 (6) 2.2.14 (7) Staff receive training every 2 years which highlights the risks. All laptops are encrypted. Regular audits are undertaken. Any incidents are reported to the Audit Committee. (8) Overall risk rating = 7 (9) Encryption technology to be implemented which meets industry standard, (10) Mike Smith (11)31.7.14 (12)Risk level target = 37] Tost your understanding 4 (1) [More on risk identification Risk registers would normally detail which of the following: (Select all that apply.) Risk level before controls are implemented Risk level after controls are implemented Responsibility for managing risks voo> The total cost of a control being implemented Some of the common methods of risk identification include: PEST (Political, Economic, Social, Technological) and SWOT (Strengths, Weaknesses, Opportunities, Threats) are very well known and familiar business analysis tools. These models can be used to assess risks by providing a framework to identify and think about the risks in the organisation. PEST/SWOT analysis External advisors Companies may employ external risk consultants who will advise on key risks and processes that can be used to limit and control those risk Consultants have access to other businesses and as a result may have pools of knowledge not available internally. Interviews/questionn: The company may conduct interviews or send questionnaires to key business managers asking them to indicate principal risks. Internal audit One of the functions of internal audit should be to provide recommendations on controlling risk. As part of their work therefore, internal audit assess where the organisation faces risk ww chapter 2 57Risk management Brainstorming The business may decide to use more informal brainstorming meetings to assess the risks they face. These meetings have the advantage of accessing many different viewpoints. Any of these methods identify risks but at the end of the process it is important that the organisation determines what its principal risks are. These principal risks will then determine the controls that need to be put in place and the systems that have to be introduced to control and manage the risks. Quantification of risk exposures Quantification of risk is important in understanding the extent and significance of the exposure. This can be done by measuring the impact of the risk factor (such as exchange rates) on the total value of the company, or on any individual item such as cash flow or costs. Risks that are identified should be measured and assessed. The extent to which this can be done depends on the information available to the risk manager. In some companies, particularly in the banking and insurance industries, many risks can be measured statistically, on the basis of historical information. In many other situations, the measurement and assessment of risk depends on management judgement. Some quantitative techniques include: expected values and standard deviation volatility value at risk (VaR) regression analysis simulation analysis.Expected values and standard deviation + Some risks can be measured by the use of expected values. Expected value = = prob X where prob = probability, X = outcome Se eee an ae Expected value of risk er ee When statistical estimates are available for the probabilities of different outcomes, and the value of each outcome, risk can be measured as an expected value of loss or gain. : Expected value of loss = p * L Where: pis the probability that the outcome will occur Lis the loss in the event that the outcome does occur. Example The finance director of a company has to prepare an assessment of credit risk for a report to the board. The company has annual credit sales of $12 million, and customers are given 60 days, (two months,) credit. Experience shows that irrecoverable debts written off amount to 1.5% of total annual credit sales * 10% of irrecoverable debts written off are subsequently recovered by legal action. Required: (a) Whatis the credit risk exposure of the company? (b) What is the expected loss each year due to credit risk?Risk management 60 ll Solution | (@) The total exposure to credit risk can be expressed either as the total annual credit sales ($12 million) or the exposure to unpaid debts at any point in time ($12 million x 2/12 = $2 milion). | | (b) Fora full year the expected value of loss is = $12 million x 1.5% * | 90% = $162,000. “The standard deviation is a measure of the dispersion of the possible values of a given factor, such as cash flow, from the expected value or mean. Thus the standard deviation provides a measure of volatility — the greater the standard deviation, the greater the risk involved. Volatility + Another way of assessing risk might be looking at potential volatility, For example, a company might calculate an expected value based on a range of probabilities but also assess the potential variation from that expected outcome (range or standard deviation), Test your understanding 5 — Volatili The following are the forecast purchases of raw materials in a future | month: tegration) | £200,000 30% probability £250,000 50% probability | £300,000 20% probability Calculate the upside and downside volatility from expected purchases. | Value at risk Value at Risk (VaR) allows investors to assess the scale of the likely loss in their portfolio at a defined level of probability, Itis becoming the most widely used measure of financial risk and is also enshrined in both financial and accounting regulations. VaR is based on the assumption that investors care mainly about the probability of a large loss. The VaR of a portfolio is the maximum loss on 4 portfolio occurring within a given period of time with a given probability (usually small)Calculating VaR involves using three components: a time period, a confidence level and a loss amount or percentage loss Statistical methods are used to calculate a standard deviation for the possible variations in the value of the total portfolio of assets over a specific period of time. Making an assumption that possible variations in total market value of the portfolio are normally distributed, itis then possible to predict at a given level of probability the maximum loss that the bank might suffer on its portfolio in the time period Abank can try to control the risk in its asset portfolio by setting target maximum limits for value at risk over different time periods (one day, one week, one month, three months, and so on) VaR may be calculated as standard deviation x Z-score (where the Z- score can be found from the normal distribution tables). Normal distribution Normal distributions can be found when we measure things such as: + Exam results + Staff performance gradings + The heights of a group of people eto Annormal distribution has the following characteristics: ‘The mean is shown in the centre of the diagram and the curve is symmetrical about the mean. This means that 50% of the values will be below the mean and 50% of the values will be above the mean Note: The mean, median and mode will all be the same for a normal distribution. How far the values spread out from the mean is the standard deviation. This can be seen in the following diagram: chapter 2Risk management 62 STANDARD DEVIATION The total area under the curv equal to 1. If we can think of a standard normal distribution curve with three standard deviations as follows: 4 Zz 3 2 -1 0 1 #2 «3 In general 68% of values are within one deviation (between -1 and 1), —_| 95% of values are within two standard deviations (between -2 and 2) and | 99.7% of values are within three standard deviations (between -3 and 3). From this we can see that if we look at a set of data which fits a normal distribution the majority of values will occur closer to the mean, with fewer and fewer occurring the further from the mean we move. A standard normal distribution has: amean of 0 a standard deviation of 1 Se DL eeee Se This special distribution is denoted by z and can be calculated as: x= z-xct oO Where: zis the score nsidered xis the value being pis the mean | Cis the standard deviation This calculation is used to convert any value to standard normal distribution, Looking up the normal distribution tables ‘Once we have calculated our 'z score’ we can look this up on the normal distribution table to find the area under the curve, which equates to the percentage chance (probability) of that value occurring So if we calculated a z score of 1.00. From the table the value is 0.3413. This means that (0.3413 + 1.0) or 34.13% is the area shown from 0 - 1 on the diagram 0 4 | | From this we can deduce that 34.13% would be the area shown from 0 - Jon the diagram. So 58.26 /e can say that 68.26% of values will fall within one Standard deviation (-1 to 1), chapter 20 ee 7 For VaR , there are two types of calculation to consider: | 1) The confidence level that the result will be above a particular figure — | this is referred to as a one tail test. | 2) The confidence level that a figure will be within a particular range ~ this is referred to as a two tail test. | In both cases we are working backwards from the percentage to find the value of x. One tail test Ifyou are asked to calculate the 95% VaR, this is a one tail test. As we are looking at risk, itis usually about being 95% certain that the outcome will be above a particular value. 50% of the distribution is on one side of the mean, within the tables we | are looking for as close to 0,4500. | 4 45% | 50% + 95% ——> 1.645 Two tail test If you are asked about being 95% certain the result is within a range, the area would look like this’ a <We would be looking for 0.4750 in the tables, 47.5% above and below the mean. Zis a bank. The management accountant of Z has estimated that the value of its asset portfolio at year end will be $1,500 million, with a standard deviation of $300 million Calculate the value at risk of the portfolio, at a 97.5% confidence level. (Express your answer in $, rounded to the nearest million.) Solution The Z value for a one-tail 97.5% confidence level is 1.96 (from the Normal Distribution tables). tandard deviation x Z value, so the USD 300 million x 1.96 = USD 588 million This means there is a 2.5% chance that the value of the portfolio will be (1,500 - 588) $912 million or below. AL Plc. a UK based company are expecting to receive $10 million from a US customer. The value in pounds is dependant on the exchange rate between the dollar and pound. The mean exchange rate is $1.25/¢ and the daily volatility of the Poundidollar exchange rate is 0.25%What is the range of values that AL confident of receiving in 1 day? Solution ‘The mean value of the $10 million is £8 million ($10 million + $1.25/£) The daily standard deviation is (0.25% * £8 million =) £20,000 As we are looking at a range, this is a two tail test, to be 95% confident this will be within 47.5% of the mean on either side. First find 0.4750 in the normal tables, this is a z value of 1.96. \aR = Z x Std deviation = 1.96 x 20,000 = £39,200 This means that AL Plc is 95% confident that the value will be within £39,200 of the mean. | Therefore AL plc is 95% confident the sterling amount will be between £7,960,800 & £8,039,200. Given the 1-day VaR, we can easily calculate the VaR for longer holding periods as: nday Var = 1 day Var x Yn The VaR increases with the holding period: Thus, the longer the holding period, the greater the VaR. Suppose a UK company expects to receive $14 million from a US customer. The value in pounds to the UK company will depend on the exchange rate between the dollar and pounds resulting in gains or losses as the exchange rate changes. Assume that the exchange rate today is $1.75/€ and that the daily volatility of the pound/dollar exchange rate is 0.5%. Calculate the (a) 1-day 95% VaR b) 1-day 99% VaR,ng ng es, ——— The value of the $14 million today is £8 million ($14 million + $1.75/£) with a daily standard deviation of £40,000 (0.5% * £8 million). (a) The standard normal value (Z) associated with the one-tail 95% confidence level is 1.645 (see Normal Distribution tables). Hence, the 1-day 95% VaR is 1.645 x £40,000 = £65,800. This means that we are 95% confident that the maximum daily loss will not exceed £65,800. Alternatively, we could also say that there is a 5% (1 out of 20) chance that the loss would exceed £65,800. (b) The standard normal value (Z) associated with the one-tail 99% confidence level is 2.33 (see Normal Distribution tables). Hence, the 1-day 99% VaR is 2.33 x £40,000 = £93,200. Thus, there is a 1% (1 out of 100) chance that the loss would exceed £93,200. Ifwe wanted to calculate the VaR for longer period, say 5 days, at the 95% level the calculation would be’ 5 day 95% VaR = 1 day 95% VaR * V5 = £65,800 x 2.236 = £147,133 There is a 5% chance that the company’s foreign exchange loss would exceed £147,133 over the next 5 days. Similarly, the 30-day 99% VaR would be: 1 day 99% VaR x 30 = £93,200 x 5.477 = £510,477, This illustrates the longer the holding period, the greater the VaR. [Dior on value at isk var) The Basel committee established international standards for banking laws and regulations aimed at protecting the international financial System from the results of the collapse of major banks. Basel |! @stablished rigorous risk and capital management requirements to ensure each bank holds reserves sufficient to guard against its risk ponestre given its lending and investment practices. Regulators require Be to measure their market risk using a risk measurement model Ich is used to calculate the Value at Risk (VaR). a the global nancial criss has identified substantial problems fheend Governance procedures in terms of understanding operational B Reece ae measurement models like VaR. This has been rent he numberof banks that have failed or required re nba Northern Rock and Bradford and Bingley in the UK; | fashington Mutual in the US amongst others. chapter 2isk management Test your understanding 6 oe A company expects to receive $10 million from a US customer. The value in € will depend on the exchange rate changing. Assume that the exchange rate today is $1.6667 /£ and that the daily volatility of the £/$ exchange rate is 0.5%. Required: What is the 10 day 95% VaR? Tk A bank has estimated that the expected value of its portfolio in two weeks’ time will be $50 million, with a standard deviation of $4.85 million. | Required: Calculate and comment upon the value at risk of the portfolio, assuming a 95% confidence level. Regression analysis This can be used to measure a company's exposure to various risk factors at the same time. This is done by regressing changes in the company's cash flows against the risk factors (changes in interest rates, exchange rates, prices of key commodities such as oil). The regression coefficients will indicate the sensitivities of the company’s cash flow to these risk factors. The drawback with this technique is that the analysis is based on historical factors which may no longer be predictors of the company in the future. Simulation analysis This is used to evaluate the sensitivity of the value of the company, or its cash flows, to a variety of risk factors. These risk factors will be given various simulated values based on probability distributions, and the procedure is repeated a number of times to obtain the range of results that can be achieved The mean and standard deviation are then calculated from these results to give an expected value and measure of the risk. This technique can be complex and time-consuming to carry out, and is limited by the assumptions of the probability distributions.Other methods of measuring or assessing the severity of an identified risk include: * scenario planning — forecasting various outcomes of an event; * — decision trees — use of probability to estimate an outcome; * — sensitivity analysis — used to ask ‘what-if?’ questions to test the robustness of a plan. Altering one variable at a time identifies the impact of that variable Drawbacks of the quantification of risk. Once a risk has been quantified, there is @ problem — whether anyone really knows what it means. Unless you are a trainee or qualified accountant (or similar) this is unlikely, hence risks are often left unquantified Risk or assurance mapping _ A. common qualitative way of assessing the significance of risk is to produce a ‘risk map’ or sometimes called an ‘assurance map’. * The Board, the Risk Committee, the Audit Committee and senior management from various departments will all be involved in the preparation of the map. * ‘The map identifies whether a risk will have a significant impact on the organisation and links that into the likelihood of the risk occurring. The approach can provide a framework for prioritising risks in the business Risks with a significant impact and a high likelihood of occurrence Need more urgent attention than risks with a low impact and low likelihood of occurrence. Awell-structured risk map will highlight where there are gaps in assurances over significant risk areas. A\so, duplicated or potentially burdensome assurance processes may be identified Risks can be plotted on a diagram, as shown below.= [| PROBABLY oO More on risk mapping The potential loss from an adverse outcome is a function of: * the probability or likelihood that the adverse outcome will occur, and + the impact of the outcome if it does occur. t When an initial review is carried out to identify and assess risks, the 7 assessment of both probabilities and impact might be based on Ip. judgement and experience rather than on a detailed statistical and numerical analysis. + Inaninitial analysis, it might be sufficient to categorise the probability of an adverse outcome as ‘high’, ‘medium’ or ‘low’, or even more simply as ‘high’ or ‘low’ + Similarly, it might be sufficient for the purpose of an initial analysis to assess the consequences or impact of an adverse outcome as ‘severe’ or ‘not severe’. | Each risk can then be plotted on a risk map. A risk map is simply a 2 * 2 table or chart, showing the probabilities for each risk and their potential impact. TTTSSS Example The following simple risk map might be prepared for a firm of auditors: Impacticonsequences Low igh High New audit regulations} Loss of non-audit Probability/likelihood for the profession work | from existing clients Low !ncreases in salaries | Loss of audit above clients the general rate of | within the next two inflation years Using arisk map Atisk map immediately indicates which risks should be given the highest priority High- probability, high-impact risks should be given the highest Priority for management, whether by monitoring or by taking steps to mitigate the risk. Low-probability, low-impact risks can probably be accepted by the organisation as within the limits of acceptability, High-probability, low-impact risks and low-probability, high-impact risks might be analysed further with a view to deciding the most. appropriate strategy for their management. For each high-probabilty, high-impact risk, further analysis should be Carried out, with a view to: estimating the probability of an adverse (or favourable) outcome More accurately, and SSsessing the impact on the organisation of an adverse outcome. {his is an area in which the management accountant should be able ‘© contribute by providing suitable and relevant financial information, =Y Providing suitable and r mage chapteraq [Fest your understanding 10 a — An alternative layout from a risk map being in the cruciform style so far might be that of a tabular format. Here the table might have the following columns: (1) The risk name e.g. fraud. (2) The likelihood of that risk arising e.g. medium. (3) The impact of the risk if it does arise e.g. high (4) Controls already in place. (5) The risk owner ie. the name of a manger or director who watches out for this risk arising. (6) Whether assurance is sufficient. This might be given a score out of, say, 10, or a yes/no type response (7) Controls to be implemented in the future | Test your understanding 8 — Restaurant (Integration) Suggest a risk that could be included in each quadrant for a restaurant. Test your understanding 9 The loss of lower-level staff would best fit which category of a risk map? A Low likelihood; low consequence B High likelihood; low consequence C Low likelihood; high consequence High likelihood; high consequence The axes of a risk map include: (Select all that may apply.) A B Likelihood Volatility ° Consequences CertaintyTest your understanding 11 HH Ltd is a private rehabilitation centre which provides services for people recovering from debilitating injuries. These services include a supported re-introduction to living at home through independent living units where clients can ‘practice’ living alone but with medical support on hand should they need it ‘The managers of HH are aware they operate in a high risk industry, Clients are often prescribed strong medications which must be administered correctly by HH staff and there are two ongoing legal disputes over injuries that have occurred to clients in HH’s independent living units. Some of HH's managers believe these risks are simply part of their business model and unavoidable whereas others are of the opinion that a formal risk management policy should be devised. The directors have suggested the managers get together to carry out a risk mapping exercise. Which of the following are benefits from a risk mapping exercise? Select that apply. Managers will reach a consensus on which are the key risks facing HH and will be able to target the most significant, Managers can use the existence of the risk map to prove they have not been negligent in the legal disputes concerning injured clients. The risk of medication being wrongly administered can be assessed and a policy devised to reduce it going forward. The risk of injury to clients accessing the independent living units can be assessed and prioritised and a policy devised to reduce it going forwards. The existence of a risk map may prevent managers wasting time dealing with trivial risks.Risk management 4 Risk response strategy So far we have considered the types of risk a company could be exposed tc and the way it may choose to assess, measure and bear those risks. The next area is to look at the formulation of a strategy to respond to those risks, the general methods that can be used to treat risks and the implementation of such strategy. ‘The management of risks involves trying to ensure that: *°- Exposure to severe risks is minimised + Unnecessary risks are avoided. * Appropriate measures of control are taken. + The balance between risk and return is appropriate. The estimate of the potential loss for each risk should be compared with the acceptable risk limit for the company. If the risk is greater than the acceptable limit, the next stage in risk management is to consider how the risk should be managed or controlled, to bring it down in size Aa Risk treatment (management) methods ‘Assuming that the business does want to manage its risks in some way a | number of methods can be used. These methods will it the risks, and the overall risk management strategy may define how the risks will be managed h and the way these methods will interact. | Avoid risk | + Acompany may decide that some activities are so risky that they should be avoided This will always work but is impossible to apply to all risks in commercial organisations as risks have to be taken to make profits. Transfer risk * In some circumstances, risk can be transferred wholly or in part to a third party. + Acommon example of this is insurance. It does reduceeliminate risks but premiums have to be paid.Pool risks «Risks from many different transactions can be pooled together: each individual transaction/item has its potential upside and its downside. ‘The risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually. + Forexample, itis common in large group structures for financial risk to be managed centrally. Diversification + Diversification is a similar concept to pooling but usually relates to different industries or countries. + The idea is that the risk in one area can be reduced by investing in another area where the risks are different or ideally opposite, + Acorrelation coefficient with a value close to —1 is essential if risk is to be nullified. aging risk by di ification | The syllabus refers specifically to the principle of diversifying risk, but states that numerical questions will not be set. It will therefore be useful to look in more detail at the effect of diversification on risk. areas, such as into Industry X and Industry Y, or into Country P and + Risk can be reduced by diversifying into operations in different | Country Q. | + Poor performance in one area will be offset by good performance in another area, so diversification will reduce total risk Diversification is based on the idea of ‘spreading the risk’; the total tisk should be reduced as the portfolio of diversified businesses | gets larger. | * Diversification works best where returns from different businesses are negatively correlated (j.e. move in different ways). It wil, however, still work as long as the correlation is less than +1.0. Example of poor diversification — swimming costumes and ice cream — both reliant on sunny weather for sales. Spreading risk relates to portfolio management as an investor or company spreads product and market risks The most common form of diversification attempts to spread risk according to the portfolio of companies held within a group based _more on links within the supply chain lL a oe 7576 RELATED pp oo ee ec fees ofthe indus E bv procucts and stain that may bear noc ourter TnReaTeD Development beyond Spreading risk by portfolio management Within an organisation, risk can be spread by expanding the portfolio of companies held. The portfolio can be expanded by integration — linking with other companies in the supply chain, or diversification into other areas. This is development beyond the present product and market, but still within the broad confines of the ‘industry + Backward integration refers to development concerned with the inputs into the organisation, e.g. raw materials, machinery and labour. + Forward integration refers to development into activities that are concerned with the organisation's outputs such as distribution, transport, servicing and repairs. * Horizontal integration refers to development into activities that compete with, or directly complement, an organisation's present activities. An example of this is a travel agent selling other related products such as travel insurance and currency exchange services. | Unrelated diversification This is development beyond the present industry into products and/or markets that may bear no clear relationship to their present portfolio. Where appropriate an organisation may want to enter into a completely different market to spread its risk. eachapter 2 ee Problems with diversification: * If diversification reduces risk, why are there relatively few conglomerate industrial and commercial groups with a broad spread of business in their portfolio? + Many businesses compete by specialising, and they compete successfully in those areas where they excel + Therefore, itis difficult for companies to excel in a wide range of diversified businesses. There is a possible risk that by diversifying too much, an organisation might become much more difficult to manage. Risks could therefore increase with diversification, due to loss of efficiency and problems of management. + Many organisations diversify their operations, both in order to grow and to reduce risks, but they do so into related areas, such as similar industries (e.g. banking and insurance, film and television production, and so on) or the same industry but in different parts of the world, + Relatively litle advantage accrues to the shareholders from diversification. There is nothing to prevent investors from diversifying for themselves by holding a portfolio of stocks and shares from different industries and in different parts of the world. Test your understanding 12 Risk reduction can be achieved using which of the following theories? Management theory Systems theory Portfolio theory gom> Contingency theory Evaluate whether itis always a good business strategy fora listed Company to diversify to reduce risk.Risk management Kk reduc! + Evenif'a company cannot totally eliminate its risks, it may reduce them toa more acceptable level by a form of internal control + The internal contro! would reduce either the likelihood of an adverse ‘outcome occurring or the size of a potential loss. = The costs of the contro! measures should justify the benefits from the reduced risk. +" More will be seen on internal controls in chapter 5. Hedging risks +" Hedging will be consideréd in detail when financial risk is examined in later chapters. + The concept of hedging is reducing risks by entering into transactions with opposite risk profiles to deliberately reduce the overall risks in a business operation or transaction Risk sharing + Acompany could reduce risk in a new business operation by sharing the risk with another party. + This can be a motivation for entering into a joint venture inal Risk management using TARA B ‘An alternative way of remembering risk management methods is via the mnemonic "TARA Transference. In some circumstances, risk can be transferred wholly or in part to a third party, so that if an adverse event occurs, the third party suffers all or most of the loss. A common example of risk transfer is insurance. Businesses arrange a wide range of insurance policies for | protection against possible losses. This strategy is also sometimes | referred to as sharing, | avoidance. An organisation might choose to avoid a risk altogether However, since risks are unavoidable in business ventures, they can be avoided only by not investing (or withdrawing from the business area completely). The same applies to not-for-profit organisations: risk is unavoidable in the activities they undertakeReduction/mitigation. A third strategy is to reduce the risk, either by limiting exposure in a particular area or attempting to decrease the adverse effects should that risk actually crystallise. Acceptance. The final strategy is to simply accept that the risk may occur and decide to deal with the consequences in that particularly situation. The strategy is appropriate normally where the adverse effect is | minimal, For example, there is nearly always a risk of rain; unless the business activity cannot take place when it rains then the risk of rain occurring is not normally insured against Risk mapping and risk responses Risk maps can provide a useful framework to determine an appropriate risk response: IMPACT/CONSEQUENCE PROBABLY) ‘UKELIHOOD chapter 2Risk management Wa] |[Testyour understand | The death of, or serious injury to, a member of staff at work would best fit | which category on a risk map? A Low likelihood; low consequence B__ High likelihood; low consequence C _Lowlikelihood; high consequence D__ High likelihood; high consequence 17] Test your understanding 15 5 | Atisk identified as having a low frequency and a high severity should be managed by: Avoiding Accepting Transferring ooD> Reducing Vj] | Test your understanding 16 | | P Company is a large international fast food retailer with plans to expand ona global scale. J is a manager who has relocated to Country X to | begin an aggressive standardised expansion plan. | Five restaurants have opened so far in the cities of Country X but the | response from the local population has been poor. Initial sales targets | have not been met and the Board of P Company believes that further expansion into Country P is at risk and itis possible the plan will be abandoned, | J believes that the restaurants have not been immediately successful | because the population of Country X, although affluent and well educated, are not used to the concept of ‘fast food’. Restaurants in Country X are typically expensive and serve fresh food to order. 80chapter 2 Which of the following are appropriate risk management responses for J to discuss with The Board? Select all that apply. AP Company should embark on a marketing campaign within Country x. B The menus of restaurants in Country X should be modified to reflect local tastes with more fresh food included CP Company should stop expansion plans in Country P and choose a more appropriate location. DP Company should replace J as the manager of expansion in Country X. EP Company should abandon their standardised plan in Country X and instead tailor their branding and products to be in line with } Successful local restaurants. | 5 The risk cube Another way of considering risk and its management is to use the risk cube. Risk equals the volume of the cube. ‘Counter Values Vulnerbility is Seen as some combination of a threat, exploiting some lity, that could cause harm to an asset.Risk manag Residual risk is the combined function of: + a threat less the effect of threat-reducing safeguards; +” a Vulnerability less the effect of vulnerabilty-reducing safeguards; and + _ anasset less the effect of asset value-reducing safeguards. Managing the risk can be undertaken by reducing the threat, reducing the vulnerability and/or reducing the asset value. For example, imagine a company sells machine parts on credit to industrial customers. } The threat might be that the customer doesn''t pay for their machine parts. The vulnerability might be that the selling company has a low cash balance and therefore could do with the funds to pay its own suppliers. The asset is the receivable due in. The threat-reducing safeguards might include performing a credit check on all customers. The vuinerability-reducing safeguards might include holding a minimum cash balance at all times to ensure sufficient cash is available to pay suppliers. The asset-reducing safeguards might include setting a limit on each receivable balance, so that once it is reached no further goods would be supplied to a customer until payment was made.Test your understanding 17 — Twinkletoes (Case study) Scenario You are the management accountant of a large private company, Twinkletoes. Twinkletoes manufactures a high volume of reasonably priced shoes for elderly people. The company has a trade receivables ledger that is material to the financial statements containing four different categories of account. The categories of account, and the risks associated with them, are as follows: (i) small retail shoe shops. These accounts represent nearly two thirds of the accounts on the ledger by number, and one third of the receivables by value. Some of these customers pay promptly, others are very slow; large retail shoe shops (including a number of overseas accounts) that sell a wide range of shoes. Some of these accounts are large and overdue; chains of discount shoe shops that buy their inventory centrally. These accounts are mostly well-established ‘high street’ chains. ‘Again, some of these accounts are large and overdue; and mail order companies who sell the company’s shoes. There have been a number of large new accounts in this category, although there is no history of irrecoverable debts in this category Receivables listed under (ii) to (iv) are roughly evenly split by both value and number. All receivables are dealt with by the same managers and staff and the same internal controls are applied to each category of receivables. You do not consider that using the same managers and staff, | and the same controls, is necessarily the best method of managing the receivables ledger. Trigger Twinkletoes has suffered an increasing level of irrecoverable debts and Slow payers in recent years, mostly as a result of small shoe shops becoming insolvent. The company has also lost several overseas accounts because of a requirement for them to pay in advance. lanagement wishes to expand the overseas market and has decided lal overseas customers will in future be allowed credit terms. Task anagement has asked you to classify the risks associated with the ivables la tly ysdge" in order to manage trade receivables as a whole more H ag You have been asked to classify accounts as high, medium or | —~) chapter 2management oe eee EEE Write an email to the finance director: (a) Classifying the risks relating to the four categories of trade receivables as high, medium or low and explain your classification (Note: More than one risk classification may be appropriate within each account category.) (b) Describing the internal controls that you would recommend to Twinkletoes to manage the risks associated with the receivables ledger under the headings: all customers, slow paying customers | larger accounts, and overseas customers. | (30 minutes) k reporting Risk reports now form part of UK annual reports. It is an important disclosure requirement. (Examples of these are available on larger companies websites. Candidates are encouraged to read some.) Managers of a business, and external stakeholders, will require information regarding the risks facing the business. A risk reporting system would include: + Asystematic review of the risk forecast (at least annually), + Areview of the risk strategy and responses to significant risks. + Amonitoring and feedback loop on action taken and assessments of significant risks. + Asystem indicating material change to business circumstances, to provide an ‘early warning + The incorporation of audit work as part of the monitoring and information gathering process. Within Marks and Spencer's annual report for 2013 there is a risk report section. This has been duplicated in part below. It states their approach to risk management and key areas of focus: What is our approach to risk management? The Board has overall accountability for ensuring that risk is effectively managed across the Group and, on behalf of the Board, the Audit Committee reviews the effectiveness of the Group Risk Process. 84$—$<—$<$ $$ _$_$_$__— Risks are reviewed by all business areas on a half-yearly basis and measured against a defined set of likelihood and impact criteria. This is captured in consistent reporting formats, enabling Group Risk to consolidate the risk information and summarise the key risks in the form of the Group Risk Profile Our Executive Board discusses the Group Risk Profile ahead of it being submitted to the Group Board for final approval. To ensure our risk process drives improvement across the business, the Executive Board monitors the ongoing status and progress of action plans against key risks on a quarterly basis isk remains an important consideration in all strategic decision-making at Board level, including debate on risk tolerance and appetite. Key areas of focus During the year we have focused on a number of key areas: (1) Evolving risk descriptions As time progresses, the nature of some Group risks is evolving. To ensure we continue to address the most important risks facing the Group at this point in time we have updated a number of risk titles and descriptions. New titles are assigned to GM product (2012: Our customers) and Food safety and integrity (2012: Food safety). New descriptions are in place for International and Our people. (2). Action plans for key risks We continue to assess whether sufficient additional mitigating activities are underway to reduce the net risk position of the Group's key risks. By considering net risk on both a one year and three year horizon, we are able to identify when mitigating activities will result in a tangible risk reduction. We also continue to review the ongoing appropriateness of actions to ensure they are as relevant, timely and measurable as possible. chapter 2(3) Influence of risk tolerance Risk tolerance and appetite are important considerations in strategic decision-making at Board level. We also recognise the value in applying the concept of risk tolerance in discussions across all levels of the organisation. It is especially beneficial when determining the nature of mitigating activities and their role in addressing risk likelihood or impact. Our principle risks and uncertainties As with any business, we face risks and uncertainties on a daily basis. It is the effective management of these that places us in a better position to be able to achieve our strategic objectives and to embrace opportunities as they arise. To achieve a holistic view of the risks facing our business, both now and in the future, we consider those that are: external to our business; core to our day-to-day operation related to business change activity; and those that could emerge in the future. Overleaf are details of our principal risks and the mitigating activities in place to address them. It is recognised that the Group is exposed to a number of risks, wider than those listed. However, a conscious effort has been made to disclose those of greatest importance to the business at this moment in time and those that have been the subject of debate at recent Board or Audit Committee meetings. (Two of the many principle risks and mitigating actions are detailed below.) Economic outlook Economic conditions worsen or do not improve, impacting our ability to deliver the plan ‘As consumers’ disposable incomes come under pressure from price inflation and government austerity measures, trading conditions continue to remain a challenge for our business. Sa a ORT STSS SS a ee a Mitigating activities: Proactive management of costs Regular review of customer feedback and marketplace positioning Continued focus on value proposition in the context of a balanced product offer, including market leading innovation Ongoing monitoring of pricing and promotional strategies Regular commercial review of product performance Food safety and integrity A food safety or integrity related incident occurs or is not effectively managed ‘Asa leading retailer of fine quality fresh food, it is of paramount importance that we manage the safety and integrity of our products and supply chain, especially in light of the business’ greater operational complexity and the heightened risk of fraudulent behaviour in the supply chain. Mitigating activities: Dedicated team responsible for ensuring that all products are safe for consumption through rigorous controls and processes Continuous focus on quality Proactive horizon scanning including focus on fraud and adulteration Established supplier and depot auditing programme (The risk report continues for several pages covering many other risks.) The Group Risk Profile reflects the most important risks facing the business at this point in time; these risks receive specific attention by the Board to ensure that sufficient mitigating activity is in place to reduce net Fisk to an acceptable level. The Group Risk Profile will evolve as these Mitigating activities succeed in reducing the residual risk over time, or New risks em ee lerge. As such, we have removed a number of risks from our Toup Risk Profile since the prior year: Be zeer vo included Business continuity on the Group Risk Profile in vents wigs heightened level of risk driven by the UK's summer 2012 a the risk now returning to a normal level it has been removed, ising the strength of our controls in this area Inclal position, Cory and IT s ns taken t orate reputation, New store format, Key supplier *ecurity have also been removed in recognition of the reduce the net risk position. wa chapter 2Risk management 88 ones in the longer term, illustrating how emerging risk is considered | other countries, are able to undercut ¥ Company on price and so gain ‘The above risks remain important and they continue to be monitored as part of ‘business as usual’ activities; however, we consider that they do hot represent key risks to our business at this time and they have therefore been removed from the Group Risk Profile. Risk interconnectivity We continue to recognise the significant interdependency between our key risks, which is in part a product of our heavily interconnected business environment (both in terms of systems and processes). The following diagrams are based on our current Group Risk Profile, Both are designed to highlight how changes to one risk could impact on those connected to it, and therefore on the profile as a whole. We have incorporated a number of potential emerging risks which do not feature on our Group Risk Profile at this point in time, but could influence our by the Board Test your Understanding 18 "eps FETA OTR a ‘A recent SWOT analysis carried out within ¥ Company showed that the organisation is now subject to more diverse threats than previously Seoamented. This is mainly due to deregulation of Y Company's industry | fané consequently many new entrants, These new entrants, often from market share. “The directors believe they have appropriate measures in place to identify and manage the new risks that Y Company faces but are concerned that Y Company's stakeholders should be able to acoess information relating | to company's most up to date risks. Y Company's risk profile has evolved since the prior year. | They wish to convey, via an annual risk report that risk remains a key | consideration in all strategic decision making | Which of the following should be included in Company Y's risk reporting le 7chapter 2 Select all that apply. | A Adetailed review of Y Company's risk strategy and responses to risks it faces. B Amonitoring and feedback loop on action taken and assessments of significant risks such as those resulting from new entrants. lc A system indicating material change to Y Company's industry circumstances, to provide an ‘early warning’. | D__ The incorporation of audit work as part of the monitoring and | information gathering process. E Asystematic review of the risk forecast (at least quarterly). | { aa —— | 7 Gross and net risk Risk reports should show: + the gross risk = an assessment of risk before the application of any controls, transfer or management responses, and ‘* the net risk (or residual risk) = an assessment of risk, taking into account the controls, transfer and management responses i.e after any controls have been implemented, to facilitate a review of the effectiveness of risk responses, Anexample of gross and net risk assessments, utilising the risk map {impactlikelihood matrix) is shown below: “Grosse assessment Netrek ateesment 89Risk management ro | If the residual risk is considered to be too great then the company willneed to: + not expose itself to the risk situation; or + putin place better controls over the risk The amount of residual risk a company can bear is ultimately a management decision + Itis possible to measure that residual risk, possibly as a proportion of profiticapital/turnover, in order to help management make that judgement. EE [patty bear risk | one approach to assessing the ability to bear a risk is to consider the financial consequences of the risk, in relation to: + the organisation's profits + return on capital employed + the organisation's expenditure budget (not-for-profit organisations). For example, suppose that the financial consequences of a particular risk have been estimated as a potential loss of $200,000. For an organisation making annual profits of, say, $200 million, this might seem relatively insignificant. On the other hand, for an organisation with annual profits of just $250,000, say, the risk would be much more significant. ‘An organisation might establish policy guidelines as to the maximum acceptable residual risk for any individual risk, or set risk limits to the maximum acceptable loss on particular operations. Using the earlier example of the risk register we can show gross and net (or residual risk): (1) Loss of personal data i.e. unsecure use of mobile devices could result in personal identifiable information being lost, stolen or unauthorised access gained. (2) Likelihood = 3 (3) Impact=5 (4) Risk owner = Mike Smith (IT manager) 90eS EEE EEE (5) 1.4.12 (8) 2.2.14 (7) Staff receive training every 2 years which highlights the risks. All laptops are encrypted, Regular audits are undertaken. Any incidents are reported to the Audit Committee (8) Overall risk rating = 7 (Gross risk) (9) Encryption technology is implemented which meets industry standard, (10)Mike Smith (11)31.7.14 (12)Risk level = 3 (Net or residual risk) By implementing the encryption technology the risk has reduced from a score of 7 to a score of 3. This means that there is still some risk but far less than there was. Management will have to consider whether a level 3 risk is acceptable or whether further controls need to be implemented to achieve a lower score, but at what cost. Test your understanding 19 TGDW are assessing a new contract to provide maintenance services for | a prestigious office complex. Should the complex be unable to function for| more than 5 hours due an error or omission by TGDW they will face a fine Of sufficient magnitude to cause the company severe financial difficulty. The directors assessed the gross risk as high impact and due to the Complexity of the systems maintained there is high probability of an error Occurring. The client is unwilling to reduce the penalty or to change the criteria and TGDW's internal controls are already at a high level Using TARA what action should TGDW take? Transfer Avoid Reduce Accept | ating risk management strategy company has e: a stablished its risk strategy and decided in what, ione |S isks and the methods it will use to achieve the 's, the strategy should be evaluated ” chapter 292 ‘The purpose of the evaluation is two-fold, as shown below: RISK STRATEGY EVALUATION Has the strategy achieved its objectives? Do the benefits outweigh the costs? | Within the risk management strategy, targets should be included to | enable the company to assess whether the risk strategy objectives have been achieved. For example, a company might set a target for risk of | fauity products ata set number or percentage level and then formulate a tisk strategy to achieve that level. In order to assess this a control mechanism will need to be set up. The basic control idea is that the ‘company compares the actual results with a required target, and | assesses whether the target has been achieved. If not, the reasons must | be investigated and action taken, including possibly a re-assessment of the risk strategy. Do benefits outweigh costs? «The costs and benefits of risk measures such as internal controls can be evaluated, and a cost-benefit comparison carried out. + The benefits from risk controls should preferably be measured and quantified, although some benefits (such as protecting the company's reputation) might have to be assessed qualitatively. +The evaluation process should be based on the principle that the costs of a control measure should not exceed the benefits that it provides. _ For example, a company could be very concemed about theft of petty cash and therefore introduce controls limiting the cash held to £25 and also requiring daily reconciliations of the cash balance by the financial controller, with observation by a member of the internal audit department. — This control would probably reduce theft, but would be very expensive for the company to operate and as a result the costs would exceed the benefits. The controls set up must be proportionate to the potential losses that could occur if the risk results in losses | |chapter 2 jan| Cost-benefit example | Amanufacturing company is concerned about the rate of rejected items from a particular process. The current rejection rate is 5% of items input, and it has been estimated that each rejected item results in a loss to the company of $10.600 items go through the process each day. itis estimated that by introducing some inspection to the process, the rejection rate could be reduced fairly quickly to 3%. However, inspections would result in an increase of costs of $70 per day. Req How should this control through inspection be evaluated? Solution The example is a simple one, but it is useful for suggesting an approach to risk management and control evaluation. What is the objective of the control? Answer: To reduce losses from rejected items from the process, initially from 5% to 3% of input What is the expected benefit? ‘Answer: A reduction in rejects by 2% of input, from 5% to 3%. The reduction in rejects each day is (2% x 600) 12. Since each reject costs $10, the total daily saving is $120. What is the expected cost of the control? Answer: $70 per day. Therefore the control appears to be worthwhile in achieving the objective ISthe control effective? are: This should be established by monitoring actual results. For a if the control costs $70 each day, but succeeds in reducing the N tate from 5% to just 4% (a reduction of 1%), the benefits would a 60 each day and the control would not be cost-effective (unless Ings are more than $10 per unit) 93Risk management tf 9 Risk management roles and responsibilities wo? RESPONSIBILITIES + Ultimate responsibility for risk management + Define risk appetite for the organisation Board of directors (see more in chapter 8) joard commitiee with responsibilities for reviewing intemal control systems and working with internal and external auditors ‘Audit committee “chapter 8) Possibly a risk life risk committee ~ Board committee with * Group of senior and middle management with operational responsibility for carrying out the risk management process + Report into the board, via the audit or risk committee + Identification of risks Monitor the effectiveness of the overall process, and make recommendations for improvement Risk management group, led by the risk manager Involved in the review of internal controls. Support ‘management inthe risk management process Internal audit (see more in chapters 9 and10) If the company being considered is divisional there may be a risk officer for each division who will help to identify and manage tactical and operational level risks. All employees have a role and responsibility for risk too. You should be aware of possible risks (through policies issued and training given) and you should be audible if you believe a risk needs to be managed (by reporting it to your manager or by whistleblowing)chapter 2 (0) [Rossettierakconnies In broad terms, the risk (management) committee within an organisation has the following main aims: Raising risk awareness and ensuring appropriate risk management within the organisation. Establishing policies for risk management. Ensuring that adequate and efficient processes are in place to identify, report and monitor risks. Updating the company's risk profile, reporting to the board and making recommendations on the risk appetite of the company. | Supporting these objectives of the risk (management) committee, there | are many secondary objectives. These objectives may also be contained in the terms of reference of the risk (management) committee. Advising the board on the risk profile and appetite of the company and as part of this process overseeing the risk assurance process within the company. ‘Acting on behalf of the board, to ensure that appropriate mechanisms are in place with respect to risk identification, risk assessment, risk assurance and overall risk management, Continual review of the company’s risk management policy including making recommendations for amendment of that policy to the board. Ensuring that there is appropriate communication of risks, policies and controls within the company to employees at all management levels. Ensuring that there are adequate training arrangements in place so Management at all levels are aware of their responsibilities for risk management. Where necessary, obtaining appropriate external advice to ensure that risk management processes are up to date and appropriate to the circumstances of the company. Ensuring that best practices in risk management are used by the Company, including obtaining and implementing external advice Where necessary,Risk management oO Risk manager activities 96 Typical activities carried out by a risk manager include: * Provision of overall leadership for risk management team. + Identification and evaluation of the risks affecting an organisation from that organisation's business, operations and policies. ‘+ Implementation of risk mitigation strategies including appropriate internal controls to manage identified risks. * Seeking opportunities to improve risk management methodologies and practices within the organisation. + Monitoring the status of risk mitigation strategies and intemal audits, and ensuring that all recommendations are acted upon * Developing, implementing and managing risk management programmes and initiatives including establishment of risk management awareness programmes within the organisation + Maintaining good working relationships with the board and the risk management committee. * Ensuring compliance with any laws and regulations affecting the business. + Implementing a set of risk indicators and reports, including losses, incidents, key risk exposures and early warning indicators. * Liaising with insurance companies, particularly with regards to claims, conditions and cover available. * Depending on specific laws of the jurisdiction in which the organisation is based, working with the external auditors to provide assurance and assistance in their work in appraising risks and controls within the organisation. + Again, depending on the jurisdiction, producing reports on risk management, including any statutory reports (e.g. Sarbanes-Oxley (SOX) reports in the US)| worthorn Rock Afailure of risk management Perhaps the most interesting example of risk and control was the case of Northern Rock. In September 2007 Northern Rock plc was a top five UK mortgage lender, on the FTSE 100 index with over £100 billion in assets. Northern Rock raised over 70% of the money it used in its growing mortgage lending business from banks and other financial institutions. Following the global credit crunch that resulted from the crisis in the US sub-prime (high risk) mortgage sector, banks stopped lending to each other and Northern Rock could not raise sufficient cash to cover its liabilities. A bank run (the first on @ UK bank for 150 years) on Northern Rock by its customers led to the government providing ‘lender of last resort’ funding ‘and guarantees for the bank's depositors totalling about £20 billion. The result has been a 90% fall in the bank's share price, a deteriorating credit rating and a loss of reputation. The CEO has resigned and several directors have also left the board. Northern Rock had a formal approach to risk management, including liquidity, credit, operational and market risk, fully described in its Securities and Exchange Commission filings. Northern Rock’s assets were sound so there was no significant oredit risk. Market risk was also well managed in terms of interest rate and foreign exchange exposure. However, despite formal procedures and a demonstrated compliance with regulations, there was an assumption by managers that access to funds would continue unimpeded. The US sub-prime crisis led to liquidity risk materialising, causing the Northern Rock problems. The ‘consequence was also the loss of reputation that followed press reports Which blamed the bank's management for not having a contingency plan to cover the possibility of disruption to its funding, an operational risk. Itis likely that the board of Northern Rock failed in both monitoring liquidity Tisk and in monitoring the effectiveness of the existing controls. Zs lesson of Northern Rock is that we need to move beyond the tick-box | @PPfoach to compliance and that good governance requires a more Insightful approach to risk management and internal control. chapter 20 ima a | The group has 480 stores and sales of £1.5 billion. Risk management | was part ofthe internal aut function. The internal auditorrisk manager said that the motivation for risk management was to ‘establish best practice in corporate governance’. However, he commented that the business recently had ‘problems with its fundamental controls’ when ‘senior management were looking at refinancing so took their eye off the ball | The process commenced with a brainstorming by the internal audit tear | of risk drivers’ to identify what could go wrong and what controls could be put in place to address risks. The internal audit team held interviews with all managers to determine a measure of the effectiveness of these controls on a scale from 1 to 5. The threat of the control gap was | identified and recommendations were made. This list looked like a risk register, although the group did not cal it that. The internal auditoririsk manager did not see value in a risk register but rather saw risk | management as high level | The Risk Management Committee (RM) meets every 2 months, | comprising all business (executive) directors. The list given by the internal audit team to RMC showed the monetary value of a ‘fundamental control breakdown’, from which was deducted the monetary value arising from controls implemented to give a ‘residual risk’ (ie. the risk after controls) to which was assigned a probability. These values were admittedly subjective. The RMC consider the risk maps, which showed the | percentage probability of a threat arising and the residual monetary risk ‘after taking account of controls. The whole process has been centrally driven, with a concern for ‘high level’ risks. The big risks identified through this process were: supply chain, suppliers, people management, rebates, | cost base, key processes, property management, market share, product offering and pricing, brand management, strategic management, integration and change, systems and business continuity. | the most recent development is a Key Control Improvement Plan (KCIP) that provides recommendations to address the risks. It summarises each | risk (the example of supply chain failure was given) and the ‘mitigating factors’ (ie. controls) and what still needs to be done. The Audit Committee (AC) of the Board has four non-executive directors the external auditors, the finance director and the internal auditor/risk manager and monitors progress in relation to the risk maps. The risk maps also drive the audit plan which is agreed on by the AC, business | directors and RMC. {___——regThe ‘big nasties’ are picked off, for example, purchase ordering and goods received, new stores, margins. Results are provided to the RMC and AC where the value of the report is greater than £250,000, Internal audit now had more exposure to decision-makers, as the risk management role had given them a high profile. n the future, the internal auditor/risk manager wants to implement a Risk Intelligence Report to provide early warning of risks, by looking at key performance indicators to identify what the business should be concerned with. He also wanted to | introduce a Risk Management Marketing Plan to help communicate risk and to pass on the responsibility to other managers with senior managers making presentations to RMC. The internal auditor/risk manager expects | it to take another 2 years to establish risk management in the organisation. More ‘bottom up’ controls need to be introduced and risk management needs to be embedded at the cultural level. Q Risk in an engineering consultancy q This organisation is privately owned with 3,500 employees. A review of its financial performance had revealed that the estimated cost of project over-runs, non-productive time and contractual penalties incurred was about 2% of annual tumover. This represented an opportunity loss of about £3 million per annum against reported profits of about £5 milion. However, the main driver behind risk management was to address the rapidly increasing premium for professional indemnity that had increased premiums to several million pounds and had seen its excess increase from £5,000 to £500,000 per annum over the last few years. The organisation had appointed a risk manager; adopted an offshore ‘captive’ insurer and implemented a management development programme to improve the skills of all its managers. This had included a Substantial content on risk awareness. One of the ways in which it was helping its managers to understand risk Was to undertake risk assessments as part of every project bid and to reflect each risk in pricing. During contract negotiations, each risk could be discussed between the lead consultant and the client when the value of the risk could be discussed in terms of the control devices that could be eS In place by the client to reduce the risk and hence reduce that Mponent of the project price that reflected the risk. It 5 | Hivas anticipated that this collaboration between consultant and client Wold reduce risk and lead to a more profitable outcome for both parties. chapter 2Risk management Test your understanding 20 — L tinned foods (Case study) Scenario L manufactures a range of very high quality tinned foods. The company was established eight years ago and it has grown steadily by selling to independent grocers in prosperous areas. Most consumers associate tinned food with poor quality and are unwilling to pay high prices. However, the consumers who buy L's products are willing to pay a premium for higher quality. L's only large customer is H, a major supermarket chain that has a reputation for selling high-quality produce. L began sales to H just under a year ago, with H purchasing small quantities of L's most popular product in order to assess demand. After a successful period of test marketing, H started to place larger orders with L. Now H accounts for 20% of L's sales by volume. Trigger L has traditionally had a functional organisational structure. There is a director in charge of each of sales, production, finance and human resources. Each director has a team of senior managers who support their function. The hierarchy for organising and supervising staff is generally based on this functional structure. The only exception to this has been the result of the appointment of Peter, who is the Account Manager in charge of L's dealings with H. H insisted on the appointment of a designated account manager as a condition of placing regular, large orders with the company. Peter is the designated point of contact on all matters between L and H. Peter's job description states that he is responsible for all decisions, including pricing, relating to L's relationship with H and that he is expected to base all such decisions on the promotion of L’s commercial interests. There have been a number of complaints from L's managers since Peter's appointment. These include several occasions when staff have received contradictory instructions. For example, Peter has ordered the production department to give priority to H's requests for large deliveries, even though that has led to regular orders to other customers being delayed, Peter has also told the staff in the credit control department not to press H for payment even though the company had several overdue invoices. [ ~wa [= ° Us Sales Director believes that the company could sell even greater | quantities to H and that other large supermarket chains will start placing | orders in the near future once H has demonstrated that there is a demand for high quality tinned food. She has warned L's Chief Executive that additional account managers will have to be employed in the event that L starts to supply further supermarket chains. | Task Write a report to the Board of L which: (a) Evaluates the potential risks that might arise from L's appointment of } an account manager to deal with H’s business; and (b) Recommends, stating reasons, the changes that L's board should |” introduce in order to minimise the threate arising from having an autonomous account manager. (40 minutes) Test your understanding 21 ~ Dental practice (Case study) Scenario Dis a dental practice that was established eight years ago. The practice was founded by six dentists, each of whom has an equal share. Trigger ihe six dentists have decided that they should undertake a formal Evaluation ofthe risks affecting their business. To that end, they have ®ngaged a consultant to act as a facilitator. J, he facitator began with a brainstorming session. The dentists were Peeled with a fipchart and they were asked to list as many risks as they TagattiNk of. Then the risks were transferred to a risk map based on the Framework. A simplified version of the risk map is shown below. 101Risk management SS Impacticonsequence Probabilityllikelihood Low High High Reduce Avoid | Negligence Cross infection | claims arising from failed | dental implants | Low Accept Transfer/share | Spiral staircase Unknown allergies | | All six dentists agreed that each of these risks is worth classifying, but | there was considerable debate as to where each should appear on the risk map. The facilitator has used the opinion of the dentist who identified | the risk as a starting point and has asked for some discussion as to how | best to classify each. Dental implants Dental implants are false teeth that are rooted in the patient's jaw using | titanium screws. Fitting an implant is a very time-consuming and | expensive procedure that costs the patient in excess of GBP 2,000. The patient’s bone structure usually accepts the implant and fuses with itto form a very strong bond. In 3-5% of cases the implant causes an adverse reaction and has to be removed. The practice warns patients of this possibility and does not offer any refund in this event because the failure | is beyond the dentist's control. Some patients who suffer an adverse reaction do seek compensation despite these warnings, alleging | negigence on the part of the dentist. | Cross infection | Cross infection can occur when patients pass infections on to the dental staff (and vice versa) or when dental instruments transmit infections | between patients. Apart from the need to work in close proximity to the patient, dental procedures always involve contact with the patient's saliva | Gnd can sometimes involve contact with blood ifa tooth is extracted or the patient's gums bleed. Spiral staircase “The dental surgery is located one floor up from street level. Patients enter | via‘a narrow hallway and climb to the reception using a narrow spiral staircase. The building cannot be remodelled to accept a lift or a more | suitable staircase. — 102chapter 2 im OO | Unknown allergies The dentists are often required to prescribe antibiotics and other drugs in | order to treat gum infections. These can cause severe allergic reactions that are impossible to foresee unless the patient has been prescribed | that drug in the past and has notified the practice ofthis allergy. Task (a) Discuss the benefits that the dental practice may obtain from the risk mapping exercise described above: | (b) Critically evaluate the placing of each of the identified risks in the |” ick map, stating with reasons whether or not you agree with the placement. (30 minutes) Fest your understanding 22— B bank (Case study) | | ‘Scenario | The B Bank is a large international bank. It employs 6,000 staff in 250 | branches and has approximately 500,000 borrowers and over 1,500,000 | savers. The bank, which was founded in 1856, has an excellent reputation for good customer service. The bank's share price has increased, on average, by 12% in each of the last 10 years. Trigger There has been much adverse media coverage in many countries including B Bank's home country, about the alleged excessive bonuses Teceived by the directors of banks. A meeting of central bank governors from many nations failed to reach agreement on how to limit the size of directors’ bonuses. The governor of the central bank in B Bank's home rey is particularly concerned about this issue, and consequently put forward the following proposal sectors A banks will be asked to pay a fee to the bank for the pilege of beng a crecior. Ths fee willbe set by ihe remuneration 4 "ad of each bank. Directors will be paid a bonus based solely on rebate prof and growth indicators. The more the bank succeeds, Cl be the bonus. This proposal diecty Inks performance of Bie ipcore pay. | see this as a more realistic option than mor bang salaries or bonuses by statute as proposed at the recent governors’ conference.”Risk management 104 Mle B Bank board and strategy The constitution of the board of B Bank is in accordance with the internationally agreed code of corporate governance. Overall board strategy has been to set targets based on previous (profitable) experience, with increased emphasis on those areas where higher potential profits can be made such as mortgage lending (this is discussed below). The bank's executive information systems are able to compute relative product profitability, which supports this strategy. This strategy generated substantial profits in recent years. The last major strategy review took place four years ago, Non-executive directors do not normally query the decisions of the executive directors. In recent years, the profile of the major shareholders of the bank has moved. Traditionally the major shareholders were pension funds and other longer term investors but now these are overshadowed by hedge funds seeking to improve their short-term financial returns One of the major sources of revenue for the bank is interest obtained on lending money against securities such as houses (termed a “mortgage” in many countries) with repayments being due over periods varying between 15 and 25 years. Partly as a result of intense competition in the mortgage market, the values of the mortgages advanced by B Bank regularly exceed the value of the properties, for example B Bank has made advances of up to 125% of a property's value. Internal reports to the board estimate that property prices will reverse recent trends and will rise by 7% per annum for at least the next 10 years, with general and wage inflation at 2%. B Bank intends to continue to obtain finance to support new mortgages with loans from the short-term money-markets. Task Write a report to the Board: (a) Evaluating the proposal made by the governor of the central bank: and (b) Evaluating the risk management strategy in B Bank (except for consideration of directors’ remuneration), Your evaluation should include recommendations for changes that will lower the bank's exposure to risk. (45 minutes) |{ Test your understanding 23 — W consumer (Case study) ‘Scenario Wis a leading manufacturer of consumer electronics devices. The company has a significant share of the markets for mobile phone and personal music players ("mp3 players").W's main areas of expertise are in design and marketing. The company has a reputation for developing innovative products that set the trend for the market as a whole. New product launches attract a great deal of press interest and consequently W spends very little on advertising. Most of its promotional budget is spent on maintaining contact with leading technology journalists and editors. Manufacturing and supply: W does not have a significant manufacturing capacity. New products are designed at the company's research laboratory, which has a small factory unit that can manufacture prototypes in sufficient quantity to produce demonstration models for test and publicity purposes. When a product's design has been finalised W pays a number of independent factories to manufacture parts and to assemble products, although W retains control | of the manufacturing process. W purchases parts from a large number of suppliers but some parts are highly specialised and can only be produced by a small number of companies. Other parts are standard components that can be ordered ftom a large number of sources. W chooses suppliers on the basis of price and reliability, All assembly work is undertaken by independent companies. Assembly work is not particularly skilled, but itis time consuming and so labour can Cost almost as much as parts X*)/, Wasa large procurement department that organises the Manufacturing process, A typical cycle for the manufacture of a batch of products is as follows: a $ Procurement department orders the necessary parts from parts ppliers and schedules assembly work in the electronics factories. Wg Parts are ordered by W but are delivered to the factories where he'assembly will take place. The finished goods are delivered directly to the customer. compli fee cated Process because each of W's products has at least and these can be purchased from several differentRisk management Supplier communications | Winsists on communicating with its suppliers via electronic data | interchange (EDI) for placing orders and also for accounting processes | such as invoicing and making payment. This is necessary because of the | degree of coordination required for some transactions. For example, W | | | | may have to order parts from one supplier that have to be delivered to another so that the other supplier can carry out some assembly work. Both suppliers have to be given clear and realistic deadlines so that the resulting assemblies are delivered on time to enable W to meet its own deadlines. | Trigger W recently launched a new range of mp3 players. The launch of the first batches of players attracted a great deal of adverse publicity: The supplier which produces the unique memory chips used in the mp3. player was unable to meet the delivery deadlines and that delayed the launch. The supplier owns the patent for the design of these memory chips. Supplies of the memory chip are now available. The assembly factories have been asked to increase their rates of production to shorten the | timescale now that the memory chips have become available. Task Write a report to W's finance director: | | (a) Evaluating THREE operational risks associated with the manufacture of W's products including an explanation of how each of these risks could be managed; and (b) Evaluating the risks associated with the use of EDI for managing W's ordering and accounting processes. | (45 minutes)Test your understanding 24 — SPM (Gase study) ‘Scenario ‘SPM is a manufacturer and distributor of printed stationery products that | are sold in a wide variety of retail stores around the country. There are | two divisions: Manufacturing and Distribution. A very large inventory is held in the distribution warehouse to cope with orders from retailers who expect delivery within 48 hours of placing an order. SPM’s management accountant for the Manufacturing division charges the Distribution division for all goods transferred at the standard cost of manufacture which is agreed by each division during the annual budget | oycle. The Manufacturing division makes a 10% profiton the cost of | production but absorbs all production variances. The goods transferred to | Distribution are therefore at a known cost and physically checked by both | the Manufacturing and the Distribution division staff at the time of transfer. Trigger The customer order process for SPM's Distribution division is as follows: SPM's customer service centre receives orders by telephone, post, fax, email and through a new on-line Internet ordering facility (a similar system to that used by Amazon). The customer service centre checks the creditworthiness of customers and bundles up orders several times each day to go to the despatch department. All orders received by the despatch department are input to SPM's computer system which checks stock availability and produces an invoice for the goods. Internet orders have been credit checked automatically and stock has been reserved as part of the order entry process carried out by the customer. Internet orders automatically result in an invoice being Printed without additional input The despatch department uses a copy of the invoice to select goods from the warehouse, which are then assembled in the loading dock for delivery using SPM's own fleet of delivery vehicles. i: pen SPIM's drivers deliver the goods to the customer, the retu meg Sias forthe receipt and the signed copy of the invoice is lumed to the despatch office and then to the accounts department ww chapter 2beat an + SPM's management accountant for the Distribution division produces monthly management reports based on the selling price of the goods less the standard cost of manufacture. The standard cost of manufacture is deducted from the inventory control total which is increased by the value of inventory transferred from the manufacturing division. The control total for inventory is compared —_| with the monthly inventory valuation report and while there are differences, these are mainly the result of write-offs of damaged or obsolete stock, which are recorded on journal entry forms by the despatch department and sent to the accounts department. Due to the size of inventory held, a physical stocktake is only taken once per annum by Distribution staff, at the end of the financial year. This has always revealed some stock losses, although these have been at an acceptable level. Both internal and external auditors are present during the stocktake and check selected items of stock with the despatch department staff. Due to the range of products held in the warehouse, the auditors rely on the despatch department staff to identify many of the products held. Task (a) Evaluate any weaknesses in the risk management approach taken by SPW's Distribution division and how this might affect reported profitability (30 minutes) (b) Recommend internal control improvements that would reduce the likelihood of risk. (15 minutes) | Test your understanding 25 — ABC (Case study) Scenario The operations division of ABC, a listed company, has responsibility tO maintain and support the sophisticated computer systems used for call | centres and customer database management which the organisation's retail customers rely on as much of their sales are dependent on access to these systems, which are accessed over the Internet, 108Although there is no risk management department as such, ABC has a large number of staff in the operations division devoted to disaster recovery. Contingency plans are in operation and data are backed up regularly and stored off-site. However, pressures for short-term profits and cash flow have meant that there has been a continuing under. investment in capital equipment, which one manager was heard to ‘comment as being ‘a little like Railtrack’ Trigger A review of disaster recovery found that although data were backed up there was a real risk that a severe catastrophe such as fire or flood would have wiped out computer hardware znd although data back-up was off- site, there was no proven hardware facility the company could use. While managers have relied on consequential loss insurance, they appear to have overlooked the need to carry out actions themselves to avoid or mitigate any possible loss. Task Write a report to the Board: (@) Advising on the main business issue for ABC and the most significant risks that ABC faces; (10 minutes) (©) Advising them on their responsibilities for risk management and Tscommending a risk management system for ABC that would more effectively manage the risks of losing business continuity. (30 minutes) (€) Evaluating the likely benefits for ABC of an effective risk management system for business continuity. mes 8nd frameworks detailed in this chapter are a starting point for Werte ramen ct Candidates need to be able to use their common serve : slate this material to exam questions chapter 2chapter 2 Test your understanding answers Test your understanding 4 The correct answer is B - By definition. Sfyour understanding 2 A, Band E COSO considers a WIDE range of risks, and is the responsibility of EVERYONE. Test your understanding 3 The correct answer is B — A risk map assesses an organisation's risks on the basis of likelihood and consequence Risk culture is the set of shared attitudes, values and practices that characterise how an entity considers risk in its day-to-day activities. Risk thermostat is the notion that everyone has a propensity to take risks. This varies by person and is influenced by potential rewards and any Previous ‘accidents’ The correct answers are A, B and C ~ The total cost of a control is not hormally detailed on the risk register.ment | [Test Your understanding 5 — Volatility (Integration Risk mana | The expected value of purchases is | | £ £200,000 x 0.3 60,000 £250,000 x 0.5, 125,000 | £300,000 x 0.2 60,000 | 245,000 | The volatility therefore is | Downside (£300,000 - £245,000) £55,000 Upside (£245,000 - £200,000) £45,000 | The volatility s the possible amount away from the expected value. 17} Test your understanding 6 The value of $10 million today is £6 million ($10 m/$1.6667) with a standard deviation of £30,000 (0.5% x £6 million). } | The one-tail 95% confidence level is 1.645. | Hence a five day 95% VaR is 1.645 x £30,000 x V10 = £156,058chapter 2 Test your understanding 7 — Value at risk (Integration) At the 95% confidence level the value at ris! (1.645 is the normal distribution value for a one-tailed 5% probability level — this can be taken from the normal distribution tables). ‘As the information is for the 2 week period, and not a daily mean or standard deviation, there is no need to use the n day VaR adjustment. ‘There is thus @ 5% probability that the portfolio value will fall to $42 million or below, fs a \ Sam 50m Portfolio value For a restaurant: esl your understanding 6 ~ Restaurant (Integration) il Impacticonsequences Low High A staff member is Head chef resigns taken ill and cannot work Low Ingredient prices | Several customers | rise sharply suffer from food poisoning eSuggestion could ar: the ‘quably be in a different quadrant, depending on | eTstaurant. These are just suggestions.Risk management 114 Test your understanding 9 The correct answer is B — Low-level staff frequently change jobs in order to progress. The severity is low as they are unlikely to be well- trained/highly skilled and could be replaced fairly quickly and easily, Test your understanding 10 | “The correct answers are A and C- The axes are likelinood/probability | and impact/severity/consequences. Test your understanding 11 | ¢,DandE + Option A — managers may not agree on the key risks facing HH, The risk map will force them to discuss risks but not to reach a consensus. + Option B — the legal disputes are ongoing and a new risk map is unlikely to help with historical cases + Options C, D and E are benefits. Test your understanding 12 The correct answer is C - Portfolio theory seeks to diversify the company's activities which can reduce risk (by not putting all your eggs in | one basket).Test your understanding 13 — Diversification (Integration) ‘Arguments for and against diversification: For | + Reduces risks and enables company to give more predictable return to investors. += Attracts investors who want low risk investments. Against |» Management may not understand all the businesses that the company operates in — increases the risk. + tis not necessary to diversify for investors — they can diversify themselves by investing in a number of different companies. + New business areas can attract risks — for instance going into a new country may increase the risk of not understanding a company culture. Test your understanding 14 The correct answer is C— The likelihood of this event would hopefully be low as several controls preventing this should be in place. Staff would refuse to work otherwise. The consequence of such an event would be high as it would likely lead to an investigation, legal proceedings, ‘compensation and reputational risk. st Your understanding 15 The correct answer is C — Low frequencylhigh severity risks are often transferred, by using insurance for example. chapter 2