Chapter 14 - Risk Strategy and Identification

Uploaded by

Dlamini Sicelo
Copyright
© © All Rights Reserved

Chapter 14: Risk Strategy and Identification

• Effective risk management is an organisation-wide activity, with the
leadership setting the tone in terms of organisational attitude to risk.

• The leadership group should also evaluate strategic options in a way that
ensures they fully understand the risks and can identify, assess and control
the risks.

• Effective risk management needs to address the fundamental organisational
leadership and governance structures, and ensure that appropriate values
are in place.

Having understood and controlled the strategic risks, the organisation
needs to identify and evaluate the key operational risks.
Risk and uncertainty are inevitable aspects of doing business.
All organizations face risk. Here are two useful definitions of risk:
• "Risk is the possibility that an event will occur and adversely affect the
achievement of objectives."
– Committee of Sponsoring Organisations of the Treadway Commission
(COSO)
• "Risk is the combination of the probability of an event and its
consequences."

The underlying principle of the COSO ERM framework is that every entity exists to
create value for its stakeholders, and this value can be preserved or eroded by
management decisions.

A risk management strategy is the responsibility of senior management. It
recognises the significant role that risk can play in the achievement of an
organisation's goals and the fact that some risks threaten the existence of the
organisation.

Relationship With Organisational Strategy


Organizational strategy concerns the actions that will shape the long-term direction
of an organisation. Risk management strategy and organisational strategy should
be integrated because:
• The objectives of the organization, set out during the strategic planning
process, will determine the risk preferences of the stakeholders of the
organisation. This is then used to define the risk appetite of the
organisation (see s.5.1).

• During the strategy selection process, management needs to
ensure that strategic options chosen are acceptable, given the
risk appetite of the organization’s stakeholders. The risk profile of
each strategic option needs to be assessed, as well as the effect it will
have on the overall risk profile of the organization.

• Strategic risk management can ensure that the probability that
the organisation fails to achieve its stated business objectives is
kept to an acceptably low level.

• Strategic planning may be based on assumptions about what events will
occur.

• Risk management can provide insights into the sensitivity of the
achievement of objectives to changes in the underlying assumptions to
help managers make better strategic decisions.

Risk Profile
The risk profile shows how expected performance increases as the risk
that is taken increases.
Enterprise Risk Management (ERM) Approach
The culture, capabilities, and practices, integrated with strategy-setting and
performance, that organizations rely on to manage risk in creating, preserving, and
realizing value.
Benefits of successfully implementing ERM are claimed to include:
• Increase the range of opportunities by considering both the positive and
negative aspects of risk
• Increase positive outcomes and advantages while reducing negative
surprises
• Respond more proactively to risks versus reactive responses
• Enhance ability to identify and manage entity-wide risks
• Reduce performance variability
• Improve resource deployment
• Hold richer and more robust conversations and dialog among
management and the board about risks.

COSO's Enterprise Risk Management (ERM) model has become a widely
accepted framework since it was introduced in 1992. The framework has
evolved over the years to address changing needs and developing understanding of
effective ERM.
COSO Framework Keys to Success
1. Start at the top; board and management support is necessary
This refers to the tone of the organization, including the attitudes towards risk.
The board of directors has an important role in defining the tone, which will
impact the attitudes of divisional and line managers, who must reinforce the tone
set by the board, particularly regarding attitudes to risk.

2. The role and objective of ERM must be understood and communicated
• The role and objective of ERM is to help the board and management make
better decisions and enhance the value of the organization.
• Once directors and managers understand this objective, they can position
their ERM initiative correctly.

3. ERM must be integrated into the fabric and culture of the organization
• Organizations already have processes in place for strategy development and
implementation, and performance measurement.
• Integrating ERM activities into these existing processes is simpler than
creating new processes, and also reinforces the concept that the risk
activities are essential to performance and value.

4. The starting point is to focus initially on the organization’s top strategies and
business objectives
• ERM starts with a thorough analysis of the organization’s key strategies and
business objectives, not by simply attempting to identify risks.

5. The key risks are those events and outcomes related to the key strategies
• All organizations face a number of risks of various levels of likelihood and
impact, but the biggest losses of value for organizations are from
strategic risks - the risks and events related to key strategic
decisions.
• Linking ERM with strategy provides a lens that enables the organization to
identify the risks that are most significant to its success.

6. Start with simple actions and build incrementally
• A barrier to implementation of an ERM initiative is the perception that it
requires a major and costly effort to implement.
• Taking an incremental, step-by-step approach to implementing or
enhancing ERM can also be a successful approach.
• Organizations can start with simple risk management processes and actions
and build from there, rather than trying to implement a complete ERM
process in one step.

7. Leverage existing resources and risk management activities
• Using these existing resources and activities means ERM can be introduced
without significant new resources being needed to support the
implementation.

8. Criticisms of the Framework
• While the updated framework has addressed many of the previous criticisms,
there are still concerns that it offers limited consideration of issues
related to risks from external parties or external events.

Strategic Risk
Strategic (sometimes called "enterprise") risk is the risk that an entity is unable to
achieve one or more of its strategic objectives.
This may be due to poor selection of strategic options, poor management
and execution or other factors.
The risks to an entity's strategy are the threats or opportunities that materially
affect the ability of an entity to succeed or even survive.
A top-down (strategic) approach is essential, rather than an (operational) bottom-up
approach.
As strategy concerns assumptions about the future, strategic threats and
opportunities:
• Often come from unexpected quarters (surveys of CEOs and boards
indicate at least 35% of all strategic threats). Risk management
systems must rapidly identify, analyse and enable fast and
effective responses to mitigate threats and capitalize on
opportunities.

• Are often low frequency, but high impact. Because such risks will
never have occurred before, they may not be predicted or identified by
traditional risk management systems which rely on historical data.

• Are often very complex, arising out of ambiguous and non-routine
situations (the very nature of strategic decision-making) with
organisation-wide rather than operation-specific implications.

• In order to recognise and respond quickly to developing strategic
risks, it is essential for boards to understand how the entity
integrates with, and reacts to, the external environment. Building
up an understanding of all environmental factors that will affect an entity
is an essential first step to enabling recognition of a developing problem.

Operational Risks
Operational risk – The risk of loss resulting from inadequate or failed internal
processes, people and systems, or from external events.
Operational risks are associated with operational management and relate to
day-to-day activities of the organisation.
• People: Risks include fraud and theft, breaches of employment law and
loss of key personnel and actions of unsupervised employees that may
lead to financial loss.
• Processes: The risks that the business processes are not
operating as they should (e.g. disruption to business due to suppliers
failing to deliver on time).
• Systems: Risks of failures of the system, including risks associated with
developing and implementing new systems.
• External events: Any external events that disrupt the operations of an
organisation, such as natural disasters, utilities failures and strikes.

Dynamic Nature of Risk


• The risks that organisations face vary in relation to the size, structure,
industry, sector and development of an organisation.

• Some organisations may operate in high-risk environments that can change
suddenly, making some risks challenging to foresee, but the risks that all
organisations face will change over time.

• This means that risk management has to be a continuous process, and
management must continually scan for new risks and decide how to manage
them.

The extent of environmental change that is faced varies from organisation to
organisation and can be seen as a continuum between static and dynamic:
It is worth noting, however, that some risks, such as climate change, the digital
technology revolution, changing stakeholder expectations and increased
geopolitical risk, will affect all organisations.
Organisations that operate in traditionally more static environments, or
that have larger, more established operations, may find it a challenge to
adapt to a more dynamic risk environment.
A dynamic risk assessment is a process in which an organisation continually
assesses the risks in its environment. All organisations, no matter their size,
structure, industry, sector and/or age, need to embed these at different levels of the
organisation to address the different types of risk that they face.

Market Risk
Market risk (sometimes referred to as systematic risk) is the exposure to
the uncertain market value of an asset, liability, investment portfolio or a
derivative contract linked to the asset (liability) held.
It is the risk that the value of an investment (or liability) will decrease (increase)
due to moves in market factors. Typical market factors include:
• Changes in equity value (equity risk);
• Interest rate changes (interest rate risk);
• Foreign exchange changes (currency risk);
• Changes in commodity prices (commodity risk);
• Other price risks that would cause the market price to change.

Credit Risk
The risk that one party to a financial instrument (e.g. trade receivable,
loan) will cause a financial loss for the other party by failing to discharge
an obligation (i.e. fail to settle the debt). This also may be known as credit
default risk.
The term "credit risk" also may be applied to the risk that the firm's credit rating
could be downgraded, in which case its cost of capital will increase. That type of risk
is more commonly known as "credit rating risk" or "financing cost risk" (a type of
financial risk).

The factors to be taken into account include:
• the total volume of credit sales;
• the organization’s credit policy and credit terms offered (credit limits and
time allowed to pay);
• the "quality" of customers (some types of customer are a greater credit
risk than others); and
• credit vetting, assessment and debt collection procedures.

Liquidity Risk
There are three aspects to liquidity risk:
1. Risk that an entity will encounter difficulty in meeting obligations
associated with financial liabilities (i.e. difficulty in repaying debt).
2. Risk that an entity will not be able to raise cash either from its
shareholders or other third parties (e.g. banks).
3. Risk of a premature or forced sale of assets, at a market loss, to raise
necessary funds.

Technological Risk
The risk that a firm does not realize (or recognize) the potential of
technology (including change and emerging technology) to maintain or
gain competitive advantage.
Such technology may be:
• back room (e.g. executive information systems, decision support systems,
computer-aided design); or
• front room (e.g. operational systems, production systems, procurement
systems, supply chain systems, customer management systems).
Like many other categories of risk, technology risk is a two-way risk and
technological change creates threats and opportunities for organizations.
Legal and Regulatory Risk
The risk of breaching applicable laws and regulations, sometimes referred to
as compliance risk (i.e. the risk of not complying with laws and regulations).
Health and Safety Risk
Health and safety risk is the risk of unintentional harm (actual or potential) to
employees or other individuals (e.g. visitors, customers and local population)
caused by the entity.
Climate-related Risk
Risks related to climate change have been described as one of the most significant
and perhaps most widely misunderstood risks facing organizations today.
The 2021 updated TCFD report continues with the 2017 division of climate-related
risks into two categories:
• Transition risks related to the transition to a lower-carbon
economy (to reduce greenhouse gas emissions);
• Physical risks related to the physical impacts of climate change.

Type / Climate-related risk / Examples of risks / Potential financial impacts

Type: Transition
• Policy and legal
o Examples of risks: Mandates on and regulation of existing products and
services; exposure to litigation
o Potential financial impacts: Write-offs, asset impairment, and early
retirement of existing assets due to policy changes; increased costs and/or
reduced demand for products and services resulting from fines and judgments
• Technology
o Examples of risks: Unsuccessful investment in new technologies
o Potential financial impacts: Research and development (R&D) expenditures
in new and alternative technologies
• Market
o Examples of risks: Changing customer behaviour
o Potential financial impacts: Reduced demand for goods and services due
to shift in consumer preferences
• Reputation
o Examples of risks: Increased stakeholder concern or negative stakeholder
feedback
o Potential financial impacts: Reduced revenue from negative impacts on
workforce management and planning (e.g., employee attraction and retention)

Type: Physical
• Acute
o Examples of risks: Increased severity of extreme weather events such as
cyclones and floods
o Potential financial impacts: Reduced revenue from decreased production
capacity (e.g., transport difficulties, supply chain interruptions)
• Chronic
o Examples of risks: Rising sea levels
o Potential financial impacts: Reduced revenue and higher costs from
negative impacts on workforce (e.g., health, safety, absenteeism)

Governance
• Recommendation: Disclose the organization’s governance around
climate-related risks and opportunities
• Disclosures: Describe the board’s oversight of – and management’s role
in – assessing and managing climate-related risks and opportunities

Strategy
• Recommendation: Disclose the actual and potential impacts of
climate-related risks and opportunities on the organization’s businesses,
strategy, and financial planning where such information is material
• Disclosures: Describe the climate-related financial risks and opportunities
the organization has identified and the impact of these risks to business,
strategy and financial planning. Also use scenario analysis to describe the
resilience of the organization’s strategy under different global warming
scenarios, including a 2-degree or lower scenario

Risk Management
• Recommendation: Disclose how the organization identifies, assesses, and
manages climate-related financial risks
• Disclosures: Describe the processes for identifying, assessing and managing
climate-related financial risks and how these processes are integrated into
the organization’s overall risk management approach

Metric and Target
• Recommendation: Disclose the metrics and targets used to assess and manage
relevant climate-related financial risks and … opportunities where such
information is material
• Disclosures: Disclose metrics used to assess climate-related financial risks
and opportunities and disclose GHG emissions and the related risks. Describe
targets used to manage climate-related risks and opportunities and
performance against these targets

Organizations’ disclosures of their climate-related metrics and information from
their transition plans are key inputs for estimating actual or potential financial
impacts associated with climate change.

Risk appetite – the amount and nature of exposure to risks that an entity is
prepared to accept in pursuit of its strategic and operational goals.
The risk appetite shows what level of risk and return an organisation will accept.
• Risk seekers – take on higher levels of risk if this leads to greater
rewards (e.g. gamblers and speculators).
• Risk-averse decision makers – avoid risk when possible and are happy to
accept a lower level of return if this reduces their risk.

The factors that affect risk appetite include the following:
• The attitudes of stakeholders, particularly shareholders and owners;
• The culture of the organisation;
• The existing risk profile, as this will influence how much additional risk the
organisation is prepared to take on;
• The organisation's risk capacity (see below);
• The importance of a particular strategic objective. Different strategic
appetites may exist for different objectives:
o a lower risk appetite is associated with objectives that are
extremely important; and
o a higher risk appetite for less important ones.
• The risk management capabilities of management. Organizations that
have greater experience with risk management are likely to be able to
understand and identify their risk appetites more accurately.
