ACA Answered - Business Technology Finance Guide - Risk Management Sample Chapter 2018


SAMPLE NOTES FROM OUR ACCOUNTANCY ANSWERED BUSINESS, TECHNOLOGY & FINANCE GUIDE:

BUSINESS BASICS: RISK MANAGEMENT

Accountancy Answered is a comprehensive, first-class set of exam-focused study notes for the ACA (Certificate Level) and CFAB. Please visit accountancyanswered.com if you wish to purchase a copy. This chapter is provided by way of a sample, for marketing purposes only. It does not constitute legal advice. No warranties as to its contents are provided. All rights reserved. Copyright © Answered Ltd.


9 RISK MANAGEMENT

BUSINESS BASICS

RISK MANAGEMENT

Risk management is the process carried out by a business to manage and prepare for risks, both internally and arising from the external environment. More specifically, risk management involves the identification, analysis and control of risks which may reduce the profitability or viability of the business. There is often a legal requirement to manage risk (e.g. to take out buildings insurance, public liability insurance or professional indemnity insurance). All FTSE 350 companies are required to have a risk-based approach to management (under the UK Corporate Governance Code).

RISK AND OPPORTUNITY

UNCERTAINTY

Generally speaking, “risk” is the possible variation in an expected outcome. Risk can be viewed as symmetrical: an outcome can turn out better (“upside risk”) or worse than expected (“downside risk”). From a business perspective, risk is the possibility that an outcome will adversely affect the business’s ability to achieve its objectives, whereas an “opportunity” is the possibility that an outcome will positively affect the business’s ability to achieve its objectives. “Uncertainty” is simply the inability to predict an outcome due to a lack of information.

There are a number of potential risks for businesses – poor trading conditions, falling sales, rising costs, inadequate internal controls and poor cashflow all being examples. These risks are detailed in the diagram overleaf. Stakeholders share in these risks: investors risk failed debt payments, and shareholders face the risk of losing their investment if the company becomes insolvent.

RISK APPETITE

The extent to which a business is willing to bear risks in order to achieve its aims and objectives is known as its risk appetite. Businesses fall into one of three broad categories:

1) Risk averse – preferring to choose an option with a certain outcome, but likely lower returns. For example, choosing to invest in gilts over more high-risk investments, such as shares, although the shares would potentially have higher returns.


2) Risk neutral – choosing investments based on their expected return; risk level is a secondary consideration.

3) Risk seeking – preferring to choose an option with a less certain outcome in return for potentially higher returns. For example, choosing an investment with higher risk levels, even if there is an option for a high return with a lower risk level.

BUSINESS RISKS

There are a number of different types of risk that a business may face. The diagram groups them as follows:

Business risk
  - Operational risk
      Process risk
      Cyber risk
      People risk
      Systems risk
      Event risk
        Single events: disaster, regulatory, reputation, systemic risk
        Environment factors: physical, social, political, legal, technological or economic risk
  - Strategy risk
  - Product risk
  - Enterprise risk
  - Financial risk
      Controllable financial risk: credit risk, liquidity risk, gearing risk
      Noncontrollable financial risk: market risk

See overleaf for an explanation of these terms.


BUSINESS RISK

The risks faced by a business due to its environment and the conditions that it works in. The introduction of a new technology that creates an alternative market can increase business risk. Business risk can be broken down into operational risk, strategy risk, product risk, enterprise risk and financial risk.

ENTERPRISE RISK

The chance that the planning, organisation and managing of an organisation’s activities will have a detrimental effect on the capital or earnings.

PRODUCT RISK

The chance that customers will not purchase the expected quantities of product.

STRATEGY RISK

The chance that the business chooses an inappropriate corporate, business or functional strategy.

FINANCIAL RISK

Financial risk can sometimes be controlled, such as:

the chance of customers not paying by defaulting on their payments (credit risk);

the chance of reduced cashflow (liquidity risk); or

the chance of inappropriate financing and overly-high or too-low levels of debt (gearing risk).

Borrowings or the introduction of fixed costs (e.g. through new machinery) will increase financial risk. Uncontrollable financial risk arises from external factors, such as a change in interest, commodity or exchange rates. This is known as market risk.

OPERATIONAL RISK

The chance that something will go wrong within the business which will have an adverse effect or cause losses. This can include:

Process risk – ineffective or inefficient processes.

Cyber risk – data loss, reputation damage or disruption to operations as a result of poor system integrity (see below).

People risk – insufficient staff, dishonesty, incompetence, etc.

Systems risk – data integrity failure, unauthorised access, insufficient system capacity, etc.

Event risk – can arise from one-off events, such as the introduction of new laws (regulatory risk), a catastrophe (disaster risk), damaged reputation (reputation risk) or failure of the supply chain (systemic risk). Ongoing environment changes can also cause event risk, such as climate changes (physical risk), change in societal trends (social risk), a recession (economic risk), new technologies (technology risk) or failing to meet legal obligations (legal risk).


CYBER RISK

Cyber risk is the risk of accidental or deliberate network activity resulting in disrupted services, reputation damage or data loss. Cybercrime covers a range of crimes which take advantage of technological weaknesses to gain unauthorised access to data or systems and/or carry out unauthorised acts on that data or system. These crimes include hacking, phishing (bogus emails asking for personal details), data hijacking (generally to hold at ransom or to access the user's screen or webcam), keylogging (recording keyboard activity) and ad clickers.

Hacking is the most commonly known and used method of cyber-attack. Hacking risks the integrity of any data held on a system and can affect the robustness of a business's physical IT infrastructure, which can prevent or severely reduce a company's ability to operate effectively. Distributed denial of service ("DDoS") attacks disrupt a business's online network by overwhelming it with multiple requests (using botnets), preventing legitimate users from accessing these online services. The key defences to cybercrime are to:

a) Report incidents to authorities to enable investigation

b) Manage cyber security in line with the business's overall risk strategy to ensure comprehensive protection

c) Mitigate cyber risk through data encryption, patch management (small updates to remove or reduce risk in software), regular backup of key data and implementation of access controls

d) Share knowledge and best practice (e.g. through training)

e) Develop and promote awareness both internally and externally

Risks can be measured by examining four elements:

1) Exposure – how likely is it that the risk will occur based on the operations of the business?

2) Volatility – is the risk level likely to change (e.g. trends or seasonal dependency)?

3) Probability – what is the likelihood of the undesired outcome occurring?

4) Impact – what would the loss be if the adverse outcome actually occurred?

The process of managing risk can be broken down into four steps:

1) AWARENESS & IDENTIFICATION

2) ANALYSIS

3) RESPONSE & CONTROL

4) MONITORING & REPORTING


These steps are explained below.

1) Awareness and Identification:

Risk identification is an ongoing process within the business carried out by management and staff. Top-down risk identification is led by senior management. Bottom-up risk identification is carried out by employees, preferably with the guidance of a risk expert. In reality, a mixed approach is often the best solution; management should aim to create a culture which encourages employees to identify potential risks or changes to existing risks in addition to their own more formal, management-led risk identification processes.

2) Analysis:

The analysis of risks will involve assessing the implications that a risk will have on the business and measuring its probability and potential impact. The "gross risk" is the potential loss which is associated with the risk:

Gross risk = Impact x Probability

The "probability" is calculated as a number between 0 (will not occur) and 1 (will definitely occur). The "impact", or potential loss, is the expected value of the loss and is generally calculated using weighted averages. A weighted average looks at the possible losses for each likely outcome and takes an average loss value across all possible outcomes.

3) Response and Control:

There are four possible responses to risk, which are set out below in the order in which they should be considered.

a) AVOID – does the business actually need to carry out this activity? If not, do not do it or stop doing it.

b) REDUCE – if the business does need to carry out this activity, what can the business do to reduce the risk of an adverse outcome?

c) SHARE / TRANSFER – if the business cannot avoid or reduce the risk, what can the business do to share the risk or transfer part of the risk away? For example, can the business take out insurance against this risk?

d) ACCEPT / RETAIN – if the other options are not possible, the business will have to bear the risk and do what it can to manage the risk.

This order provides a general approach to risk management. However, that strategy will not always be suitable. The best strategy will depend on both the probability of an adverse outcome occurring and the impact that the adverse outcome would have if it occurred.


The table below illustrates the risk management strategy that a business should take depending on different probabilities and impacts:

                                        PROBABILITY
                        Low                               High
IMPACT   High   2) Reduce, or if not,             1) Avoid, if not, 2) Reduce,
                3) Share / Transfer               or if not, 3) Share / Transfer

         Low    4) Accept / Retain                2) Reduce
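An added worked example (not from the study guide) of the Analysis step and the matrix above: each risk's impact is the weighted average of its possible losses, gross risk is impact multiplied by probability, and the High/Low thresholds that decide the matrix cell are assumptions, as are the sample register values.

```python
# Added example: gross risk = impact x probability, with impact taken as the
# weighted average (expected value) of the possible losses, then mapped onto
# the probability/impact matrix. Thresholds and register values are assumptions.
from dataclasses import dataclass

HIGH_PROBABILITY = 0.5       # assumed cut-off between "Low" and "High" probability
HIGH_IMPACT = 100_000.0      # assumed cut-off between "Low" and "High" impact (currency units)

# Matrix cells keyed by (impact level, probability level).
RESPONSE = {
    ("High", "High"): "1) Avoid, if not, 2) Reduce, or if not, 3) Share / Transfer",
    ("High", "Low"): "2) Reduce, or if not, 3) Share / Transfer",
    ("Low", "High"): "2) Reduce",
    ("Low", "Low"): "4) Accept / Retain",
}

@dataclass
class Risk:
    name: str
    probability: float   # 0 (will not occur) .. 1 (will definitely occur)
    outcomes: list       # (loss, weight) pairs, one per possible outcome if the risk occurs

    def impact(self) -> float:
        """Weighted-average loss across the possible outcomes."""
        total_weight = sum(w for _, w in self.outcomes)
        if total_weight <= 0:
            raise ValueError("outcome weights must sum to a positive number")
        return sum(loss * w for loss, w in self.outcomes) / total_weight

    def gross_risk(self) -> float:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.impact() * self.probability

    def response(self) -> str:
        """Matrix cell for this risk's impact and probability levels."""
        impact_level = "High" if self.impact() >= HIGH_IMPACT else "Low"
        prob_level = "High" if self.probability >= HIGH_PROBABILITY else "Low"
        return RESPONSE[(impact_level, prob_level)]

# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("Ransomware on the finance server", 0.2, [(500_000, 0.3), (150_000, 0.5), (20_000, 0.2)]),
    Risk("Late customer payments", 0.8, [(8_000, 0.6), (2_000, 0.4)]),
]

def rank(register):
    """(name, gross risk, response) tuples ordered by gross risk, highest first."""
    rows = [(r.name, round(r.gross_risk(), 2), r.response()) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for name, gross, resp in rank(REGISTER):
        print(f"{name}: gross risk {gross:,.2f} -> {resp}")
```

The rarer but costlier ransomware entry ranks first and lands in the high-impact, low-probability cell, which is where the guide's share/transfer (insurance) option comes in.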

4) Monitoring and Control:

Risk monitoring should be an ongoing process. If a "risky" event occurs, corrective actions, which may include the implementation of new controls, should be put into place. Possible controls which a business can use to manage a risk include:

• Physical controls ("locks")

• Financial controls (credit limits)

• Management controls (budgeting)

• System controls (system access review, restructuring operations)

All potential problems should be reported to management, who may use a risk matrix to map and assess risks and their subsequent corrective approach.


UNPREDICTABLE AND UNPLANNED EVENTS

Whilst risks can be managed, sometimes events may happen unexpectedly which cannot be predicted or planned for.

CRISIS

A crisis is an unexpected event which significantly disrupts the normal operations of the business. The three main types of crisis which a business will face are a:

Financial crisis (cashflow problems)

PR crisis (negative publicity, loss of reputation)

Strategic crisis (a change in the business environment)

Contingency plans should be arranged by every business. Contingency plans will detail perceived best-case and worst-case scenarios and the appropriate responses to each. If the crisis fits within a contingency plan, then the business will already have a plan of action for how to respond to the crisis.

DISASTER

A disaster is the potential loss of equipment, funds or data due to a major breakdown in the business's operations (or a breakdown in a significant part of its operations). All foreseeable disasters should be considered by a business, and that business should have put provisions in place to deal with disasters as they unfold, such as fire safety plans.

All businesses should already have a disaster recovery plan, which details the standby procedures in place to ensure that critical operations can continue, recovery procedures to bring the business back on track, and management policies to ensure that the disaster recovery plan is completed quickly and effectively. The disaster recovery plan will include:

Detailed responsibilities and priorities

Backup arrangements (e.g. back-up servers)

Communication and PR templates to communicate information with staff, suppliers, the public and the media.

QUESTION BANK

ICAEW Question Bank, Chapter 5: Introduction to risk management Questions: 1 – 28
