Module 5
Risk Management
LEARNING OUTCOMES

At the end of this module, you should be able to:

1. Understand what risk is and the different attitudes towards risk;
2. Understand the risk management process;
3. Understand the different categories and examples of risk.

DEFINITIONS OF RISK

• It is the uncertainty of an event occurring that could have an impact on the achievement of the objectives. It is measured in terms of consequences and likelihood. (Institute of Internal Auditors)

• Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative. (Institute of Risk Management)

• It is the effect of uncertainty on objectives. The effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence. (ISO Guide 73)

RISK APPETITES AND ATTITUDES

Management responses to risk are not automatic, but will be determined by their
own attitudes to risk, which in turn may be influenced by cultural factors.

Risk appetite
• describes the nature and strength of risks that an organisation is prepared to bear.

Risk attitude
• is the directors' views on the level of risk that they consider desirable.

Risk capacity
• describes the nature and strength of risks that an organisation is able to bear.

AE1 – Governance, Business Ethics, Risk Management and Internal Control
/uepcba _Summer 2023

Different Attitudes Towards Risk:

Risk-averse businesses may be willing to tolerate risks up to a point provided they receive an acceptable return, or if the risk is 'two-way' or symmetrical, that is, it has both positive and negative outcomes. Some risks may be an unavoidable consequence of operating in their business sector. However, there will be upper limits to the risks they are prepared to take, whatever the level of returns they can earn.

Risk-seeking businesses are likely to focus on maximising returns and may not be
worried about the level of risks that have to be taken to maximise returns (indeed
their managers may thrive on taking risks).

The range of attitudes to risk can be illustrated as a continuum. The two ends are
two possible extremes, whereas real-life organisations are located between the two.
At the left-hand extreme are organisations that never accept any risk and whose
strategies are designed to ensure that all risks are avoided. On the right-hand side
are organisations that actively accept risks and are risk-seeking.

Whatever the viewpoint, a business should be concerned with reducing risk where
possible and necessary, but not eliminating all risks, whilst managers try to
maximise the returns that are possible given the levels of risk. Most risks must be
managed to some extent, and some should be eliminated as being outside the
business. Risk management under this view is an integral part of strategy, and
involves analysing what the key value drivers are in the organisation's activities, and
the risks tied up with those value drivers.

Another issue is that organisations that seek to avoid risks (for example public sector companies and charities) do not need the elaborate and costly control systems that a risk-seeking company may have. However, businesses such as those that trade in derivatives, volatile share funds or venture capital companies need complex systems in place to monitor and manage risk. The management of risk needs to be a strategic core competence of the business.

RISK MANAGEMENT DEFINITIONS

Risk management
• It is the process of measuring or assessing risk and developing strategies to manage it.
• It is a systematic approach to identifying, analysing and controlling areas or events with a potential for causing unwanted change.
• It is the act or practice of controlling risk.


• It includes risk planning, developing risk handling options, monitoring risks to determine how risks have changed and documenting the overall risk management program.
• According to ISO 31000, it is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events and to maximize the realization of opportunities.

RISK MANAGEMENT PROCESS

1. Establish the context

• Define the scope for the risk management process and set the criteria against which the risks will be assessed.

• The scope should be determined within the context of the firm's organisational objectives. Risks are uncertainties that affect the achievement of business objectives, so risks cannot fully be identified if these objectives and strategies are unclear.

o Objectives can include both:
- Explicit – objectives that are well defined (example, to increase client satisfaction feedback by 5%)
- Implicit – objectives that might be undocumented but are expected (example, to obey the law)


• Identify relevant stakeholders
o This includes stakeholders which may expose the entity to risk, are exposed to an entity's risks, or may be able to help an entity manage risk.

• Other elements to consider in establishing context for risk assessment:
o The external context
- the environment in which the entity operates including policy, operational, cultural, political, people, environmental, legal, regulatory, financial, technological and economic factors
o The internal context
- includes those factors within the entity that are relevant to the risk assessment.
- Factors typically include the entity's strategic objectives, organisational capabilities and culture
o The risk management context
- this defines the goals and objectives of the risk management activity including how it is to be undertaken, who is responsible for each component and what is in scope

2. Risk identification

• This can start with the analysis of the source of the problem or with the analysis of the problem itself.

• The aim of this step is to develop a comprehensive and tailored list of future events which could be uncertain, but are likely to have an impact (either positively or negatively) on the achievement of the objectives – these are the risks.

• Thorough identification of potential risks is critical to the success of any risk assessment. It is important not to be too narrow or constrained. To avoid what is often referred to as a 'failure of imagination', care needs to be taken to ensure that the identification process does not just focus on today's challenges but also considers a diverse range of sources, including risk events that are emerging or in the future.

• A number of techniques can be used during risk identification to assist in the discovery process. These can be sophisticated and highly structured, or more informal, depending on the purpose and context of the assessment being undertaken. Common techniques include the use of risk categories or linking risks to each objective identified in the context-setting phase. Another method is to begin by thinking of the threats and opportunities the entity faces, and use these to identify relevant risks.


3. Risk assessment/analysis
• Establishes the potential impact of each risk and the probability of occurrence. The combination of these two determines the severity of the risk, which may be positive or negative.

• Shown below is one approach to risk analysis which uses a matrix or a “risk heat map”. Consequence and likelihood are plotted on the two axes of the matrix, with each corresponding cell assigned a level of severity.

4. Risk evaluation

• This determines the tolerability of each risk. Tolerability is different from severity. Tolerability assists in determining which risks need treatment and their relative priority. This is achieved by comparing the risk severity established in the risk analysis step with the risk criteria found in the likelihood and consequence criteria already defined.

• At its simplest, an entity might decide that risks above a certain severity are unacceptable, and risks below this are tolerable. More sophisticated approaches might assign risk acceptance delegations for risks of increasing severity to officials of different levels of seniority.

• Decisions on tolerability should also be made after considering the broader context of the risk including the impact of the risk upon other entities outside of the organisation. Treatment decisions should consider financial, legal, regulatory and other requirements. Ultimately though, the considered and informed acceptance of risk supports decision making and is essential to entity performance including the achievement of objectives.


5. Risk treatment

• This is the action taken in response to the risk evaluation, where it has been agreed that additional mitigation activities are required.

• It is a cyclical process where individual risk treatments (or combinations of treatments) are assessed to determine if they are adequate to bring the residual risk levels to a tolerable or appropriate level. If not, then new risk treatments are generated and assessed until a satisfactory level of residual risk is achieved.

• Risk treatment will be most effective where it is tailored to the requirements and capabilities of the entity.

• Risk treatment strategies:

a. Risk avoidance

o Not undertaking the activity that could expose the entity to risk.

o However, this also means losing out on the potential gain that accepting (retaining) the risk may have allowed.

b. Risk reduction

o Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the loss occurring.

o Optimizing risks means finding a balance between the negative risk and the benefit of the operation or activity; and between risk reduction and effort applied.

o For example, an entity may decide to outsource certain activities if the outsourcer can demonstrate higher capability of managing or reducing risks.

c. Risk sharing

o This means sharing with another party the burden of loss or the benefit of gain from a risk, and the measures to reduce a risk.

o For example, insuring the company's property against fire.

d. Risk retention

o This involves accepting the loss, or benefit of gain, from a risk when it occurs.

o All risks that are not avoided are transferred (shared) or retained by default.

o Examples:

- Self-insurance – a company or individual sets aside a pool of money to be used to remedy an unexpected loss.

- Accepting a large excess or deductible on an insurance policy. Any amount of potential loss over the amount insured is retained risk. This is acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage involves a substantial amount that could hinder the goals of the organization.

 Selecting the most appropriate treatment requires balancing the cost and
effort of implementation against the benefits derived from additional risk
mitigation. In some cases, further treatment may be unachievable or
unaffordable and the residual risk may need to be accepted and
communicated. Entities may wish to consider how external stakeholders
can provide support when developing treatment options or if treatments can
be implemented collaboratively.
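The heat-map analysis of step 3, the tolerability cut-off and acceptance delegations of step 4, and the cyclical residual-risk check of step 5 can be put together in one small script. The code below is an added illustration for this module, not part of the module itself or of any standard it cites: the five-point likelihood and consequence scales, the severity band thresholds, the delegation table, the sample risk register and the candidate treatments are all constructed for the example (the module's own matrix figure is not reproduced).

```python
"""Risk heat map, tolerability and residual-risk check (added illustration).

All scales, thresholds, delegations, sample risks and treatments below are
constructed for this example; the module's own matrix figure is not reproduced.
"""
from dataclasses import dataclass

# Five-point ordinal scales for the two axes of the heat map (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RANK_TO_LIKELIHOOD = {v: k for k, v in LIKELIHOOD.items()}
RANK_TO_CONSEQUENCE = {v: k for k, v in CONSEQUENCE.items()}

# Severity bands, highest first, keyed on the likelihood x consequence score (assumed).
BANDS = (("extreme", 15), ("high", 8), ("medium", 4), ("low", 0))
ORDER = [band for band, _ in reversed(BANDS)]  # low ... extreme

# Step 4 criteria: a single cut-off for the simple rule, and acceptance
# delegations by seniority for the more sophisticated one (both assumed).
TOLERABLE_BELOW = "high"
DELEGATION = {"low": "line manager", "medium": "department head",
              "high": "chief executive", "extreme": "board"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str


@dataclass(frozen=True)
class Treatment:
    """A control expressed as the number of ranks it removes from each axis."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def score(risk):
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def severity(risk):
    """Step 3: the heat-map cell (severity band) for a likelihood/consequence pair."""
    s = score(risk)
    for band, floor in BANDS:
        if s >= floor:
            return band
    raise AssertionError("unreachable: the lowest band has floor 0")


def heat_map():
    """The whole matrix as {likelihood: {consequence: band}}."""
    return {l: {c: severity(Risk("", l, c)) for c in CONSEQUENCE} for l in LIKELIHOOD}


def is_tolerable(band):
    return ORDER.index(band) < ORDER.index(TOLERABLE_BELOW)


def evaluate(register):
    """Step 4: rank the register by severity and name who may accept each risk."""
    rows = []
    for r in register:
        band = severity(r)
        rows.append({"risk": r.name, "score": score(r), "severity": band,
                     "tolerable": is_tolerable(band), "accepted_by": DELEGATION[band]})
    return sorted(rows, key=lambda row: (-row["score"], row["risk"]))


def residual(risk, treatments):
    """Step 5: the risk re-scored after the given treatments, floored at rank 1."""
    l = LIKELIHOOD[risk.likelihood] - sum(t.likelihood_reduction for t in treatments)
    c = CONSEQUENCE[risk.consequence] - sum(t.consequence_reduction for t in treatments)
    return Risk(risk.name, RANK_TO_LIKELIHOOD[max(1, l)], RANK_TO_CONSEQUENCE[max(1, c)])


def treatment_plan(risk, candidates):
    """Step 5's cycle: add candidates in order until the residual risk is tolerable.
    Returns (treatments chosen, residual band, whether that band is tolerable)."""
    chosen = []
    for t in candidates:
        if is_tolerable(severity(residual(risk, chosen))):
            break
        chosen.append(t)
    band = severity(residual(risk, chosen))
    return chosen, band, is_tolerable(band)


# Constructed sample register and candidate treatments (cheapest first).
SAMPLE_REGISTER = [
    Risk("Key supplier insolvency", "likely", "major"),
    Risk("Ransomware outage of the order system", "possible", "severe"),
    Risk("Late customer payments", "likely", "minor"),
    Risk("Minor data-entry errors", "almost certain", "insignificant"),
    Risk("Office fire", "rare", "severe"),
]
RANSOMWARE_TREATMENTS = [
    Treatment("Tested offline backups", consequence_reduction=2),
    Treatment("Patching and MFA on remote access", likelihood_reduction=1),
    Treatment("Cyber insurance (risk sharing)", consequence_reduction=1),
]
```

Calling `evaluate(SAMPLE_REGISTER)` returns the register ordered by severity, so the two "extreme" risks surface first and every row names the level of seniority that may accept it; `treatment_plan(SAMPLE_REGISTER[1], RANSOMWARE_TREATMENTS)` shows the cyclical part of step 5: offline backups alone leave the ransomware risk "high", adding patching and MFA brings it to "medium", and the loop stops there because that band is below the cut-off. Changing `TOLERABLE_BELOW` or the `BANDS` thresholds is where an entity expresses its risk appetite; the ranking logic itself does not change.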

6. Communication and consultation

• Communication and consultation are essential attributes of good risk management. Risk management cannot be done in isolation and is fundamentally communicative and consultative. Hence this step is, in practice, a requirement within each element of the risk management process.

• Formal risk reporting is only one form of risk communication. Good risk communication generally:
o encourages stakeholder engagement and accountability
o maximises the information obtained to reduce uncertainty
o meets the reporting and assurance needs of stakeholders
o ensures that relevant expertise is drawn upon to inform each step of the process
o informs other entity processes such as corporate planning and resource allocation.

• Different stakeholders will have different communication needs and expectations. Good risk communication is tailored to these requirements.


7. Monitoring and review

• Risks change over time and hence risk management will be most effective where it is dynamic and evolving. Monitoring and review is integral to successful risk management and entities may wish to consider articulating who is responsible for conducting monitoring and review activities.

• Key objectives of risk monitoring and review include:
o detecting changes in the internal and external environment, including evolving entity objectives and strategies
o identifying new or emerging risks
o ensuring the continued effectiveness and relevance of controls and the implementation of treatment programs
o obtaining further information to improve the understanding and management of already identified risks
o analysing and learning lessons from events, including near-misses, successes and failures

• Monitoring and review can be both periodic and based upon trigger events or changing circumstances. The frequency of the review process should be commensurate with the rate at which the entity and its operating environment are changing.

• The results and observations from monitoring and review are most useful when well documented and shared. They may be included in formal risk reports, recorded and published internally and externally as appropriate, and should also be used as an input to reviews of the whole risk management framework.

CATEGORIES OF RISKS

1. Strategic risks

• Strategic risk is the potential volatility of profits caused by the nature and type of the business operations. These risks relate to the fundamental decisions that the directors take about the future of the organisation.

• The most significant risks are focused on the strategy the organisation adopts, including concentration of resources, mergers and acquisitions and exit strategies. These will have major impacts on costs, prices, products and sales, and also on the sources of finance used.


• Business risks are strategic risks that threaten the survival of the whole business. Business risks, the most serious risks, are likely to be greatest for start-up businesses or those in cyclical industries. However, perhaps the most notable victim of the credit crunch over the last few years, Lehman Brothers, was not immune to business risks even after 158 years of operating.

• Organisations also need to guard against the risks that business processes and operations are not aligned to strategic goals, or are disrupted by events that are not generated by business activities.

2. Operational risk

• Operational or process risk is the risk of loss from a failure of internal business and control processes.

• Operational risks include:
o Losses from internal control system or audit inadequacies
o Non-compliance with regulations or internal procedures
o Information technology failures
o Human error
o Loss of key personnel (key-person risk)
o Fraud
o Business interruptions

• The main difference between strategic and operational risks is that strategic risks relate to the organisation's longer-term place in, and relations with, the outside environment. Although some of them relate to internal functions, they are internal functions or aspects of internal functions that have a key bearing on the organisation's situation in relation to its environment. Operational risks are what could go wrong on a day-to-day basis, and are not generally very relevant to the key strategic decisions that affect a business, although some (for example a major disaster) can have a major impact on the business's future.

EXAMPLE OF RISKS FACED BY AN ORGANIZATION

1. Entrepreneurial risk

• These are the risks that arise from carrying out business activities. Entrepreneurial risk has to be incurred if a business is to gain returns. Entrepreneurial risk is forward-looking and opportunistic rather than negative and to be avoided.

• It includes the risks of a possible range of returns from a major investment, or of profits being lessened by competitors' activities. Remember that all businesses apart from monopolies face risks from competitors if they are to carry on business. In addition, it will be necessary to take some risks when doing business to achieve the level of returns that shareholders demand.

2. Financial risk

• Financial risks include reductions in revenues or profits, or incurring losses. The ultimate financial risk is that the organisation will not be able to continue to function as a going concern.

• Financial risks include the risks relating to the structure of finance the organisation has, in particular the risks relating to the mix of equity and debt capital, and also whether the organisation has an insufficient long-term capital base for the amount of trading it is doing (overtrading). Organisations also must consider the risks of fraud and misuse of financial resources. Longer-term risks include currency and interest rate risks, and also market risk. Shorter-term financial risks include credit risk and liquidity risk.

a. Financing risk – includes:

o Long-term sources of finance being unavailable or ceasing to be available
o Taking on commitments without proper authorisation
o Taking on excessive commitments to paying interest that the company is unable to fulfil
o Having to repay multiple sources of debt finance around the same time
o Being unable to fulfil other commitments associated with a loan
o Being stuck with the wrong sort of debt (floating rate debt in a period when interest rates are rising, fixed rate debt in a period when interest rates are falling)
o Excessive use of short-term finance to support investments that will not yield returns until the long term
o Ceding of control to providers of finance (for example banks demanding charges over assets or specifying gearing levels that the company must fulfil)

b. Liquidity risk

o risk of loss due to a mismatch between cash inflows and outflows

o If a business is suddenly unable to cover or renew its short-term liabilities (for example, if the bank suspends its overdraft facilities), there will be a danger of insolvency if it cannot convert enough of its current assets into cash quickly.

o If short-term funding is obtained to cover liquidity problems, the business may have to pay an excessively high borrowing rate. It will then be subject to interest rate risk on borrowing rates and so there is a potentially strong relationship between interest rate risks and liquidity risks.

o Liquidity risk can also be extended to cover the risk of gaining a poor
liquidity reputation, and therefore having existing sources of finance
withdrawn as well.

o There is also asset liquidity risk, the failure to realise the expected
value on the sale of an asset due to lack of demand for the asset or
having to accept a lower price due to the need for quick funds.

c. Cash flow risk

o This relates to the volatility of a firm's day-to-day operating cash flows. A key risk is having insufficient cash available because cash inflows have been unexpectedly low, perhaps due to delayed receipts from customers. If for example a firm has had a very large order, and the customer fails to pay promptly, the firm may not be able to delay payment to its supplier in the same way.

d. Credit risk

o This is the risk to a company from the failure of its debtors to meet
their obligations on time.

o The most common type of credit risk is when customers fail to pay
for goods that they have been supplied on credit.

o Liquidity risk will often be very strongly correlated to credit risk. If customers delay paying their bills, there is a stronger risk that the business will not have sufficient monies to settle its own liabilities.

e. Currency risk

o This is the possibility of loss or gain due to future changes in exchange rates.

o When a firm trades with an overseas supplier or customer, and the invoice is in the overseas currency, it will expose itself to exchange rate or currency risk. Movement in the foreign exchange rates will create risk in the settlement of the debt – i.e. the final amount payable/receivable in the home currency will be uncertain at the time of entering into the transaction.

o One way of reducing or eliminating this risk is through the use of hedging.


f. Interest rate risk

o If a firm has a significant amount of variable (floating) rate debt, interest rate movements will give rise to uncertainty about the cost of servicing this debt. Conversely, if a company uses a lot of fixed rate debt, it will lose out if interest rates begin to fall. Like currency risks however, interest rate risks have upsides as well as downsides. A business with floating rate debt will benefit from lower costs if interest rates fall.

o Just like currency risk, one way of managing interest rate risk is
through the use of hedging.

3. Market risk

• is a risk of gain or loss due to movement in the market value of an asset – a stock, a bond, a loan, foreign exchange or a commodity – or a derivative contract linked to these assets. Market risk is often discussed in the context of the stock markets.

• is a risk arising from any of the markets in which a company operates, including resource markets (inputs), product markets (outputs) or capital markets (finance).

• is the risk that the fair values or cash flows of a financial instrument will fluctuate due to market prices. Market risk reflects interest rate risk, currency risk and other price risks.

4. Product risk

• Product risks will include the risks of financial loss due to producing a poor quality product. These include the need to compensate dissatisfied customers, possible loss of sales if the product has to be withdrawn from the market or because of loss of reputation, and the need for expenditure on improved quality control procedures. However, product risks also include the risks involved in developing a new product, and the risks cover the range of outcomes from the product being a great success to a total failure.

5. Technological risk

This includes:
• Strategic risks and opportunities
• Physical damage risks
• Data and systems integrity risks
• Fraud risk
• Internet risk


• Denial of Service (DoS) attack – This is characterised by an attempt by attackers to prevent legitimate users of a service from using that service. For example:
o 'Flood' or bombard a site or network, thereby preventing legitimate network traffic
o Disrupt connections between two machines, thereby preventing access to a service
o Prevent a particular individual from accessing a service

6. Health and Safety Risk

Health and safety risks include loss of employees' time because of injury and the
risks of having to pay compensation or legal costs because of breaches. Health
and safety risks can arise from:

• Lack of health and safety policy – due to increased legislation in this area this is becoming less likely
• Lack of emergency procedures – again less likely
• Failure to deal with hazards – often due to a failure to implement policies such as inspection of electrical equipment, labelling of hazards and training
• Poor employee welfare – not just threats to health such as poor working conditions or excessive exposure to computer monitors, but also risks to quality from tired staff making mistakes
• Generally poor health and safety culture

7. Environmental Risk

Environmental risk is a loss or liability arising from the effects of the natural
environment on the organisation or a loss or liability arising out of the
environmental effects of the organisation's operations.

The risk is possibly greatest with business activities such as agriculture and
farming, the chemical industry and transportation generally. These industries have
the greatest direct impact on the environment and so face the most significant
risks. However other factors may be significant. A business located in a sensitive
area, such as near a river, may face increased risks of causing pollution. A key
element of environmental risk is likely to be waste management, particularly if
waste materials are toxic.

However, there may be upsides associated with environmental risks and the way
they are managed. There may also be substantial gains in terms of reputation and
how key stakeholders act towards them.


Assessment Task

1. Match the term to the definition.


Terms:
(a) Risk appetite
(b) Risk capacity
(c) Risk attitude
Definitions:
i. The nature and strength of risks that an organisation is able to bear
ii. The nature and strength of risks that an organisation is prepared to bear
iii. The directors' views on the level of risk that they consider desirable

2. Which of the following would not normally be classified as a strategic risk?


A. The risk that a new product will fail to find a large enough market
B. The risk of competitors moving their production to a different country and being able to cut
costs and halve sale prices as a result
C. The risk that a senior manager with lots of experience will be recruited by a competitor
D. The risk of resource depletion meaning that new sources of raw materials will have to be
found

3. Give three examples of items that could be subject to market risk.

ANSWERS TO ASSESSMENT TASK:

1. (a) – ii
(b) – i
(c) – iii

2. C

3. Stock/shares
Bonds
Loans
Foreign exchange
Commodity

REFERENCES

Financial Management Principles and Applications Volume 2, 2015 Edition, by Ma. Elenita B. Cabrera

Fundamentals of Risk Management – Understanding, Evaluating and Implementing Effective Risk Management, 4th Edition, by Paul Hopkin, 2017, Kogan Page Limited

https://www.finance.gov.au/sites/default/files/2019-11/Risk-Management-Process.pdf

Paper P1 – Governance, Risk and Ethics Study Text, 2014, BPP Learning Media