Date post: 21-Jan-2015
Category: Business
Upload: gde-coaching-jean-noel-macaque
Chapter 11
19 July 2011
*Controlling risk
[Overview diagram: Controlling risk. Labels: Awareness; Risk mgmt strategies; risk monitoring; Embedding Risk; TARA; avoidance/ retention; risk reporting; Diversification; Roles: Board, Risk Comm, Risk manager, Internal / external audit]
* Role of Board
*Significant role in risk mgmt
*Consider strategic nature of risk
*Define org’s risk appetite & approach
*Responsible for driving risk mgmt process
*Ensure risk mgmt supports strategic objectives
*Determine level of risk that an org can accept- to match strategic objectives
*Communicate risk mgmt strategies to the entire org- top/down approach
*Ensure integration of risk mgmt in operations
*Review risk and monitor progress of risk mgmt plans
*Risk mgmt strategy- which risk will be accepted, declined, transferred
*Appoint a risk committee
*Board consideration of risk
[Diagram: Risk appetite; Risk attitude; Business strategy; risk strategy; risk capacity; residual risk]
*Risk appetite comprises :
a)Risk attitude – overall character of the BOD (Risk averse & risk seeking).
b)Risk capacity- Amt of risk that an org can bear.
-Risk appetite is a measure of the general attitude to risk
Factors likely to affect risk appetite of BOD are:
1) Nature of product manufactured- amt of risk will vary depending on the product
2) Need to increase sales-
3) Background of the BOD
4) Amount of change in the market- eg mobile phones, new drugs
5) Reputation of the company- here BOD will be very cautious with risk positioning.
* Risk attitude
*Risk averse
*Avoid risk
*Withdraw from risky ventures
*Risk seeking
*Seeking additional risk
*See risk management as strategic
*Invest in comprehensive risk mgmt system
*High risk = high return
* Risk attitude- cont’d
*Risk attitude depending on org.
*3 factors to consider :
1) Size
2) Structure
3) Development
* SIZE
*Small Size
*Small size = higher risk for org = vulnerable.
*Smaller product range- so adversely impacted in case of a drop in sales.
*There will be a tendency towards Risk averse strategy – to protect limited product ranges.
*Large Size
*Large size = lower risk
*Wider product range
*But large size may mean attempt to minimize reputational risk.
* Structure
*Functional structure- who manages the risk. Normally decided at BOD level.
*Large orgs manage risk across the globe.
*Divisional structure
- spread risk & diversified portfolio
-Risk appetite determined by current portfolio of co’s, in terms of overall risk
-A portfolio with limited risk means that more risky/daring investments can be made.
-But high risk portfolios means that lower risk investments will be attractive.
* Development
*Relates to the stages of development of an org.
*Can be linked to the Product Life cycle stages. (P.L.C)
*Initial stages of P.L.C are more risky.
*New products & initial investments are highly risky.
*But a risk seeker philosophy is needed as new products need to be launched and innovation will always be risky.
* Risk committee
*C.G codes don’t specify whether risk comm is needed.
*If there is no formal risk comm, then the audit comm will take over
*Roles
*Update co’s risk profile & appetite
*Oversee risk assurance process
*Raise risk awareness
*Establish policies for risk mgmt
*Implement processes to monitor & report risk
*Ensure proper communication of risks @ all levels
*Ensure adequate training arrangements in place for awareness of all managers.
*Obtain external advice to make sure risk mgmt processes are up to date.
*Responsibilities of risk committees
*Assess risk mgmt. procedures i.r.o change in operating environment. i.e identify, measure & control of key risk exposures.
*Emphasize benefits of risk based approach to internal control.
*Risk audit report on critical business areas
*Assess risks of new ventures/ alliances
*Review credit risk, interest rate risk, liquidity risk, operational risk exposures, in light of board’s risk appetite.
*Consider f/s disclosure i.r.o I.C.S , risk mgmt & key risk exposure
*Make recommendations to the full board on matters pertaining to strategy & policies.
*Risk manager
[Diagram: Risk manager Role. Labels: Implement risk mgmt policies; Operational role; Member of risk comm; report direct to the committee & to B.O.D]
- Risk manager is supported & monitored by Risk mgmt committee
- More operational role for the risk manager- The tone is set at the top by BOD & risk mgmt committee.
* Risk manager activities
Leadership function
Identify & evaluate risks- business, operations, policies
Implement risk mitigation strategies, i.e I.C.S.
Improve risk mgmt methodologies
Monitor status of R.M strategies & internal audits
Ensure compliance with legislation & regulations
Maintain good relationship / link between BOD & Risk mgmt committee
Develop/implement / manage risk mgmt programmes / initiatives
Establish risk mgmt awareness programme within the org
Establish risk indicators
* Risk awareness
*Risk comm role- raise risk awareness
*Lack of risk awareness = inappropriate risk mgmt strategy
*Risk awareness will be at 3 levels:
- Strategic : High level monitoring of risk
- Tactical : Monitoring at divisional level
- Operational : Day to day monitoring
* Strategic level
*Need for continued monitoring of risks for the org.
*Lack of monitoring creates competitive disadvantage.
*Lack of monitoring creates going concern problems.
* Tactical level
*Risks affecting divisional level.
*Monitoring is required as it affects eg. continuity of supply
*Lack of monitoring impacts on continuity of process/operations
*Eg – Resignation of staff leads to a break in the normal chain- key process may be left incomplete
*Staff motivation should be monitored to prepare for any future succession planning.
* Operational level
*Monitor risk at day-to-day level.
*Lack of monitoring is a threat to the org.
*Persistent lack of monitoring = reputational risk.
*E.g. lack of availability of certain goods in the long term will create increasing customer frustration.
* Embedding risk
*Embedding risk mgmt :
*ensure it is part of business’ DNA.
*Part of the way of doing biz- part of the philosophy.
*Process of embedding risk management:
*Embedding risk- cont’d
*Risk is embedded in :
1) Systems
2) Culture
Embedding risk in systems
*Ensure risk mgmt is included in control systems.
*Control system will integrate all systems into a proper mechanism.
*Risk mgmt is an integrated system.
*Embedding risk in culture
*This is related to the way people behave, think and act.
*So employees must accept the need for a system of risk management in the enterprise.
* Embedding risk
*Methods of embedding risk mgmt in culture & values
*Align individuals’ goals with corporate goals
*Make risk mgmt pervasive, include it in job descriptions
*Establish reward systems – for those who take risks in practice- no blame game , no victims.
*Establish metrics & KPI’s that can monitor risk & provide early alerts / trigger buttons.
* Embedding risk
*Factors impacting on success of embedding risk in culture
1. Open/ closed culture
2. Overall commitment to risk mgmt policies throughout the org.
3. Attitude towards ICS
4. Governance- include risk mgmt in the org, to meet needs and expectations of external stakeholders.
5. Is risk mgmt a normal part of the org?
* Risk management- TARA
*Risk planning & formulating risk mgmt strategies
*Strategies
1)Transference
2)Avoidance
3)Reduction
4)Acceptance
* Transference
*Trf part or 100% of the risk to a 3rd party.
*E.g re-insurance / insurance, where 3rd party accepts full liability in case risk crystallises
*There may also be alliances, strategic partnerships
*Avoidance
*Avoid by not investing/ venturing
*Risk averse strategy
*But in business, not all risk can be avoided
* Reduction/mitigation
*Reduce risk – e.g. limit exposure in specific area or decrease adverse effects, should the worst happen.
*Effective ICS is necessary to reduce impact of risk.
*Risk pooling
Pooling will cause some positive & negative effects to cancel out
Risks from many different txns are pooled together
Finally risk is considered from the “pool perspective” or cluster wise
E.g diversification investment portfolio.
*Reduce financial risk/ hedging
*Hedging- offset risks. Used to manage exposures.
*Hedging neutralises the risk / reduces risk
*Forward contracts- fix the price in advance of txn happening. Neutralise / eliminate the risk from unfavorable movement. Mainly used in purchase / sale of currency.
* Risk mapping & risk mgmt strategies
*Risk mapping will determine risk mgmt strategy as shown in the table below:

|   | Impact/ consequence: L | Impact/ consequence: H |
|---|---|---|
| H | Reduce | Avoid |
| L | Accept | Transfer |
*Further risk mgmt strategies
*Risk avoidance
*Risk strategy is avoiding the risk by not undertaking the activity
*Org has low risk appetite
*Strategy is to avoid risky ventures
*Risk retention
*Similar to concept of risk acceptance.
*Strategy used where risk is minimal or where strategy of transference is expensive.
* Further risk mgmt strategies
*Diversify/ spread risk
*Reduce risk by diversifying operations into different locations
*Performance will net off – cross subsidise
*Overall total risk will be reduced
*Diversify- spread the risk; eg portfolio mgmt.
*Risks can be spread by expanding portfolio through integration, thus linking with other co’s in the supply chain.
*Backward integration- Development concerned with the inputs into the org , eg raw mats, machinery, labour.
*Forward integration- Development into activities concerned with org’s output e.g distribution, tpt, repairs.
*Horizontal integration- Development into activities that compete with or complement an org’s present activities . E.g travel agent selling related products such as travel insurance & currency exchange services.
*Unrelated diversification- development into a completely different area
*Risk strategy & Ansoff matrix
* Risk auditing
*Risk audit is not mandatory.
*Risk audit is part of general awareness and will be concerned with understanding the risks that the org faces.
*Risk mgmt – is an internal function under resp of mgmt.
*Internal auditors sometimes also take on the functions of risk audit
* Purpose of risk audit
*Risk audit assists risk monitoring
*Provide independent view of risks & controls
*Fresh pair of eyes may identify errors in the original monitoring process
*In some legislation, audit work is mandatory e.g SOX
*After review, internal audit & external audit make recommendations to amend risk mgmt.
*Stages of risk audit
1) Identify risks
2) Assess risks
3) Review controls over risk
4) Report on inadequately controlled risks
*Advantages of internal audit
*Familiar with culture, procedure, policy
*I.A can perform specific & focused risk assessment
*Internal teams are flexible , mgmt will control their timetable
*Internal teams focus their reports more than external audit teams
* Advantages of external audit (weaknesses of internal audit)
*More independent / less bias
*Reporting based on ACCA/ IFAC code of ethics
*Create high degree of confidence for investors & regulators
*Fresh pair of eyes
*Outside in approach
*Internal auditors are used to system and behavior and may not want to question basic established principles
*External auditors have wide exposure, best practice can be introduced.
* Process of external reporting of Internal controls & risks
Process
1) Identify reporting situations
- Internal ctrl failure
- Directors make inadequate decisions, based on erroneous info
2) Check compliance with legislation
- C.Act
- Stock exch req
- prof/ethical guidelines may require disclosure
3) Make report if required
- Document reason for report
- eg going concern basis- qualified audit opinion
- Then report to 3rd party
* Process of external reporting of Internal controls & risks
*Reporting may be voluntary or by statute (US sec 404 SOX)
*Some reporting systems are more for internal use – eg audit committee
*Process of external reporting- implies compliance with ethical guidelines.
* Comparison SOX & UK external reporting