3. Role of Board
- Significant role in risk mgmt
- Consider strategic nature of risk
- Define org’s risk appetite & approach
- Responsible for driving risk mgmt process
- Ensure risk mgmt supports strategic objectives
- Determine level of risk that an org can accept, to match strategic objectives
- Communicate risk mgmt strategies to the entire org (top-down approach)
- Ensure integration of risk mgmt in operations
- Review risk and monitor progress of risk mgmt plans
- Risk mgmt strategy: which risk will be accepted, declined, transferred
- Appoint a risk committee
6. Risk attitude
Risk averse
- Avoid risk
- Withdraw from risky ventures
Risk seeking
- Seeking additional risk
- See risk management as strategic
- Invest in comprehensive risk mgmt system
- High risk = high return
7. Risk attitude (cont’d)
Risk attitude depends on the org. 3 factors to consider:
- Size
- Structure
- Development
8. Size
Small size
- Small size = higher risk for org = vulnerable.
- Smaller product range, so adversely impacted in case of a drop in sales.
- There will be a tendency towards a risk-averse strategy, to protect limited product ranges.
Large size
- Large size = lower risk
- Wider product range
- But large size may mean an attempt to minimize reputational risk.
11. A portfolio with limited risk means that more risky/daring investments can be made.
13. Risk committee
- C.G. codes don’t specify whether a risk committee is needed.
- If there is no formal risk committee, then the audit committee will take over.
Roles
- Update co’s risk profile & appetite
- Oversee risk assurance process
- Raise risk awareness
- Establish policies for risk mgmt
- Implement processes to monitor & report risk
- Ensure proper communication of risks at all levels
- Ensure adequate training arrangements are in place for awareness of all managers.
- Obtain external advice to make sure risk mgmt processes are up to date.
14. Responsibilities of risk committees
- Assess risk mgmt procedures i.r.o. change in operating environment, i.e. identify, measure & control key risk exposures.
- Emphasize the benefits of a risk-based approach to internal control.
- Risk audit report on critical business areas
- Assess risks of new ventures/alliances
- Review credit risk, interest rate risk, liquidity risk, operational risk exposures, in light of board’s risk appetite.
- Consider f/s disclosure i.r.o. I.C.S., risk mgmt & key risk exposure
- Make recommendations to the full board on matters pertaining to strategy & policies.
30. Tactical level
- Risks affecting divisional level.
- Monitoring is required as it affects e.g. continuity of supply.
- Lack of monitoring impacts on continuity of process/operations.
- E.g. resignation of staff leads to a break in the normal chain; key processes may be left incomplete.
- Staff motivation should be monitored to prepare for any future succession planning.
31. Operational level
- Monitor risk at day-to-day level.
- Lack of monitoring is a threat to the org.
- Persistent lack of monitoring = reputational risk.
- E.g. lack of availability of certain goods will create, in the long term, increasing customer frustration.
32. Embedding risk
- Embedding risk mgmt: ensure it is part of the business’ DNA.
- Part of the way of doing biz, part of the philosophy.
Process of embedding risk management:
33. Embedding risk (cont’d)
Risk is embedded in:
- Systems
- Culture
Embedding risk in systems
- Ensure risk mgmt is included in control systems.
- Control system will integrate all systems into a proper mechanism.
- Risk mgmt is an integrated system.
Embedding risk in culture
- This is related to the way people behave, think and act.
- So employees must accept the need for a system of risk management in the enterprise.
34. Embedding risk
Methods of embedding risk mgmt in culture & values
- Align individuals’ goals with corporate goals
- Make risk mgmt pervasive, include it in job descriptions
- Establish reward systems for those who take risks in practice: no blame game, no victims.
- Establish metrics & KPIs that can monitor risk & provide early alerts / trigger buttons.
35. Embedding risk
Factors impacting on success of embedding risk in culture
- Open/closed culture
- Overall commitment to risk mgmt policies throughout the org.
- Attitude towards ICS
- Governance: include risk mgmt in the org, to meet needs and expectations of external stakeholders.
- Is risk mgmt a normal part of the org?
37. Transference
- Transfer part or 100% of the risk to a 3rd party.
- E.g. re-insurance/insurance, where the 3rd party accepts full liability in case the risk crystallises.
- There may also be alliances, strategic partnerships.
38. Avoidance
- Avoid by not investing/venturing
- Risk-averse strategy
- But in business, not all risk can be avoided
41. Finally, risks are considered from the “pool perspective” or cluster-wise.
42. E.g. diversification of investment portfolio.
- Reduce financial risk / hedging
- Hedging: offset risks. Used to manage exposures.
- Hedging neutralises the risk / reduces risk.
- Forward contracts: fix the price in advance of the txn happening. Neutralise/eliminate the risk from unfavorable movement. Mainly used in purchase/sale of currency.
43. Risk mapping & risk mgmt strategies
Risk mapping will determine risk mgmt strategy as shown in the table below:
44. Further risk mgmt strategies
Risk avoidance
- Risk strategy of avoiding the risk by not undertaking the activity
- Org has low risk appetite
- Strategy is to avoid risky ventures
Risk retention
- Similar to concept of risk acceptance.
- Strategy used where risk is minimal or where strategies of transference are expensive.
45. Further risk mgmt strategies
Diversify / spread risk
- Reduce risk by diversifying operations into different locations
- Performance will net off (cross-subsidise)
- Overall total risk will be reduced
- Diversify: spread the risk, e.g. portfolio mgmt.
- Risks can be spread by expanding portfolio through integration, thus linking with other co’s in the supply chain.
46.
- Backward integration: development concerned with the inputs into the org, e.g. raw materials, machinery, labour.
- Forward integration: development into activities concerned with the org’s output, e.g. distribution, transport, repairs.
- Horizontal integration: development into activities that compete with or complement an org’s present activities, e.g. a travel agent selling related products such as travel insurance & currency exchange services.
- Unrelated diversification: development into a completely different area.
48. Risk auditing
- Risk audit is not mandatory.
- Risk audit is part of general awareness and will be concerned with understanding the risks that the org faces.
- Risk mgmt is an internal function under the responsibility of mgmt.
- Internal auditors sometimes also take on the functions of risk audit.
49. Purpose of risk audit
- Risk audit assists risk monitoring
- Provide independent view of risks & controls
- Fresh pair of eyes may identify errors in the original monitoring process
- In some legislation, audit work is mandatory, e.g. SOX
- After review, internal audit & external audit make recommendations to amend risk mgmt.
51. Advantages of internal audit
- Familiar with culture, procedure, policy
- I.A. can perform specific & focused risk assessment
- Internal teams are flexible, mgmt will control their timetable
- Internal teams focus their reports more than external audit teams
52. Advantages of external audit (weaknesses of internal audit)
- More independent / less bias
- Reporting based on ACCA/IFAC code of ethics
- Create high degree of confidence for investors & regulators
- Fresh pair of eyes
- Outside-in approach
- Internal auditors are used to the system and behavior and may not want to question basic established principles
- External auditors have wide exposure; best practice can be introduced.
54. Process of external reporting of internal controls & risks
- Reporting may be voluntary or by statute (US sec 404 SOX)
- Some reporting systems are more for internal use, e.g. audit committee
- Process of external reporting implies compliance with ethical guidelines.