P3 – Ch 2 – Risk Management

1 – Risk management models
Risk management models provide a coherent framework for orgs to deal with risk, based on the following components:
– Risk appetite
– Risk identification
– Risk assessment
– Risk profiling
– Risk quantification
– Risk management
– Review and feedback

* RM models are designed to show that RM is continuous and that it is a logical process.

ERM definition

* ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO’s RM model

* The Committee of Sponsoring Organisations of the Treadway Commission furthers the ERM definition, identifying ERM to have the following:

– Process
– Operated at every level
– Applied in strategy setting
– Applied across the enterprise
– Identifies key events and manages their risks
– Provides reasonable assurance
– Geared to achievement of objectives

COSO’s RM model pic

Benefits of ERM [p28]

* Alignment of risk appetite and strategy
* Link growth, risk and return
* Choose best risk response
* Minimise surprises and losses
* Identify and manage risks across the org
* Provide responses to multiple risks
* Seize opportunities
* Rationalise capital

CIMA’s risk management cycle

IFAC’s Risk architecture

* 8 components of the architecture
– Acceptance of a risk management framework
– Commitment from executives
– Establishment of a risk response strategy
– Assignment of a responsibility for RM process
– Resourcing
– Communication and training
– Reinforcing risk cultures through human resources mechanisms
– Monitoring the RM process

* 4 components of RM
– Structure to facilitate the identification and communication of risk
– Resources – sufficient to support implementation
– Culture – reinforcing decision-making processes
– Tools and techniques – developed to enable org-wide management of risk

2 – Risk appetite and culture
Even if orgs manage risk systematically, that does not remove the human element from decision-making on dealing with risks. How orgs respond to risk will be determined by the views of the directors or managers, and also the stakeholders to whom they are accountable.

* Factors influencing risk appetite – mgmt perceptions of, or appetite for, taking risk. These also influence risk culture: the values and practices that influence how an org deals with risk in its ops

* Personal views; emotional satisfactions

* Response to s’holder demand

* Organisational influences – influenced by history, significant losses, changes in regulation and best practice, changing views

* National influences

* Cultural influences
– Fatalists
– Hierarchists
– Individualists
– Egalitarians

Risk thermostat

Aversion, seeking, conformance and performance

* Risk aversion and risk tolerance
– aversion focuses on the risk level: seeking focuses on the return level

* Conformance and performance
– conformance focuses on controlling pure (only downside) strategic risks: performance focuses on taking advantage of opportunities to increase overall returns within a business.

IFAC states that RM should seek to reconcile performance and conformance – the two enhance each other.

Deal and Kennedy: risk, feedback and reward

3 – Risk assessment
* Framework
– Identification
– Analysis
– Mapping
– Consolidation

Risk and event identification

– External events
– Internal events
– Leading event indicators
– Trends and root causes
– Escalation triggers
– Event interdependencies

Analysis

means obtaining an idea of the severity of the consequences of the risk materialising and how frequently (or likely) it is that the risk will materialise.

* Risk quantification – risks that require more analysis can be quantified: possible results or losses and their probabilities are calculated, and distributions or confidence limits added. The following key data are derived from this exercise:
– Average or expected result or loss
– Frequency of losses
– Chances of losses
– Largest predictable loss

Risk mapping

Consolidation

Now risk needs to be aggregated to corp level and grouped into categories.

A good way to approach exam questions on risk is to analyse:
– what do we know or what can we infer from the scenario about the risks and their causes (consider events that result in risk and conditions that result in risk)
– what is the likelihood of the risk materialising and how severe will the consequences be

* A risk register lists and prioritises the main risks an org faces and can be used for decisions. Monetary value should be added, along with interdependencies, who is responsible, actions taken, and levels before and after control has been taken, for a CBA.

4 – Risk response
Methods of dealing with risk include abandonment, control, acceptance and transfer
* Abandonment – Take immediate action, eg changing major suppliers or abandoning activities

* Control of risk – Take some action, eg enhanced control systems to detect problems or reduce impact (hedging, diversification, procedures, physical devices, education)

* Acceptance – Risks are not significant. Keep under view, but costs of dealing with risks unlikely to be worth the benefits

* Transfer – Insure risk or implement contingency plans. Reduction of severity of risk will minimise insurance premiums

5 – Risk responsibilities
Orgs need to approach RM in a systematic way. A risk policy statement sets out general guidelines, incl responsibilities for RM. Everyone in the org has some responsibility for RM, but the org may employ specialists to oversee the RM processes.

– the board (responsible for determining RM strategy)
– RM group
– Internal and external audit
– line managers
– staff

6 – Risk monitoring
* Board review is an essential part of the RM process

* Board review should be based on information collected from various sources

* Factors influencing the extent of external reporting of risk include regulations, governance codes, and attitudes of stakeholders, particularly shareholders

Round up
* RM models provide a coherent framework for orgs to deal with risk, based on the following components:
Risk:
– Appetite
– Identification
– Assessment
– Profiling
– Quantification
– Management
– Review and feedback

* Mgt responses to risk are not automatic, but will be determined by their own attitudes to risk, which in turn will be influenced by shareholder attitudes and cultural factors

* Risk analysis involves identifying, assessing, profiling and quantifying risks

* Methods of dealing with risk include abandonment, acceptance, transfer or control

* General steps orgs can take to manage risks include issuing a risk policy statement, appointing a risk manager or risk specialists and communicating risks to staff and shareholders

* Board review is an essential part of the RM process

* Board review should be based on info collected from various sources

* Factors influencing the extent of external reporting of risk include regulations, governance codes and attitudes of stakeholders, particularly shareholders

Formal RM process
1) Risk appetite
2) Establishment of RM process
3) Responsibilities for RM process
4) Risk identification
5) Risk assessment
6) Risk profiling
7) RM measures
8) Risk reporting