Chapter 5

Introduction to risk
management

Introduction
Learning outcomes
Syllabus link
Assessment context
Chapter study guidance

Learning topics
1 Introduction to risk
2 Risks for businesses and their investors
3 Types of risk
4 Risk concepts and measurement
5 The objectives of risk management
6 The risk management process
7 Crisis management
8 Business resilience
9 Disaster recovery and business continuity planning
Summary
Further question practice
Technical references
Self-test questions
Answers to Interactive questions
Answers to Self-test questions
Introduction

Learning outcomes
• Identify the main components of the risk management process and show how they operate
• Identify the key issues in relation to crisis management, business resilience, business continuity
planning and disaster recovery
• Specify types of risk and techniques for measuring risk, including: measures of central tendency
(mean, mode, median); measures of spread (range, standard deviation, variance, co-efficient of
variation); the normal distribution; skewness
Specific syllabus references are: 1f, 1g; 3f

Syllabus link
The topics covered in this introduction to risk management are also developed in assurance at
Certificate level, in Audit and Assurance, Business Strategy and Technology, and Financial
Management at Professional level, and in the Advanced level assessments.

Assessment context
Questions on risk management will be set in the assessment in either MCQ or multiple response
format. They will be either straight tests of knowledge or applications of knowledge to a scenario.

Chapter study guidance


Use this schedule and your study timetable to plan the dates on which you will complete your study
of this chapter.

Topics 1–2: Introduction to risk / Risks for businesses and their investors
Practical significance: The effective management of risk is a key task in any business and accountants can get heavily involved in the process of identifying, measuring and monitoring risk. Whether a business thrives or fades is determined at least in part by how it manages the risks that things may go wrong, and how far it exploits its opportunities, where things go well. Risk management is, therefore, not merely a defensive attempt to avoid losses; it is integral to seeking and exploiting competitive advantage. In addition, effective risk evaluation and management is increasingly becoming a regulatory requirement.
Study approach: The first two sections of the chapter introduce the concept of risk and the risks faced by businesses. Note the definition of risk and the difference between risk and uncertainty.
Stop and think: What does the term ‘risk’ mean to you? Have you considered how you manage the risks that worry you most in your life? Do you just accept that we all have to live with risk or do you try to find ways to minimise how much you would suffer if a perceived risk actually happened? These are the issues that face businesses as well.
Exam approach: Questions on risk management could easily appear in the exam. Questions are likely to be set in a scenario context. Knowledge-type questions are also likely, set on particular principles or definitions. Essential points are:
• Risk, uncertainty and their effects on businesses themselves and their investors
Interactive questions: IQ1: Business risk gets you to think about risks that businesses you know may face.

Topic 3: Types of risk
Practical significance: It is important to be able to identify the risks that an organisation faces. While different companies face different types of risk, many of the risks included here are common to a majority of businesses.
Study approach: Read through the topic to be aware of the different types of risk. Learn the difference between business risk, financial risk and operational risk.
Stop and think: What types of industry experience low business risk and what types of industry experience higher business risk?
Exam approach: Questions on types of risk are likely to come up in your exam. They will test that you know the meaning of the different types of risk. Essential points are:
• Difference between business risk, financial risks and operational risks.
Interactive questions: none.

Topic 4: Risk concepts and measurement
Practical significance: Having a systematic approach to managing and measuring risk should lead to more effective decision making regarding the risks that are being taken on by organisations.
Study approach: Work carefully through this important section. Ensure you understand the various concepts. For the quantitative measures, ensure you understand the meaning of these and their importance to decision makers.
Exam approach: There may be questions requiring you to interpret the meaning of particular measures. There may also be questions involving basic calculations of the measures of central tendency and dispersion. There will be questions about the advantages and disadvantages of the methods discussed.
Interactive questions: ICQ 2: Mean, median and mode; ICQ 3: Measures of dispersion.

Topics 5–6: Objectives and process of risk management
Practical significance: There may be regulatory or legal requirements for some companies to have a formal risk management process in place. These sections explain what risk management involves.
Study approach: Know the meaning of risk management from topic 5. The process of risk management is covered in detail in topic 6. Learn the steps in the risk management process in Figure 5.6, and learn the four possible responses to risk.
Stop and think: Assess the risk of your home being destroyed by fire, in terms of probability and the impact this would have on your life. How have you managed this risk? Does this match the risk responses given in Figure 5.6?
Exam approach: Questions on this area could easily come up in the exam, particularly from topic 6 dealing with risk management. Questions are likely to include practical scenarios to see if you can apply your knowledge (eg, by recommending a risk response to a particular situation). Essential points are:
• Risk concepts: exposure, volatility, impact and probability
• Definition of risk management
• Risk management process
• The risk assessment map
Interactive questions: IQ4: Indemnity insurance: This question looks at risks specific to accountants in practice.

Topics 7–9: Crisis management, business resilience and disaster recovery and business continuity planning
Practical significance: The impact of some risks can be so large that they threaten the very existence of the organisation. These three sections look at how management can plan for such risks.
Study approach: Read through topics 7, 8 and 9 at least twice: remember crisis management, business resilience and business continuity plans are extreme forms of risk management.
Stop and think: What types of plan could your employer put in place so that the business could recover from a major crisis such as the destruction of head office by fire?
Exam approach: Questions in this area are likely to present you with practical scenarios and ask you what steps might be appropriate (eg, in a disaster recovery plan). Essential points are:
• Crisis management
• Business resilience
• Business continuity plans
Interactive questions: IQ5: Contingency planning helps you to think about how you might plan for the occurrence of a specific crisis.

152 Business, Technology and Finance ICAEW 2023

Once you have worked through this guidance you are ready to attempt the further question practice
included at the end of this chapter.

1 Introduction to risk
Section overview

• Risk means that something can turn out differently to what you expected, or wanted.
• Risk exists in any situation, while uncertainty arises only because there is inadequate information.
• Pure risk is the possibility that something will go wrong, and speculative risk is the possibility that
it will go well.
• Downside or pure risk represents a threat: things may turn out worse than expected.
• Upside or speculative risk represents an opportunity: things may turn out better than expected.

1.1 What is risk?


You know what risk is in everyday terms. You know it is risky to climb a tall ladder, no matter what you
may think there is at the top. You know it is risky to bet your life savings on a horse race, no matter
how much you think you might win.
These things are risky because at the point when you decide to do them you cannot be sure how
bad the outcome will be. You may fall off the ladder and injure yourself when you are half-way up.
The horse you back may be beaten at the winning post.
On the other hand, you cannot be sure how good the outcome may be, either: you cannot be sure
that the opportunities won’t ever amount to anything. If you don’t risk climbing the ladder you will
never be the owner of whatever it is at the top. Most people would think it is too risky to throw away
their life savings on a race, but there is always the chance that your horse will win. If you don’t place
the bet you will miss the opportunity.
Risks and opportunities exist because nobody knows what will happen in the future, and nobody can
control it. Of course you can control whether or not you climb the ladder, but you cannot stop others
from doing so, and you cannot stop entirely unexpected things from happening.
These issues can be summarised in the following definition of risk.

Definition
Risk: The possible variation in an outcome from what is expected to happen.

We can break this definition down to highlight the following issues to do with risk:
• Variability: events in the future cannot be predicted with certainty
• Expectation: we expect something to happen, or perhaps hope that it will not happen
• Outcomes: this is what actually happens compared with what is intended or expected to happen

1.2 What is uncertainty?


Risk and uncertainty are not the same things:
• Risk (the possibility of variation) exists in any situation
• Uncertainty arises only because we are ignorant of all the facts: we lack information

Definition
Uncertainty: The inability to predict the outcome from an activity due to a lack of information.

You can never avoid this uncertainty, in anything you do: it is something that you have to make
decisions about, or something you need to manage. If you decide to take a risk, or follow up an
opportunity, the outcome may be hugely beneficial – or it may ruin you.

1.3 What are upside and downside risks?
Because events could turn out either better or worse than expected, sometimes we refer to two-way
risk or symmetrical risk.
The risk that something will go wrong is called ‘downside risk’; where things may go right, the term ‘upside risk’ is used.

1.4 How far does risk affect a business achieving its objectives?
When considering whether a business will be successful and achieve its objectives, the term ‘pure risk’ describes the possibility that something will go wrong, while speculative risk is the possibility that something could go better than expected (though it could also go worse). If we all focused on pure risk then there would be little point in taking a risk; the fact that something could go well is the basis on which business flourishes. It is helpful for businesses to think about risk in the context of managing events with an eye on achieving objectives.

Definitions
Downside risk: The possibility that an event will occur and adversely affect the achievement of
objectives.
Upside risk (opportunity): The possibility that an event will occur and positively affect the
achievement of objectives.

In this chapter we shall be concentrating on risk.

2 Risks for businesses and their investors


Section overview

• Risks for a business include poor market conditions, poor control and poor outcomes of
investments. Often businesses look particularly at the risks that they will fail to achieve their critical
success factors (CSFs). How far the business is prepared to take on these risks is a measure of its
risk appetite.
• The risk to those who finance the business (owners and lenders) is that they will suffer poor rather
than high returns on their investment.
• Both businesses and financiers have particular attitudes to the level of risk they are prepared to
endure: risk averse, risk neutral and risk seeking.

2.1 Risks for the business


If the objective of a business is to maximise shareholder value then risks for the business are risks of
losses, resulting (directly or indirectly) in negative cash flows. When losses become severe, there
might be a risk of insolvency, leading to the liquidation of the business.
The activities of certain businesses are inherently risky because they are potentially dangerous to
public well-being: transport and pharmaceutical businesses are obvious examples.
The risks faced by businesses in general are as follows.
• There are risks that trade conditions might be poor, and sales might fall or costs might rise. A
new product launch might be unsuccessful, or an expensive research and development project
might fail to produce a new commercial product.
• There is a risk that inadequate controls (quality controls, administrative controls, controls over
people etc) within the business may result in losses through inefficiency, damage to business
reputation, or deliberate fraud.
• A business might face risks of a financial nature, and losses might occur because of the way it has
financed an operation.

• Environmental, Social and Governance (ESG) risks are becoming increasingly significant (eg, the
risks of businesses’ reputations being harmed as a result of failing to address their contribution to
climate change).
• The larger the business, the more varied are the risks.

Interactive question 1: Business risk


Try to identify a small business with which you have some familiarity, such as an audit client or one
you have worked for in a vacation. What risks does the business, as opposed to its owner(s), face?

See Answer at the end of this chapter.

2.2 Risks for investors


Lenders have to bear the risk that the business will default on its debt obligations, and fail to make an
interest payment or even become insolvent and be unable to repay the loan principal. A lender will
expect a higher return than that offered on, say, government securities or gilts (commonly taken to
be a risk-free investment), to compensate for the added risk.
Shareholders are the ultimate bearers of risk. If a company becomes insolvent, they will lose all their
investment. More important, if company profits fall, dividends and the share price are also likely to
fall. Lenders are entitled to interest before any profits can be paid as dividend, so that the risk to
income is much less for lenders than for equity shareholders.
Risk for shareholders is two-way: there is the possibility of poor returns (no dividends or low
dividends, and a fall in the share price), or profits and dividends might be higher than expected, and
the share price might rise by more than anticipated. Risk is greater for shareholders when there is a
greater possibility of wide variations in profits, dividends and share prices from year to year. The
range of potential variation in returns is known as the volatility of returns.

2.3 Risk and strategic planning


In the strategic planning analysis process, it is important to focus on risks that are specific to the
business, or the industry sector in which it operates, rather than general ones. They should be
mapped to the relevant threats and opportunities that they represent to the business. A plan for
managing each specific risk can then be formulated.
It is often useful to relate risks to the business’s critical success factors (CSFs), as a significant risk is
one that would create an obstacle to any of the CSFs.

Definition
Critical success factor (CSF): ‘Those product features that are particularly valued by a group of
customers and, therefore, where the organisation must excel to outperform the competition.’
(Johnson & Scholes, 2002)

2.3.1 Risk appetite


Not all risk is bad, and returns are generally higher for higher-risk projects. As part of the planning
process, the business needs to decide what its ‘appetite’ for risk is and apply this in choosing
appropriate strategies.

Definition
Risk appetite: The extent to which a business is prepared to take on risks in order to achieve its
objectives.

The approach should be as follows.


(a) Decide what the business wants to achieve (the strategic objective).
(b) Decide what the business’s ‘risk appetite’ is, in other words the extent to which it is prepared to
take on risks in order to achieve its objective.

(c) Find strategies to achieve the objectives that do not involve more risk than the business is willing
to accept.
(d) If there are no methods of reducing the risk to an acceptable level, the objective needs to be
amended.

2.3.2 Attitudes to risk


• A risk averse attitude is that an investment would be chosen if it has a more certain but possibly
lower return than an alternative less certain, potentially higher return investment.
• A risk neutral attitude is that an investment would be chosen according to its expected return,
irrespective of the risk.
• A risk seeking attitude is that an investment would be chosen on the basis of it offering higher
levels of risk, even if its expected return is lower than an alternative no-risk investment with a
higher expected return.
The concept of expected values is discussed in more detail in section 4 below.

3 Types of risk
Section overview

• Business risk arises from the business’s nature, industry and environment.
• Financial risks can be controllable or uncontrollable.
• Operational risks arise from things just going wrong.

3.1 Business risk


Business risk arises from the nature of the entity’s business, its industry and the conditions it operates
in. Business risk is willingly taken by the business as part of its objective of making a return.
Business risk includes:
• Strategy risk: The risk that the business’s objectives will not be achieved because it chooses the
wrong corporate, business or functional strategy. A key strategy risk in the current era of rapid
technological change is to fail to keep up with technological developments.
• Enterprise risk: The chance that a strategy will succeed or fail, and therefore whether the business
should have undertaken it in the first place.
• Product risk: The chance that customers will not buy the company’s products or services in the
expected quantities.
• Financial risk arises in part from how the business is financed and in part from changes in the
financial markets such as to interest rates and exchange rates (see section 3.2).
• Sustainability and climate related risk: In 2018, four of the top five risks identified in the World
Economic Forum’s Global Risk Report survey were environmental or societal (see section 3.3).
• Operational risk is the risk that something will just go wrong. It is not a risk that a business
willingly accepts and indeed a large part of both management and risk management is
attempting to make sure that potential operational risks do not occur (see sections 3.4 and 3.5).

3.2 Financial risk


Financial risk is a key concern to businesses and to professional accountants. There are two types:
• Controllable financial risk is financial risk arising from factors that are within the business’s direct
control. They arise in particular from:
– How far the business chooses to finance itself by debt rather than shares (gearing risk). High
borrowing, in relation to the amount of shareholders’ capital in the business, increases the risk
of volatility in earnings, and insolvency.
– How far the business deals with customers who end up not paying (credit risk).

– How far the business’s costs are incurred in such a way that there is increased likelihood of it
running short of cash (liquidity risk). A business is exposed to greater liquidity risk if, for
instance, it has a high proportion of fixed costs which must be paid whatever its level of
revenue.
• Uncontrollable financial risk is financial risk arising from factors that operate independently of the
business. The key factor here is market risk, that is the risk of losses resulting from changes in
market prices or rates that the entity itself cannot control but can deal with or manage. These
include share prices, commodity prices, interest rates and foreign exchange rates. Management
of these financial risks is a key role for accountants using hedging and other techniques.
Financial risk is assessed in greater detail in Financial Management at the Professional Level.

3.3 Sustainability and climate related risks


Sustainability and climate related risks is a broad term that covers many potential risks. Some
important examples are:
• Risks caused by climate change, such as increased instances of flooding or drought or other
extreme weather that leads to disruption of operations and damage to assets.
• Reputational risks – poor environmental or social behaviour can harm the reputation of an
organisation, leading to a fall in sales and to providers of finance, such as investors and banks,
refusing to provide additional finance. This can have a significant impact on the value of a
business.
• Governance risks – poor corporate governance structures can lead to poor strategic decision
making and, in extreme cases, fraud.
• Regulatory risks – risks of failing to adhere to regulations relating to environmental and social
issues, such as laws on carbon emissions or anti bribery laws. This can lead to fines or other
sanctions.

3.4 Operational risk


Unlike business risk, operational risk is not willingly incurred by the business in order to make a
return. Operational risk relates to things that just go wrong. A useful way of describing it is in terms of
what causes it.

Definition
Operational risk: The risk that actual losses, incurred because of inadequate or failed internal
processes, people and systems, or because of external events, differ from expected losses.

• Process risk is the risk that a business’s processes may be ineffective (fail to achieve their
objectives) or inefficient (achieve their objectives but at excessive cost).
• People risk is the risk arising from staff constraints (for example insufficient staff, or inability to pay
good enough wages to attract the right quality of staff), incompetence, dishonesty, or a corporate
culture that does not cultivate risk awareness, or encourages profits without regard to the
methods used to make them.
• Systems risk is the risk arising from information and communication systems such as systems
capacity, security and availability, data integrity, and unauthorised access and use. A key aspect of
systems risk arises from the interconnectedness of computer systems via the internet, known as
cyber risk (see below).
• Event risk is the operational risk of loss due to single events that are unlikely but may have serious
consequences. These include:
– disaster risk: a catastrophe occurs, such as fire, flood, ill health or death of key people, terrorism
and so on;
– regulatory risk: new laws or regulations are introduced, affecting the business’s operations and
profitability;
– reputation risk: the business’s activities damage its reputation in the eyes of stakeholders; and
– systemic risk: failure by a participant in the business’s supply chain or system to meet its
contractual obligations, so the system itself is at risk

Another way of classifying event risks is according to their sources in the environment.
– Physical risks: such as climate and geology
– Social risks: changes in tastes, attitudes and demography
– Political risks: changes determined by government, or by a change of government
– Legal risks: the consequences of being unable to enforce contracts, of breaking the law or
otherwise of failing to meet legal duties or obligations. Legal risk can also arise from changes in
legislation and regulations
– Economic risks: changing economic conditions such as a recession
– Technology risks: changes in production or delivery technology and from the threat of cyber
attack
– Cyber risk: the risk of financial loss, disruption or damage to the reputation of an organisation
from failure of its information technology systems due to accidents, breach of security, cyber-
attacks or poor systems integrity. Cyber risk and controls for dealing with it are covered in more
detail in the chapter Developments in technology.
– Climate risk: the risk of disruption related to climate change – such as damage caused by
floods or droughts.

Professional skills focus: Assimilating and using information

Exam questions may test your ability to recognise specific issues that may arise in the context. This
could include providing details about a specific risk and asking what type of risk it is.

4 Risk concepts and measurement


Section overview

• The risk a business is facing is measured in terms of exposure, volatility, impact and probability.
• Statistical techniques have wide application. In the context of this chapter, they can be used to
analyse risk.
• Measures of central tendency include the mean, median, mode and expected values. These can
be used to indicate the average or central value that can be expected for a particular event or set
of data.
• Measures of dispersion measure the variability of data or events. As such they are good measures
of risk, as the higher the variability is, the higher the level of risk. Dispersion can be measured
using the range, the variance, standard deviation and co-efficient of variation.
• Frequency distributions show the number of times a particular value occurs in a set of data. These
can be shown graphically.
• The normal distribution is a particular frequency distribution that often occurs with very large sets
of data, where the data is distributed symmetrically around the mean. A normal distribution is
defined by its mean and standard deviation.
• Some distributions are not symmetric, and are referred to as skewed.

4.1 Key risk concepts


The scale of any risk for a business depends upon four key risk concepts.
• Exposure is the measure of the way in which a business is faced by risks. Some businesses will by
their very nature be less exposed than others. A transport company such as an airline or a railway
operator is considerably more exposed to the risk that its customers will be injured while using its
services than is a bank or a firm of accountants. A business that has minimal debt finance and no
overseas customers or suppliers has little or no exposure to the risks of either interest rate
movements or exchange rate movements.

• Volatility is how the factor, to which a business is exposed, is likely to alter. A coffee producer is
dependent on good weather; businesses like fashion and music are subject to changes in public
taste. Some businesses operate in regions that are politically unstable.
• Impact (or consequence) refers to measures of the amount of the loss if the undesired outcome
occurs. Impact might be measured purely in financial terms, or in terms of delay, injuries/loss of
life or other ways depending on the risk being faced.
• Probability (or likelihood) means how likely it is that a particular outcome will occur. In some
cases, it is possible to estimate probability on the basis of past experience (historical records)
combined with information about all the factors involved and how they interact. In others it is
much harder to estimate probability because no historical data exists. The development of an
entirely new product is an example.
The greatest risks for a particular business will arise when:
• exposure is high;
• the underlying factor is volatile;
• the impact is severe; and
• the probability of occurrence is high.
Different combinations of these four risk concepts result in different levels of response from the
business.

4.2 Statistics
Analysis of risk may involve the use of statistics.

Definitions
Statistics: A branch of mathematics that involves the collection, description, analysis, and inference of
conclusions from quantitative data (Investopedia).
Data set: A collection of data about a population, or a sample of a population (eg, the values of a
variable such as age of all ICAEW students would be a data set).
Population and sample: A population is the entire set of data (eg, all sales invoices issued during a
particular month). A sample can be taken from the population (eg, a sample of 40 invoices is taken
from all the invoices issued during a particular month). The sample may be analysed to find out more
about the population from which it is taken.
Descriptive statistics: Describe the properties of sample and population data, such as the average
value and the degree of variability.
Inferential statistics: The analysis of samples to draw conclusions about the population.

This chapter covers descriptive statistics, which are relevant to analysis of risk. We look at measures
of central tendency, which aim to describe a typical or average element in a population. We then
examine measures of dispersion (spread) which describe how spread out the values are in a set of
data.
Inferential statistics is discussed in the chapter Data analysis.

4.3 Measures of central tendency (average)


Measures of central tendency attempt to measure the ‘average’ or typical value of a given set of data.
This is the value that represents the central value of all the possible values. In relation to risk, the
average is what the typical or expected value would be: it gives an impression of the size of all the
values in the data set.
Measures of central tendency commonly used are:
• Median
• Mode
• Mean
• Expected value

Definitions
Median: The middle value in a data set when the values are placed in order, from smallest to largest.
If there is an even number of values, then the median is the value halfway between the two middle
values. For large data sets if the number of values is n, the median is the (n + 1)/2-th value.
Mode: The value which occurs most often in a data set.
Mean: What most people think of as the ‘average’. It is the arithmetic mean, denoted as x̄, and is
calculated by taking the sum (Σ) of all the values (x) and dividing by the number of values (n) in
the data set:

x̄ = Σx / n

Context example: Measures of central tendency


The monthly profits of a garden centre last year were:

Month       Profits (£000)
January       50
February      52
March         74
April        105
May          120
June         125
July         120
August        85
September     65
October       58
November      52
December      54
Total        960

Median
In order to calculate the median of the data, the monthly profits need to be ranked in order of value,
and the median is the middle value:

Month       Profits (£000)   Order
January       50               1
February      52               2
November      52               3
December      54               4
October       58               5
September     65               6
March         74               7
August        85               8
April        105               9
May          120              10
July         120              11
June         125              12

Since there is an even number of months, there is no exact middle value, as the median is the 6.5th
value (calculated as (12 + 1)/2). This will be taken as the value exactly half-way between the sixth
value (65) and the seventh value (74):

$\text{Median} = \dfrac{65 + 74}{2} = 69.5$
Mode
The mode is the value that appears most often in a set of data. In the example above there are two
modes – 52 and 120 as these values both occur twice. All the other values occur once only.
Where there are two modes, the data is said to be bi-modal. In this case, the mode does not really
provide any useful information as neither of these values represent a ‘typical’ month.
Mean
The mean is calculated by dividing the sum of all values by the number of values (n). In this case the
sum of all the values is the total profit for the year (£960,000) and n is 12. The mean is therefore:

$\text{Mean} = \dfrac{\sum X}{n} = \dfrac{960{,}000}{12} = 80{,}000$, ie, £80,000

Interactive question 2: Mean, median and mode


Mrs Baker owns a giftshop in Bigtown. Her daily sales for the last week were as follows:

Day Sales (£)


Monday 2,000
Tuesday 2,500
Wednesday 6,400
Thursday 6,400
Friday 12,000
Saturday 14,000
Sunday 12,700

Requirement
Calculate the mean, median and mode of the daily sales for the week.

See Answer at the end of this chapter.



4.3.1 Evaluation of measures of central tendency

Mean
Advantages:
• It is easy to calculate and is widely understood.
• It is representative of all the values in the data set as they are all included in the calculation
(eg, profits from all 12 months were used in calculating the garden centre’s average monthly profit).
• It is suited to further statistical analysis.
Disadvantages:
• It may not return a value that is the same as an actual value in the data set (eg, the average
household has 1.4 cars but one cannot own 0.4 of a car).
• It may return the same result for two very different sets of data, so on its own it may not allow
different data sets to be compared.
• It may be distorted by outliers, which are values that are significantly different from most of the
other data values, and that may arise due to errors in measurement or very unusual circumstances.

Median
Advantages:
• It is easy to understand.
• It is not distorted by very large or very small, exceptional values (known as outliers).
Disadvantages:
• It may not return a value that is the same as an actual value in the data set.
• It does not take all the values in the data set into account, so it is less representative.
• It is difficult to identify in large data sets as the values have to be ordered.
• It is not suited to further statistical analysis.

Mode
Advantages:
• It is easy to find and understand.
• It is always an actual value in the data set.
• If the data is qualitative not quantitative (eg, the data comprises individuals’ choice of favourite
flavour of a food product), the mode is the only measure of central tendency that can be used.
• It is not influenced by extreme outliers.
Disadvantages:
• It does not take all the values in the data set into account, so it is less representative.
• There can be more than one mode, in which case it may not be a good reflection of the central
tendency.
• It is not suited to further statistical analysis.

Context example: Outliers


A runner has kept a log of how many kilometres she runs each week during training:



Week number Kilometres run
Week 1 3
Week 2 49
Week 3 49
Week 4 50
Week 5 50
Week 6 50
Week 7 50
Week 8 51

It can be seen that week 1 is significantly lower than the other weeks, and is therefore an outlier.
There might be a reason why the runner only ran 3 km that week – perhaps she was injured.
The mean distance covered each week is 44 km. This is below the actual distance run every week
except for week 1, and is therefore not really a representative measure of the runner’s weekly
distance. The mean has been distorted by the outlier.
Some statisticians ignore outliers. If week 1 is ignored, the mean weekly distance run is 49.85
kilometres, which is a much more representative indicator of the runner’s weekly distance.
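The following Python script is an added worked example, not part of the ICAEW text. It implements the
definitions of mean, median and mode given above, reports every mode so that bi-modal data (such as the
garden centre profits) is not hidden behind a single number, and screens for outliers in the way the
runner example suggests. The data sets are those used in this section; the outlier rule (a value more
than three standard deviations from the mean of the remaining values) is this example’s own assumption,
since the text only says that some statisticians ignore outliers.

```python
"""Central tendency and outlier screening (added example, not from the textbook).

Each function follows the definition used in this section: the mean is the sum
divided by n, the median is the middle of the ordered data (or the midpoint of the
two middle values for an even n) and the mode is the most frequent value, reported
as a list so that bi-modal data is visible rather than hidden.
"""
from collections import Counter
from typing import List, Sequence

# Data taken from this section's worked examples.
GARDEN_PROFITS = [50, 52, 74, 105, 120, 125, 120, 85, 65, 58, 52, 54]   # £000 per month
RUNNER_KM = [3, 49, 49, 50, 50, 50, 50, 51]                             # km per week
GIFTSHOP_SALES = [2000, 2500, 6400, 6400, 12000, 14000, 12700]          # £ per day


def mean(values: Sequence[float]) -> float:
    """Arithmetic mean: sum of all values divided by the number of values, n."""
    if not values:
        raise ValueError("mean of an empty data set is undefined")
    return sum(values) / len(values)


def median(values: Sequence[float]) -> float:
    """Middle value of the ordered data. For an even n the (n + 1)/2-th position
    falls between two values, so the median is halfway between them."""
    ordered = sorted(values)
    n = len(ordered)
    if n == 0:
        raise ValueError("median of an empty data set is undefined")
    mid = n // 2
    if n % 2 == 1:
        return ordered[mid]
    return (ordered[mid - 1] + ordered[mid]) / 2


def modes(values: Sequence[float]) -> List[float]:
    """Every value that occurs most often. An empty list means no value repeats
    (no mode); two or more entries mean the data is bi- or multi-modal."""
    counts = Counter(values)
    top = max(counts.values())
    if top == 1:
        return []
    return sorted(v for v, c in counts.items() if c == top)


def outliers(values: Sequence[float], k: float = 3.0) -> List[float]:
    """Leave-one-out screen: a value is flagged if it lies more than k population
    standard deviations from the mean of the *other* values. Measuring against
    the other values stops a large outlier from inflating the spread it is
    compared with. The 3-SD cut-off is this example's assumption, not a rule
    from the text."""
    flagged = []
    for i, v in enumerate(values):
        rest = list(values[:i]) + list(values[i + 1:])
        if not rest:
            break
        m = mean(rest)
        sd = (sum((x - m) ** 2 for x in rest) / len(rest)) ** 0.5
        if (sd == 0 and v != m) or (sd > 0 and abs(v - m) > k * sd):
            flagged.append(v)
    return flagged


def summarise(values: Sequence[float]) -> dict:
    """Mean, median and mode(s), plus the mean with flagged outliers removed."""
    dropped = outliers(values)
    kept = [v for v in values if v not in dropped]
    return {
        "mean": mean(values),
        "median": median(values),
        "modes": modes(values),
        "outliers": dropped,
        "mean_without_outliers": mean(kept) if kept else None,
    }


if __name__ == "__main__":
    for name, data in [("garden centre profits £000", GARDEN_PROFITS),
                       ("runner km per week", RUNNER_KM),
                       ("gift shop sales £", GIFTSHOP_SALES)]:
        print(name, summarise(data))
```

Run as a script it prints a summary of each data set; for the runner it flags week 1 and reports the
mean with and without it, which is the comparison made in the example above.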

Context example: Same mean for very different data sets


An employer has recorded how many people were absent from work during the last 10 days at two
of its sites:

Site 1 Site 2
Monday 7 1
Tuesday 2 2
Wednesday 3 3
Thursday 4 3
Friday 5 3
Monday 6 3
Tuesday 4 10
Wednesday 8 10
Thursday 9 10
Friday 7 10
Total 55 55
Mean 5.5 5.5

The mean number of absentees was 5.5 per day in both sites which might suggest that both sites
have the same level of absenteeism. When the data is examined in more detail, however, it can be
seen that there is a big difference in the profile of absenteeism. In particular, site 2 has very high
absenteeism rate in the second week and a very low level in the first, while the level of absentees in
site 1 is closer to the mean on most days. These different profiles are not visible from the mean.

4.3.2 Expected values


An expected value is a weighted average value that you might expect to get if you take some action
where the possible outcomes are variable, but you can estimate the probability of each outcome
occurring. Imagine if you are planning to sell an item on eBay. You are told that there is a 20% chance



that you will not sell the item, a 30% chance that you will achieve a price of £30 and a 50% chance
that you will sell the item for £50. Your expected selling price is £34, being (20% × 0) + (30% × 30) +
(50% × 50).

Context example: Expected values


Jack plc has the opportunity to invest £100,000 in a project. The project manager has identified three
scenarios: best case, worst case, and most likely – for the project’s annual return, with related
probabilities and returns.

                        Probability of the       Annual return under
                        scenario occurring       the scenario £
Worst case scenario     0.3                      2,000
Most likely scenario    0.6                      5,000
Best case scenario      0.1                      10,000

The expected return for the investment can be calculated using a weighted average:

                        Probability     Annual return under     Expected return
                                        the scenario £          (probability × return) £
Worst case scenario     0.3             2,000                   600
Most likely scenario    0.6             5,000                   3,000
Best case scenario      0.1             10,000                  1,000
Expected return                                                 4,600

The expected return of £4,600 is not actually predicted as a return for any of the three scenarios; it is
the average of the annual returns that would be expected over a number of years. It is a measure of
the investment’s return for decision-making and risk evaluation purposes.
An expected value is a type of mean. If an action is repeated many times, the expected value
represents the expected mean of the outcomes achieved over time.

4.4 Measures of dispersion


Measures of dispersion (spread) indicate how widely dispersed the values in a data set are. Using the
example of the daily sales of a gift shop, if sales were the same every day, then there would be no
dispersion. If the values change significantly from day to day, then the values are more widely
dispersed. Greater dispersion means greater risk.
Imagine putting savings into a bank account that pays interest of 5% per annum. There will be no
dispersion in your returns, and therefore no risk (other than a negligible risk that the bank goes bust
and you lose your savings).
Alternatively, if you invested your savings in shares of companies listed on the stock exchange, your
returns would be variable. Some years, the market will rise, making your shares more valuable, other
years the market may fall, and your savings will lose some of their value, so there may be capital
gains and losses. Some years dividends may be paid, other years they may not, so the income from
the investment may be variable. The returns on shares are more dispersed, and therefore there is
more risk associated with them.
The measures of spread that you need to know are:
• range;
• standard deviation;
• variance; and
• co-efficient of variation



Definitions
Range: The difference between the highest and lowest value in a set of data.
Deviation: For each value in a data set, deviation refers to how far from the mean that value is.
Mathematically this is written as:

$(X - \bar{X})$

Variance: The average of the squared deviations of the values in a data set from the mean of that
data:

$\text{Variance} = \dfrac{\sum (X - \bar{X})^2}{n}$, where n is the number of items in the data set

Standard deviation: $\text{Standard deviation} = \sqrt{\text{Variance}}$

Coefficient of variation: $\text{Coefficient of variation} = \dfrac{\text{Standard deviation}}{\text{Mean}}$

4.4.1 Range
The range is simply the difference between the highest and lowest value in a set of data. The larger
the range is, the more dispersed the data is. This is a fairly simplistic measure, and suffers from the
following disadvantages:
• It only considers the lowest and highest value in the set of data so does not take into account the
dispersion of the other values.
• The range may be distorted by outliers.

4.4.2 Deviation, variance and standard deviation


For each value in a set of data, its deviation shows how far above or below the mean that value is. If
the deviation is positive, this shows that the value is above the mean, while a negative deviation
implies that the value is below the mean.
In order to show how dispersed that data is, we can calculate the average deviation from the mean.
However, if we simply calculated the average deviation, by adding together the values of all
deviations from the mean, the sum of the positive deviations would offset the negative variations
leading to a mean deviation of zero. This would not be useful. The solution therefore is to square the
deviations before adding them together, because the square of a negative number is a positive
number.
The variance is the average of the square of each deviation from the mean.
The formula for the variance is:

$\text{Variance} = \dfrac{\sum (X - \bar{X})^2}{n}$, where X represents each value and $\bar{X}$ represents the mean of the distribution.

The standard deviation is the square root of the variance. The standard deviation shows the average
deviation from the mean, ignoring whether the deviation is positive or negative, and is expressed in
the same units as the data. A larger standard deviation signifies greater variability/spread in the
values in a data set and therefore greater risk. The size of the standard deviation is also affected by
the size of the values in the data set: data sets that contain higher absolute values will tend to have
higher standard deviations, given the same level of relative dispersion. This problem with the
standard deviation is solved by using the co-efficient of variation (see below).

Context example: Calculation of variance and standard deviation


The monthly profits of a garden centre last year were:



Month Profits £000
January 50
February 52
March 74
April 105
May 120
June 125
July 120
August 85
September 65
October 58
November 52
December 54
Total 960

The mean monthly profits were £80,000. The calculation of the standard deviation and variance are
as follows:

Month           X                Deviation            Deviation squared
                (profits)        (X − mean)           (X − mean)²
                £000             £000                 (£000)²
January 50 -30 900
February 52 -28 784
March 74 -6 36
April 105 25 625
May 120 40 1,600
June 125 45 2,025
July 120 40 1,600
August 85 5 25
September 65 -15 225
October 58 -22 484
November 52 -28 784
December 54 -26 676
Total 960 9,764

Explanation: The second column, X, shows the profits of the month, in thousands, eg, in January it was
50. The third column, $(X - \bar{X})$, shows the difference between the profits of the month and the
mean monthly profits, $\bar{X}$, of 80. In January, monthly profits are 50, so $(X - \bar{X})$ is –30.
The fourth column is simply the third column squared, eg, in January it is –30 × –30 = 900.

The variance is $\dfrac{\sum (X - \bar{X})^2}{n} = \dfrac{9{,}764}{12} = 813.67$

Because the deviations were squared, the variance is in squared units ((£000)² here). That is why it
is hard to interpret on its own, and why the standard deviation, which is back in the units of the
data (£000), is the figure normally quoted.

The standard deviation is $\sqrt{813.67} = 28.5249$, ie, £28,525


Note: The examiner would not expect you to calculate a variance or standard deviation in the exam.
However, you may be required to show that you understand the meaning of the standard deviation
and are aware of its advantages and disadvantages.

4.5 Coefficient of variation


As an absolute number, the standard deviation can lack meaning. Standard deviations may be large
simply because the values in a set of data are high.
The co-efficient of variation relates the standard deviation of a data set to the size of the values in
it by dividing by the mean (expected) value of the data, giving a relative measure of dispersion that
can be compared across data sets of different sizes.

Context example: Calculation of coefficient of variation


In the previous example, the mean monthly profits of the garden centre were given as £80,000 and
the standard deviation was £28,525.

The coefficient of variation was therefore $\dfrac{28{,}525}{80{,}000} = 0.36$ (or 36%)

This shows that the standard (average) monthly deviation from the mean was 36% of the mean.

The coefficient of variation is a useful way to compare the risk of different potential projects:

Context example: Comparing risk using coefficient of variation


A business is reviewing monthly profit from two products. It has produced the following table
showing the monthly profit levels for the last five months for two products:

                        Product 1 –            Product 2 –
                        profit/(loss) £        profit/(loss) £
Month 1                 (1,000)                16,000
Month 2                 1,000                  18,000
Month 3                 5,000                  22,000
Month 4                 12,000                 29,000
Month 5                 15,000                 32,000
Average profit          6,400                  23,400
Standard deviation      6,184                  6,184

Both products have the same standard deviation, which may suggest that they bear the same level of
risk. However, the differences in profits for product 1 are relatively much larger.
The co-efficient of variation for the two products is as follows:

                          Product 1     Product 2
Standard deviation £      6,184         6,184
Average profits £         6,400         23,400
Coefficient of variation  96.6%         26.4%

As the coefficient of variation of product 1 is higher than for product 2, we can conclude that it is
riskier than product 2.
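The measures of dispersion defined in this section (range, variance, standard deviation and coefficient
of variation) and the product comparison above, as one added Python example. It is not part of the ICAEW
text; the data sets are the ones used in this section, and the formulas are the population versions
(divide by n) that the text uses. One caveat the text does not spell out is built in: the coefficient of
variation is only meaningful when the mean is positive, so the function refuses a zero or negative mean
rather than returning a misleading ratio.

```python
"""Measures of dispersion (added example, not from the textbook).

Variance and standard deviation use this section's population formulas (divide
by n, not n - 1). The coefficient of variation divides the standard deviation by
the mean so that series with different typical sizes can be compared.
"""
import math
from typing import Dict, List, Sequence

# Data from this section's worked examples.
GARDEN_PROFITS = [50, 52, 74, 105, 120, 125, 120, 85, 65, 58, 52, 54]   # £000 per month
PRODUCT_1 = [-1000, 1000, 5000, 12000, 15000]                           # £ monthly profit/(loss)
PRODUCT_2 = [16000, 18000, 22000, 29000, 32000]                         # £ monthly profit
GIFTSHOP_SALES = [2000, 2500, 6400, 6400, 12000, 14000, 12700]          # £ per day


def mean(values: Sequence[float]) -> float:
    return sum(values) / len(values)


def data_range(values: Sequence[float]) -> float:
    """Highest minus lowest value; uses only two points, so one outlier can dominate it."""
    return max(values) - min(values)


def variance(values: Sequence[float]) -> float:
    """Average squared deviation from the mean: sum((X - mean)^2) / n."""
    m = mean(values)
    return sum((x - m) ** 2 for x in values) / len(values)


def std_dev(values: Sequence[float]) -> float:
    """Square root of the variance, back in the units of the data."""
    return math.sqrt(variance(values))


def coefficient_of_variation(values: Sequence[float]) -> float:
    """Standard deviation as a fraction of the mean. A zero mean divides by zero
    and a negative mean flips the sign, so those cases are rejected."""
    m = mean(values)
    if m <= 0:
        raise ValueError("coefficient of variation needs a positive mean")
    return std_dev(values) / m


def rank_by_risk(series: Dict[str, Sequence[float]]) -> List[str]:
    """Series names ordered by coefficient of variation, riskiest first."""
    return sorted(series, key=lambda name: coefficient_of_variation(series[name]), reverse=True)


def dispersion_report(values: Sequence[float]) -> dict:
    return {
        "mean": mean(values),
        "range": data_range(values),
        "variance": variance(values),
        "std_dev": std_dev(values),
        "coefficient_of_variation": coefficient_of_variation(values),
    }


if __name__ == "__main__":
    print("garden centre:", dispersion_report(GARDEN_PROFITS))
    products = {"Product 1": PRODUCT_1, "Product 2": PRODUCT_2}
    for name, data in products.items():
        print(f"{name}: SD £{std_dev(data):,.0f}, CoV {coefficient_of_variation(data):.1%}")
    print("riskiest first:", rank_by_risk(products))
```

For the two products the script reproduces the table above: identical standard deviations of £6,184 but
coefficients of variation of 96.6% and 26.4%, so Product 1 ranks as the riskier.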

Interactive question 3: Measures of dispersion


Mrs Baker owns a giftshop in Bigtown. Her daily sales for the last week were as follows:

Day Sales
Monday 2,000
Tuesday 2,500
Wednesday 6,400
Thursday 6,400
Friday 12,000
Saturday 14,000
Sunday 12,700

The mean daily sales were £8,000 per day. The standard deviation was £4,559.
Requirement
Calculate the range and the coefficient of variation. Explain the meaning of the standard deviation
and coefficient of variation in relation to the gift shop.

See Answer at the end of this chapter.

4.6 Uses in risk management


The bigger the standard deviation is, the more widely dispersed the possible outcomes of an event
are, so a bigger standard deviation means a higher risk.
If decision makers have information about the expected values and standard deviations of the
projects they are considering, they can make more informed decisions, balancing the risks and
rewards. In general:
• if risks are higher (indicated by higher standard deviations), decision makers require higher
expected values to compensate them for this.
If two projects have the same expected return, decision makers would choose the project with the
lower standard deviation (assuming the two projects are mutually exclusive, so they cannot both be
chosen). However, a higher standard deviation may also result from having larger numbers in the
data set, so the co-efficient of variation is a better measure of the relative risk and should be used
when evaluating the relative risk of two or more mutually exclusive projects that have different
means.
Standard deviations may be used as a screening device, to reject decisions where the risk is
considered to be too high, given the risk appetite of the decision makers.
Often, accurate information about potential values and their associated probabilities is not available.
Sometimes historic values can be used as an approximation. In the financial markets, for example,
historic values about the standard deviation of prices are used when assessing the risks of particular
securities.



4.7 Frequency distributions
The way that the data in a data set is distributed can also vary. A frequency distribution shows how
often values within particular ranges occur in a data set. The monthly profits from the garden centre
can be summarised in the following frequency diagram, showing how many months the profits fall
within certain ranges:
[Figure 5.1: Frequency diagram of profits from the garden centre – bar chart with frequency (0 to 6)
on the vertical axis and profit ranges £50–59k, 60–69k, 70–79k, 80–89k, 90–99k, 100–109k, 110–119k
and 120–129k on the horizontal axis. From the monthly profits table the bar heights are 5, 1, 1, 1, 0,
1, 0 and 3 months respectively.]

There is no particular pattern to the data above. In five of the 12 months, profits were in the lowest
range (£50,000 - £59,000). In three of the months, they were in the highest range (£120,000 -
£129,000). In the other months, they were spread among the other ranges.
As data sets become larger, however, the higher frequencies tend to cluster around the centre of
the frequency diagram. A frequency diagram for a large data set (in this case, the heights of adults in
a country) would look like this:
[Figure 5.2: Frequency diagram for a larger data set – bar chart of adult heights, with frequency (0 to
1,200) on the vertical axis and height ranges in cm (110–119 up to 190–199) on the horizontal axis;
the tallest bars are in the middle ranges and the bars fall away towards both ends.]

If a curve was drawn that linked the centre points of each bar, we would have a ‘bell-shaped curve’ as
follows:

[Figure 5.3: Frequency diagram for a distribution using a line chart – the same height data as
Figure 5.2 (frequency 0 to 1,200 against height ranges 110–119 to 190–199 cm), drawn as a line
through the centre of each bar to give a bell-shaped curve.]

This curve is known as a frequency distribution as it shows the relative frequency of the data taking
different values.

4.8 The normal distribution


Many large data sets in the real world approximate the normal distribution:

[Figure 5.4: Normal distribution – bell curve with the mean μ at the centre and the horizontal axis
marked at –3σ, –2σ, –1σ, μ, 1σ, 2σ and 3σ. The areas under the curve are 34.1% between μ and 1σ on
each side, 13.6% between 1σ and 2σ on each side, 2.1% between 2σ and 3σ on each side and 0.1%
beyond 3σ on each side; the bands μ ± 1σ, μ ± 2σ and μ ± 3σ contain 68.2%, 95.4% and 99.7% of
values respectively.]

μ is the mean of the distribution (and the median and the mode)
σ represents a standard deviation
The area under the curve shows the probabilities of being within certain ranges of the mean, where
distance from the mean is measured in standard deviations.
The normal distribution has the following consistent properties:
• The mean of the distribution = the median = the mode
• The distribution is symmetrical – the probability of identifying a value as equal to or below the
mean is 50% and the probability of it being equal to or above the mean is also 50%.
• The probability of being within particular ranges of the mean depends on the standard deviation:
– 34.1% lie between the mean and one standard deviation below the mean, and 34.1% lie
between the mean and one standard deviation above the mean.
– 68.2% of values lie between one standard deviation below and one standard deviation above
the mean.
– 95.4 % of values lie between two standard deviations below and two standard deviations above
the mean.
– 99.7% of values lie within three standard deviations below and three standard deviations above
the mean.
Some useful values are:
• 95% of values lie within 1.96 standard deviations above and 1.96 standard deviations below the
mean.
• 99% of values lie within 2.58 standard deviations above and 2.58 standard deviations below the
mean.

Context example: Normal distribution


The mean number of units produced by a machine is 1,000 per day, with a standard deviation of 25
units. The Production Manager wishes to know what is the probability of producing between 950 and
1,000 units per day. Assume that daily output is normally distributed.

172 Business, Technology and Finance ICAEW 2023


950 units is two standard deviations below the mean of 1,000 units. We are therefore looking at the
probability of being in the range between the mean and two standard deviations below the mean.
Using the normal distribution (refer to Figure 5.4 above), we can see that there is a 47.7% probability
of being between the mean and two standard deviations below it (34.1% + 13.6%).
There is therefore a 47.7% chance that the machine will produce between 950 and 1,000 units per
day.

Context example: Normal distribution 2


The mean number of units produced by a machine is 1,000 per day, with a standard deviation of 25
units. The Production Manager wishes to know what is the probability of producing between 975 and
1,025 units per day. Assume that daily output is normally distributed.
In this case, we are looking for the probability of being between one standard deviation below the
mean and one standard deviation above the mean. Referring to Figure 5.4 above we can see that the
probability of being in the range from one standard deviation below to one standard deviation
above the mean is 68.2%.
Note: This has a much higher probability than being between the mean and two standard deviations
from the mean.
There is therefore a 68.2% chance that production will be between 975 and 1025 units per day.
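The two machine examples above read probabilities off the fixed bands of Figure 5.4. The following
Python script is an added example, not part of the ICAEW text, that generalises this: it evaluates the
normal distribution directly through the error function, so any interval (not only whole numbers of
standard deviations) and either tail can be queried. It uses only the standard library; the machine
figures (mean 1,000 units, standard deviation 25) are those of the examples.

```python
"""Normal-distribution probabilities (added example, not from the textbook).

Uses the standard normal cumulative distribution function,
Phi(z) = (1 + erf(z / sqrt(2))) / 2, so any interval can be evaluated rather
than only the whole-standard-deviation bands shown in Figure 5.4.
"""
import math


def z_score(x: float, mu: float, sigma: float) -> float:
    """Distance of x from the mean, measured in standard deviations."""
    if sigma <= 0:
        raise ValueError("standard deviation must be positive")
    return (x - mu) / sigma


def normal_cdf(x: float, mu: float = 0.0, sigma: float = 1.0) -> float:
    """P(X <= x) for X ~ N(mu, sigma^2). Also the lower-tail probability."""
    return 0.5 * (1.0 + math.erf(z_score(x, mu, sigma) / math.sqrt(2.0)))


def probability_between(low: float, high: float, mu: float, sigma: float) -> float:
    """P(low <= X <= high); the bounds may be given in either order."""
    if low > high:
        low, high = high, low
    return normal_cdf(high, mu, sigma) - normal_cdf(low, mu, sigma)


def probability_within(k: float, mu: float = 0.0, sigma: float = 1.0) -> float:
    """P(mu - k*sigma <= X <= mu + k*sigma): the symmetric bands of Figure 5.4."""
    return probability_between(mu - k * sigma, mu + k * sigma, mu, sigma)


def probability_beyond(x: float, mu: float, sigma: float) -> float:
    """Upper-tail probability P(X > x)."""
    return 1.0 - normal_cdf(x, mu, sigma)


if __name__ == "__main__":
    MU, SIGMA = 1000, 25   # machine output in units per day, from the examples above
    print(f"P(950 to 1,000)  = {probability_between(950, 1000, MU, SIGMA):.3f}")
    print(f"P(975 to 1,025)  = {probability_between(975, 1025, MU, SIGMA):.3f}")
    print(f"P(below 950)     = {normal_cdf(950, MU, SIGMA):.3f}")
    print(f"P(above 1,050)   = {probability_beyond(1050, MU, SIGMA):.3f}")
    for k in (1, 1.96, 2, 2.58, 3):
        print(f"within {k} SD of the mean: {probability_within(k):.4f}")
```

The script reproduces the 47.7% and 68.2% answers above, and the 95%/99% figures for 1.96 and 2.58
standard deviations; it also gives the tail probabilities (for example the chance of output below 950
units), which the figure alone does not show.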

4.9 Skewness
The normal distribution is symmetrical, with half the values lying above the mean, and half lying
below. It is often useful to assume, when evaluating data, that it has a normal distribution, but in fact
most distributions are not symmetrical, and are therefore said to be skewed or asymmetric to some
degree.
• A left-skewed (negatively skewed) distribution has the majority of values concentrated on the
right-hand side of the distribution. There are fewer values on the left-hand side of the distribution
but these are more spread out, so the curve has a long left-hand tail but appears to lean slightly to
the right. The mode typically occurs at the highest point in the distribution, and typically the
median is to the left of the mode (so it has a lower value than the mode) and the mean is to the
left of the median (so it has a lower value than both the mode and the median).
• A right-skewed (positively skewed) distribution has the majority of values concentrated on the
left-hand side of the distribution. There are fewer values on the right-hand side of the distribution
but these are more spread out, so the curve has a long right-hand tail but appears to lean slightly
to the left. Again, the mode typically occurs at the highest point in the distribution, and typically
the median is to the right of the mode (so it has a higher value than the mode) and the mean is to
the right of the median (so it has a higher value than both the mode and the median).
• The normal distribution is not skewed, and the mean = the median = the mode at the highest
point of the distribution.
Skewness can be illustrated by the following diagrams:

[Figure 5.5: Left skewed distribution – curve with a long left-hand tail; reading from left to right the
labels are Mean, Median, Mode, with the mode at the peak.]

[Figure 5.6: Right skewed distribution – curve with a long right-hand tail; reading from left to right
the labels are Mode, Median, Mean, with the mode at the peak.]

In a very skewed set of data, with extreme values at one end of the distribution, the mean of the data
is not representative of the data as a whole. This means the data is more difficult to analyse using
statistics. Skewness is often indicative of bias in the data. See the chapter Data analysis for more
discussion of data bias.
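The direction of skew can be checked numerically rather than by eye. The following Python script is an
added example, not part of the ICAEW text: it computes the moment coefficient of skewness (the average
cubed deviation divided by the cube of the population standard deviation, positive for right skew and
negative for left skew) and reports whether the mean lies above or below the median, which is the
ordering described above. The three data sets are constructed for illustration.

```python
"""Direction of skew (added example, not from the textbook).

Combines the mean/median ordering described in the text with the moment
coefficient of skewness so that the direction can be read off a data set.
"""
from statistics import mean, median, multimode, pstdev
from typing import Sequence

# Constructed data sets, not from the text.
SYMMETRIC = [1, 2, 3, 4, 5]
RIGHT_SKEWED = [1, 1, 2, 2, 3, 10]   # long right-hand tail
LEFT_SKEWED = [0, 7, 8, 8, 9, 9]     # mirror image: long left-hand tail


def moment_skewness(values: Sequence[float]) -> float:
    """Third standardised moment: mean cubed deviation / (population SD)^3.
    Positive = right (positive) skew, negative = left (negative) skew, zero for
    symmetric data. Returns 0.0 when every value is equal (no spread)."""
    m = mean(values)
    sd = pstdev(values)
    if sd == 0:
        return 0.0
    return sum((x - m) ** 3 for x in values) / len(values) / sd ** 3


def skew_direction(values: Sequence[float]) -> str:
    g = moment_skewness(values)
    if abs(g) < 1e-9:
        return "symmetric"
    return "right (positive)" if g > 0 else "left (negative)"


def describe(values: Sequence[float]) -> dict:
    """Mean, median, mode(s), skewness and whether the mean sits above the median
    (expected for right skew) or below it (expected for left skew)."""
    m, md = mean(values), median(values)
    return {
        "mean": m,
        "median": md,
        "modes": multimode(values),
        "skewness": moment_skewness(values),
        "direction": skew_direction(values),
        "mean_above_median": m > md,
    }


if __name__ == "__main__":
    for name, data in [("symmetric", SYMMETRIC), ("right skewed", RIGHT_SKEWED),
                       ("left skewed", LEFT_SKEWED)]:
        print(name, describe(data))
```

For the right-skewed set the mean (3.17) exceeds the median (2) and the coefficient is positive; the
mirrored set gives the same coefficient with the opposite sign and the mean below the median.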

5 The objectives of risk management


Section overview

• Risk management involves identifying, analysing and controlling those risks that threaten the
assets or earning capacity of the business so as to reduce the business’s exposure by either
reducing the probability or limiting the impact, or both.

5.1 What is risk management?

Definition
Risk management: The identification, analysis and economic control of risks which threaten the
assets or earning capacity of a business.

Risk management is actively used by many businesses, some of which employ risk managers. Smaller
businesses and individuals may not recognise a specific task of risk management but will
nevertheless have developed their own methods of analysing and managing risk.
The purpose of risk management is to understand and then to minimise cost-effectively the
business’s exposure to risk and the adverse effect of risks, by:
• reducing the probability of risks occurring in the first place; and then if they do occur
• limiting the impact they will have on the business

5.2 When is risk management necessary?


• There may be legal requirements to manage risk; you are required by law to insure your car, for
instance.
• Risk management (in the form of insurance) may be required by licensing authorities and
regulatory bodies. For example, a football stadium would not be allowed to operate if it did not
have public liability insurance: ICAEW members in public practice must have professional
indemnity insurance (PII).
• Financial organisations may require risk management; if you have a mortgage your lender no
doubt requires you to have buildings insurance to protect its security.



Interactive question 4: Indemnity insurance
Find out, if you can, the basis of the requirement that chartered accountants should have to hold
professional indemnity insurance (PII), and what it is designed to achieve.

See Answer at the end of this chapter.

Large, listed companies in the UK are required to determine the nature and extent of their significant
risks and to maintain sound risk management systems.
A risk-based management approach is a requirement for all UK companies with a premium listing
under the UK Corporate Governance Code. We shall see more about this in the chapter Corporate
governance.

6 The risk management process


Section overview

• Risk management involves identifying risk, assessing and measuring it in terms of exposure,
volatility, impact and probability, controlling it by means of avoidance, transfer and reduction,
accepting what remains and then monitoring and reporting on events.
• Risks can be identified by considering what losses would ensue: property, liability, personnel,
pecuniary and interruption loss.
• Once identified, the gross risk is measured by multiplying its probability (a value between 0 and
1) by the impact (the value of the loss that would arise). The aim of risk management is to reduce
gross risk cost-effectively.
• Some risk can be avoided by not doing the risky activity, and some can be reduced by taking
precautionary measures. Some of what remains of the gross risk can be transferred to someone
else, especially by insurance. The remaining gross risk must be accepted or retained.
• All the elements of the risk management process must be monitored and reported on to an
appropriate person.

6.1 What is involved in the risk management process?

[Figure 5.7: Risk management process – flow diagram: Awareness and identification → Analysis:
assessment and measurement → Response and control (avoidance, reduction, sharing, acceptance)
→ Monitoring and reporting.]



• Risk awareness and identification, using techniques such as brainstorming and analysis of past
experience to identify the business’s exposure to risks.
• Risk analysis (assessment and measurement): this considers the volatility of particular factors, the
probability of an event occurring and the severity of the impact if it does. Measurement may be
qualitative or quantitative.
• Risk response and control: in essence a risk can be avoided (do not do the risky activity), reduced
(eg, by strictly controlling processes), shared (eg, with an insurer) or simply accepted.
• Risk monitoring and reporting is a continuous process.
We shall look at each element of the risk management process in turn.

6.2 Risk awareness and identification


Risk awareness is partly a state of mind, but it is also dependent on how well the matter under
consideration is understood.
Suppose a UK business was considering launching a new product in China but knew absolutely
nothing about doing business in China. It is highly likely that it will not be aware of the many risks to
which the business could be exposed because of factors such as different regulations, different ways
of approaching customers, differences in disposable income and so on. The risks remain to be
identified.

Definition
Risk identification: Identifying the whole range of possible risks and the likelihood of losses
occurring as a result of these risks.

Risk identification must be a continuous process, based on awareness and knowledge that:
• potential new risks may arise; and
• existing risks may change
Exposure to both new and altered risks must be identified quickly and managed appropriately.
There are two approaches to identifying risks, which operate most effectively when combined.
• A top-down approach is led by the senior management/board of the business, spending time on
attempting to identify key risks. Often, this is linked to the business’s CSFs: what might happen to
prevent us from achieving each CSF?
• A bottom-up approach involves a group of employees, with an expert in risk management,
working together to identify risks at the operational level upwards.
Categories of loss:
• Property loss – possible loss, theft or damage of any static or moveable assets
• Liability loss – loss occurring from legal liability to third parties, personal injury or damage to
property
• Personnel loss – due to injury, sickness or death of employees
• Pecuniary loss – as a result of defaulting receivables
• Interruption loss – a business being unable to operate due to one of the other types of loss
occurring
Identifying too many risks can make the risk management process overly complex. The business
should focus its efforts on significant risks: those that are potentially damaging to the business’s
value.

6.3 Risk analysis: assessment and measurement


After risks have been identified, there should be a process of judging whether each risk is serious,
and which risks are more serious than others.



Definitions
Risk assessment: For each risk its nature is considered, and the implications it might have for the
business achieving its objectives; an initial judgement is then made about the seriousness of the risk.
Risk measurement: Identifying the probability (likelihood) of the risk occurring, quantifying the
resultant impact (consequence) and calculating the amount of the potential loss using expected
values for gross risk.
Gross risk: The potential loss associated with the risk, calculated by combining the impact and the
probability of the risk, before taking any control measures into account.

An aim of risk assessment should be to identify those risks that have the greatest significance, and so
should receive the closest management attention.
Significance can be measured in terms of the potential loss arising as a result of the risk, that is its
gross risk. This depends on:
• the potential impact, quantified as an expected value (usually using weighted averages as we saw
earlier in the section on risk concepts and measurement).
• the probability of occurrence, measured mathematically, as a decimal between 0 and 1
Gross risk = Probability × Impact
A method that is frequently used to assess risks is to plot each one on a risk map, showing impact on
a scale of 1 to 10 (or just low to high) on one axis, and probability on a similar scale on the other axis.
[Figure 5.8: Risk assessment map – impact (low to high) on the vertical axis and probability (low to
high) on the horizontal axis; the high impact/high probability corner is labelled ‘High significance’
and the low impact/low probability corner ‘Low significance’.]

With regard to controlling risk, the greatest attention may then be paid to risks that fall in the high
significance (high impact/high probability) quadrant, bearing in mind that the quantum of each in
terms of gross risk should also be considered: a ‘high significance’ gross risk of only £10,000 will
probably draw less attention than a medium significance risk of £1 million, for example.
An alternative way to measure risk is by using measures of dispersion, such as the standard deviation
or co-efficient of variation, as described above in the section on risk concepts and measurement.
In the chapter Corporate governance, we shall look at corporate governance and risk assessment
relevant to large, listed companies in the UK (the UK Corporate Governance Code and the FRC’s
guidance on risk management, internal control and related financial and business reporting).

Professional skills focus: Applying judgement

You may need to identify which quadrant a particular risk should be included in. You will need to
think about the impact (big or small) and the probability of the risk occurring.

ICAEW 2023 5: Introduction to risk management 177


6.4 Risk response and control
Measurement (qualitative or quantitative) and assessment establish priorities that determine the
amount of management time that should be spent developing and implementing a response to
control any particular risk: obviously, large gross risks in the high significance quadrant should be
considered first.
The possible responses to a risk, so as to control it, are as follows.
• Avoidance: not doing the risky activity. This may not be an option, but the first question should
always be ‘Do we need to do this risky activity at all?’
• Reduction: doing the activity, but using whatever means are available to ensure that the
probability of the event occurring and the impact if it does are as small as possible.
• Sharing: for example, taking out insurance against the risk, but only after every effort has been
made to reduce it, so that insurance premiums are kept as low as possible. Another sharing
strategy might be to enter an agreement with one or more other companies (joint ventures,
outsourcing arrangements and partnerships with suppliers are all examples). Hedging is a means
of sharing market risk. Risk sharing is sometimes called risk transfer, but it is rare to be able to
transfer all the risk.
• Acceptance (sometimes called retention): this should only be considered if the other options are
not viable, for example if the costs of extra control activities and the costs of insuring against the
risk are greater than the cost of the losses that will occur if the event happens. The concept of
materiality should apply: immaterial risks can be accepted. Nevertheless, risks that have been
accepted should still be kept under review: new developments may mean that a different
response becomes more appropriate.
The risk map can be expanded to include risk responses depending on the assessment and
measurement of the risk.
• High impact, low probability: these risks might be shared using insurance, and at the same time
the impact might be reduced so that insurance premiums are lower.
• High impact, high probability: these risks must be controlled, using avoidance, reduction and/or
sharing.
• Low impact, low probability: often these risks are just accepted, as the cost of avoiding, reducing
or sharing them exceeds the benefits.
• Low impact, high probability: reduction is the key response here.

Figure 5.9: Risk responses (impact on the vertical axis, probability on the horizontal axis, each from
low to high)
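The following is an added worked example (not part of the ICAEW text) of the scoring described in this section and the preceding one: a small constructed risk register is scored as gross risk = probability × expected impact (the impact being a weighted average of loss scenarios), placed in a risk-map quadrant and matched to the Figure 5.9 response. The 0.5 probability cut-off, the £100,000 materiality figure and all register entries are assumptions; ranking by gross risk shows why the quadrant alone is not enough, as the text cautions.

```python
"""Score a risk register: gross risk, risk-map quadrant, Figure 5.9 response.

Added worked example, not from the ICAEW text. The cut-offs and the sample
register below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed cut-offs separating the "low" and "high" halves of the risk map.
HIGH_PROBABILITY = 0.5        # probability at or above this counts as high
MATERIALITY_GBP = 100_000.0   # expected impact at or above this counts as high

# Response for each quadrant, keyed by (impact_is_high, probability_is_high),
# following the text's Figure 5.9.
RESPONSES: Dict[Tuple[bool, bool], str] = {
    (True, True): "control: avoidance, reduction and/or sharing",
    (True, False): "share (insure) and reduce impact to lower premiums",
    (False, True): "reduction",
    (False, False): "accept, but keep under review",
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance that the event occurs at all, 0..1
    # Constructed loss scenarios given the event occurs: (loss in GBP, weight).
    impact_scenarios: Tuple[Tuple[float, float], ...]

    def expected_impact(self) -> float:
        """Impact as a weighted average of the loss scenarios (weights sum to 1)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie between 0 and 1")
        weights = sum(w for _, w in self.impact_scenarios)
        if abs(weights - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: scenario weights sum to {weights}, not 1")
        return sum(loss * w for loss, w in self.impact_scenarios)

    def gross_risk(self) -> float:
        """Gross risk = Probability x Impact, before any controls are applied."""
        return self.probability * self.expected_impact()

    def quadrant(self) -> Tuple[bool, bool]:
        """Position on the risk map as (impact_is_high, probability_is_high)."""
        return (self.expected_impact() >= MATERIALITY_GBP,
                self.probability >= HIGH_PROBABILITY)

    def quadrant_label(self) -> str:
        hi_impact, hi_prob = self.quadrant()
        return (f"{'high' if hi_impact else 'low'} impact, "
                f"{'high' if hi_prob else 'low'} probability")

    def response(self) -> str:
        """Suggested response from Figure 5.9 for this risk's quadrant."""
        return RESPONSES[self.quadrant()]


def rank_by_gross_risk(register: List[Risk]) -> List[Tuple[str, str, float]]:
    """Order the register by gross risk, largest first, with quadrant labels.

    Ranking by quantum can differ from ranking by quadrant: a high/high risk
    with a small gross figure may sit below a high impact/low probability risk.
    """
    scored = [(r.name, r.quadrant_label(), r.gross_risk()) for r in register]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are illustrative only.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Warehouse fire", 0.02, ((2_000_000, 0.7), (5_000_000, 0.3))),
    Risk("Product recall", 0.6, ((150_000, 0.5), (400_000, 0.5))),
    Risk("Key supplier late", 0.8, ((20_000, 1.0),)),
    Risk("Printer failure", 0.3, ((2_000, 1.0),)),
    Risk("Contract dispute", 0.5, ((100_000, 1.0),)),  # high/high, small quantum
]

if __name__ == "__main__":
    for name, quadrant, gross in rank_by_gross_risk(SAMPLE_REGISTER):
        print(f"{name:<18} {quadrant:<30} gross GBP {gross:>12,.0f}")
    for risk in SAMPLE_REGISTER:
        print(f"{risk.name}: {risk.response()}")
```

Run as a script, the register prints with ‘Warehouse fire’ (high impact, low probability) ranked above ‘Contract dispute’ (high impact, high probability) because its gross risk is larger.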

The controls that are put in place in response to risks can take a variety of forms:
• Physical controls such as locks, speed limits and clothing protect people, assets and money
• Financial controls such as credit checks, credit limits and customer deposits protect money and
other financial assets
• System controls include procedural controls, so that processes are carried out in the right way,
software controls in computer systems, and organisation controls on people so that, for instance,
they do not exceed their authority. Together system controls protect the business’s ability to
perform its work.
• Management controls include all aspects of management that ensure the business is properly
planned, controlled and led, such as the organisation’s structure, and the annual budget.
We shall see more about controls later in this Workbook.

178 Business, Technology and Finance ICAEW 2023


Professional skills focus: Structuring problems and solutions

Questions may test your ability to demonstrate understanding of the business, and this includes risk.
A risk matrix is a useful way of summarising the different risks a business faces, and emphasising
which of these require more attention or controlling.

6.4.1 ALARP
An alternative approach to risk management is ALARP, which stands for ‘as low as reasonably
practicable’. ALARP is the basis of many regulations relating to health and safety at work in the UK,
where employers are expected to take actions to reduce risk faced by employees to a level that is
‘reasonably practicable’, but have no duty to go beyond this.

Definition
Reasonably practicable: Reasonably practicable means that the risk (the probability of an event
occurring and the impact that the event would have) has been reduced to a level that is
proportionate, given the cost that would be involved in reducing it any further. Reducing the risk
below this point would require an excessive amount of expenditure or effort to achieve very small
additional reductions in the risk. Reasonably practicable implies a higher level of risk than ‘as low as
possible’.

Applying the ALARP principle to health and safety at work means that employers are expected to
take action to reduce risks where the cost of those actions is not disproportionate in relation to the
risk. Requiring staff to wear protective clothing may reduce the risk of serious harm without causing
significant cost to an employer, so it would be expected that such a measure should be taken.
Spending millions to reduce the chance of two employees receiving minor injuries might be
considered disproportionate, so the employer would not be expected to do that. Clearly, some
judgement may be required in determining whether additional efforts to reduce the risks further
would be disproportionate.

6.5 Monitoring and reporting risk


Monitoring risk should be a continuous, ongoing process, such that if a risky event does occur then
the action taken should include an immediate review of the management of that risk, followed by
changes as necessary. In this sense ‘monitoring’ is a form of control.
• Has corrective action now been taken? Has it been effective?
• Was the risk identified in the first place, and if not, why not?
• If the risk was identified and planned for but the event still occurred, is it because early warning
indicators were not monitored?
• If the response and/or controls were ineffective what changes or new procedures are necessary?
All identified risk management problems that could affect the organisation’s ability to achieve its
objectives should be reported to those in a position to take necessary action.
• The chief executive regarding serious problems
• Senior managers regarding risk management problems that affect their units
• Managers in increasing levels of detail as the process moves down the organisational structure
The board of directors or audit committee should also be informed. The board or committee may ask
to be made aware only of problems that meet a specified threshold of seriousness or importance.
Premium listed companies (see the chapter Business finance, section 6) are required to follow the
main principles of the UK Corporate Governance Code so the board must:
• carry out robust assessments of the company’s emerging and principal risks;
• monitor the company’s risk management and internal control systems at least annually;
• state whether it is appropriate to adopt the going concern basis of accounting in annual and half-
yearly statements; and
• explain how the board assessed the prospects of the company in its annual report

We shall see more about this in the chapter Corporate governance.

7 Crisis management
Section overview

• Crisis management involves identifying a crisis and planning a response to it.
• Three main types of crisis are financial, public relations and strategic.
• Businesses need contingency plans to deal with a crisis should it occur.

7.1 What is a crisis?

Definition
Crisis: An unexpected event that threatens the wellbeing of a business, or a significant disruption to
the business and its normal operations which impacts on its customers, employees, investors and
other stakeholders.

Crises can be fairly predictable and quantifiable, or totally unexpected.

7.2 What is crisis management?

Definition
Crisis management: Identifying a crisis, planning a response to the crisis and confronting and
resolving the crisis.

Crisis management is much more commonly used in businesses now.


• Crises such as natural disasters and terrorism have been seen to have an even more extreme
effect in the context of global trade, so businesses are more motivated to manage crises better.
• Society is more litigious than it used to be, and businesses are expected to be able to deal better
with crises now than in the past.
• Better IT and other technology systems allow businesses to be able to do more to avert and/or
manage a crisis.
• Social media means that publicity surrounding any sort of crisis is widespread and can feed on
itself, raising the potential for very severe reputational consequences if damage limitation does
not swing into action quickly.

7.3 Types of crisis


There are three main types of crisis in terms of their effects on the business:
• Financial crisis – short-term liquidity or cash flow problems, and long-term solvency problems
• Public relations crisis – negative publicity that could adversely affect the success of the business
• Strategic crisis – changes in the business environment that call the viability of the business into
question, such as new technology making old products or processes obsolete
There are many types of crisis in terms of their cause.
• Natural event – physical, especially environmental, destruction due to natural causes such as
earthquake
• Industrial accident – buildings collapse, fire, release of toxic fumes, sinking or leaking of a ship
• Product or service failure – product recall of faulty or dangerous goods; communications, systems
or machine failure causing massive reduction in capacity; health scare related to the product or
industry

• Public relations disaster – pressure group or unwelcome media attention; adverse publicity in the
media; removal/loss/prosecution of chief executive officer or other key management
• Business crisis – sudden strike by workforce; sudden collapse of key supplier; withdrawal of
support by major customer; competitor launches new product; sudden shortfall in demand
• Management crisis – hostile takeover bid; death of key management; managers poached by main
competitor; boardroom battles
• Legal/regulatory crisis – product liability; new regulations increase costs or remove competitive
edge; employee or other fraud

7.4 Managing a crisis


A crisis happens when a risk becomes a reality. The business should seek to prevent crises, and to
have contingency plans should a crisis occur. It should also act to resolve an actual crisis in the most
effective way.

7.4.1 Crisis prevention


The business should always seek to prevent a crisis by planning ahead and projecting likely
outcomes; it should avoid decisions that have the potential to turn into a crisis.

7.4.2 Contingency planning


The business should make a contingency plan for the worst and/or most likely crises to occur. This
must be kept up to date, and staff should be trained in how it should be implemented in the event of
a crisis.

7.4.3 Effective action in the event of a crisis


• Assess objectively the cause(s) of the crisis
• Determine whether the cause(s) will have a long-term or short-term effect
• Project the most likely course of events
• Focus resources on activities that mitigate or eliminate the crisis
• Look for opportunities
In the event of a public relations crisis:
• act immediately to prevent or counter the spread of negative information; this may require
intense media activities; and
• use media to provide a counter-argument or question the credibility of the original negative
publicity

Interactive question 5: Contingency planning


Consider what you would do if, at a time when your business has a small overdraft and very little
money expected in shortly, it is faced with a large demand from a government body which requires
settlement in one month.

See Answer at the end of this chapter.

8 Business resilience
Section overview

• Business resilience can be assessed using two factors: the processes and functions that protect
the organisation; and cross-cutting characteristics of the organisation that drive resilience.
• There are a number of features that resilient organisations share as well as a number of challenges
to building resilience.
• Organisations should measure their current levels of resilience in order to identify areas that can
be improved.

8.1 What is business resilience?

Definition
Business resilience: A business’s ability to manage and survive against planned or unplanned shocks
and disruptions to its operations.

Organisations exist within the business environment. This environment is highly dynamic with
changes happening much of the time. Usually, these changes are small and unlikely to significantly
adversely affect most businesses (such as minor changes to legislation or tax rates). However, from
time to time, larger events can occur which shock organisations and can have significant detrimental
effects on them (for example, strict new laws being enforced; economic recessions and major
uncertainties in the political or social contexts; new technologies and/or new competitors disrupting
an industry, as e-commerce has done to ‘traditional’ retailing).
Other changes might be planned by the organisation itself. It may, for example, choose to make a
major investment overseas, close down a significant operation, or stretch itself financially by taking
on high levels of debt.
Business resilience is the ability of an organisation to manage all of these changes and survive,
regardless of how disruptive these changes are.
According to the ICSA Solutions report ‘Building a resilient organisation’ (Crack, 2014), an
organisation’s resilience can be described on two axes.
Axis 1: Processes and functions that protect the organisation
• Risk management
• Business continuity planning
• Security
• IT disaster recovery
• Health and safety
• Crisis management
• Internal audit
• Governance
Axis 2: More general (‘cross-cutting’) characteristics of the organisation that drive resilience
• The level of trust employees have in the organisation and its management
• The level of trust of customers in the organisation
• The ability of the organisation to innovate
• The extent that organisational values are understood
• The extent that organisational values drive employee behaviour
• The ability of the organisation to operate risk management
• Employee morale
• Leadership and senior management involvement

Interactive question 6: Failing organisations


For an organisation that you are familiar with, or have read about in the press or online, that has
failed, consider the following:
• Why did it fail?
• What are the key factors (internal/external) which led to its failure?
• What do successful organisations in the same industry do differently, which has led to them being
successful?

See Answer at the end of this chapter.

8.2 Resilient organisations
The ICSA report identifies the following features of resilient organisations:
• Have diversified resources and assets to facilitate alternative approaches and adaptation to change
• Build strong relationships and networks (both internal and external)
• Have the ability to respond rapidly and decisively to an emerging crisis
• Have the ability to review and adapt based on experience and changing circumstances
The report also identifies the following challenges to building a resilient organisation:
• Lack of expertise: As organisations become more complex, a greater degree of expertise is
required to ensure that approaches and activities used are robust and result in an appropriate level
of resilience.
• Lack of input from senior management: Directors delegate delivery of resilience policies and
procedures to operational managers who may not fully understand what is required, or the
urgency of the task in hand.
• Siloes for delivery: Implementation of resilience programmes may lack cross-organisational
collaboration, with each business function only being concerned with their specific area.
Therefore the synergy that would be created if all business areas worked together is lost.
• Limited sharing of risk information: Siloes also limit information sharing. Rather than sharing the
outputs of their work on resilience, functions tend to keep the information to themselves.
Therefore the opportunity to improve resilience by cross-referencing and sharing results of
investigations is lost.

8.3 Measuring resilience


Because an organisation’s environment is constantly changing, the level of its resilience will also
change. For example, it might have procedures in place to ensure that it can cope financially if interest
rates rise to, say, 5%, but what happens if interest rates rise to 10%?
Therefore it is important that organisations have a means of measuring their resilience, so that they
can adapt if necessary.
The ICSA report identifies the following four metrics that can be used to measure resilience:
• Compliance – how well the organisation complies with its standards and policies
• Completeness – the scope of resilience (ie, how wide a range of issues is the organisation
prepared for)
• Value – qualitative and quantitative measures of how well the organisation can meet specific
outcomes
• Capability – evidence, collected through exercises and reviews, of the extent to which the
organisation has put resilience processes and procedures in place

8.4 Supply chain resilience


Supply chain disruption is a particular issue for companies that adopt a just-in-time approach to
inventory management. Such organisations receive deliveries almost at the point when the materials
are needed in the production process, and very little, if any, spare inventory is held. Therefore any
disruption to the supply chain (such as late deliveries or the failure of a supplier) will have a major
impact on production.
Additionally, the more that companies outsource or work with partners (such as virtual organisations)
the more they depend on, and therefore must be able to rely on, their supply chain. In a similar way
to just-in-time organisations, virtual organisations will feel a great impact from any disruption to their
supply chain. Disruption in this case may relate to the failure of IT systems to transfer data or
information, as well as the failure of suppliers to meet deadlines or if they cease operations.
One tool that addresses this potential supply chain disruption is the FM Global Resilience Index, a
data-driven tool and repository that ranks business resilience in 130 countries. The purpose of the
index is to help executives evaluate and manage supply chain risk.
Note: Cyber resilience is discussed in the chapter Developments in technology.

9 Disaster recovery and business continuity planning


Section overview

• A disaster is a major crisis or event which causes a breakdown in the business’s operations and
resultant losses.
• A business needs to recover from a disaster as quickly as possible. This is helped if the business
has a business continuity plan in place.

9.1 Disasters

Definition
Disaster: The business’s operations, or a significant part of them, break down for some reason,
leading to potential losses of equipment, data or funds.

We have seen that event risk is the operational risk of loss due to single events that are unlikely but
that may have serious consequences. Political risk is one example and is often associated especially
with less developed countries where events such as wars or military coups may result in an industry
or a business being taken over by the government and having its assets seized.
Here are some examples, along with some responses and controls, based on reduction and sharing
of the risk of the disaster where it cannot be avoided.
• A fire safety plan is an essential feature of security procedures, in order to prevent fire, detect fire
and put out the fire. Fire safety includes:
– site preparation (for example, appropriate building materials, fire doors);
– detection (for example, smoke detectors);
– extinguishing (for example, sprinklers); and
– training for staff in observing fire safety procedures
• Flooding and water damage can be countered by the use of waterproof ceilings and floors
together with the provision of adequate drainage.
• Keeping up maintenance programmes can counter the leaking roofs or dripping pipes that result
from adverse weather conditions. The problems caused by power surges resulting from lightning
can be countered by the use of uninterruptible (protected) power supplies. This will protect
equipment from fluctuations in the supply. Power failure can be protected against by the use of a
separate generator.
• Threats from terrorism can be countered by physical access controls and consultation with police
and fire authorities.
• Accidental damage can be avoided by sensible attitudes to behaviour while at work and good
layout of workspaces.

Any system which has suffered a disaster must recover as soon as possible so that further losses are
not incurred, and current losses can be rectified.
What is considered a disaster is relative to the size of the business and the significance of the item
that breaks down. The failure of a hard drive in a single PC could be extremely serious for a small
business which depended on that one computer, but in a large business it might cause minimal
inconvenience, so long as backup copies of data files are maintained.
Minor breakdowns occur regularly and require short-term recovery plans such as agreements with a
maintenance company for same or next-day on-site repairs. Disasters which result in the destruction
of a major facility or installation require a long-term plan.

9.2 Business continuity plans


A business continuity plan will typically provide for:
• Standby procedures so that some operations can be performed while normal services are
disrupted
• Recovery procedures once the cause of the breakdown has been discovered or corrected
• Personnel management policies to ensure that the above are implemented properly
The plan must cover all activities from the initial response to the disaster (crisis management),
through to damage limitation and full recovery. Responsibilities must be clearly spelt out for all
tasks.
The contents of business continuity plans often include the following.
• Definition of responsibilities: It is important that somebody (a manager or co-ordinator) is
designated to take control in a crisis. This individual can then delegate specific tasks or
responsibilities to other designated people.
• Priorities: Limited resources may be available for processing. Some tasks are more important than
others. These must be established in advance. Similarly, the recovery plan may indicate that certain
areas must be tackled first.
• Backup and standby arrangements: These may be with other installations, or with a business that
provides such services (eg, maybe the hardware vendor). Alternatively, other processes may be
possible, for instance taking cash when credit/debit card processing is interrupted.
• Communication with staff: The problems of a disaster can be compounded by poor communication
between members of staff.
• Public relations: If the disaster has a public impact, the recovery team may come under pressure
from the public or from the media.
• Risk assessment: Some way must be found of assessing the particular requirements of the
problem.

Context example: ICAEW’s business continuity plan


The ICAEW has its own business continuity plan, details of which can be found on its website
www.icaew.com/about-icaew/regulation-and-the-public-interest/business-continuity-plan
The plan covers its operational sites in Milton Keynes and London and accepts that the ICAEW may
need to materially reduce its immediate operations if the disruptive event is major.
Initially, the focus will be on recovering key business-critical activities. These have already been
identified and will be guided by business impact analysis (BIA).
In the case of a major event occurring, the priority will be to:
• protect and preserve the safety and well-being of employees, visitors and contractors;
• recover mission critical systems and resume critical ICAEW business operational activities;
• communicate appropriately with employees, media, principal contractors and stakeholders; and
• continuously manage the recovery process to ensure timely and efficient resumption of normal
business.

Summary

The future is uncertain: either a positive event may occur (an opportunity) or an adverse event may
occur (a risk).
Classifying risk
• Risks faced by the business
• Risks faced by the investor
Risk concepts
• Volatility
• Exposure
• Impact
• Probability
Measuring risk
• Mean
• Median
• Mode
• Range
• Standard deviation
• Coefficient of variation
Risk management
• Aim to minimise, limit or reduce risk
• Critical success factors and the strategic planning process (Chapter 4)
• Risk appetite and attitude to risk: risk-averse, risk-neutral, risk-seeking
• The risk management process (see Figure 5.2)
Business resilience
Crisis
• Effects and causes
• Crisis management: prevention, contingency planning, action
• When a crisis occurs: business continuity plan and disaster recovery plan

Further question practice

1 Knowledge diagnostics
Before you move on to question practice, confirm you are able to answer the following questions
having studied this chapter. If not, you are advised to revisit the relevant learning from the topic
indicated.

Confirm your learning

1 Can you distinguish between ‘risk’ and ‘uncertainty’? (Topic 1)

2 Do you know what risk appetite means and are you aware of the three different
attitudes to risk and what they are? (Topic 2)

3 Do you know the meaning of business risk, financial risk and operational risk? Can you
give examples of each? (Topic 3)

4 Do you know the meaning of ‘exposure’, ‘volatility’, ‘impact’ and ‘probability’ in the
context of risk? (Topic 4)

5 Do you understand the meaning of the mean, median and mode, can you calculate
them, and can you describe the advantages and disadvantages of these as measures
of central tendency? (Topic 4)

6 Can you interpret the range, standard deviation and co-efficient of variation of a set of
data and do you understand what, for example, a high standard deviation and a high
co-efficient of variation mean in relation to risk? (Topic 4)

7 Do you understand the concept of the normal distribution, and how it can be used to
determine the probability of a value or range of values occurring in a set of data?
(Topic 4)

8 Do you know the meaning and implications of skewness in a distribution, and can you
remember the order of the mean, median and mode in left-tailed and right-tailed
distributions? (Topic 4)

9 Can you define risk management? (Topic 6)

10 What is involved in the risk management process? (Topic 7)

11 What are the four potential responses to a risk? (Topic 7)

12 Do you know what the types of crisis are in terms of their effects and their cause? (Topic
8)

13 Do you know what actions business could take in the event of a crisis? (Topic 8)

14 Do you know the meaning of business resilience? (Topic 9)

15 Can you remember the four metrics that can be used to measure business resilience?
(Topic 9)

16 Can you state what areas are included in a business continuity plan? (Topic 10)

2 Chapter Self-test question practice


Aim to complete all self-test questions at the end of this chapter. Once completed, attempt all
questions in the Introduction to risk management chapter of the Business, Technology and Finance
Question Bank. Refer back to the learning in this chapter for any questions which you did not answer
correctly or where the suggested solution has not provided sufficient explanation to answer all your
queries. Once you have attempted these questions, you can move onto the next chapter,
Introduction to financial information.

Technical references

• ICAEW (2018) Audit Insights: Cyber security. London, ICAEW.
• ICAEW (2013) Audit Insights: Cyber security. London, ICAEW.
• ICSA Solutions (2014) Building a resilient organisation. London, ICSA Publishing.

Self-test questions

Answer the following questions.


1 Which of the following is a definition of risk?
A That events in the future cannot be predicted with certainty
B The element of a decision which is unknown
C The inability to predict the outcome of an activity due to a lack of information
D The possibility that an event will occur and adversely affect the achievement of objectives
2 Which of the following is a downside risk for a business?
A That costs might rise
B That revenue might rise
C That controls may succeed
D That quality might improve
3 Benbuck plc has had a wide range of returns to shareholders in recent years. This means that as an
investment, Benbuck plc shares are:
A volatile and low risk
B non-volatile and low risk
C volatile and high risk
D non-volatile and high risk
4 Strang plc is considering an investment in new production machinery. It has identified that the
machinery may soon become obsolete on the grounds of low productivity. This business risk could
be identified as:
A a product risk
B a strategy risk
C an enterprise risk
D an event risk
5 Mimso Bank plc’s staff appear to be unaware of the importance of risk. For Mimso Bank plc this is:
A a business risk
B an enterprise risk
C a financial risk
D an operational risk
6 The size of the gross risk facing a business is measured as:
A volatility (exposure)
B impact (exposure)
C impact (probability)
D volatility (probability)
7 Which two of the following statements relating to the mean are correct?
A It reflects all values in a data set
B It is not distorted by outliers
C It will always return a value that is the same as an actual value in the data set
D It is widely understood
8 Which statement about the standard deviation is correct?
A the value of the standard deviation is not affected by the size of the values in the data set
B the standard deviation does not reflect all the values of a set of data
C the standard deviation can take positive or negative values
D the lower it is, the more concentrated the data is around the mean
9 Which two of the following statements about the normal distribution are correct?
A the distribution is skewed to the right
B the mean and mode do not necessarily take the same value
C the probability of any value in the data set being equal to or less than the mean is 50%
D more than half of the values in a data set lie within one standard deviation of the mean
10 If a distribution is positively (right) skewed, what is the typical order (from lower to higher) of the
values of the mean, median and mode?
A mode, median, mean
B median, mean, mode
C mode, mean, median
D median, mode, mean
11 In terms of risk management, choosing to transfer some risk is part of:
A risk awareness
B response awareness
C assessment awareness
D monitoring awareness
12 Brando plc has 40 employees engaged in an activity that has been identified as having a high
element of risk to the company’s reputation. The company decides that the activity is necessary but
that only 10 staff should be engaged in it in future, and these staff should receive extra training. The
risk responses that Brando plc has applied are:
A avoidance and reduction
B transfer and acceptance
C reduction and acceptance
D avoidance and transfer
13 Heller & Co is a firm of solicitors which has long been aware that the departure of one partner, Mike
Heller, would constitute a crisis for the firm. It has therefore ensured that he is highly paid and that
Sue Jones, another partner, shadows his work and knows his clients. On 15 June Mike walks out of
the firm and provokes a serious crisis, which the firm’s very expensive PR consultants handle. The area
of crisis management which Heller & Co has neglected to address in their management of the crisis
is:
A crisis prevention
B contingency planning
C analysis of the causes of Mike’s actions on 15 June
D taking action to mitigate the crisis
14 Klib plc operates in a politically unstable country. It has arranged that a consultancy firm with access
to similar facilities as Klib plc has a complete set of backup files for Klib plc. This strategy is part of
Klib plc’s:
A risk management
B crisis management
C disaster recovery planning
D operational planning
15 Which of the following statements best describes a cyber-attack?
A Accidental damage to a computer system caused by an inexperienced user
B Data corruption caused by poor systems integrity
C Deliberate action through the internet causing loss or damage to an organisation
D Data loss caused by physical damage such as vandalism to a computer system
16 What is the meaning of business resilience?
A The ability of a business to continue its planned strategic direction and not become distracted
by external changes.
B A business’s ability to maintain its market share in a competitive environment.
C A business’s ability to manage and survive against planned or unplanned shocks and disruption
to its operations.
D A business’s ability to continue to deliver stable growth in profits over the longer term.
17 One of the threats that Blogs Co has identified to its cyber resilience is that broadband and Wi-Fi
networks may become unavailable, so people working from home would be unable to access Blogs
Co’s systems.
Requirement
In terms of the ICAEW report ‘Developing a cyber-resilience strategy’, what type of threat has Blogs
Co identified?
A Mobile threat
B Networking and cloud considerations
C Access controls in the mobile world
D Denial of service
18 A firm of chartered accountants, XYZ LLP is updating the priority of the tasks in its business continuity
plan and wishes to be consistent with the priorities used in the ICAEW’s own business continuity
plan.
Requirement
Which of the following tasks is likely to have the highest level of priority?
A Ensuring all systems recover from the disaster
B Communicating with staff and other key stakeholders
C Recovering mission critical systems so business activities can be resumed
D Protecting the safety and wellbeing of employees, visitors and contractors

Now go back to the Introduction and ensure that you have achieved the Learning outcomes listed for
this chapter.

Answers to Interactive questions

Answer to Interactive question 1


For many small businesses the most evident risk is that customers do not buy what they supply,
whether because of competition, fashion or an economic downturn. This is also the risk that is most
difficult to deal with, though being well-informed and innovative help to ensure that the business can
react adequately. There is a real risk too that the costs of providing the goods or service will rise,
which again is hard to contend with as the business may have little or no bargaining power. The risks
from inadequate controls are less likely though more catastrophic; most small business owners are
very closely involved in the running of it and keep close control of quality, administration and staff,
but there are plenty of businesses which have gone under due to one fraud, or one lapse of quality.
Finance is also a serious risk; bank overdrafts can be called in on demand, and cash flow has often
caused very severe problems, even winding up, in otherwise successful businesses.

Answer to Interactive question 2


Mean = £8,000. Median = £6,400. Mode = £6,400.
The mean = the sum of all the values ÷ number of values
Total sales for the week were £(2,000 + 2,500 + 6,400 + 6,400 + 12,000 + 14,000 + 12,700) =
£56,000
Number of days = 7
Therefore mean = Σ(x)/n = £8,000
To calculate the median, daily sales must be ranked in order (2,000, 2,500, 6,400, 6,400, 12,000,
12,700, 14,000). Since we have 7 values, the median is the 4th value being £6,400.
The mode is the most frequently occurring value. The only value that occurs more than once is
£6,400 which occurs twice. The mode is therefore £6,400.

Answer to Interactive question 3


The range is the difference between the highest and lowest values, being £10,700 (12,700 - 2,000).

The coefficient of variation = standard deviation ÷ mean = 4,559 ÷ 8,000 = 57%

The meaning of the standard deviation is that on average, the difference between daily sales and the
mean is £4,559. The coefficient of variation is 57%, meaning that on average, sales deviate from the
mean by 57% each day. Sales are therefore very volatile.
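The measures used in the answers to Interactive questions 2 and 3 can be recomputed with Python’s standard `statistics` module. This is an added example, not part of the ICAEW text; it takes the seven daily sales figures listed in the answer to Interactive question 2 as a constructed sample and derives the mean, median, mode, range, standard deviation and coefficient of variation directly from them. The standard deviation is the population figure (divide by n), which is what the textbook’s £4,559 corresponds to.

```python
from statistics import mean, median, multimode, pstdev

# Constructed sample: the seven daily sales figures (in £) quoted in the
# answer to Interactive question 2, in the order the question gives them.
DAILY_SALES = [2_000, 2_500, 6_400, 6_400, 12_000, 14_000, 12_700]


def central_tendency(values):
    """Return (mean, median, mode) for a list of numbers.

    The median is found by ranking the values and taking the middle one (or the
    average of the two middle ones for an even count). The mode is the most
    frequent value; when several values tie, the lowest is returned so that the
    result is deterministic.
    """
    return mean(values), median(values), min(multimode(values))


def spread(values):
    """Return (range, population standard deviation, coefficient of variation).

    The week is treated as a whole population, so the standard deviation
    divides by n (pstdev), not n - 1. The coefficient of variation expresses
    the standard deviation as a fraction of the mean, which is why it can be
    compared across data sets of different size (see self-test answer 8).
    """
    value_range = max(values) - min(values)
    sd = pstdev(values)
    cov = sd / mean(values)
    return value_range, sd, cov


def summarise(values):
    """Collect the measures in one dictionary, rounded as the textbook rounds them."""
    avg, med, mode = central_tendency(values)
    value_range, sd, cov = spread(values)
    return {
        "mean": avg,
        "median": med,
        "mode": mode,
        "range": value_range,
        "standard_deviation": round(sd),       # 4,559
        "coefficient_of_variation": round(cov, 2),  # 0.57, i.e. 57%
    }


if __name__ == "__main__":
    for name, value in summarise(DAILY_SALES).items():
        print(f"{name:>25}: {value:,}")
```

Because the coefficient of variation is scale-free, the same function can be run over, say, daily loss figures from two business units of very different size and the two values compared directly, whereas their standard deviations in pounds could not be.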

Answer to Interactive question 4


PII is a requirement not of the law but of ICAEW itself, which acts as regulator of its members both in
and out of public practice. PII is intended to provide funds to persons who have suffered financial
loss as a result of the negligence of a chartered accountant; this is paid to the injured party, not to
the chartered accountant, but it is an example of how a person (the chartered accountant) may
transfer some of the risks they face to another entity, in this case the insurance company.

Answer to Interactive question 5


You should not wait for further evidence before acting. Immediately take action to maintain or
increase cash flow:
• Accelerate receipts from customers even if this requires the granting of discounts
• Decelerate payments to suppliers even if this means losing discounts
• Increase short-term sales but maintain or increase margins on sales if possible
• Reduce expenses:
– Eliminate non-essential expenses
– Sell surplus long-term assets
– Reduce payroll if possible
– Renegotiate the overdraft and other debts

Answer to Interactive question 6


There is no ‘answer’ to this question as such, because responses will depend on the organisation that
you chose. However, this is a useful exercise to get you thinking about business resilience issues from
a ‘real-world’ point of view.

Answers to Self-test questions

1 Correct answer(s):
D The possibility that an event will occur and adversely affect the achievement of objectives
Option A describes variability, option B is not a definition of risk and option C defines uncertainty.

2 Correct answer(s):
A That costs might rise
All of the other options are upside risks.

3 Correct answer(s):
C volatile and high risk
Volatility measures the variation of returns in terms of profits, dividends and share prices – the more
volatile the return, the higher the risk.

4 Correct answer(s):
B a strategy risk

5 Correct answer(s):
D an operational risk
This is a people risk, which is a kind of operational risk.

6 Correct answer(s):
C impact (probability)

7 Correct answer(s):
A It reflects all values in a data set
D It is widely understood
The mean could be distorted by outliers, so statement B is not correct.
The mean may return a value that is not the same as an actual value in the data set, so C is not
correct.

8 Correct answer(s):
D the lower it is, the more concentrated the data is around the mean
If the size of the values in the data is higher, the standard deviation is likely to be larger too, which is
why the coefficient of variation is used. A is therefore wrong.
The standard deviation does use all the data in a data set (via the variance).
The standard deviation can either be positive or (in rare cases) zero. It cannot be negative.

9 Correct answer(s):
C the probability of any value in the data set being equal to or less than the mean is 50%
D more than half of the values in a data set lie within one standard deviation of the mean
The normal distribution is symmetrical – it is not skewed. Therefore A is incorrect.
The mean, median and mode all have the same value in the normal distribution. So B is incorrect.
Since the distribution is symmetrical, 50% of the values do lie at or below the mean.
The probability of any value being in the range from one standard deviation below the mean to one
standard deviation above the mean is 68.2% (you would not be expected to memorise this value, but
it is important to understand that the majority of the data in the normal distribution is located within
one standard deviation of the mean). D is therefore correct.

10 Correct answer(s):
A mode, median, mean
The mode is typically at the top of the hump in a distribution. In a skewed distribution the median is
next to the mode and the mean is next to the median. In a positively skewed (right-hand) distribution
the sequence is mode, median, mean: both the median and the mean are higher than the mode,
sliding down the long right-hand tail of a distribution whose hump is to the left.
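The two properties quoted in self-test answers 9 and 10, the 50% and 68% probabilities of the normal distribution and the mode, median, mean ordering of a right-skewed distribution, can be checked numerically. The following is an added example and not part of the ICAEW text. The `LOSS_EVENTS` and `NEGATIVE_SKEW` lists are constructed illustrations, and the example goes slightly beyond answer 10 by also showing that the ordering reverses for a negatively (left) skewed data set.

```python
from statistics import NormalDist, mean, median, multimode

# Constructed right-skewed sample: many small loss events and a few large ones,
# the shape typically seen in operational-loss data (hump on the left, long
# tail to the right).
LOSS_EVENTS = [1, 1, 1, 2, 2, 3, 4, 6, 10, 25]

# Constructed mirror image: the same figures negated, giving a left-skewed shape.
NEGATIVE_SKEW = [-x for x in LOSS_EVENTS]


def order_of_central_measures(values):
    """Return the names of mode, median and mean sorted from lowest to highest value.

    For a positively (right) skewed data set the long tail pulls the mean above
    the median, and the median above the mode, so the expected result is
    ['mode', 'median', 'mean'] (self-test answer 10). For a negatively skewed
    data set the order is reversed. Ties are left in insertion order.
    """
    measures = {
        "mode": min(multimode(values)),
        "median": median(values),
        "mean": mean(values),
    }
    return sorted(measures, key=measures.get)


def normal_probabilities(mu=0.0, sigma=1.0):
    """Two probabilities for a normal distribution with mean mu and standard deviation sigma.

    Returns (P(value <= mean), P(mean - sd <= value <= mean + sd)), each rounded
    to four decimal places. The first is 0.5 because the distribution is
    symmetrical; the second is about 0.68, the figure quoted in self-test
    answer 9. Neither depends on the particular mu or sigma chosen.
    """
    nd = NormalDist(mu, sigma)
    at_or_below_mean = nd.cdf(mu)
    within_one_sd = nd.cdf(mu + sigma) - nd.cdf(mu - sigma)
    return round(at_or_below_mean, 4), round(within_one_sd, 4)


if __name__ == "__main__":
    print("right skew:", order_of_central_measures(LOSS_EVENTS))
    print("left skew: ", order_of_central_measures(NEGATIVE_SKEW))
    # Using the daily-sales mean and standard deviation from Interactive
    # question 3 shows that the probabilities do not change with scale.
    print("normal:    ", normal_probabilities(8_000, 4_559))
```

A practical reading of the first function: if a sample of loss amounts returns the order mode, median, mean, the average loss overstates the typical loss, and a risk estimate built on the mean alone should be accompanied by the median or a percentile.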

11 Correct answer(s):
B response awareness

12 Correct answer(s):
A avoidance and reduction
Reducing the number of staff is a form of avoidance; training the remaining ones is a form of risk
reduction.

13 Correct answer(s):
C analysis of the causes of Mike’s actions on 15 June

14 Correct answer(s):
C disaster recovery planning

15 Correct answer(s):
C Deliberate action through the internet causing loss or damage to an organisation
Cyber-attacks are deliberate and take place through the internet.

16 Correct answer(s):
C A business’s ability to manage and survive against planned or unplanned shocks and disruption
to its operations.

17 Correct answer(s):
B Networking and cloud considerations
Mobile threat refers to the risk of mobile devices that contain confidential information, or that provide
access to the business’s networks, being lost or stolen. Access controls in the mobile world relates to
the threat of poor access controls on the company’s main systems when they grant access to mobile
devices. A denial of service attack is not mentioned as a category of cyber resilience threats in the
ICAEW report, but it is a type of cyber-attack in which the perpetrators try to crash a target system.

18 Correct answer(s):
D Protecting the safety and wellbeing of employees, visitors and contractors
This is the first priority in the ICAEW’s business continuity plan. It recognises that when a disaster
occurs (eg, an earthquake or terrorist attack) the safety of humans is paramount.

Chapter 6

The finance function and


financial information

Introduction
Learning outcomes
Syllabus links
Assessment context
Chapter study guidance

Learning topics
1 What does the finance function do?
2 The structure of the finance function
3 Managing the finance function
4 Uses and types of financial information
5 Users of financial information and their information needs
6 Limitations of financial information in meeting users’ needs
7 Information processing and management
8 Information security
9 Measuring performance
10 Measuring climate change, sustainability management and
natural capital
11 Establishing financial control processes and internal controls
Summary
Further Question Practice
Technical references
Self-test questions
Answers to Interactive questions
Answers to Self-test questions
