Chapter 2

Risk management
Chapter learning objectives

Lead: A2. Evaluate risk exposure
Component:
(a) Evaluate the impact of risk
(b) Assess the likelihood of risks
(c) Analyse the interaction of different risks

Lead: A3. Discuss ways of managing risk
Component:
(b) Discuss risk tolerance, appetite and capacity
(c) Discuss risk management frameworks
(d) Discuss risk analytics

Lead: C2. Recommend internal controls for risk management
Component:
(a) Discuss the COSO risk management framework

1 Risk management
Risk management is defined as:
‘the process of understanding and managing the risks that the organisation is
inevitably subject to in attempting to achieve its corporate objectives’
CIMA Official Terminology
• The traditional view of risk management has been one of protecting the organisation from loss through conformance procedures and hedging techniques – this is about avoiding the downside risk.
• The new approach to risk management is about taking advantage of the opportunities to increase overall returns within a business – benefiting from the upside risk.
• The following diagram shows how risk management can reconcile the two perspectives of conformance and performance (as discussed previously in chapter 1).

Source: IFAC (1999) Enhancing Shareholder Wealth By Better Managing Risk

Enterprise Risk Management (ERM)


Enterprise risk management is the term given to the alignment of risk
management with business strategy and the embedding of a risk
management culture into business operations.
It has been defined as:
'A process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.'
Committee of Sponsoring Organisations of the Treadway Commission
(COSO) (2003)
Risk management has transformed from a ‘department focused’
approach to a holistic, co-ordinated and integrated process which
manages risk throughout the organisation.
The key principles of ERM include:
• consideration of risk management in the context of business strategy
• risk management is everyone’s responsibility, with the tone set from the top
• the creation of a risk aware culture
• a comprehensive and holistic approach to risk management
• consideration of a broad range of risks (strategic, financial, operational and compliance)
• a focused risk management strategy, led by the board (embedding risk within an organisation's culture).

The COSO ERM Framework is represented as a three dimensional matrix in the form of a cube which reflects the relationships between objectives, components and different organisational levels.

• The four objectives (strategic, operations, reporting and compliance) reflect the responsibility of different executives across the entity and address different needs.
• The four organisational levels (subsidiary, business unit, division and entity) emphasise the importance of managing risks across the enterprise as a whole.
• The eight components must function effectively for risk management to be successful.
The eight components are closely aligned to the risk management process addressed previously, and also reflect elements from the COSO view of an effective internal control system:
• Internal environment: This is the tone of the organisation, including the risk management philosophy and risk appetite (see later in this chapter).
• Objective setting: Objectives should be aligned with the organisation’s mission and need to be consistent with the organisation’s defined risk appetite.
• Event identification: These are internal and external events (both positive and negative) which impact upon the achievement of an entity’s objectives and must be identified.

• Risk assessment: Risks are analysed to consider their likelihood and impact as a basis for determining how they should be managed.
• Risk response: Management selects risk response(s) to avoid, accept, reduce or share risk. The intention is to develop a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control activities: Policies and procedures help ensure the risk responses are effectively carried out.
• Information and communication: The relevant information is identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
• Monitoring: The entire ERM process is monitored and modifications made as necessary.

Risk management and shareholder value


Ernst and Young (2001) have developed a model of shareholder value in
which:
Shareholder value = Static NPV of existing business model + Value
of future growth options
which more simply put is: ‘the sum of the value of what a company does
now and the value of what they could possibly do in the future’.
Good risk management allows businesses to exploit opportunities for
future growth while protecting the value already created. By aligning risk
management activity to what the shareholders consider vital to the
success of the business, the shareholders are assured that what they
value is protected. Ernst and Young identify four stages:
(a) Establish what shareholders value about the company – through
talking with the investment community and linking value creation
processes to key performance indicators.
(b) Identify the risks around the key shareholder value drivers – the
investment community can identify those factors that will influence
their valuation of the company. All other risks will also be
considered, including those not identified by investors.
(c) Determine the preferred treatment for the risks – the investment
community can give their views on what actions they would like
management to take in relation to the risks. The risk/reward trade-
off can be quantified by estimating the change in a company’s
market valuation if a particular risk treatment is implemented.
(d) Communicate risk treatments to shareholders – shareholders need
to be well informed, as a shared vision is important in relation to the
inter-related concepts of risk management and shareholder value.

Test your understanding 1


IFAC highlighted two aspects of risk management which link risk aversion
and risk seeking activities. They are:
A Compliance and strategy
B Conformance and performance
C Compliance and conformance
D Performance and strategy

Test your understanding 2


In 2003 the Committee of Sponsoring Organisations (COSO) outlined six
key principles of Enterprise Risk Management (ERM).
Identify which of the following is/are included.
Select ALL that apply
A Consideration of risk management in the context of business
strategy
B The creation of a risk aware culture
C Consideration of a narrow range of risks, mainly financial
D Risk management is the responsibility of the Risk Committee
E A comprehensive and holistic approach to risk management

ERM – Integrating strategy with performance 2017


In 2017 COSO produced an update to the ERM framework. The update uses a
new diagram – the double helix (shown below) – and the key principle is that
ERM should be ingrained into everything the organisation does including setting
the mission, vision and core values of the entity.
Risk is inherent in everything an entity does and it is therefore a risk that a
strategy chosen by an entity may not be in line with the stated mission, vision
and core values.

The double helix is broken down into five components:

1 Governance and culture
This relates to the internal environment and emphasises the importance of the tone of the organisation. It also includes ethical behaviour and understanding the risk appetite of the entity.
2 Strategy and objective setting
This component is possibly the main focus of the update; it emphasises the importance of making sure that ERM and objective setting are aligned to risk appetite in the strategic planning stage – to make sure that the strategy can be implemented successfully. This component therefore helps to minimise the risk of the wrong strategy being chosen.
3 Performance
This combines the components from the original cube of event identification, risk assessment and risk response. It involves maintaining a focus on identifying internal and external events (both positive and negative) which could impact upon the achievement of an entity’s objectives, assessing the likelihood and impact of these events to prioritise their importance, and then developing a response to accept, reduce, avoid or share the risk.
4 Review and revision
Policies and procedures to help ensure the risk responses are effectively carried out, through the selection of key metrics. This ensures that the entire ERM process is monitored and modifications made as necessary.
5 Information, communication and reporting
As always, it is vitally important that the relevant information is identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities, and that this information is reported to the right people and levels, be that directors or shareholders.

The cube or the helix


It is important to note that COSO has not withdrawn the cube (which is why it
remains part of the P3 syllabus). The cube also provides a useful background to
the development of the 2017 update.
COSO want to encourage organisations to identify the framework that works
best for their situation, giving the company the best chance to improve their
performance and of achieving their strategy and objectives.

Benefits of ERM
Benefits of effective ERM include:
• enhanced decision-making by integrating risks
• reduced performance fluctuations and fewer interruptions to operations
• the resultant improvement in investor confidence, and hence shareholder value
• focus of management attention on the most significant risks
• a common language of risk management which is understood throughout the organisation, enabling performance improvement
• increased ability to benefit from upside risk and reduced susceptibility to downside risk
• reduced cost of finance through effective management of risk
• improved utilisation of resources
• increased opportunities for the organisation.

Test your understanding 3


Q Co is a new organisation, but management are keen to maximise their
chances of achieving their objectives by using ERM. They have recently
met to discuss the controls they will use to mitigate the risks they
considered to be the most significant.
Which one of the ERM Integrating strategy with performance 2017
components does this best describe:
A Information, communication and reporting
B Review and revision
C Governance and culture
D Performance
E Strategy and objective setting

2 Risk management strategy


Formulation of a risk strategy
• For many businesses the specific formulation of a risk strategy has been a recent development.
• In the past, a formal strategy for managing risks would not be developed, but rather it would be left to individual managers to make assessments of the risks the business faced and exercise judgement on what was a reasonable level of risk.
• This has now changed: failure to properly identify and control risks has been identified as a major cause of business failure (take Barings Bank as an example).

A framework for board consideration of risk is shown below:

Formulating a risk management strategy


A risk management strategy needs to be developed to ensure that the risk exposures of the organisation are consistent with its risk appetite. At the very least, the risk management capability within the organisation should be sufficient to:
• review its internal control system and its adequacy at least annually,
• ensure that controls are properly implemented, and
• monitor the implementation and effectiveness of controls.
However, the investment by the organisation in risk strategy should be largely determined by the performance requirements of its business objectives and strategy:

• Risk appetite can be defined as the amount of risk an organisation is willing to accept in pursuit of value. This may be explicit in strategies, policies and procedures, or it may be implicit. It is determined by:
– risk capacity – the amount of risk that the organisation can bear, and
– risk attitude – the overall approach to risk, in terms of the board being risk averse or risk seeking.
• The way that the organisation documents and determines the specific parts of its risk strategy should link to the business strategy and objectives.
• Overall risk management strategy is concerned with trying to achieve the required business objectives with the lowest possible chance of failure. The tougher the business objectives, however, the more risks will have to be taken to achieve them.
• Residual risk is the risk a business faces after its controls have been considered (see later in this chapter for more details).

More on risk appetite


To bring risk management into line with strategic management, an organisation should define the amount of risk it is prepared to take in the pursuit of its objectives. This willingness to accept risk can be stated in a mixture of quantitative and qualitative terms. For example:
• The board of directors might state how much capital they would be prepared to invest in the pursuit of a business objective and the size of the loss they would be willing to face in the event that results turn out badly.
• Risk can also be stated qualitatively, for example in relation to the organisation’s reputation.
In practice, in a large organisation, there will be different levels of risk appetite for different operations or different profit centres/investment centres within the business.
Risk appetite factors
The factors, or business strategies, which could affect the risk appetite of the board of a company include:
Nature of product being manufactured – A high risk of product failure in certain products (e.g. aircraft) must be avoided due to the serious consequences of such an event. This will, out of necessity, limit the risk appetite of the board with regard to these specific products. For other products the risk of failure will be less (e.g. a fizzy drink having small changes from the normal ingredients – customers may not even notice the difference). Additionally, if a business is taking significant risks with part of its product range it may be limited in the risk it can take with other products.
The need to increase sales – The strategic need to move into a new market will result in the business accepting a higher degree of risk than trying to increase sales or market share in an existing market. At that stage the business will appear to have a higher risk appetite.
The background of the board – Some board members may accept increased risk personally and this may be reflected in the way they manage the company.
Amount of change in the market – Operating in a market place with significant change (e.g. mobile telephones) will mean that the board have to accept a higher degree of risk. For example, new models of phone have to be available quickly.
Reputation of the company – If the company has a good reputation then the board will accept less risk – as they will not want to lose that good reputation.

Test your understanding 4


The amount of risk an organisation is willing to accept in the pursuit of
value is known as their:
A Risk map
B Risk appetite
C Risk culture
D Risk thermostat

Features of a risk management strategy


In a CIMA and IFAC (International Federation of Accountants) joint report in
2004 – Enterprise Governance – the following key features of a risk
management strategy were identified:
• Statement of the organisation’s attitude to risk – the balance between risk and the need to achieve objectives.
• The risk appetite of the organisation.
• The objectives of the risk management strategy.
• Culture of the organisation in relation to risk (and the behaviour the organisation expects from individuals with regard to risk-taking).
• Responsibilities of managers for the application of risk management strategy.
• Reference should be made to the risk management systems the company uses (i.e. its internal control systems).
• Performance criteria should be defined so that the effectiveness of risk management can be evaluated.

An alternative risk management process


The Institute of Risk Management (IRM) developed a risk management
process containing three elements:
(1) Risk assessment is composed of the analysis and evaluation of
risk through the process of identification, description and estimation.
The purpose of risk assessment is to undertake risk evaluation. Risk
evaluation is used to make decisions about the significance of risks
to the organisation and whether each specific risk should be
accepted or treated.
(2) Risk reporting is concerned with regular reports to the board and to
stakeholders setting out the organisation's policies in relation to risk
and enabling the effective monitoring of those policies.
(3) Risk treatment (risk response) is the process of selecting and
implementing measures to modify the risk.
Residual risk reporting will therefore follow risk treatment.

3 Identifying, measuring and assessing risks


Chapter 1 examined the different types of risks faced by an organisation. It is
key, however, that businesses can identify the risks they face and evaluate the
effect of these risks on the business. Some risks will be relatively easily borne
by businesses, but others will be more difficult and more serious in their
implications.

Risk identification
• The risk identification process will often be controlled by a risk committee or risk management specialists (see later in this chapter).
• The risks identified in the process should be recorded in a risk register, which is simply a list of the risks that have been identified, and the measures (if any) that have been taken to control each of them.
• There are a variety of methods that can be used by businesses to identify the risks that they face.

The risk register


The risk register is a very important and practical risk management tool
that should be used by all companies. It takes several days, if not weeks,
to produce, and needs to be reviewed and updated regularly – often
annually (in conjunction with corporate governance guidelines).
The risk register is often laid out in the form of a tabular document with
various headings:
(1) The risk title – stating what the risk might be.
(2) The likelihood of the risk – possibly measured numerically if a
scale has been set e.g. 1 is unlikely, 5 is highly likely.
(3) The impact of the risk should it arise. Again this might be graded
from, say, 1 (low impact) to 5 (high impact).
(4) The risk owner’s name will be given – usually a manager or
director.
(5) The date the risk was identified will be detailed.
(6) The date the risk was last considered will be given.
(7) Mitigation actions should be listed i.e. what the company has done
so far to reduce the risk. This might include training, insurance,
further controls added to the system, etc.
(8) An overall risk rating might be given e.g. 1/10, so that
management can immediately see which risks are the ones they
should be concentrating on.
(9) Further actions to be taken in the future will be listed (if any).
(10) The 'action lead' name will be detailed i.e. who is responsible for making sure that these future actions are implemented.
(11) A due date will state the date by which the action has to be implemented.
(12) A risk level target might be given i.e. a score lower than that given in step 8 above. This might mean that by implementing a control, the risk rating is expected to lower from, say, 8 to, say, 2 (the target risk level).
For example, using the steps detailed above, one row of a tabulated risk register might show:
(1) Loss of personal data i.e. insecure use of mobile devices could result in personally identifiable information being lost, stolen or accessed without authorisation.
(2) Likelihood = 3
(3) Impact = 5
(4) Risk owner = Mike Smith (IT manager)
(5) 1.1.X2
(6) 2.2.X4

(7) Staff receive training every 2 years which highlights the risks. All
laptops are encrypted. Regular audits are undertaken. Any incidents
are reported to the Audit Committee.
(8) Overall risk rating = 7
(9) Encryption technology to be implemented which meets industry
standard.
(10) Mike Smith
(11) 31.7.X4
(12) Risk level target = 3
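To make the twelve headings concrete, here is an added example (not from the textbook) of a risk register kept as code, together with the checks a reviewer would run over it: ordering the register so the most significant risks come first, flagging further actions that are past their due date while the overall rating is still above target, and flagging risks not reconsidered within the annual review cycle. The entries, names, dates, the 1 to 5 scales and the function names are constructed assumptions; the first row follows the worked row above, with constructed dates in place of the X2/X4 years.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class RiskEntry:
    """One row of a tabular risk register, following the twelve headings above."""
    title: str                  # (1) what the risk might be
    likelihood: int             # (2) 1 = unlikely .. 5 = highly likely
    impact: int                 # (3) 1 = low impact .. 5 = high impact
    owner: str                  # (4) usually a manager or director
    identified: date            # (5) date the risk was identified
    last_reviewed: date         # (6) date the risk was last considered
    mitigations: List[str]      # (7) what has been done so far to reduce the risk
    overall_rating: int         # (8) e.g. out of 10
    further_actions: List[str]  # (9) actions still to be taken
    action_lead: str            # (10) who makes sure (9) is implemented
    due_date: Optional[date]    # (11) date by which (9) must be implemented
    target_rating: int          # (12) rating expected once (9) is done

    def __post_init__(self):
        # Likelihood and impact must sit on the 1..5 scale the register defines.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        if self.target_rating > self.overall_rating:
            raise ValueError("target rating cannot exceed the current overall rating")


def prioritise(register: List[RiskEntry]) -> List[str]:
    """Risk titles ordered so management sees the most significant risks first:
    highest overall rating, then highest likelihood x impact as a tie-breaker."""
    ordered = sorted(register,
                     key=lambda r: (r.overall_rating, r.likelihood * r.impact),
                     reverse=True)
    return [r.title for r in ordered]


def overdue_actions(register: List[RiskEntry], today: date) -> List[str]:
    """Risks whose further actions are past their due date while the rating is
    still above target, i.e. the action lead has not yet closed the gap."""
    return [r.title for r in register
            if r.due_date is not None and r.due_date < today
            and r.further_actions and r.overall_rating > r.target_rating]


def stale_reviews(register: List[RiskEntry], today: date,
                  max_age_days: int = 365) -> List[str]:
    """Risks not reconsidered within the review cycle (annual by default)."""
    return [r.title for r in register
            if today - r.last_reviewed > timedelta(days=max_age_days)]


# Constructed sample register. The first row mirrors the worked row above
# (the X2/X4 years replaced by constructed dates); the other rows are invented.
SAMPLE_REGISTER = [
    RiskEntry("Loss of personal data", 3, 5, "Mike Smith (IT manager)",
              date(2022, 1, 1), date(2024, 2, 2),
              ["Staff training every 2 years", "All laptops encrypted",
               "Regular audits", "Incidents reported to the Audit Committee"],
              7, ["Implement industry-standard encryption technology"],
              "Mike Smith", date(2024, 7, 31), 3),
    RiskEntry("Key supplier failure", 2, 4, "Procurement manager",
              date(2023, 3, 1), date(2023, 3, 1),
              ["Dual sourcing for critical parts"],
              5, ["Review contract termination terms"],
              "Procurement manager", date(2024, 12, 31), 4),
    RiskEntry("Office fire", 1, 5, "Facilities manager",
              date(2021, 6, 1), date(2024, 6, 1),
              ["Fire alarms and drills", "Property insurance"],
              2, [], "Facilities manager", None, 2),
]

REVIEW_DATE = date(2024, 9, 1)  # constructed date of the register review

if __name__ == "__main__":
    print("Priority order:", prioritise(SAMPLE_REGISTER))
    print("Overdue actions:", overdue_actions(SAMPLE_REGISTER, REVIEW_DATE))
    print("Stale reviews:", stale_reviews(SAMPLE_REGISTER, REVIEW_DATE))
```

The two validation rules in `__post_init__` are the ones that most often go wrong in spreadsheet registers: a likelihood or impact outside the agreed scale, or a target that is not actually lower than the current rating.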

Test your understanding 5


Risk registers would normally detail which of the following:
Select ALL that apply
A Risk level before controls are implemented
B Risk level after controls are implemented
C Responsibility for managing risks
D The total cost of a control being implemented

More on risk identification

Some of the common methods of risk identification include:

PEST/SWOT analysis – PEST (Political, Economic, Social, Technological) and SWOT (Strengths, Weaknesses, Opportunities, Threats) are very well known and familiar business analysis tools. These models can be used to assess risks by providing a framework to identify and think about the risks in the organisation.
External advisors – Companies may employ external risk consultants who will advise on key risks and processes that can be used to limit and control those risks. Consultants have access to other businesses and as a result may have pools of knowledge not available internally.
Interviews/questionnaires – The company may conduct interviews or send questionnaires to key business managers asking them to indicate principal risks.
Internal audit – One of the functions of internal audit should be to provide recommendations on controlling risk. As part of their work, therefore, internal audit assess where the organisation faces risk.
Brainstorming – The business may decide to use more informal brainstorming meetings to assess the risks it faces. These meetings have the advantage of accessing many different viewpoints.
Any of these methods identify risks but at the end of the process it is
important that the organisation determines which its principal risks are. It
is these principal risks that will determine the controls that need to be put
in place and the systems that will have to be introduced to control and
manage the risks.

Quantification of risk exposures

Quantification of risk is important in understanding the extent and significance of risk exposure. This can be done by measuring the impact of the risk factor (such as exchange rates) on the total value of the company, or on individual items such as cash flow or costs.
• Risks that are identified should be measured and assessed. The extent to which this can be done depends on the information available to the risk manager.
• In some companies, particularly in the banking and insurance industries, many risks can be measured statistically, on the basis of historical information.
• In many other situations, the measurement and assessment of risk depends on management judgement.
Some quantitative techniques include:
• expected values and standard deviation
• volatility
• value at risk (VaR)
• regression analysis
• simulation analysis
Expected values and standard deviation
• Some risks can be measured using expected values.
Expected value = Σ (prob × X)
where prob = probability of an outcome, X = value of that outcome

Expected value of risk


When statistical estimates are available for the probabilities of different
outcomes and the value of each outcome, risk can be measured as an
expected value of loss or gain.
Expected value of loss = p × L
Where:
p is the probability that the outcome will occur
L is the loss in the event that the outcome does occur.
Example
The finance director of a company has to prepare an assessment of
credit risk for a report to the board. The company has annual credit sales
of $12 million, and customers are given 60 days (two months) credit.
Experience shows that:
 irrecoverable debts written off amount to 1.5% of total annual credit
sales
 10% of irrecoverable debts written off are subsequently recovered
by legal action.
Required:
(a) What is the credit risk exposure of the company?
(b) What is the expected loss each year due to credit risk?
Solution
(a) The total exposure to credit risk can be expressed either as the total
annual credit sales ($12 million) or the exposure to unpaid debts at
any point in time ($12 million × 2/12 = $2 million).
(b) For a full year the expected value of loss is = $12 million × 1.5% ×
90% = $162,000

The standard deviation is a measure of the dispersion of the possible values of a given factor, such as cash flow, from the expected value or mean. Thus the standard deviation provides a measure of volatility – the greater the standard deviation, the greater the risk involved.
Volatility
• Another way of assessing risk might be looking at potential volatility. For example, a company might calculate an expected value based on a range of probabilities but also assess the potential variation from that expected outcome (range or standard deviation).
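Added example (not part of the text): the expected value, standard deviation and range calculations from this section applied to a constructed probability distribution, plus the credit-risk exposure and expected-loss figures from the worked example above. The cash-outflow distribution and the function names are assumptions; the $12 million, 1.5% and 10% credit figures are the text's own.

```python
from math import sqrt
from typing import List, Tuple

Outcome = Tuple[float, float]  # (probability, value of that outcome)


def expected_value(outcomes: List[Outcome]) -> float:
    """Expected value = sum of prob x X over all outcomes.
    The probabilities must sum to 1, otherwise the distribution is incomplete."""
    total = sum(p for p, _ in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, not 1")
    return sum(p * x for p, x in outcomes)


def standard_deviation(outcomes: List[Outcome]) -> float:
    """Dispersion of the outcomes around the expected value: the larger it is,
    the more volatile (and so the riskier) the factor being measured."""
    mu = expected_value(outcomes)
    variance = sum(p * (x - mu) ** 2 for p, x in outcomes)
    return sqrt(variance)


def volatility_range(outcomes: List[Outcome]) -> Tuple[float, float]:
    """(downside, upside): how far the lowest and highest outcomes sit from
    the expected value, the 'range' view of variation."""
    mu = expected_value(outcomes)
    values = [x for _, x in outcomes]
    return mu - min(values), max(values) - mu


def expected_loss(probability: float, loss: float) -> float:
    """Expected value of loss = p x L."""
    return probability * loss


def credit_exposure(annual_credit_sales: float, credit_months: int) -> float:
    """Unpaid debts outstanding at any point in time when customers are given
    credit_months of credit."""
    return annual_credit_sales * credit_months / 12


def expected_credit_loss(annual_credit_sales: float, write_off_rate: float,
                         recovery_rate: float) -> float:
    """Annual expected credit loss: write-offs net of what legal action recovers."""
    return annual_credit_sales * write_off_rate * (1 - recovery_rate)


# Constructed distribution of next month's cash outflow (not a figure from the text).
CASH_OUTFLOW = [(0.2, 80_000), (0.5, 100_000), (0.3, 120_000)]

if __name__ == "__main__":
    print("Expected value:", expected_value(CASH_OUTFLOW))        # 102000.0
    print("Standard deviation:", standard_deviation(CASH_OUTFLOW))  # 14000.0
    print("Downside, upside:", volatility_range(CASH_OUTFLOW))    # (22000.0, 18000.0)
    # Credit-risk example from the text: $12m sales, 2 months' credit,
    # 1.5% written off, 10% of write-offs later recovered.
    print("Exposure ($):", credit_exposure(12_000_000, 2))        # 2000000.0
    print("Expected loss ($):", expected_credit_loss(12_000_000, 0.015, 0.10))  # 162000.0
```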

Test your understanding 6 – Volatility (Integration)


The following are the forecast purchases of raw materials in a future
month:
£200,000 30% probability
£250,000 50% probability
£300,000 20% probability
Calculate the upside and downside volatility from expected purchases.

Value at risk
Value at Risk (VaR) allows investors to assess the scale of the likely loss in
their portfolio at a defined level of probability. It is becoming the most widely
used measure of financial risk and is also enshrined in both financial and
accounting regulations.
VaR is based on the assumption that investors care mainly about the probability
of a large loss. The VaR of a portfolio is the maximum loss on a portfolio
occurring within a given period of time with a given probability (usually small).
• Calculating VaR involves using three components: a time period, a confidence level and a loss amount or percentage loss.
• Statistical methods are used to calculate a standard deviation for the possible variations in the value of the total portfolio of assets over a specific period of time.
• Making an assumption that possible variations in total market value of the portfolio are normally distributed, it is then possible to predict at a given level of probability the maximum loss that the bank might suffer on its portfolio in the time period.
• A bank can try to control the risk in its asset portfolio by setting target maximum limits for value at risk over different time periods (one day, one week, one month, three months, and so on).
• VaR may be calculated as standard deviation × Z-score (the Z-score can be found from the normal distribution tables).

Normal distribution
Normal distributions can be found when we measure things such as:
• Exam results
• Staff performance gradings
• The heights of a group of people etc.
A normal distribution has the following characteristics:
The mean is shown in the centre of the diagram and the curve is
symmetrical about the mean. This means that 50% of the values will be
below the mean and 50% of the values will be above the mean.
Note: The mean, median and mode will all be the same for a normal
distribution.

How far the values spread out from the mean is the standard deviation.
This can be seen in the following diagram:

The total area under the curve is equal to 1.


If we can think of a standard normal distribution curve with three standard
deviations as follows:

In general 68% of values are within one deviation (between -1 and 1),
95% of values are within two standard deviations (between -2 and 2) and
99.7% of values are within three standard deviations (between -3 and 3).
From this we can see that if we look at a set of data which fits a normal
distribution the majority of values will occur closer to the mean, with fewer
and fewer occurring the further from the mean we move.

A standard normal distribution has:
a mean of 0
a standard deviation of 1.
This special distribution is denoted by z and can be calculated as:

Where:
z is the score
x is the value being considered
µ is the mean
σ is the standard deviation
This calculation is used to convert any value to the standard normal distribution.
Looking up the normal distribution tables
Once we have calculated our 'z score' we can look this up on the normal distribution table to find the area under the curve, which equates to the percentage chance (probability) of that value occurring.
So if we calculated a z score of 1.00, from the table the value is 0.3413. This means that 0.3413, or 34.13%, is the area shown from 0 to 1 on the diagram.

Because the curve is symmetrical about the mean, 34.13% is also the area from –1 to 0 on the diagram. So we can say that 68.26% of values will fall within one standard deviation (–1 to 1).

VaR calculation
For VaR, there are two types of calculation to consider:
(1) The confidence level that the result will be above a particular figure
– this is referred to as a one tail test.
(2) The confidence level that a figure will be within a particular range –
this is referred to as a two tail test.
In both cases we are working backwards from the percentage to find the
value of x.
One tail test
If you are asked to calculate the 95% VaR, this is a one tail test. As we are looking at risk, it is usually about being 95% certain that the outcome will be above a particular value.
Since 50% of the distribution lies on one side of the mean, within the tables we are looking for the value as close as possible to 0.4500.

Two tail test


If you are asked about being 95% certain the result is within a range, the
area would look like this:

We would be looking for 0.4750 in the tables, 47.5% above and below the
mean.

One tail test


Z is a bank. The management accountant of Z has estimated that the
value of its asset portfolio at year end will be $1,500 million, with a
standard deviation of $300 million.
Calculate the value at risk of the portfolio, at a 97.5% confidence
level. (Express your answer in $, rounded to the nearest million.)
Solution
The Z value for a one-tail 97.5% confidence level is 1.96 (from the Normal Distribution tables).
VaR = standard deviation × Z value, so the
VaR = $300 million × 1.96 = $588 million
This means there is a 2.5% chance that the value of the portfolio will be (1,500 – 588) $912 million or below.

Two tail test


AL plc, a UK-based company, is expecting to receive $10 million from a US customer. The value in pounds is dependent on the exchange rate between the dollar and the pound.
The mean exchange rate is $1.25/£ and the daily volatility of the pound/dollar exchange rate is 0.25%.
What is the range of values that AL plc will be 95% confident of
receiving in 1 day?
Solution
The mean value of the $10 million is £8 million ($10 million ÷ $1.25/£)
The daily standard deviation is (0.25% × £8 million =) £20,000
As we are looking at a range, this is a two tail test, to be 95% confident
this will be within 47.5% of the mean on either side.
First find 0.4750 in the normal tables, this is a z value of 1.96. VaR = Z ×
Std deviation = 1.96 × 20,000 = £39,200
This means that AL plc is 95% confident that the value will be within
£39,200 of the mean.
Therefore AL plc is 95% confident the sterling amount will be between
£7,960,800 & £8,039,200.
Given the 1-day VaR, we can easily calculate the VaR for longer holding periods as:
n-day VaR = 1-day VaR × √n
The VaR increases with the holding period. Thus, the longer the holding period, the greater the VaR.

Example of VaR
Suppose a UK company expects to receive $14 million from a US
customer. The value in pounds to the UK company will depend on the
exchange rate between the dollar and pounds resulting in gains or losses
as the exchange rate changes. Assume that the exchange rate today is
$1.75/£ and that the daily volatility of the pound/dollar exchange rate is
0.5%.
Calculate the
(a) 1-day 95% VaR
(b) 1-day 99% VaR.
The value of the $14 million today is £8 million ($14 million ÷ $1.75/£) with
a daily standard deviation of £40,000 (0.5% × £8 million).
(a) The standard normal value (Z) associated with the one-tail 95%
confidence level is 1.645 (see Normal Distribution tables). Hence,
the 1-day 95% VaR is 1.645 × £40,000 = £65,800. This means that
we are 95% confident that the maximum daily loss will not exceed
£65,800. Alternatively, we could also say that there is a 5% (1 out of
20) chance that the loss would exceed £65,800.
(b) The standard normal value (Z) associated with the one-tail 99%
confidence level is 2.33 (see Normal Distribution tables). Hence, the
1-day 99% VaR is 2.33 × £40,000 = £93,200. Thus, there is a 1% (1
out of 100) chance that the loss would exceed £93,200.
If we wanted to calculate the VaR for a longer period, say 5 days, at
the 95% level the calculation would be:
5 day 95% VaR = 1 day 95% VaR × √5 = £65,800 × 2.236 =
£147,133
There is a 5% chance that the company’s foreign exchange loss
would exceed £147,133 over the next 5 days.
Similarly, the 30-day 99% VaR would be:
1 day 99% VaR × √30 = £93,200 × 5.477 = £510,477
This illustrates the longer the holding period, the greater the VaR.
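The three calculations above (the one-tail bank portfolio, the two-tail AL plc range and the √n scaling of the 1-day figure) carried through as an added Python example; this is not code from the text. `statistics.NormalDist` replaces the Normal Distribution tables, and passing `z` explicitly reproduces the table-rounded figures (1.645, 2.33) the text uses.

```python
from math import sqrt
from statistics import NormalDist
from typing import Optional, Tuple

_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def z_value(confidence: float, two_tail: bool = False) -> float:
    """Standard normal z for a confidence level, replacing a table look-up.

    One-tail: the area below z equals `confidence` (0.975 -> 1.96).
    Two-tail: `confidence` is the central area, so half of the remainder
    sits in each tail (0.95 -> 0.4750 either side of the mean -> 1.96).
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    p = 1.0 - (1.0 - confidence) / 2.0 if two_tail else confidence
    return _STD_NORMAL.inv_cdf(p)


def value_at_risk(std_dev: float, confidence: float = 0.95, *,
                  two_tail: bool = False, holding_days: int = 1,
                  z: Optional[float] = None) -> float:
    """VaR = Z x standard deviation x sqrt(holding period in days).

    `z` may be given explicitly (e.g. the table-rounded 1.645 or 2.33) to
    reproduce published figures; otherwise it is derived from `confidence`.
    The sqrt(n) scaling assumes independent, identically distributed daily
    changes, which is the simplifying assumption behind the n-day formula.
    """
    if std_dev < 0:
        raise ValueError("standard deviation cannot be negative")
    if holding_days < 1:
        raise ValueError("holding_days must be at least 1")
    if z is None:
        z = z_value(confidence, two_tail)
    return std_dev * z * sqrt(holding_days)


def confidence_range(mean: float, std_dev: float, confidence: float = 0.95,
                     holding_days: int = 1) -> Tuple[float, float]:
    """Two-tail band (mean - VaR, mean + VaR): the range we are confident of."""
    v = value_at_risk(std_dev, confidence, two_tail=True, holding_days=holding_days)
    return mean - v, mean + v


def fx_exposure(foreign_amount: float, rate: float,
                daily_volatility: float) -> Tuple[float, float]:
    """Home-currency value of a foreign receivable and its daily standard
    deviation, where `rate` is foreign units per home unit ($ per pound)."""
    home_value = foreign_amount / rate
    return home_value, home_value * daily_volatility


if __name__ == "__main__":
    # One-tail: bank Z, sd $300m, 97.5% confidence -> VaR $588m, floor $912m
    bank_var = value_at_risk(300, 0.975)
    print(f"Z bank VaR: ${bank_var:.0f}m; 2.5% chance of <= ${1500 - bank_var:.0f}m")

    # Two-tail: AL plc, $10m at $1.25/pound, 0.25% daily volatility
    home, sd = fx_exposure(10_000_000, 1.25, 0.0025)
    low, high = confidence_range(home, sd, 0.95)
    print(f"AL plc 95% range: {low:,.0f} to {high:,.0f} pounds")

    # Scaling: $14m at $1.75/pound, 0.5% daily volatility, 5- and 30-day VaR
    home, sd = fx_exposure(14_000_000, 1.75, 0.005)
    print(f"5-day 95% VaR: {value_at_risk(sd, z=1.645, holding_days=5):,.0f}")
    print(f"30-day 99% VaR: {value_at_risk(sd, z=2.33, holding_days=30):,.0f}")
```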


More on value at risk (VaR)


The Basel committee established international standards for banking
laws and regulations aimed at protecting the international financial
system from the results of the collapse of major banks. Basel II
established rigorous risk and capital management requirements to ensure
each bank holds reserves sufficient to guard against its risk exposure,
given its lending and investment practices. Regulators require banks to
measure their market risk using a risk measurement model which is used
to calculate the Value at Risk (VaR).
However, the global financial crisis identified substantial problems
with banks' governance procedures in terms of understanding operational
risk and applying risk measurement models like VaR. This has been
emphasised by the number of banks that have failed or required
government support – Northern Rock and Bradford and Bingley in the
UK; Bear Stearns and Washington Mutual in the US amongst others.

Test your understanding 7


A company expects to receive $10 million from a US customer. The value
in £ will depend on the exchange rate changing. Assume that the
exchange rate today is $1.6667 / £ and that the daily volatility of the £/$
exchange rate is 0.5%.
Required:
What is the 10 day 95% VaR?

Test your understanding 8 – Value at risk (Integration)


A bank has estimated that the expected value of its portfolio in two
weeks’ time will be $50 million, with a standard deviation of $4.85 million.
Required:
Calculate and comment upon the value at risk of the portfolio, assuming a
95% confidence level.

Regression analysis
This can be used to measure a company’s exposure to several risk factors at
the same time. This is done by regressing changes in the company’s cash flows
against the risk factors (changes in interest rates, exchange rates, prices of key
commodities such as oil). The regression coefficients will indicate the
sensitivities of the company’s cash flow to these risk factors.
The drawback with this technique is that the analysis is based on historical
data, and past relationships between cash flows and risk factors may no longer
predict the company's exposure in the future.


Simulation analysis
This is used to evaluate the sensitivity of the value of the company, or its cash
flows, to a variety of risk factors. These risk factors will be given various
simulated values based on probability distributions, and the procedure is
repeated a number of times to obtain the range of results that can be achieved.
The mean and standard deviation are then calculated from these results to give
an expected value and measure of the risk.
This technique can be complex and time-consuming to carry out, and is limited
by the assumptions of the probability distributions.
Other methods of measuring or assessing the severity of an identified risk
include:
 scenario planning – forecasting various outcomes of an event;
 decision trees – use of probabilities to estimate an outcome;
 sensitivity analysis – asking 'what-if?' questions to test the robustness of a
plan. Altering one variable at a time identifies the impact of that variable.
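The simulation and sensitivity ('what-if') techniques above as an added Python example, not from the text: a constructed UK exporter whose sterling cash flow depends on two risk factors, the $/£ rate and a fuel price. All figures are assumptions, and treating the factors as independent Normals is exactly the kind of distributional assumption the text says limits the technique.

```python
import random
import statistics
from typing import Dict, List

# Constructed illustration: the exporter is owed $10m and must buy fuel priced
# in sterling, so its cash flow moves with the $/pound rate and the fuel price.
BASE: Dict[str, float] = {
    "usd_receivable": 10_000_000.0,  # $ due from the customer
    "rate": 1.25,                     # mean $/pound exchange rate
    "rate_sd": 0.0125,                # 1% daily volatility of the rate
    "barrels": 50_000.0,              # fuel to be bought
    "fuel_price": 60.0,               # mean price, pounds per barrel
    "fuel_price_sd": 6.0,             # 10% volatility of the fuel price
}


def cash_flow(rate: float, fuel_price: float, p: Dict[str, float] = BASE) -> float:
    """Sterling cash flow for one realisation of the two risk factors."""
    return p["usd_receivable"] / rate - p["barrels"] * fuel_price


def simulate(n: int = 20_000, seed: int = 1, p: Dict[str, float] = BASE) -> List[float]:
    """Draw n scenarios, giving each factor a simulated value from its assumed
    distribution (independent Normals here), and record the resulting cash flow.
    The results are only as good as those distributional assumptions."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    results = []
    for _ in range(n):
        rate = rng.gauss(p["rate"], p["rate_sd"])
        price = rng.gauss(p["fuel_price"], p["fuel_price_sd"])
        results.append(cash_flow(rate, price, p))
    return results


def summarise(samples: List[float]) -> Dict[str, float]:
    """Expected value and risk measure from the simulated range of results,
    plus the 5th percentile, i.e. a 95% one-tail VaR read off the simulation."""
    mean = statistics.fmean(samples)
    ordered = sorted(samples)
    p5 = ordered[int(0.05 * len(ordered))]
    return {"mean": mean, "sd": statistics.stdev(samples), "p5": p5, "var95": mean - p5}


def sensitivity(p: Dict[str, float] = BASE) -> Dict[str, float]:
    """Sensitivity ('what-if') analysis: move one factor by one standard
    deviation while holding the other at its mean, and report the change."""
    base = cash_flow(p["rate"], p["fuel_price"], p)
    shocks = {
        "rate +1sd": (p["rate"] + p["rate_sd"], p["fuel_price"]),
        "rate -1sd": (p["rate"] - p["rate_sd"], p["fuel_price"]),
        "fuel +1sd": (p["rate"], p["fuel_price"] + p["fuel_price_sd"]),
        "fuel -1sd": (p["rate"], p["fuel_price"] - p["fuel_price_sd"]),
    }
    return {k: cash_flow(r, f, p) - base for k, (r, f) in shocks.items()}


if __name__ == "__main__":
    stats = summarise(simulate())
    print(f"expected cash flow {stats['mean']:,.0f}, risk (sd) {stats['sd']:,.0f}, "
          f"95% VaR {stats['var95']:,.0f}")
    for shock, delta in sensitivity().items():
        print(f"{shock}: {delta:+,.0f}")
```

The sensitivity figures show the fuel price dominates the risk in this constructed case (a one-sd move is worth about £300,000 against about £80,000 for the exchange rate), which the simulated standard deviation of roughly £310,000 confirms.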

Drawbacks of the quantification of risk


Once a risk has been quantified, there is a problem – whether anyone really
knows what it means. Unless you are a trainee or qualified accountant (or
similar) this is unlikely, hence risks are often left unquantified.

Risk or assurance mapping


A common qualitative way of assessing the significance of risk is to produce a
‘risk map’, sometimes called an 'assurance map'.
 The Board, the Risk Committee, the Audit Committee and senior
management from various departments will all be involved in the
preparation of the map.
 The map identifies whether a risk will have a significant impact on the
organisation and links that into the likelihood of the risk occurring.
 The approach can provide a framework for prioritising risks in the
business.
 Risks with a significant impact and a high likelihood of occurrence need
more urgent attention than risks with a low impact and low likelihood of
occurrence.
 A well-structured risk map will highlight where there are gaps in
assurances over significant risk areas.
 Also, duplicated or potentially burdensome assurance processes may be
identified.
 Risks can be plotted on a diagram, as shown below.


More on risk mapping


The potential loss from an adverse outcome is a function of:
 the probability or likelihood that the adverse outcome will occur, and
 the impact of the outcome if it does occur.
When an initial review is carried out to identify and assess risks, the
assessment of both probabilities and impact might be based on
judgement and experience rather than on a detailed statistical and
numerical analysis.
 In an initial analysis, it might be sufficient to categorise the
probability of an adverse outcome as ‘high’, ‘medium’ or ‘low’, or
even more simply as ‘high’ or ‘low’.
 Similarly, it might be sufficient for the purpose of an initial analysis to
assess the consequences or impact of an adverse outcome as
‘severe’ or ‘not severe’.
Each risk can then be plotted on a risk map. A risk map is simply a 2 × 2
table or chart, showing the probabilities for each risk and their potential
impact.


Example
The following simple risk map might be prepared for a firm of auditors
                               Impact/consequences
                               Low                          High
Probability/      High         New audit regulations        Loss of non-audit work
likelihood                     for the profession           from existing clients
                  Low          Increases in salaries        Loss of audit clients
                               above the general rate       within the next two years.
                               of inflation
Using a risk map
A risk map immediately indicates which risks should be given the highest
priority.
 High-probability, high-impact risks should be given the highest
priority for management, whether by monitoring or by taking steps to
mitigate the risk.
 Low-probability, low-impact risks can probably be accepted by the
organisation as within the limits of acceptability.
 High-probability, low-impact risks and low-probability, high-impact
risks might be analysed further with a view to deciding the most
appropriate strategy for their management.
For each high-probability, high-impact risk, further analysis should be
carried out, with a view to:
 estimating the probability of an adverse (or favourable) outcome
more accurately, and
 assessing the impact on the organisation of an adverse outcome.
This is an area in which the management accountant should be able
to contribute by providing suitable and relevant financial information.
An alternative layout for a risk map (other than the cruciform style shown
above) would be a tabular format. The table might have the following
columns:
(1) The risk name e.g. fraud.
(2) The likelihood of that risk arising e.g. medium.
(3) The impact of the risk if it does arise e.g. high.
(4) Controls already in place.
(5) The risk owner, i.e. the name of a manager or director who watches
out for this risk arising.
(6) Whether assurance is sufficient. This might be given a score out of,
say, 10, or a yes/no type response.
(7) Controls to be implemented in the future.


Test your understanding 9 – Restaurant (Integration)


Suggest a risk that could be included in each quadrant for a restaurant.

Test your understanding 10


The loss of lower-level staff would best fit which category of a risk map?
A Low likelihood; low consequence
B High likelihood; low consequence
C Low likelihood; high consequence
D High likelihood; high consequence

Test your understanding 11


The axes of a risk map include:
Select ALL that may apply
A Likelihood
B Volatility
C Consequences
D Certainty

Test your understanding 12


HH Ltd is a private rehabilitation centre which provides services for
people recovering from debilitating injuries. These services include a
supported re-introduction to living at home through independent living
units where clients can ‘practice’ living alone but with medical support on
hand should they need it.
The managers of HH are aware they operate in a high risk industry.
Clients are often prescribed strong medications which must be
administered correctly by HH staff and there are two ongoing legal
disputes over injuries that have occurred to clients in HH’s independent
living units. Some of HH’s managers believe these risks are simply part of
their business model and unavoidable, whereas others are of the opinion
that a formal risk management policy should be devised.
The directors have suggested the managers get together to carry out a
risk mapping exercise.


Which of the following are benefits from a risk mapping exercise?


Select ALL that apply.
A Managers will reach a consensus on which are the key risks facing
HH and will be able to target the most significant.
B Managers can use the existence of the risk map to prove they have
not been negligent in the legal disputes concerning injured clients.
C The risk of medication being wrongly administered can be assessed
and a policy devised to reduce it going forward.
D The risk of injury to clients accessing the independent living units
can be assessed and prioritised and a policy devised to reduce it
going forwards.
E The existence of a risk map may prevent managers wasting time
dealing with trivial risks.

4 Risk response strategy


So far we have considered the types of risk a company could be exposed to
and the way it may choose to assess, measure and bear those risks. The next
area is to look at the formulation of a strategy to respond to those risks, the
general methods that can be used to treat risks and the implementation of such
a strategy.
The management of risks involves trying to ensure that:
 Exposure to severe risks is minimised.
 Unnecessary risks are avoided.
 Appropriate measures of control are taken.
 The balance between risk and return is appropriate.
The estimate of the potential loss for each risk should be compared with the
acceptable risk limit for the company. If the risk is greater than the acceptable
limit, the next stage is to consider how the risk should be managed or
controlled, to bring it down in size.

Risk treatment (management) methods

Assuming that the business does want to manage its risks, a number of methods
can be used. These methods will limit the risks, and the overall risk
management strategy may define how the risks will be managed and the way
these methods will interact.
Avoid risk
 A company may decide that some activities are so risky that they should
be avoided.
 This will always work but is impossible to apply to all risks in commercial
organisations as risks have to be taken to make profits.


Transfer risk
 In some circumstances, risk can be transferred wholly or in part to a third
party.
 A common example of this is insurance. It does reduce/eliminate risks but
premiums have to be paid.
Pool risks
 Risks from many different transactions can be pooled together: each
individual transaction/item has its potential upside and its downside. The
risks tend to cancel each other out, and are lower for the pool as a whole
than for each item individually.
 For example, it is common in large group structures for financial risk to be
managed centrally.
Diversification
 Diversification is a similar concept to pooling but usually relates to different
industries or countries.
 The idea is that the risk in one area can be reduced by investing in
another area where the risks are different or ideally opposite.
 A correlation coefficient with a value close to –1 is essential if risk is to be
nullified.

Managing risk by diversification

The syllabus refers specifically to the principle of diversifying risk, but
states that numerical questions will not be set. It will therefore be useful
to look in more detail at the effect of diversification on risk.
 Risk can be reduced by diversifying into operations in different
areas, such as into Industry X and Industry Y, or into Country P and
Country Q.
 Poor performance in one area will be offset by good performance in
another area, so diversification will reduce total risk.
 Diversification is based on the idea of ‘spreading the risk’; the total
risk should be reduced as the portfolio of diversified businesses gets
larger.
 Diversification works best where returns from different businesses
are negatively correlated (i.e. move in different ways). It will,
however, still work as long as the correlation is less than +1.0.
 Example of poor diversification – swimming costumes and ice
cream – both reliant on sunny weather for sales.
 Spreading risk relates to portfolio management, as an investor or
company spreads product and market risks.
 The most common form of diversification attempts to spread risk
according to the portfolio of companies held within a group – based
on links within the supply chain.
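The effect of correlation on diversified risk, as an added Python example that is not from the text. It carries the two-business case through (no reduction at +1, elimination possible at –1, some reduction for anything below +1) and also generalises it to an equal-weighted portfolio of n businesses sharing one pairwise correlation, which shows why adding businesses reduces total risk only down to a floor set by that correlation. All figures are constructed.

```python
from math import sqrt


def two_business_sd(w1: float, sd1: float, sd2: float, rho: float) -> float:
    """Total risk (standard deviation of return) of a two-business portfolio.

    w1 is the proportion in business 1 (the rest in business 2), sd1/sd2 the
    stand-alone risks and rho the correlation of their returns (-1 to +1).
    """
    if not 0.0 <= w1 <= 1.0:
        raise ValueError("w1 must be between 0 and 1 (no short positions)")
    if not -1.0 <= rho <= 1.0:
        raise ValueError("correlation must lie between -1 and +1")
    w2 = 1.0 - w1
    variance = (w1 * sd1) ** 2 + (w2 * sd2) ** 2 + 2 * w1 * w2 * rho * sd1 * sd2
    return sqrt(max(variance, 0.0))  # guard against a tiny negative at rho = -1


def min_variance_weight(sd1: float, sd2: float, rho: float) -> float:
    """Proportion in business 1 that minimises total risk (clamped to 0..1).
    At rho = -1 this is sd2 / (sd1 + sd2) and total risk falls to zero."""
    denom = sd1 ** 2 + sd2 ** 2 - 2 * rho * sd1 * sd2
    if denom == 0.0:  # rho = +1 with equal risks: every mix carries the same risk
        return 0.5
    w1 = (sd2 ** 2 - rho * sd1 * sd2) / denom
    return min(1.0, max(0.0, w1))


def equal_weight_sd(n: int, sd: float, rho: float) -> float:
    """Total risk of n equally weighted businesses, each with stand-alone risk
    sd and the same pairwise correlation rho:
        variance = sd^2 * (1/n + rho * (n - 1) / n)
    As n grows the first term vanishes but the second tends to rho * sd^2, so
    total risk falls towards sqrt(rho) * sd, not to zero. (A common negative
    rho below -1/(n-1) is not achievable; the guard keeps the result at zero.)"""
    if n < 1:
        raise ValueError("n must be at least 1")
    variance = sd ** 2 * (1.0 / n + rho * (n - 1) / n)
    return sqrt(max(variance, 0.0))


def risk_reduction(w1: float, sd1: float, sd2: float, rho: float) -> float:
    """Fraction by which diversification cuts risk relative to the weighted
    average of stand-alone risks (0 means no benefit, as at rho = +1)."""
    undiversified = w1 * sd1 + (1.0 - w1) * sd2
    return 1.0 - two_business_sd(w1, sd1, sd2, rho) / undiversified


if __name__ == "__main__":
    # Constructed figures: two businesses with 20% stand-alone risk, half in each
    for rho, label in [(1.0, "perfectly correlated"), (0.9, "swimwear + ice cream"),
                       (0.0, "unrelated"), (-1.0, "opposite")]:
        print(f"rho={rho:+.1f} ({label}): total risk "
              f"{two_business_sd(0.5, 0.2, 0.2, rho):.3f}")
    for n in (1, 2, 5, 10, 100):
        print(f"{n:3d} businesses, rho=0.3: total risk {equal_weight_sd(n, 0.2, 0.3):.4f}")
```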


Spreading risk by portfolio management


Within an organisation, risk can be spread by expanding the portfolio of
companies held. The portfolio can be expanded by integration – linking
with other companies in the supply chain, or diversification into other
areas.
This is development beyond the present product and market, but still
within the broad confines of the ‘industry’.
 Backward integration refers to development concerned with the
inputs into the organisation, e.g. raw materials, machinery and
labour.
 Forward integration refers to development into activities that are
concerned with the organisation’s outputs such as distribution,
transport, servicing and repairs.
 Horizontal integration refers to development into activities that
compete with, or directly complement, an organisation’s present
activities. An example of this is a travel agent selling other related
products such as travel insurance and currency exchange services.
Unrelated diversification
This is development beyond the present industry into products and/or
markets that may bear no clear relationship to their present portfolio.
Where appropriate an organisation may want to enter into a completely
different market to spread its risk.


Problems with diversification:


 If diversification reduces risk, why are there relatively few
conglomerate industrial and commercial groups with a broad spread
of business in their portfolio?
 Many businesses compete by specialising, and they compete
successfully in those areas where they excel.
 Therefore, it is difficult for companies to excel in a wide range of
diversified businesses. There is a possible risk that by diversifying
too much, an organisation might become much more difficult to
manage. Risks could therefore increase with diversification, due to
loss of efficiency and problems of management.
 Many organisations diversify their operations, both in order to grow
and to reduce risks, but they do so into related areas, such as
similar industries (e.g. banking and insurance, film and television
production, and so on) or the same industry but in different parts of
the world.
 Relatively little advantage accrues to the shareholders from
diversification. There is nothing to prevent investors from
diversifying for themselves by holding a portfolio of stocks and
shares from different industries and in different parts of the world.

Test your understanding 13


Risk reduction can be achieved using which of the following theories?
A Management theory
B Systems theory
C Portfolio theory
D Contingency theory

Test your understanding 14 – Diversification (Integration)


Evaluate whether it is always a good business strategy for a listed
company to diversify to reduce risk.

Risk reduction
 Even if a company cannot totally eliminate its risks, it may reduce them to
a more acceptable level by a form of internal control.
 The internal control would reduce either the likelihood of an adverse
outcome occurring or the size of a potential loss.
 The costs of the control measures should justify the benefits from the
reduced risk.
 More will be seen on internal controls in chapter 5.


Hedging risks
 Hedging is considered in detail in F3.
 The concept of hedging is reducing risks by entering into transactions with
opposite risk profiles to deliberately reduce the overall risks in a business
operation or transaction.
Risk sharing
 A company could reduce risk in a new business operation by sharing the
risk with another party.
 This can be a motivation for entering into a joint venture.

Risk management using TARA


An alternative way of remembering risk management methods is via the
mnemonic 'TARA':
Transference. In some circumstances, risk can be transferred wholly or
in part to a third party, so that if an adverse event occurs, the third party
suffers all or most of the loss. A common example of risk transfer is
insurance. Businesses arrange a wide range of insurance policies for
protection against possible losses. This strategy is also sometimes
referred to as sharing.
Avoidance. An organisation might choose to avoid a risk altogether.
However, since risks are unavoidable in business ventures, they can be
avoided only by not investing (or withdrawing from the business area
completely). The same applies to not-for-profit organisations: risk is
unavoidable in the activities they undertake.
Reduction/mitigation. A third strategy is to reduce the risk, either by
limiting exposure in a particular area or attempting to decrease the
adverse effects should that risk actually crystallise.
Acceptance. The final strategy is to simply accept that the risk may
occur and decide to deal with the consequences in that particular
situation. The strategy is appropriate normally where the adverse effect is
minimal. For example, there is nearly always a risk of rain; unless the
business activity cannot take place when it rains then the risk of rain
occurring is not normally insured against.


Risk mapping and risk responses


Risk maps can provide a useful framework to determine an appropriate risk
response:
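The tabular risk map format described earlier (columns (1) to (7)) and the use of the map to prioritise risks, expose assurance gaps and choose a response, as an added Python example that is not from the text. Two things here are assumptions of the example: a 'medium' rating is placed with 'high' on the 2 × 2 map, and the quadrant-to-response mapping (accept, reduce, transfer, avoid) is the conventional one rather than the page's own diagram. The sample entries are constructed from the audit-firm map.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = ("low", "medium", "high")


@dataclass
class RiskEntry:
    """One row of the tabular risk map: columns (1) to (7) from the text."""
    name: str                                                   # (1) risk name
    likelihood: str                                             # (2) low/medium/high
    impact: str                                                 # (3) low/medium/high
    controls_in_place: List[str] = field(default_factory=list)  # (4)
    owner: Optional[str] = None                                 # (5) risk owner
    assurance_score: Optional[int] = None                       # (6) out of 10; None = not assessed
    planned_controls: List[str] = field(default_factory=list)   # (7)

    def __post_init__(self) -> None:
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: rating must be one of {LEVELS}")
        if self.assurance_score is not None and not 0 <= self.assurance_score <= 10:
            raise ValueError(f"{self.name}: assurance score must be between 0 and 10")


def quadrant(entry: RiskEntry) -> Tuple[str, str]:
    """(likelihood, impact) cell on the 2 x 2 map. A 'medium' rating is placed
    with 'high' so a borderline risk is never under-prioritised (an assumption)."""
    return ("low" if entry.likelihood == "low" else "high",
            "low" if entry.impact == "low" else "high")


# Conventional quadrant-to-response mapping, assumed here rather than taken
# from the page's diagram: accept the trivial, reduce the frequent-but-small,
# transfer (e.g. insure) the rare-but-severe, avoid the frequent-and-severe.
RESPONSES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "accept",
    ("high", "low"): "reduce",
    ("low", "high"): "transfer",
    ("high", "high"): "avoid",
}


def response(entry: RiskEntry) -> str:
    return RESPONSES[quadrant(entry)]


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Most urgent first: high/high, then the two mixed cells, then low/low.
    sorted() is stable, so ties keep the order in which risks were recorded."""
    def rank(e: RiskEntry) -> int:
        lik, imp = quadrant(e)
        return int(lik == "high") + int(imp == "high")
    return sorted(register, key=rank, reverse=True)


def assurance_gaps(register: List[RiskEntry], minimum: int = 6) -> List[str]:
    """Significant (high-impact) risks whose assurance is unassessed or scores
    below `minimum`: the gaps a well-structured map should expose."""
    return [e.name for e in register
            if quadrant(e)[1] == "high"
            and (e.assurance_score is None or e.assurance_score < minimum)]


def duplicated_controls(register: List[RiskEntry]) -> Dict[str, List[str]]:
    """Controls cited against more than one risk, to review for duplicated or
    burdensome assurance work."""
    cited: Dict[str, List[str]] = {}
    for e in register:
        for control in e.controls_in_place:
            cited.setdefault(control, []).append(e.name)
    return {c: names for c, names in cited.items() if len(names) > 1}


def sample_register() -> List[RiskEntry]:
    """Constructed entries built on the audit-firm map in the text."""
    return [
        RiskEntry("Increases in salaries above the general rate of inflation",
                  "low", "low", ["annual pay benchmarking"], "HR director", 8),
        RiskEntry("New audit regulations for the profession",
                  "high", "low", ["technical team monitors the regulator"], "Head of technical", 7),
        RiskEntry("Loss of audit clients within the next two years",
                  "low", "high", ["client relationship reviews"], "Audit partner", 4),
        RiskEntry("Loss of non-audit work from existing clients",
                  "high", "high", ["client relationship reviews"], "Advisory partner", None,
                  ["independence review of non-audit services"]),
    ]


if __name__ == "__main__":
    for e in prioritise(sample_register()):
        print(f"{e.name}: {'/'.join(quadrant(e))} -> {response(e)}")
    print("assurance gaps:", assurance_gaps(sample_register()))
    print("shared controls:", duplicated_controls(sample_register()))
```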

Test your understanding 15


The death of, or serious injury to, a member of staff at work would best fit
which category on a risk map?
A Low likelihood; low consequence
B High likelihood; low consequence
C Low likelihood; high consequence
D High likelihood; high consequence

Test your understanding 16


A risk identified as having a low frequency and a high severity should be
managed by:
A Avoiding
B Accepting
C Transferring
D Reducing


Test your understanding 17


P Company is a large international fast food retailer with plans to expand
on a global scale. J is a manager who has relocated to Country X to
begin an aggressive standardised expansion plan.
Five restaurants have opened so far in the cities of Country X but the
response from the local population has been poor. Initial sales targets
have not been met and the Board of P Company believes that further
expansion into Country P is at risk and it is possible the plan will be
abandoned.
J believes that the restaurants have not been immediately successful
because the population of Country X, although affluent and well
educated, are not used to the concept of ‘fast food’. Restaurants in
Country X are typically expensive and serve fresh food to order.
Which of the following are appropriate risk management responses
for J to discuss with The Board?
Select ALL that apply.
A P Company should embark on a marketing campaign within Country
X.
B The menus of restaurants in Country X should be modified to reflect
local tastes with more fresh food included.
C P Company should stop expansion plans in Country P and choose a
more appropriate location.
D P Company should replace J as the manager of expansion in
Country X.
E P Company should abandon their standardised plan in Country X
and instead tailor their branding and products to be in line with
successful local restaurants.


5 The risk cube


Another way of considering risk and its management is to use the risk cube.
Risk equals the volume of the cube.
Risk is seen as some combination of a threat, exploiting some vulnerability,
that could cause harm to an asset.
Residual risk is the combined function of:
 a threat less the effect of threat-reducing safeguards;
 a vulnerability less the effect of vulnerability-reducing safeguards; and
 an asset less the effect of asset value-reducing safeguards.
Managing the risk can be undertaken by reducing the threat, reducing the
vulnerability and/or reducing the asset value.
For example, imagine a company sells machine parts on credit to industrial
customers.
The threat might be that the customer doesn't pay for their machine parts.
The vulnerability might be that the selling company has a low cash balance and
therefore needs the funds to pay its own suppliers.
The asset is the receivable due.
The threat-reducing safeguards might include performing a credit check on all
customers.
The vulnerability-reducing safeguards might include holding a minimum cash
balance at all times to ensure sufficient cash is available to pay suppliers.
The asset-reducing safeguards might include setting a limit on each receivable
balance, so that once it is reached no further goods would be supplied to a
customer until payment was made.


Test your understanding 18 – Twinkletoes (Case study)

Scenario
You are the management accountant of a large private company,
Twinkletoes. Twinkletoes manufactures a high volume of reasonably
priced shoes for elderly people. The company has a trade receivables
ledger that is material to the financial statements containing four different
categories of account. The categories of account, and the risks
associated with them, are as follows:
(i) small retail shoe shops. These accounts represent nearly two thirds
of the accounts on the ledger by number, and one third of the
receivables by value. Some of these customers pay promptly,
others are very slow;
(ii) large retail shoe shops (including a number of overseas accounts)
that sell a wide range of shoes. Some of these accounts are large
and overdue;
(iii) chains of discount shoe shops that buy their inventory centrally.
These accounts are mostly well-established `high street' chains.
Again, some of these accounts are large and overdue; and
(iv) mail order companies who sell the company's shoes. There have
been a number of large new accounts in this category, although
there is no history of irrecoverable debts in this category.
Receivables listed under (ii) to (iv) are roughly evenly split by both value
and number. All receivables are dealt with by the same managers and
staff and the same internal controls are applied to each category of
receivables. You do not consider that using the same managers and
staff, and the same controls, is necessarily the best method of managing
the receivables ledger.
Trigger
Twinkletoes has suffered an increasing level of irrecoverable debts and
slow payers in recent years, mostly as a result of small shoe shops
becoming insolvent. The company has also lost several overseas
accounts because of a requirement for them to pay in advance.
Management wishes to expand the overseas market and has decided
that overseas customers will in future be allowed credit terms.
Task
Management has asked you to classify the risks associated with the
receivables ledger in order to manage trade receivables as a whole more
efficiently. You have been asked to classify accounts as high, medium or
low risk.
Write an email to the finance director:
(a) Classifying the risks relating to the four categories of trade
receivables as high, medium or low and explain your classification
(Note: More than one risk classification may be appropriate within
each account category.)

(b) Describing the internal controls that you would recommend to
Twinkletoes to manage the risks associated with the receivables
ledger under the headings: all customers, slow paying customers,
larger accounts, and overseas customers.
(30 minutes)

6 Risk reporting
Risk reports now form part of UK annual reports. It is an important disclosure
requirement. (Examples of these are available on larger companies’ websites.
Candidates are encouraged to read some.)
Managers of a business, and external stakeholders, will require information
regarding the risks facing the business. A risk reporting system would include:
 A systematic review of the risk forecast (at least annually).
 A review of the risk strategy and responses to significant risks.
 A monitoring and feedback loop on action taken and assessments of
significant risks.
 A system indicating material change to business circumstances, to provide
an ‘early warning’.
 The incorporation of audit work as part of the monitoring and information
gathering process.

Marks and Spencer plc – Risk report extract

Within Marks and Spencer's annual report for 2013 there is a risk report
section. This has been duplicated in part below.
It states their approach to risk management and key areas of focus:
What is our approach to risk management?
The Board has overall accountability for ensuring that risk is effectively
managed across the Group and, on behalf of the Board, the Audit
Committee reviews the effectiveness of the Group Risk Process.
Risks are reviewed by all business areas on a half-yearly basis and
measured against a defined set of likelihood and impact criteria. This is
captured in consistent reporting formats, enabling Group Risk to
consolidate the risk information and summarise the key risks in the form
of the Group Risk Profile.
Our Executive Board discusses the Group Risk Profile ahead of it being
submitted to the Group Board for final approval.
To ensure our risk process drives improvement across the business, the
Executive Board monitors the ongoing status and progress of action
plans against key risks on a quarterly basis.
Risk remains an important consideration in all strategic decision-making
at Board level, including debate on risk tolerance and appetite.


Key areas of focus


During the year we have focused on a number of key areas:
(1) Evolving risk descriptions
As time progresses, the nature of some Group risks is evolving. To
ensure we continue to address the most important risks facing the
Group at this point in time we have updated a number of risk titles
and descriptions. New titles are assigned to GM product (2012: Our
customers) and Food safety and integrity (2012: Food safety). New
descriptions are in place for International and Our people.
(2) Action plans for key risks
We continue to assess whether sufficient additional mitigating
activities are underway to reduce the net risk position of the Group’s
key risks. By considering net risk on both a one year and three year
horizon, we are able to identify when mitigating activities will result
in a tangible risk reduction. We also continue to review the ongoing
appropriateness of actions to ensure they are as relevant, timely
and measurable as possible.
(3) Influence of risk tolerance
Risk tolerance and appetite are important considerations in strategic
decision-making at Board level. We also recognise the value in
applying the concept of risk tolerance in discussions across all
levels of the organisation. It is especially beneficial when
determining the nature of mitigating activities and their role in
addressing risk likelihood or impact.
Our principal risks and uncertainties
As with any business, we face risks and uncertainties on a daily basis. It
is the effective management of these that places us in a better position to
be able to achieve our strategic objectives and to embrace opportunities
as they arise.
To achieve a holistic view of the risks facing our business, both now and
in the future, we consider those that are:
 external to our business;
 core to our day-to-day operation;
 related to business change activity; and
 those that could emerge in the future.
Overleaf are details of our principal risks and the mitigating activities in
place to address them. It is recognised that the Group is exposed to a
number of risks, wider than those listed.
However, a conscious effort has been made to disclose those of greatest
importance to the business at this moment in time and those that have
been the subject of debate at recent Board or Audit Committee meetings.
(Two of the many principal risks and mitigating actions are detailed
below.)


Economic outlook
Economic conditions worsen or do not improve, impacting our ability to
deliver the plan
As consumers’ disposable incomes come under pressure from price
inflation and government austerity measures, trading conditions continue
to remain a challenge for our business.
Mitigating activities:
 Proactive management of costs
 Regular review of customer feedback and marketplace positioning
 Continued focus on value proposition in the context of a balanced
product offer, including market leading innovation
 Ongoing monitoring of pricing and promotional strategies
 Regular commercial review of product performance
Food safety and integrity
A food safety or integrity related incident occurs or is not effectively
managed
As a leading retailer of fine quality fresh food, it is of paramount
importance that we manage the safety and integrity of our products and
supply chain, especially in light of the business’ greater operational
complexity and the heightened risk of fraudulent behaviour in the supply
chain.
Mitigating activities:
 Dedicated team responsible for ensuring that all products are safe
for consumption through rigorous controls and processes
 Continuous focus on quality
 Proactive horizon scanning including focus on fraud and
adulteration
 Established supplier and depot auditing programme
(The risk report continues for several pages covering many other risks.)
The Group Risk Profile reflects the most important risks facing the
business at this point in time; these risks receive specific attention by the
Board to ensure that sufficient mitigating activity is in place to reduce net
risk to an acceptable level. The Group Risk Profile will evolve as these
mitigating activities succeed in reducing the residual risk over time, or
new risks emerge. As such, we have removed a number of risks from our
Group Risk Profile since the prior year:
Last year we included Business continuity on the Group Risk Profile in
response to the heightened level of risk driven by the UK’s summer 2012
events. With the risk now returning to a normal level it has been removed,
recognising the strength of our controls in this area.
Financial position, Corporate reputation, New store format, Key supplier
failure and IT security have also been removed in recognition of the
actions taken to reduce the net risk position.
The above risks remain important and they continue to be monitored as
part of ‘business as usual’ activities; however, we consider that they do
not represent key risks to our business at this time and they have
therefore been removed from the Group Risk Profile.
Risk interconnectivity
We continue to recognise the significant interdependency between our
key risks, which is in part a product of our heavily interconnected
business environment (both in terms of systems and processes). The
following diagrams are based on our current Group Risk Profile. Both are
designed to highlight how changes to one risk could impact on those
connected to it, and therefore on the profile as a whole. We have
incorporated a number of potential emerging risks which do not feature
on our Group Risk Profile at this point in time, but could influence our
business in the longer term, illustrating how emerging risk is considered
by the Board.
Test your understanding 19
A recent SWOT analysis carried out within Y Company showed that the
organisation is now subject to more diverse threats than previously
documented. This is mainly due to deregulation of Y Company’s industry
and consequently many new entrants. These new entrants, often from
other countries, are able to undercut Y Company on price and so gain
market share.
The directors believe they have appropriate measures in place to identify
and manage the new risks that Y Company faces but are concerned that
Y Company’s stakeholders should be able to access information relating
to the company’s most up-to-date risks. Y Company’s risk profile has evolved
since the prior year.
The company wishes to convey, via an annual risk report, that risk
remains a key consideration in all strategic decision making.
Which of the following should be included in Company Y’s risk reporting
system?
Select ALL that apply.
A A detailed review of Y Company’s risk strategy and responses to
risks it faces.
B A monitoring and feedback loop on action taken and assessments
of significant risks such as those resulting from new entrants.
C A system indicating material change to Y Company’s industry
circumstances, to provide an ‘early warning’.
D The incorporation of audit work as part of the monitoring and
information gathering process.
E A systematic review of the risk forecast (at least quarterly).
7 Gross and net risk
Risk reports should show:
• the gross risk = an assessment of risk before the application of any
controls, transfer or management responses; and
• the net risk (or residual risk) = an assessment of risk taking into account
the controls, transfer and management responses, i.e. after any controls
have been implemented, which allows a review of the effectiveness of
the risk responses.
An example of gross and net risk assessments, utilising the risk map
(impact/likelihood matrix) is shown below:
If the residual risk is considered to be too great then the company will
need to:
• not expose itself to the risk situation; or
• put in place better controls over the risk.
The amount of residual risk a company can bear is ultimately a
management decision.
• It is possible to measure that residual risk, possibly as a proportion of
profit/capital/turnover, in order to help management make that
judgement.
Ability to bear risk
One approach to assessing the ability to bear a risk is to consider its
financial consequences in relation to:
• the organisation’s profits
• return on capital employed
• the organisation’s expenditure budget (not-for-profit organisations).
For example, suppose that the financial consequences of a particular risk
have been estimated as a potential loss of $200,000. For an organisation
making annual profits of, say, $200 million, this might seem relatively
insignificant. On the other hand, for an organisation with annual profits of
just $250,000, say, the risk would be much more significant.
An organisation might establish policy guidelines as to the maximum
acceptable residual risk for any individual risk, or set risk limits to the
maximum acceptable loss on particular operations.
Gross and net risk example
Using the earlier example of the risk register we can show gross and net
(or residual) risk:
(1) Loss of personal data i.e. unsecure use of mobile devices could
result in personal identifiable information being lost, stolen or
unauthorised access gained.
(2) Likelihood = 3
(3) Impact = 5
(4) Risk owner = Mike Smith (IT manager)
(5) 1.1.X2
(6) 2.2.X4
(7) Staff receive training every 2 years which highlights the risks. All
laptops are encrypted. Regular audits are undertaken. Any incidents
are reported to the Audit Committee.
(8) Overall risk rating = 7 (Gross risk)
(9) Encryption technology is implemented which meets the industry
standard.
(10) Mike Smith
(11) 31.7.X4
(12) Risk level = 3 (Net or residual risk)
By implementing the encryption technology the risk has reduced from a
score of 7 to a score of 3. This means that there is still some risk but far
less than there was. Management will have to consider whether a level 3
risk is acceptable or whether further controls need to be implemented to
achieve a lower score, and at what cost.
Test your understanding 20
TGDW are assessing a new contract to provide maintenance services for
a prestigious office complex. Should the complex be unable to function
for more than 5 hours due to an error or omission by TGDW, they will face a
fine of sufficient magnitude to cause the company severe financial
difficulty. The directors assessed the gross risk as high impact and due to
the complexity of the systems maintained there is high probability of an
error occurring. The client is unwilling to reduce the penalty or to change
the criteria and TGDW’s internal controls are already at a high level.
Using TARA what action should TGDW take?
A Transfer
B Avoid
C Reduce
D Accept
8 Evaluating risk management strategy
Once the company has established its risk strategy and decided in what areas it
will reduce its risks and the methods it will use to achieve the desired
reductions, the strategy should be evaluated.
The purpose of the evaluation is two-fold, as shown below:
Has the strategy been successful?
Within the risk management strategy, targets should be included to enable
the company to assess whether the risk strategy objectives have been
achieved. For example, a company might set a target for risk of faulty
products at a set number or percentage level and then formulate a risk
strategy to achieve that level. In order to assess this, a control mechanism
will need to be set up. The basic control idea is that the company
compares the actual results with a required target and assesses whether
the target has been achieved. If not, the reasons must be investigated and
action taken, including possibly a re-assessment of the risk strategy.
Do benefits outweigh costs?
• The costs and benefits of risk measures such as internal controls can be
evaluated, and a cost-benefit comparison carried out.
• The benefits from risk controls should preferably be measured and
quantified, although some benefits (such as protecting the company’s
reputation) might have to be assessed qualitatively.
• The evaluation process should be based on the principle that the costs of
a control measure should not exceed the benefits that it provides.
– For example, a company could be very concerned about theft of
petty cash and therefore introduce controls limiting the cash held to
£25 and also requiring daily reconciliations of the cash balance by
the financial controller, with observation by a member of the internal
audit department.
– This control would probably reduce theft, but would be very
expensive for the company to operate and as a result the costs
would exceed the benefits. The controls set up must be proportionate
to the potential losses that could occur if the risk materialises.
Cost-benefit example
A manufacturing company is concerned about the rate of rejected items
from a particular process. The current rejection rate is 5% of items input,
and it has been estimated that each rejected item results in a loss to the
company of $10. Each day 600 items go through the process.
It is estimated that by introducing inspections to the process, the rejection
rate could be reduced fairly quickly to 3%. However, inspections would
result in an increase of costs of $70 per day.
Required:
How should this control through inspection be evaluated?
Solution
The example is a simple one, but it is useful for suggesting an approach
to risk management and control evaluation.
What is the objective of the control?
Answer: To reduce losses from rejected items from the process, initially
from 5% to 3% of input.
What is the expected benefit?
Answer: A reduction in rejects by 2% of input, from 5% to 3%. The
reduction in rejects each day is 12 (2% × 600). Since each reject costs
$10, the total daily saving is $120.
What is the expected cost of the control?
Answer: $70 per day. Therefore the control appears to be worthwhile in
achieving the objective.
Is the control effective?
Answer: This should be established by monitoring actual results. For
example, if the control costs $70 each day, but succeeds in reducing the
rejection rate from 5% to just 4% (a reduction of 1%), the benefits would
be only $60 each day and the control would not be cost-effective (unless
the savings are more than $10 per unit).
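A small cost-benefit evaluator for the inspection control above, added here as an illustration rather than taken from the study text. The function and field names are my own choice, the observed daily rejection rates it monitors are constructed figures, and it goes one step beyond the worked answer by computing the break-even points that the "Is the control effective?" answer alludes to.

```python
# Added example (not from the study text): evaluate a control measure by
# comparing the benefit it is expected to deliver with the cost of running it,
# then re-check the comparison against actual results once the control is live.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ControlCase:
    """Inputs for evaluating one control measure (all figures per day)."""
    items_per_day: float     # items passing through the process
    loss_per_reject: float   # loss to the company for each rejected item ($)
    current_rate: float      # rejection rate before the control (fraction)
    target_rate: float       # rejection rate the control is expected to achieve
    control_cost: float      # running cost of the control ($ per day)


def daily_benefit(case: ControlCase, achieved_rate: Optional[float] = None) -> float:
    """Daily saving from fewer rejects, at the target rate unless an actual rate is given."""
    rate = case.target_rate if achieved_rate is None else achieved_rate
    return (case.current_rate - rate) * case.items_per_day * case.loss_per_reject


def net_benefit(case: ControlCase, achieved_rate: Optional[float] = None) -> float:
    """Benefit minus cost; the control is only worthwhile when this is positive."""
    return daily_benefit(case, achieved_rate) - case.control_cost


def is_cost_effective(case: ControlCase, achieved_rate: Optional[float] = None) -> bool:
    """The principle from the text: the cost of a control must not exceed its benefit."""
    return net_benefit(case, achieved_rate) > 0


def breakeven_rate(case: ControlCase) -> float:
    """Highest rejection rate the control may leave behind and still pay for itself."""
    return case.current_rate - case.control_cost / (case.items_per_day * case.loss_per_reject)


def breakeven_loss_per_reject(case: ControlCase, achieved_rate: float) -> float:
    """Per-reject loss at which the control just pays for itself at a given achieved rate."""
    reduction = case.current_rate - achieved_rate
    if reduction <= 0:
        return float("inf")  # no reduction at all: no per-unit loss justifies the control
    return case.control_cost / (reduction * case.items_per_day)


def monitor(case: ControlCase, observed_rates: List[float]) -> Dict[str, object]:
    """Control loop: compare observed rejection rates with the target and re-evaluate."""
    actual = mean(observed_rates)
    return {
        "mean_rate": actual,
        "target_met": actual <= case.target_rate,
        "net_benefit": net_benefit(case, actual),
        "cost_effective": is_cost_effective(case, actual),
    }


# Figures from the worked example: 600 items/day, $10 per reject,
# 5% rejected now, 3% expected after inspection, $70/day inspection cost.
INSPECTION = ControlCase(items_per_day=600, loss_per_reject=10,
                         current_rate=0.05, target_rate=0.03, control_cost=70)

if __name__ == "__main__":
    print(f"expected daily benefit:   ${daily_benefit(INSPECTION):.2f}")   # 120.00
    print(f"net benefit at target:    ${net_benefit(INSPECTION):.2f}")     # 50.00
    print(f"break-even rejection rate: {breakeven_rate(INSPECTION):.2%}")   # 3.83%
    # Constructed sample of daily rejection rates observed after inspection began;
    # they average 4%, the disappointing outcome the text describes.
    observed = [0.041, 0.039, 0.042, 0.040, 0.038]
    print(monitor(INSPECTION, observed))
```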
Interaction between risks
Risk identification is very important, because risks are often interrelated. This
means that if one risk is more likely or will have a more significant impact for an
organisation, then it may be more likely to be exposed to other risks or more
susceptible to other risks.
This is a theme throughout P3, but it is highlighted here to make sure that it is
something that is in your thought processes as you go through the rest of the
material.
Here are some examples:
Interaction between risks
A café in a busy seaside resort would have compliance risk: it will be
assessed on its food hygiene and, if it did not meet the standards that
have been set, it may receive fines, and the poor food hygiene rating
would be published on government websites and also on review
websites.
This leads to other risks:
• Financial risk, in that it will have to pay any fines it receives by a
particular date.
• Reputation risk, because customers are likely to check these things
and avoid cafés that do not perform well on this criterion, and also
warn friends, family and colleagues.
• Litigation risk, because someone may become ill after eating at the
café due to the poor food hygiene and may take legal action against
the café.
Test your understanding 21
WZL Plc, a waste disposal company, has been found to have knowingly
breached environmental legislation about the disposal of hazardous
waste. This is an example of a compliance risk and they stand to receive
a substantial fine as a result. The issue occurred because an employee,
despite training and internal policies, ignored the information that the
customer provided about the waste and how hazardous it was.
Which of the following risks are likely to increase as a result of this
breach?
Select ALL that apply.
A Financial risk
B Reputational risk
C Commodity price risk
D Economic risk
E Currency risk
F Fraud risk
Another consideration in the interaction between risks is the combining of risks.
Sometimes for the end result to occur, multiple risks have to combine. Some of
the techniques in this chapter, such as expected values, can help to quantify
that combination.
Risks combining
A company could be considering the risk of somebody breaking into a
warehouse to steal some of the inventory. The company has controls in
place already, with an alarm system fitted, and security guards patrolling
the warehouse.
They have identified the following:
• The risk of an intruder getting past the alarm is 30%
• The risk of an intruder getting past the guards is 25%
This means the overall risk of the intruder getting in (assuming the two
controls fail independently of each other) is:
0.3 × 0.25 = 7.5%
One of the treatments of risk discussed in this chapter is diversification, and the
idea of creating a portfolio of products or services to help manage risks. This is
another example of how risks interact. In this case we are considering the up
and downside risk that we first discussed in chapter 1. The portfolio will have
different risks and the idea is that they could offset one another – one product
does well while another struggles. In an ideal world all of the organisation’s
portfolio does well, but if demand is affected by different factors then they might
tend to even out overall.
9 Risk management roles and responsibilities
If the company being considered is divisional there may be a risk officer for
each division who will help to identify and manage tactical and operational level
risks.
All employees have a role and responsibility for risk too. You should be aware
of possible risks (through policies issued and training given) and you should
make yourself heard if you believe a risk needs to be managed (by reporting it
to your manager or by whistleblowing).
Roles of the risk committee
In broad terms, the risk (management) committee within an organisation
has the following main aims:
• Raising risk awareness and ensuring appropriate risk management
within the organisation.
• Establishing policies for risk management.
• Ensuring that adequate and efficient processes are in place to
identify, report and monitor risks.
• Updating the company’s risk profile, reporting to the board and
making recommendations on the risk appetite of the company.
Supporting these objectives of the risk (management) committee, there
are many secondary objectives. These objectives may also be contained
in the terms of reference of the risk (management) committee.
• Advising the board on the risk profile and appetite of the company
and as part of this process overseeing the risk assurance process
within the company.
• Acting on behalf of the board, to ensure that appropriate
mechanisms are in place with respect to risk identification, risk
assessment, risk assurance and overall risk management.
• Continual review of the company’s risk management policy including
making recommendations for amendment of that policy to the board.
• Ensuring that there is appropriate communication of risks, policies
and controls within the company to employees at all management
levels.
• Ensuring that there are adequate training arrangements in place so
management at all levels are aware of their responsibilities for risk
management.
• Where necessary, obtaining appropriate external advice to ensure
that risk management processes are up to date and appropriate to
the circumstances of the company.
• Ensuring that best practices in risk management are used by the
company, including obtaining and implementing external advice
where necessary.
Roles of the risk committee
Typical activities carried out by a risk manager include:
• Provision of overall leadership for the risk management team.
• Identification and evaluation of the risks affecting an organisation
arising from that organisation’s business, operations and policies.
• Implementation of risk mitigation strategies including appropriate
internal controls to manage identified risks.
• Seeking opportunities to improve risk management methodologies
and practices within the organisation.
• Monitoring the status of risk mitigation strategies and internal audits,
and ensuring that all recommendations are acted upon.
• Developing, implementing and managing risk management
programmes and initiatives including establishment of risk
management awareness programmes within the organisation.
• Maintaining good working relationships with the board and the risk
management committee.
• Ensuring compliance with any laws and regulations affecting the
business.
• Implementing a set of risk indicators and reports, including losses,
incidents, key risk exposures and early warning indicators.
• Liaising with insurance companies, particularly with regards to
claims, conditions and cover available.
• Depending on specific laws of the jurisdiction in which the
organisation is based, working with the external auditors to provide
assurance and assistance in their work in appraising risks and
controls within the organisation.
• Again, depending on the jurisdiction, producing reports on risk
management, including any statutory reports (e.g. Sarbanes-Oxley
(SOX) reports in the US).
Northern Rock
A failure of risk management
Perhaps the most interesting example of risk and control was the case of
Northern Rock. In September 2007 Northern Rock plc was a top five UK
mortgage lender, on the FTSE 100 index with over £100 billion in assets.
Northern Rock raised over 70% of the money it used in its growing
mortgage lending business from banks and other financial institutions.
Following the global credit crunch that resulted from the crisis in the US
sub-prime (high risk) mortgage sector, banks stopped lending to each
other and Northern Rock could not raise sufficient cash to cover its
liabilities.
A bank run (the first on a UK bank for 150 years) on Northern Rock by its
customers led to the government providing ‘lender of last resort’ funding
and guarantees for the bank’s depositors totalling about £20 billion. The
result was a 90% fall in the bank’s share price, a deteriorating credit
rating and a loss of reputation. The CEO resigned and several directors
also left the board.
Northern Rock had a formal approach to risk management, including
liquidity, credit, operational and market risk, fully described in its
Securities and Exchange Commission filings. Northern Rock’s assets
were sound so there was no significant credit risk. Market risk was also
well managed in terms of interest rate and foreign exchange exposure.
However, despite formal procedures and a demonstrated compliance
with regulations, there was an assumption by managers that access to
funds would continue unimpeded. The US sub-prime crisis led to liquidity
risk materialising, causing Northern Rock’s problems. The
consequence was also the loss of reputation that followed press reports
which blamed the bank’s management for not having a contingency plan
to cover the possibility of disruption to its funding – an operational risk. It
is likely that the board of Northern Rock failed in monitoring both liquidity
risk and the effectiveness of the existing controls.
The lesson of Northern Rock is that we need to move beyond the tick-box
approach to compliance and that good governance requires a more
insightful approach to risk management and internal control.
An example of how risk could be dealt with in a retail chain
A retail group has 480 stores and sales of £1.5 billion. Risk management
is part of the internal audit function. The internal auditor/risk manager has
said that the motivation for risk management is to ‘establish best practice
in corporate governance’ but also commented that the business recently
had ‘problems with its fundamental controls’ when ‘senior management
were looking at refinancing so took their eye off the ball’.
The risk management process commenced with a brainstorming session
by the internal audit team. They considered ‘risk drivers’ to identify what
could go wrong and what controls could be put in place to address these
risks. The team then held interviews with all managers to determine the
effectiveness of these controls using a scale from 1 to 5. The threat of a
control gap was identified and recommendations were made. This list
looked like a risk register, although the group did not call it that. The
internal auditor/risk manager did not see value in a risk register, but
rather saw risk management as a high level concern.
The group’s Risk Management Committee (RMC) meets every 2 months,
comprising all business (executive) directors. The list given by the
internal audit team to RMC showed the monetary value of a ‘fundamental
control breakdown’, from which was deducted the monetary value arising
from controls implemented, to give a ‘residual risk’ (i.e. the risk after
controls) and this was assigned a probability. These values were
admittedly subjective. The RMC considered the risk maps, which showed
the percentage probability of a threat arising and the residual monetary
risk after taking account of controls. The whole process had been
centrally driven, with a concern for ‘high level’ risks. The big risks
identified through this process were: supply chain, suppliers, people
management, rebates, cost base, key processes, property management,
market share, product offering and pricing, brand management, strategic
management, integration and change, systems and business continuity.
The group’s most recent development is a Key Control Improvement Plan
(KCIP) that provides recommendations to address the risks. It
summarises each risk (the example of supply chain failure was given)
and the ‘mitigating factors’ (i.e. controls) and what still needs to be done.
The Audit Committee (AC) of the Board is made up of four non-executive
directors, the external auditors, the finance director and the internal
auditor/risk manager and is responsible for monitoring progress in
relation to the risk maps. The risk maps also drive the audit plan which is
agreed by the AC, the business directors and the RMC.
The most significant issues are dealt with, for example, purchase
ordering and goods received, new stores, margins. Results are provided
to the RMC and AC where the value of the report is greater than
£250,000. Internal audit now has more exposure to decision-makers, as
the risk management role had given them a high profile.
Going forward, the internal auditor/risk manager wants to implement a
Risk Intelligence Report to provide early warning of risks. This will involve
looking at key performance indicators to identify what the business
should be concerned with. The manager also wants to introduce a Risk
Management Marketing Plan to help communicate risk and to pass on
the responsibility to other managers – with senior managers making
presentations to RMC. The internal auditor/risk manager expects it to
take another 2 years to establish risk management in the organisation.
More ‘bottom up’ controls need to be introduced and risk management
needs to be embedded at the cultural level.
An example of how risk could be dealt with in an engineering
consultancy
This organisation is privately owned with 3,500 employees. A review of its
financial performance had revealed that the estimated cost of project
over-runs, non-productive time and contractual penalties incurred was
about 2% of annual turnover. This represented an opportunity loss of
about £3 million per annum against reported profits of about £5 million.
However, the main driver behind risk management was to address the
rapidly increasing cost of professional indemnity insurance. Premiums
had increased to several million pounds and its excess had increased
from £5,000 to £500,000 per annum over the last few years. The
organisation had appointed a risk manager, adopted an offshore ‘captive’
insurer and implemented a management development programme to
improve the skills of all its managers. This had included a substantial
content on risk awareness.
One of the ways in which it was helping its managers to understand risk
was to undertake risk assessments as part of every project bid and to
reflect each risk in pricing. During contract negotiations, each risk could
be discussed between the lead consultant and the client. The value of the
risk could be discussed – in terms of the control devices that could be put
in place by the client to reduce the risk and hence reduce that component
of the project price that reflected the risk.
It was anticipated that this collaboration between consultant and client
would reduce risk and lead to a more profitable outcome for both parties.
Test your understanding 22 – L tinned foods (Case study)
Scenario
L manufactures a range of very high quality tinned foods. The company
was established eight years ago and it has grown steadily by selling to
independent grocers in prosperous areas. Most consumers associate
tinned food with poor quality and are unwilling to pay high prices.
However, the consumers who buy L’s products are willing to pay a
premium for higher quality.
L’s only large customer is H, a major supermarket chain that has a
reputation for selling high-quality produce. L began sales to H just under
a year ago, with H purchasing small quantities of L’s most popular
product in order to assess demand. After a successful period of test
marketing, H started to place larger orders with L. Now H accounts for
20% of L’s sales by volume.
Trigger
L has traditionally had a functional organisational structure. There is a
director in charge of each of sales, production, finance and human
resources. Each director has a team of senior managers who support
their function. The hierarchy for organising and supervising staff is
generally based on this functional structure. The only exception arose on
the appointment of Peter, who is the Account Manager in charge of L’s
dealings with H. H insisted on the appointment of a designated account
manager as a condition of placing regular, large orders with the company.
Peter is the designated point of contact on all matters between L and H.
Peter’s job description states that he is responsible for all decisions,
including pricing, relating to L’s relationship with H and that he is
expected to base all such decisions on the promotion of L’s commercial
interests.
There have been a number of complaints from L’s managers since
Peter’s appointment. These include several occasions when staff have
received contradictory instructions. For example, Peter has ordered the
production department to give priority to H’s requests for large deliveries,
even though that has led to regular orders to other customers being
delayed. Peter has also told the staff in the credit control department not
to press H for payment even though the company had several overdue
invoices.
L’s Sales Director believes that the company could sell even greater
quantities to H and that other large supermarket chains will start placing
orders in the near future once H has demonstrated that there is a
demand for high quality tinned food. She has warned L’s Chief Executive
that additional account managers will have to be employed in the event
that L starts to supply further supermarket chains.
Task
Write a report to the Board of L which:
(a) Evaluates the potential risks that might arise from L’s appointment
of an account manager to deal with H’s business; and
(b) Recommends, stating reasons, the changes that L’s board should
introduce in order to minimise the threats arising from having an
autonomous account manager.
(40 minutes)
Test your understanding 23 – Dental practice (Case study)
Scenario
D is a dental practice that was established eight years ago. The practice
was founded by six dentists, each of whom has an equal share.
Trigger
The six dentists have decided that they should undertake a formal
evaluation of the risks affecting their business. To that end, they have
engaged a consultant to act as a facilitator.
The facilitator began with a brainstorming session. The dentists were
provided with a flipchart and they were asked to list as many risks as they
could think of. Then the risks were transferred to a risk map based on the
TARA framework. A simplified version of the risk map is shown below:
                                  Impact/consequences
                                  Low                            High
Probability/      High            Reduce                         Avoid
likelihood                        Negligence claims arising      Cross infection
                                  from failed dental implants
                  Low             Accept                         Transfer/share
                                  Spiral staircase               Unknown allergies

All six dentists agreed that each of these risks is worth classifying, but
there was considerable debate as to where each should appear on the
risk map. The facilitator has used the opinion of the dentist who identified
the risk as a starting point and has asked for some discussion as to how
best to classify each.
Dental implants
Dental implants are false teeth that are rooted in the patient’s jaw using
titanium screws. Fitting an implant is a very time-consuming and
expensive procedure that costs the patient in excess of GBP 2,000. The
patient’s bone structure usually accepts the implant and fuses with it to
form a very strong bond. In 3-5% of cases the implant causes an adverse
reaction and has to be removed. The practice warns patients of this
possibility and does not offer any refund in this event because the failure
is beyond the dentist’s control. Some patients who suffer an adverse
reaction do seek compensation despite these warnings, alleging
negligence on the part of the dentist.
Cross infection
Cross infection can occur when patients pass infections on to the dental
staff (and vice versa) or when dental instruments transmit infections
between patients. Apart from the need to work in close proximity to the
patient, dental procedures always involve contact with the patient’s saliva
and can sometimes involve contact with blood if a tooth is extracted or
the patient’s gums bleed.
Spiral staircase
The dental surgery is located one floor up from street level. Patients enter
via a narrow hallway and climb to the reception using a narrow spiral
staircase. The building cannot be remodelled to accept a lift or a more
suitable staircase.
Unknown allergies
The dentists are often required to prescribe antibiotics and other drugs in
order to treat gum infections. These can cause severe allergic reactions
that are impossible to foresee unless the patient has been prescribed that
drug in the past and has notified the practice of this allergy.
Task
(a) Discuss the benefits that the dental practice may obtain from the
risk mapping exercise described above.
(b) Critically evaluate the placing of each of the identified risks in the
risk map, stating with reasons whether or not you agree with the
placement.
(30 minutes)
Test your understanding 24 – B bank (Case study)
Scenario
The B Bank is a large international bank. It employs 6,000 staff in 250
branches and has approximately 500,000 borrowers and over 1,500,000
savers. The bank, which was founded in 1856, has an excellent
reputation for good customer service. The bank’s share price has
increased, on average, by 12% in each of the last 10 years.
Trigger
There has been much adverse media coverage in many countries,
including B Bank’s home country, about the alleged excessive bonuses
received by the directors of banks. A meeting of central bank governors
from many nations failed to reach agreement on how to limit the size of
directors’ bonuses. The governor of the central bank in B Bank’s home
country is particularly concerned about this issue, and consequently put
forward the following proposal:
“Directors of banks will be asked to pay a fee to the bank for the privilege
of being a director. This fee will be set by the remuneration committee of
each bank. Directors will be paid a bonus based solely on appropriate
profit and growth indicators. The more the bank succeeds, the higher will
be the bonus. This proposal directly links performance of the bank to
directors’ pay. I see this as a more realistic option than simply limiting
salaries or bonuses by statute as proposed at the recent central bank
governors’ conference.”
B Bank board and strategy
The constitution of the board of B Bank is in accordance with the
internationally agreed code of corporate governance.
Overall board strategy has been to set targets based on previous
(profitable) experience, with increased emphasis on those areas where
higher potential profits can be made such as mortgage lending (this is
discussed below). The bank’s executive information systems are able to
compute relative product profitability, which supports this strategy. This
strategy generated substantial profits in recent years. The last major
strategy review took place four years ago. Non-executive directors do not
normally query the decisions of the executive directors.
In recent years, the profile of the major shareholders of the bank has
moved. Traditionally the major shareholders were pension funds and
other longer term investors but now these are overshadowed by hedge
funds seeking to improve their short-term financial returns.
One of the major sources of revenue for the bank is interest obtained on
lending money against securities such as houses (termed a “mortgage” in
many countries) with repayments being due over periods varying
between 15 and 25 years. Partly as a result of intense competition in the
mortgage market, the values of the mortgages advanced by B Bank
regularly exceed the value of the properties. For example, B Bank has
made advances of up to 125% of a property’s value. Internal reports to
the board estimate that property prices will reverse recent trends and will
rise by 7% per annum for at least the next 10 years, with general and
wage inflation at 2%. B Bank intends to continue to obtain finance to
support new mortgages with loans from the short-term money-markets.
Task
Write a report to the Board:
(a) Evaluating the proposal made by the governor of the central bank;
and
(b) Evaluating the risk management strategy in B Bank (except for
consideration of directors’ remuneration). Your evaluation should
include recommendations for changes that will lower the bank’s
exposure to risk.
(45 minutes)

Test your understanding 25 – W consumer (Case study)

Scenario
W is a leading manufacturer of consumer electronics devices. The
company has a significant share of the markets for mobile phone and
personal music players (“mp3 players”). W’s main areas of expertise are
in design and marketing. The company has a reputation for developing
innovative products that set the trend for the market as a whole. New
product launches attract a great deal of press interest and consequently
W spends very little on advertising. Most of its promotional budget is
spent on maintaining contact with leading technology journalists and
editors.
Manufacturing and supply
W does not have a significant manufacturing capacity. New products are
designed at the company’s research laboratory, which has a small factory
unit that can manufacture prototypes in sufficient quantity to produce
demonstration models for test and publicity purposes. When a product’s
design has been finalised W pays a number of independent factories to
manufacture parts and to assemble products, although W retains control
of the manufacturing process.
W purchases parts from a large number of suppliers but some parts are
highly specialised and can only be produced by a small number of
companies. Other parts are standard components that can be ordered
from a large number of sources. W chooses suppliers on the basis of
price and reliability.
All assembly work is undertaken by independent companies. Assembly
work is not particularly skilled, but it is time consuming and so labour can
cost almost as much as parts.
W has a large procurement department that organises the
manufacturing process. A typical cycle for the manufacture of a
batch of products is as follows:
 W’s procurement department orders the necessary parts from parts
suppliers and schedules assembly work in the electronics factories.
 The parts are ordered by W but are delivered to the factories where
the assembly will take place.
 The finished goods are delivered directly to the customer.
This is a complicated process because each of W’s products has at least
100 components and these can be purchased from several different
countries.

Supplier communications
W insists on communicating with its suppliers via electronic data
interchange (EDI) for placing orders and also for accounting processes
such as invoicing and making payment. This is necessary because of the
degree of coordination required for some transactions. For example, W
may have to order parts from one supplier that are then delivered to
another supplier to carry out some assembly work. Both suppliers have to
be given clear and realistic deadlines so that the resulting assemblies are
delivered on time to enable W to meet its own deadlines.
Trigger
W recently launched a new range of mp3 players. The launch of the first
batches of players attracted a great deal of adverse publicity:
The supplier which produces the unique memory chips used in the mp3
player was unable to meet the delivery deadlines and that delayed the
launch. The supplier owns the patent for the design of these memory
chips.
Supplies of the memory chip are now available. The assembly factories
have been asked to increase their rates of production to shorten the
timescale now that the memory chips have become available.
Task
Write a report to W's finance director:
(a) Evaluating THREE operational risks associated with the
manufacture of W’s products including an explanation of how each
of these risks could be managed; and
(b) Evaluating the risks associated with the use of EDI for managing
W’s ordering and accounting processes.
(45 minutes)

Test your understanding 26 – SPM (Case study)

Scenario
SPM is a manufacturer and distributor of printed stationery products that
are sold in a wide variety of retail stores around the country. There are
two divisions: Manufacturing and Distribution. A very large inventory is
held in the distribution warehouse to cope with orders from retailers who
expect delivery within 48 hours of placing an order.
SPM’s management accountant for the Manufacturing division charges
the Distribution division for all goods transferred at the standard cost of
manufacture, which is agreed by each division during the annual budget
cycle. The Manufacturing division makes a 10% profit on the cost of
production but absorbs all production variances. The goods transferred to
Distribution are therefore at a known cost and physically checked by both
the Manufacturing and the Distribution division staff at the time of
transfer.

Trigger
The customer order process for SPM’s Distribution division is as follows:
 SPM’s customer service centre receives orders by telephone, post,
fax, email and through a new on-line Internet ordering facility (a
similar system to that used by Amazon). The customer service
centre checks the creditworthiness of customers and bundles up
orders several times each day to go to the despatch department.
 All orders received by the despatch department are input to SPM’s
computer system which checks stock availability and produces an
invoice for the goods.
 Internet orders have been credit checked automatically and stock
has been reserved as part of the order entry process carried out by
the customer. Internet orders automatically result in an invoice being
printed without additional input.
 The despatch department uses a copy of the invoice to select goods
from the warehouse, which are then assembled in the loading dock
for delivery using SPM’s own fleet of delivery vehicles.
 When SPM’s drivers deliver the goods to the customer, the
customer signs for the receipt and the signed copy of the invoice is
returned to the despatch office and then to the accounts
department.
 SPM’s management accountant for the Distribution division
produces monthly management reports based on the selling price of
the goods less the standard cost of manufacture. The standard cost
of manufacture is deducted from the inventory control total which is
increased by the value of inventory transferred from the
manufacturing division. The control total for inventory is compared
with the monthly inventory valuation report and while there are
differences, these are mainly the result of write-offs of damaged or
obsolete stock, which are recorded on journal entry forms by the
despatch department and sent to the accounts department.
Due to the size of inventory held, a physical stocktake is only taken once
per annum by Distribution staff, at the end of the financial year. This has
always revealed some stock losses, although these have been at an
acceptable level. Both internal and external auditors are present during
the stocktake and check selected items of stock with the despatch
department staff. Due to the range of products held in the warehouse, the
auditors rely on the despatch department staff to identify many of the
products held.
Task
(a) Evaluate any weaknesses in the risk management approach taken
by SPM’s Distribution division and how this might affect reported
profitability. (30 minutes)
(b) Recommend internal control improvements that would reduce the
likelihood of risk. (15 minutes)


Test your understanding 27 – ABC (Case study)

Scenario
The operations division of ABC, a listed company, has responsibility to
maintain and support the sophisticated computer systems used for call
centres and customer database management. These are relied on by the
organisation’s retail customers as many of their sales are dependent on
access to these systems, which are accessed over the Internet.
Although there is no risk management department, ABC has a large
number of staff in the operations division devoted to disaster recovery.
Contingency plans are in operation and data are backed up regularly and
stored off-site. However, pressures for short-term profits and cash flow
have meant that there has been a continuing under-investment in capital
equipment.

Trigger
A review of disaster recovery found that although data were backed up
there was a real risk that a severe catastrophe such as fire or flood would
have wiped out computer hardware and although data back-up was off-
site, there was no proven hardware facility the company could use. While
managers have relied on consequential loss insurance, they appear to
have overlooked the need to carry out actions themselves to avoid or
mitigate any possible loss.
Task
Write a report to the Board:
(a) Advising on the main business issue for ABC and the most
significant risks that ABC faces; (10 minutes)
(b) Advising them on their responsibilities for risk management and
recommending a risk management system for ABC that would more
effectively manage the risks of losing business continuity.
(30 minutes)
(c) Evaluating the likely benefits for ABC of an effective risk
management system for business continuity. (5 minutes)

10 The exam
The models and frameworks detailed in this chapter are a starting point for the
exam; however, candidates need to be able to use their common sense in order
to relate this material to exam questions in both the P3 objective test and the
strategic case study exam.

11 Chapter summary

Test your understanding answers

Test your understanding 1


The correct answer is B – By definition.

Test your understanding 2


A, B and E
COSO considers a WIDE range of risks, and is the responsibility of
EVERYONE.

Test your understanding 3


D
The management are working on their risk response, which is included in
the performance component.

Test your understanding 4


The correct answer is B – A risk map assesses an organisation’s risks on
the basis of likelihood and consequence.
Risk culture is the set of shared attitudes, values and practices that
characterise how an entity considers risk in its day-to-day activities.
Risk thermostat is the notion that everyone has a propensity to take risks.
This varies by person and is influenced by potential rewards and any
previous ‘accidents’.

Test your understanding 5


The correct answers are A, B and C – The total cost of a control is not
normally detailed on the risk register.

Test your understanding 6 – Volatility (Integration)

The expected value of purchases is:

£200,000 × 0.3 = £60,000
£250,000 × 0.5 = £125,000
£300,000 × 0.2 = £60,000
Expected value = £245,000

The volatility therefore is:
Downside (£300,000 – £245,000) £55,000
Upside (£245,000 – £200,000) £45,000
The volatility is the possible amount away from the expected value.

Test your understanding 7


The value of $10 million today is £6 million ($10m/$1.6667) with a daily
standard deviation of £30,000 (0.5% × £6 million).
The one-tail 95% confidence level is 1.645.
Hence the 10-day 95% VaR is 1.645 × £30,000 × √10 ≈ £156,058.

Test your understanding 8 – Value at risk (Integration)


At the 95% confidence level the value at risk = 1.645 × $4.85 million ≈ $8 million
(1.645 is the normal distribution value for a one-tailed 5% probability level
– this can be taken from the normal distribution tables).
As the mean and standard deviation are given for the 2 week period, and not as
daily figures, there is no need for the √n day VaR adjustment.
There is thus a 5% probability that the portfolio value will fall to $42
million or below.
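The three calculations above (expected value and volatility in TYU 6, the √n-day VaR scaling in TYU 7 and the single-period VaR in TYU 8) share the same mechanics. The Python example below is added here for illustration and is not part of the textbook: it reproduces those figures from the same inputs, takes the one-tailed z value from the normal distribution rather than from printed tables, and lets the textbook's rounded z of 1.645 be passed in explicitly so the printed answers can be matched. The £6 million sterling value and the $50 million portfolio used to check the "falls to $42 million" statement are the chapter's rounded figures and an assumption respectively.

```python
from math import sqrt
from statistics import NormalDist

# Constructed input: the purchases distribution from the TYU 6 answer,
# as (value in pounds, probability) pairs.
PURCHASE_OUTCOMES = [(200_000, 0.3), (250_000, 0.5), (300_000, 0.2)]


def expected_value(outcomes):
    """Probability-weighted mean of (value, probability) pairs."""
    total_p = sum(p for _, p in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(v * p for v, p in outcomes)


def volatility(outcomes):
    """How far the worst and best outcomes sit from the expected value.
    For a cost such as purchases the downside is the top of the range."""
    ev = expected_value(outcomes)
    values = [v for v, _ in outcomes]
    return {"expected": ev, "downside": max(values) - ev, "upside": ev - min(values)}


def z_for_confidence(confidence):
    """One-tailed normal quantile, e.g. 0.95 -> 1.645 as read from the tables."""
    return NormalDist().inv_cdf(confidence)


def value_at_risk(std_dev, confidence=0.95, holding_days=1, z=None):
    """VaR = z x sigma x sqrt(n). Pass the daily sigma with holding_days = n
    to scale it; when sigma already covers the whole period (as in TYU 8)
    leave holding_days at 1 so no sqrt(n) scaling is applied. z overrides
    the computed quantile so the textbook's rounded 1.645 can be used."""
    if z is None:
        z = z_for_confidence(confidence)
    return z * std_dev * sqrt(holding_days)


def position_var_gbp(usd_value, usd_per_gbp, daily_sd_pct, holding_days,
                     confidence=0.95, z=None):
    """TYU 7 end to end: translate the dollar position into sterling, take the
    daily standard deviation as a percentage of it, scale to the holding period."""
    gbp_value = usd_value / usd_per_gbp
    daily_sd = gbp_value * daily_sd_pct
    return value_at_risk(daily_sd, confidence, holding_days, z)


def worst_case_value(portfolio_value, var):
    """Value the portfolio falls to (or below) with probability 1 - confidence."""
    return portfolio_value - var


if __name__ == "__main__":
    print(volatility(PURCHASE_OUTCOMES))
    print(round(value_at_risk(30_000, holding_days=10, z=1.645)))  # TYU 7, pounds
    print(round(value_at_risk(4.85, z=1.645), 2))                   # TYU 8, $ million
```

Note that the exact exchange-rate route (dividing $10 million by 1.6667) gives a sterling value a few pounds short of £6 million, so the VaR it produces differs from the printed £156,058 by about £3; the textbook rounds the position first.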

Test your understanding 9 – Restaurant (Integration)

For a restaurant (probability/likelihood down the side, impact/consequences
across the top):

High probability, low impact: a staff member is taken ill and cannot work
High probability, high impact: head chef resigns
Low probability, low impact: spiral staircase (accept)
Low probability, high impact: ingredient prices; several customers suffer
from food poisoning

Each suggestion could arguably be in a different quadrant, depending on
the restaurant. These are just suggestions.
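The quadrant a risk lands in drives the response: low-probability/low-impact risks are accepted, low-probability/high-impact risks are usually transferred (TYU 16), and high-probability/high-impact risks are avoided when they cannot be reduced (TYU 20). The Python example below is added here and is not part of the textbook. It scores likelihood and impact on a constructed 1 to 5 scale, applies controls to move from gross to net risk (the distinction drawn in the TYU 23 answer on cross infection later in this chapter), places each risk on the 2×2 map and suggests the accept/reduce/transfer/avoid response. The risks, scores and control effects are illustrative assumptions, not figures from the chapter.

```python
from dataclasses import dataclass, field

# Quadrant -> response. Keys are (likelihood half, impact half) of the 2x2 map.
RESPONSE_BY_QUADRANT = {
    ("low", "low"): "accept",
    ("high", "low"): "reduce",
    ("low", "high"): "transfer",
    ("high", "high"): "avoid",
}
# Assumed scale: 1 (remote / trivial) to 5 (near certain / severe); 3+ is "high".
HIGH_THRESHOLD = 3


@dataclass
class Control:
    description: str
    likelihood_reduction: int = 0  # points removed from the gross likelihood score
    impact_reduction: int = 0      # points removed from the gross impact score


@dataclass
class Risk:
    name: str
    likelihood: int  # gross score, before any controls
    impact: int      # gross score, before any controls
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: score {score} outside 1..5")

    def gross(self):
        return self.likelihood, self.impact

    def net(self):
        """Residual scores after controls. A control can lower a score but
        never below 1: controls reduce a risk, they do not eliminate it."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(like, 1), max(imp, 1)


def quadrant(score):
    """Collapse a (likelihood, impact) score pair onto the 2x2 risk map."""
    like, imp = score
    return ("high" if like >= HIGH_THRESHOLD else "low",
            "high" if imp >= HIGH_THRESHOLD else "low")


def response(score):
    return RESPONSE_BY_QUADRANT[quadrant(score)]


def risk_register(risks):
    """One row per risk, sorted by net exposure (likelihood x impact), worst first."""
    rows = []
    for r in risks:
        gross, net = r.gross(), r.net()
        rows.append({
            "risk": r.name,
            "gross": gross, "gross_response": response(gross),
            "net": net, "net_response": response(net),
            "exposure": net[0] * net[1],
        })
    return sorted(rows, key=lambda row: row["exposure"], reverse=True)


# Constructed register: dental-practice and restaurant risks from this chapter,
# with illustrative scores and control effects (assumptions, not from the text).
SAMPLE_RISKS = [
    Risk("Cross infection", likelihood=5, impact=5, controls=[
        Control("Disposable gloves changed between patients, face masks",
                likelihood_reduction=3),
    ]),
    Risk("Implant failure claim", likelihood=4, impact=1),
    Risk("Spiral staircase access complaint", likelihood=2, impact=1),
    Risk("Customers suffer food poisoning", likelihood=1, impact=5),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['risk']:<36} gross {row['gross']} -> {row['gross_response']:<8} "
              f"net {row['net']} -> {row['net_response']:<8} exposure {row['exposure']}")
```

Gross cross infection sits in the avoid quadrant; once hygiene controls pull the likelihood down it becomes a low-probability/high-impact risk, which is where insurance (transfer) belongs. The register sorts on net exposure so that the discussion the TYU 23 answer recommends starts from the residual risks, not the gross ones.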

Test your understanding 10


The correct answer is B – Low-level staff frequently change jobs in order
to progress. The severity is low as they are unlikely to be well-
trained/highly skilled and could be replaced fairly quickly and easily.

Test your understanding 11


The correct answers are A and C – The axes are likelihood/probability
and impact/severity/consequences.

Test your understanding 12

C, D and E
 Option A – managers may not agree on the key risks facing HH.
The risk map will force them to discuss risks but not to reach a
consensus.
 Option B – the legal disputes are ongoing and a new risk map is
unlikely to help with historical cases.
 Options C, D and E are benefits.

Test your understanding 13


The correct answer is C – Portfolio theory seeks to diversify the
company’s activities which can reduce risk (by not putting all your eggs in
one basket).

Test your understanding 14 – Diversification (Integration)


Arguments for and against diversification:
For
 Reduces risks and enables company to give more predictable return
to investors.
 Attracts investors who want low risk investments.
Against
 Management may not understand all the businesses that the
company operates in – increases the risk.
 It is not necessary to diversify for investors – they can diversify
themselves by investing in a number of different companies.
 New business areas can attract risks – for instance going into a new
country may increase the risk of not understanding a company
culture.

Test your understanding 15


The correct answer is C – The likelihood of this event would hopefully be
low as several controls preventing this should be in place. Staff would
refuse to work otherwise. The consequence of such an event would be
high as it would likely lead to an investigation, legal proceedings,
compensation and reputational risk.

Test your understanding 16


The correct answer is C – Low frequency/high severity risks are often
transferred, by using insurance for example.

Test your understanding 17


A and B only
 Option A: Is appropriate since the population of Country X are not
familiar with fast food.
 Option B: Often organisations need to adapt their standardised
products because of cultural differences.
 Option C: Significant investment is likely to have already occurred in
Country X and simply pulling out before embarking on other risk
response plans is unlikely to be appropriate at this point. In addition,
the entire strategy of P Company is based around geographical
expansion. It will be more difficult in some countries to establish the
brand.
 Option D: The poor performance of restaurants in Country P is
unlikely to be J’s fault; rather, it is due to rolling out standardised
products in culturally diverse locations. In fact, since J has now built
up some experience in Country X, he should be retained to continue
expansion.
 Option E: The global brand of P Company is based on uniformity
and although small tweaks to this make sense to enable the
restaurants to ‘fit’ with the local culture, the brand needs to be
consistent with values applied globally.

Test your understanding 18 – Twinkletoes (Case study)

To: The Finance Director
From: The Management Accountant
Date: Today
Subject: Risk management at Twinkletoes
Dear Finance Director,
Please find attached my classification of risks for receivables and a
recommendation for internal controls.
(a) Classification of risks for receivables
(i) Small retail shoe shops
Despite the fact that individual accounts in this category have
small balances, the category as a whole is significant to
Twinkletoes because of the total amounts owed (one-third of
total receivables), the rising level of irrecoverable debts and
the adverse effect of slow payers on cash flow. It is likely that
most of these accounts individually are low risk because
customers pay promptly and the amounts are small. Accounts
that are significantly overdue may be classified as medium
risk, but probably only if they are substantial accounts,
because all entities must expect to experience a small number
of small irrecoverable debts. If, however, a large number of
accounts are significantly overdue, they may be classified as
high risk.

(ii) Large retail shoe shops


Some of these accounts are large and overdue and may
therefore be classified as medium or high risk. However, as
the total value of such accounts is around 22% of total
receivables and the total value of the overdue accounts may
be small in relation to total receivables, the classification
should probably only be medium risk. The classification for
accounts that are not overdue may be low risk.
Overseas accounts
Whilst these might at first appear to be at
risk because the accounts are being lost, they represent a
small proportion of accounts by both number and value
(customers currently pay in advance). This means that they
may be viewed as low risk.
(iii) Chains of shoe shops
As with the large shoe shops, large and overdue accounts
might be classified as medium or high risk. However, 'high
street' chains of well-established shops are less likely to
become insolvent than less well-established entities and
therefore represent a lower risk. This means that the
classification may be low risk, even for accounts that are large
and overdue.
(iv) Mail order companies
New accounts generally represent an increased risk of
irrecoverable debts and a large number of new accounts
increases this risk. However, there is no history of
irrecoverable debts in this category at all so the new accounts
may therefore be classified as medium risk. Existing accounts
within this category may be classified as low risk because
there is no history of irrecoverable debts.
(b) Internal controls
(i) All customers
I would recommend that:
– credit checks be performed when new customers seek
credit, and that cash in advance or on delivery is required
where large orders are placed by new customers;
– credit limits be set for all customers based on the length
of the relationship with the customer, the volume of sales
and their payment history;
– payment terms be set (say, 30 days for local customers,
45 days for overseas customers);
– insurance be taken out against the risk of irrecoverable
debts.
These controls will help ensure that accounts do not become
overdue, damaging the company's cash flow and increasing
the risk of irrecoverable debts.

(ii) Slow paying customers


I would recommend that:
– dedicated staff are assigned to chase slow payers
regularly for outstanding amounts and to ensure that a
'stop' is put on accounts that are significantly overdue;
– legal action is taken against those customers owing large
amounts for long periods for which there are no good
reasons.
(iii) Larger accounts – large shops, chains of shops and mail order
companies
I would recommend that:
– dedicated staff are assigned to manage the relationship
with larger customers, particularly the mail order
companies.
(iv) Overseas customers
I would recommend that:
– overseas customers be allowed a credit period of say, 45
days in order to permit the required bank transfers to take
place;
– overseas customers be required to pay in the currency
used by Twinkletoes (except perhaps for large orders
which may be backed by government guarantees) or in a
stable currency which does not fluctuate significantly
against the currency used by Twinkletoes.
If you have any queries, please do not hesitate to ask.
Best wishes
Management Accountant

Test your understanding 19

B, C and D
 Option A – responses to significant risks only.
 Option E – such a review should be carried out at least annually.

Test your understanding 20


B – avoid
It would appear that the gross risk cannot be reduced since the client will
not renegotiate the level of the penalty. The impact then remains high
and as TGDW’s internal controls are already at a high level it is unlikely
that the likelihood can be reduced.
As the likelihood is high it is unlikely that TGDW will be able to get
insurance against this event occurring, so transference is not possible.
Acceptance is unthinkable in this case and there appears to be no further
scope for reduction.
Therefore unless TGDW are an exceptionally risk seeking organisation
they will need to avoid this risk.

Test your understanding 21

A, B and F
 Option A – as they will receive a significant fine, this will increase
the financial pressure on the company.
 Option B – as disposal of waste is their core work, companies may
be reluctant to use them having breached regulations.
 Option F – the issue occurred through employee malfeasance, and
suggests a lack of controls are in place which could mean that fraud
is more likely.
 Options C, D and E – There are no commodities or foreign currencies
involved and economic risk links to how changes in the economy
will affect the business.

Test your understanding 22 – L tinned foods (Case study)

To: The Board of L
From: A.N. Accountant
Date: Today
Subject: Risks and recommendations regarding account managers
Introduction
This report evaluates the potential risks that might arise from L’s
appointment of an account manager to deal with H’s business. It then
goes on to recommend the changes that L’s board should introduce in
order to minimise the threats arising from having an autonomous account
manager.

(a) The risks of appointing an account manager


L has effectively introduced a matrix management structure with
respect to its dealings with H. This has the potential for a number of
upside risks. In particular, it means that H’s interests will be kept
under constant review by a designated manager. Thus, there is less
risk that H’s business will be lost because of an oversight or a
breakdown in communications. If any of the decision makers at H
require anything then they know to contact Peter and he will then be
responsible for dealing with their request.
There are a number of downside risks arising from this
arrangement. The most obvious of these is that there may be a
conflict between Peter’s role as an account manager and the roles
of the other functional managers within L. H is an important
customer, but it accounts for only 20% of sales by volume and so it
could be argued that the smaller customers are, collectively, far
more important than H. Presumably, H is capable of negotiating
significant trade discounts and so the additional volume of business
is unlikely to be particularly profitable.
Peter’s role may be important, but there is a danger that it will lead
to dysfunctional behaviour on his part. He will be motivated to retain
H’s business because that is the whole point of his employment. H
will be aware of that and may start to pressure him into granting
further discounts, extensions of credit and other concessions.
Peter has already disrupted transactions involving existing
customers with whom L has an established relationship. The most
immediate threat is that those customers may cease trade with L. It
is also possible that such behaviour will lead to conflict between
Peter and the functional managers, which will waste time. The
functional managers may also become demotivated if their efforts
are thwarted by Peter.
Junior staff will also be confused by contradictory instructions. If
they are unsure whether to obey Peter or their usual functional
managers then they may delay acting in order to seek clarification.
Once they start to question instructions from their superiors then the
overall control environment may be undermined.
(b) Recommendations for change to reduce the threat of
autonomous account managers
Firstly, there has to be clear communication between the account
manager and the functional managers. It should be made clear that
any conflict should be discussed and, if possible, resolved by
compromise. If, for example, H wishes to place a large and urgent
order then it may be possible to ask the production manager to
increase output so that all potential sales can be made without
disappointing existing customers. That will reduce the threat of
disagreement between the account manager and the functional
managers.

It should be made clear that any conflict that cannot be resolved by
compromise should be dealt with in a manner that is in L’s overall best
interests. It should be made clear that any dysfunctional behaviour will be
regarded as a disciplinary matter. That will reduce the threat that the
account manager will be tempted to act in H’s best interests rather than
L’s.
Subordinate staff should be free to state that any instruction contradicts
policy or a previous request. It should then be the functional or account
manager’s responsibility to seek a compromise so that subordinate staff
have an agreed instruction. That will avoid the stress and confusion that
will arise for junior staff if they are caught between competing managers.
Ideally, the account manager should have been appointed from within L
and it should be made clear that the appointee’s continued employment
is not conditional on retaining H as a customer. An internal appointee will,
hopefully, have a more immediate loyalty to L than to H. The assurance
of continuing employment will reduce the extent to which H might
pressure the account manager.
There should be a clear policy for resolving conflicts between managers.
It may be that the appropriate functional manager should make the final
decision, on the basis that the business from H is worth only 20% of the
company’s sales by volume, and those may be subject to a substantial
discount because H is the company’s largest customer. That should lead
to a consistent response to any conflicts between managers.
Conclusion
There are several risks arising from the appointment of an account
manager, however, these risks can be reduced by improving
communication, having a clear policy for conflict resolution and
implementing disciplinary action if necessary.

Test your understanding 23 – Dental practice (Case study)


(a) The risk-mapping exercise is not an objective process and so the
resulting diagram is not an objective or “correct” representation of
the risks faced by the practice. The dentists should not risk relying
too heavily on the map itself to determine their overall risk-
management strategies.
The main benefit to be had from this exercise is that the dentists will
have the opportunity to discuss the risks facing the practice.
This communication will mean that each of the dentists is made
aware of the threats that have been identified by each of the others.
That should mean that each of them will have a more
comprehensive understanding of the risks faced by the practice as a
whole.

The discussion will also ensure that there is an opportunity to
address colleagues’ understanding of identified risks. It may be that
some dentists are devoting too much time and effort to managing
trivial risks. Conversely, potentially serious risks could be
misunderstood and overlooked. The discussion will enable the
dentists to reach some agreement as to the most appropriate
response to each risk. A consensus opinion is more likely to be
balanced and logical than any individual view.
The fact that the risks have been identified and discussed can be
recorded for future reference. In the event that the practice is ever
accused of negligence then the fact that a risk was discussed and a
response put in place may enable the dentists to argue that they
acted with reasonable skill and care. That, of course, implies that an
appropriate response has been put in place for any identified risks.
Dental implants
It is logical to state that the probability of occurrence is high if this is
a relatively common procedure. Presumably the failures are caused
by random factors that are out of the dentist’s control, such as the
patient’s overall health or dental hygiene and so the laws of
probability will mean that failures will occur from time to time.
It is natural for a patient who has spent a significant amount of
money on a procedure to be aggrieved if that procedure fails and so
the practice may be accused of malpractice. Patients may discount
the risk of failure when agreeing to the implant because the
probability seems reasonably remote when looking ahead and
making plans.
The impact of a claim will be low because it is a known risk that the
patient has agreed to accept. It will be both difficult and expensive
for a patient to pursue any formal claim for a refund or a repeat
procedure.
Cross infection
It is important to be clear about whether the likelihood is expressed
in terms of gross risk or net. Every dental procedure puts the dental
staff in close proximity to the patient and will involve contact with
body fluids. The gross risks are, therefore, high. The net risks of
cross infection can, however, be minimised through good hygiene,
such as the dentist and the nurse wearing disposable gloves that
are changed between patients and also face masks to reduce the
risk of transmitting respiratory infections.
The impact of causing an infection will be high. This is a preventable
problem and so there is a risk that any failure will constitute medical
malpractice. In the event that a patient complains to the health
authorities or the dentists’ professional body there could be a
significant penalty. There could also be a serious threat of adverse
publicity, with patients choosing to use another dental practice.

Spiral staircase
The staircase could prevent disabled or infirm patients from
obtaining access to the practice. It may be that a potential patient
will choose to make this a matter of principle and complain that the
practice has not made adequate provision for the disabled. Legally,
the practice is not under any obligation to do more than make
reasonable provision for access and there is no practical solution
that could be offered.
It is unlikely that the impact will be significant. The practice is
already well established, so it has already attracted a viable number
of patients who can cope with this access problem. Any complaints
can be addressed by a polite comment to the effect that the practice
is located in a building that cannot accommodate a lift or a
conventional staircase.
Given that there is no viable response to this risk, it really has to be
accepted in almost any case. Dealing with it would require an
extreme and potentially disproportionate response, such as moving
to new premises.
Allergies
The probability that a patient will suffer an allergic reaction is low.
Pharmaceutical products are tested to ensure that they do not
generally cause reactions. Patients will, hopefully, be aware of most
allergies that they suffer from and the dental practice can record
those in patient files.
The impact of an allergic reaction is probably not high for the
practice, despite the fact that it could be a serious matter for the
patient. Provided the dentist has prescribed the antibiotic in good
faith there is very little risk that the practice will be in trouble for
prescribing a relevant drug to treat an infection. The dentist should
always check that the patient’s medical history is up to date in order
to ensure that there is no reason to avoid any particular medication.
Provided that has been done, any reaction will be viewed as an
unfortunate accident rather than medical negligence.

Test your understanding 24 – B bank (Case study)

To: The Board of B Bank
From: A.N. Accountant
Date: Today
Subject: Directors’ bonuses and risk management
Introduction
This report covers an evaluation of the governor’s suggestion and an
evaluation of B Bank’s risk management strategy.
(a) Evaluate the proposal made by the governor
The governor of the central bank in B Bank’s country has suggested
that directors of banks pay a fee, and that the bonuses will be based
on profit and growth indicators.
Directors’ viewpoint
From the viewpoint of the bank’s directors this will not be a welcome
solution. The amount of the fee will be questioned: will it be the
same for all directors? What will the fee be used for? Will it be
returned when a director retires? It is likely that there will be much
unrest and argument before this proposal is accepted.
The remuneration committee is to set the fee. Presumably the
committee should be an independent one consisting of non-
executive directors (NEDs). The NEDs should not be included under
the heading of ‘directors’ and need not pay a fee.
The target of ‘appropriate profit and growth indicators’ is very vague.
What is appropriate to one person, e.g. a director, may not be
appropriate to an investor.
However, the idea of linking profits and bonuses is a better idea
than simply paying out large bonuses with little justification (even
when a bank has made a loss).
The linking of bonuses with profit may, however, encourage the
directors to take excessive risks in order to boost their bonuses.
Staff viewpoint
The staff of B Bank may not be happy with this proposal since there
is no mention of them receiving a bonus. They may fear that all
profits are paid out to the directors when they feel that they have
worked hard.
The directors may not accept this proposal either if they consider
the fact that many external factors out of their control can affect the
bank’s profits. They may work extremely hard and still make a loss
in extreme circumstances due to, say, a fall in the demand for
mortgages.

Central bank’s viewpoint
Finally, the proposal may go against any future decision by the
governors of the central banks in other nations.
However, on the plus side, at least the governor in B Bank’s home
country is trying to alleviate the adverse media coverage by doing
something rather than delaying the issue.
(b) Evaluation of the risk management strategy
In the past a formal strategy for managing risks would not be made
but rather it would be left to individual managers to make
assessments of the risks the business faced and exercise
judgement on what was a reasonable level of risk.
This has now changed: failure to properly identify and control risks
has been identified as a major cause of business failure, e.g. Barings
Bank.
Risk management strategy
CIMA identified the following key features of a risk management
strategy:
• A statement of the organisation’s attitude to risk – the balance
between risk and the need to meet objectives
• The risk appetite of the organisation
• The objectives of the risk management strategy
• The culture of the organisation in relation to risk
• The responsibility of managers for the application of risk
management strategy
• Reference should be made to the risk management systems
the company uses, i.e. its internal control systems
• Performance criteria should be defined so that the
effectiveness of risk management can be evaluated
B Bank meets only a few of these criteria.
B Bank’s risk management strategy
A statement of B Bank’s attitude to risk and risk appetite is not
mentioned in the scenario. However, it can probably be assumed
that they are risk takers as they are able to achieve an increase in
share price of 12% per annum, and attract hedge funds as
investors. From the viewpoint of the investors, B Bank’s risk
management strategy is good.

The culture of B Bank’s managers will probably be one of risk
seeking in order to provide the high returns mentioned. (A risk
averse manager would feel very uncomfortable in these
surroundings.) The staff at B Bank may or may not like the risk
management strategy. If it provides them with high salaries then
they are probably happy. However, these high salaries may only be
short-term if an incorrect decision is made in the future and the bank
hits hard times or goes bust. Then the staff may have been happier
with lower salaries and job security.
Since a risk management strategy is not formally mentioned it is
difficult to say whether managers have been allocated responsibility
for the application of risk management. For the bank to have traded
successfully for over 150 years, some risk management must take
place; however, this should be formalised.
The risk management systems will include the bank’s executive
information system (EIS). It is able to compute product profitability
which supports the targets set on previous profitable experience. On
the plus side, having an EIS is an advantage for B Bank; however, it
is not being used to its full potential. (See recommendations below.)
Also, B Bank has non-executive directors (NEDs) but they are a
poor internal control since they do not question the decisions of the
executive directors.
Performance criteria to assess the effectiveness of the risk
management strategy are not mentioned in the scenario, other than
the targets set on previous experience. It seems that while B Bank
is successful, the targets will just roll forward without any reference
to what is happening in the external environment of B Bank.
Evaluation of the risk management strategy in B Bank is two-fold:
Has the strategy achieved its objectives? This is hard to say since
no formal strategy has been set.
Do the benefits outweigh the costs? Most certainly yes. Since the
setting of the strategy cost nothing (no strategy was set) and large
returns have been achieved, then the benefits have far outweighed
the costs.
Conclusions and recommendations
Overall, the current risk management strategy in B Bank is not good
enough. In order to lower the bank’s exposure to risk the following
recommendations are made:

A major strategy review needs to be performed as soon as possible
since the last one was four years ago and much has changed since
then. The management appear to be adopting an incremental
approach to planning ahead (using previous profitable experiences
as the basis for their targets). The past is not always a good
indicator of the future and this could be a very dangerous
philosophy. B Bank’s directors need to formally identify the bank’s
attitude to risk, set up a risk committee, and communicate their risk
attitude and appetite to its management and investors. They also
need to perform an environmental analysis in order to prepare
themselves for events that may affect them in the future, e.g. a
further fall in house prices.
More effective NEDs need to be appointed who will query the
decisions of the executive directors. They may also be able to
provide further experience and insight into the banking industry and
its environment that the executive directors don’t have, or don’t have
the time to consider.
The property price trend into the future needs to be corroborated
with external information, not just internal reports. B Bank should
obtain independent, external advice on this in case their internal
department is wrong in its prediction.

Currently B Bank is obtaining finance to support new mortgages
with loans from the short-term money-markets. This is a very
dangerous practice should the source of finance dry up. The
principle of ‘matching’ should be adopted whereby long-term assets
(mortgages) are matched with long-term loans (liabilities). This will
secure the finance required for the duration of the mortgage and
avoid ‘renewal risk’.
B Bank may wish to seek new investors. The current investors,
hedge funds, may be driving B Bank down a risky road in order to
provide them with short-term financial returns. B Bank was founded
in 1856 and presumably has the objective of continuing in business
into the future. Taking high risks to provide high returns may prevent
this objective from being met.
Conclusion
There appear to be more negative viewpoints than positive
viewpoints regarding the governor's proposal and B Bank's risk
management strategy could be significantly improved.

Test your understanding 25 – W consumer (Case study)

To: The Finance Director
From: A.N. Accountant
Date: Today
Subject: Evaluation of operational risk and the use of EDI at W
Introduction
This report covers the evaluation of operational risks at W and suggests
management techniques to reduce those risks. It then goes on to
consider the risks in using EDI.
(a) Operational risks
W is dependent upon a small number of third parties for the
manufacture of critical components. If a supplier defaults on a
delivery then W may run out of product to sell. The likelihood of this
is impossible to predict, but it is a risk that is not under W’s direct
control. The best safeguard against such problems would be to
have more than one potential supplier for any given item. W should
make sure that it owns the patents for any components or
processes that it relies on, or that it has a licence in place just in
case it needs to move to an alternative supplier. Penalty clauses will
not mitigate losses in the event of any disruption, but they may
concentrate the attention of its suppliers.

W has no direct control over the quality of its products, which may
lead to customer dissatisfaction. Parts are sourced from many
different suppliers and so it will be difficult for W to ensure that
every component is manufactured to the required tolerances.
Manufacturing staff at the component and assembly factories will
not feel that they are part of W and they may resent the fact that
they do not enjoy the security of working for a large organisation.
The owners and managers of the factories may not feel that there is
a huge incentive to do much more than meet the minimum
standards for quality and delivery because they may be replaced at
the conclusion of their contract. W can control that risk by
introducing quality checks on both components and finished goods.
W could request samples on a random basis and check these
thoroughly. W could also have a policy of rewarding reliable
suppliers by retaining them and giving them as much work as
possible so that they have an incentive to exceed expectations.
The global nature of W’s manufacturing process creates logistical
problems for manufacturing. Manufacturing may be disrupted by
delays in delivery, which could be outside the control of W and its
suppliers. For example, electronic components are frequently
transported by air freight, which can be affected by weather or
industrial action. Goods crossing international borders can be
delayed by customs inspections. One way round this would be to
localise sources as much as possible, with suppliers for minor parts
such as screws and plastic cases chosen for proximity to the
assembly factories even if they are not necessarily the cheapest. W
might use a specialist logistics company to manage the transport of
parts and assemblies so that there is clarity as to who is
responsible for any logistical problems. W might also have a policy
of keeping safety stocks of all but the most expensive parts and
assemblies to cover any disruption.
(b) EDI
EDI is potentially more efficient than more traditional methods of
communication. W has a very complicated manufacturing process
and EDI makes it possible to break the task of ordering and paying
for a batch of completed mp3 players much simpler. In theory, this
system will reduce W’s staffing costs considerably. The system will
place orders and will keep track of inventory as it is received. The
bookkeeping will be done automatically because invoices will be
received, recorded and passed for payment electronically.
The problem with W is that it does not really have a long-term
relationship with all of its suppliers. It is possible that many of the
suppliers it uses will be replaced in the medium or even the short
term if a cheaper source becomes available. For example, a shift in
currencies could make an alternative source of labour for fabrication
tasks cheaper than the present supplier. Potential suppliers might
not be prepared to install the necessary technology and that could
restrict W’s sources.

Another problem is that W might find it difficult to manage the
processing of invoices and payments. A supplier could invoice W for
parts or fabrication work on sub-assemblies that are delivered to
another third party. W will have no way of verifying that the goods
being invoiced were, in fact, delivered in good order and so the
system will not be able to make payment. Suppliers could be
reluctant to accept orders unless they are likely to be paid for
promptly and efficiently.
On a related matter, the lack of human interaction could complicate
the manufacturing process. Suppliers of even small parts could
delay the completion of finished products if their IT systems accept
electronic orders without any consideration of whether the
requested delivery dates are feasible. A manager in the sales office
could review incoming orders and ensure that the necessary
capacity is available.
Conclusions
There are several risks identified in this report and risk management
recommendations made. Although EDI would help W, there are
many issues which need to be resolved first before EDI could be
implemented.

Test your understanding 26 – SPM (Case study)

(a) Risk management is the process by which organisations
systematically identify and treat upside and downside risks across
the portfolio of all activities with the goal of achieving organisational
objectives. Risk management increases the probability of success,
reduces both the probability of failure and the uncertainty of
achieving the organisation’s objectives. The goal of risk
management is to manage, rather than eliminate risk. This is most
effectively done through embedding a risk culture into the
organisation.
For SPM’s Distribution division, there is a risk of stock losses
through theft, largely due to the lack of separation of duties. This
lack of separation occurs because the Distribution Division:
– enters all orders to the computer;
– selects all stock from the warehouse;
– despatches all goods to customers;
– receives the signed paperwork evidencing delivery;
– writes off stock losses due to damage and obsolescence;
– carries out and to a large extent controls the annual physical
stocktake.
This lack of separation of duties could result in stock losses or theft
that are not identified or not recorded, and any stock losses or theft
may be disguised during the stocktake because of the expertise of the
Distribution Division, on which the auditors appear to rely.

These stock losses or theft may not be accurately recorded, and
SPM’s reported profits may be overstated if physical inventory
does not match that shown in the accounting records. Stock of
stationery is easy to dispose of and losses can easily happen due to
error or carelessness, for instance through water damage, dropping
and so on. The possibility of theft of stock which can readily be sold
in retail stores is also high and the consequences of not identifying
stock losses or theft might be severe over a period of time. There is
a risk that inventory records may substantially overstate the physical
stock. There is a serious limitation of accounting here as it relies on
computer records and a stocktake process that may be severely
impaired, and hence there may be hidden losses not reflected in
SPM’s reported financial statements.
Fraud is dishonestly obtaining an advantage, avoiding an obligation
or causing a loss to another party. Those committing fraud may be
managers, employees or third parties, including customers and
suppliers. There are three conditions for fraud to occur: dishonesty,
opportunity and motive. If stock theft is occurring, the weakness in
systems due to the lack of separation of duties provides an
opportunity. Personnel policies and supervision may influence
dishonesty and employment or social conditions among the
workforce may influence motive.
As for all other risks, a risk management strategy needs to be
developed for fraud. This strategy should include fraud prevention;
the identification and detection of fraud and responses to fraud.
Existing risk treatment does not appear to be adequate due to the
lack of separation of duties, the possibility of fraud and the reliance
of internal and external auditors on the Distribution division’s staff.
(b) The main recommendation is for the separation of duties in SPM’s
distribution division. The customer service centre should process all
customer orders, even though this may mean transferring staff from
the despatch department. It may be more effective to use a
document imaging system to reduce paperwork by converting
orders into electronic files that are capable of being read by
computer programs and transferred to the despatch department.
Further separation can be carried out by sending signed paperwork
evidencing delivery to the accounts department and for all write offs
of stock losses due to damage or obsolescence to be carried out by
the accounts department. Finally, the reliance on Distribution staff
for stocktaking needs to be reduced and accountants and internal
auditors need to play a more prominent role in physical counting
and reconciling to computer records.
The second recommendation is for greater emphasis on controls to
prevent dishonesty. These include pre-employment checks, scrutiny
of staff by effective supervision, severe discipline for offenders and
strong moral leadership. Motive can be influenced by providing good
employment conditions and a sympathetic complaints procedure,
while dismissing staff instantly where it is warranted.
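The separation-of-duties weakness in part (a) and the reallocation recommended in part (b) can be checked mechanically: list the duties each role holds, list the pairs of duties that must not sit with one role, and flag every role holding an incompatible pair. The script below is an added illustration, not part of the CIMA answer; the duty names, role names and the incompatible-duty pairs are constructed from the scenario text, and the ‘after’ allocation follows the recommendations in part (b).

```python
"""Separation-of-duties (SoD) conflict check for the SPM scenario.

Added illustration, not part of the CIMA answer. Duty names, the
role-to-duty assignments and the incompatible-duty pairs are constructed
from the scenario; the 'after' assignment follows part (b).
"""
from itertools import combinations

# Duties named in the scenario (constructed identifiers).
ORDER_ENTRY = "enter_orders"
STOCK_SELECTION = "select_stock"
DESPATCH = "despatch_goods"
DELIVERY_EVIDENCE = "receive_delivery_evidence"
WRITE_OFF = "write_off_stock_losses"
STOCKTAKE = "control_stocktake"

# Pairs of duties that should not sit with one role: custody of an asset
# must be separated from authorising, recording and checking it.
INCOMPATIBLE = {
    frozenset({STOCK_SELECTION, WRITE_OFF}),    # custody vs. recording losses
    frozenset({STOCK_SELECTION, STOCKTAKE}),    # custody vs. checking
    frozenset({DESPATCH, DELIVERY_EVIDENCE}),   # custody vs. evidence of completion
    frozenset({ORDER_ENTRY, DESPATCH}),         # authorisation vs. custody
    frozenset({WRITE_OFF, STOCKTAKE}),          # recording vs. checking
}


def sod_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return sorted (role, duty_a, duty_b) triples for every incompatible
    pair of duties that a single role holds."""
    found = []
    for role, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in incompatible:
                found.append((role, a, b))
    return sorted(found)


# 'Before': the Distribution Division holds every duty in the scenario.
BEFORE = {
    "distribution": {ORDER_ENTRY, STOCK_SELECTION, DESPATCH,
                     DELIVERY_EVIDENCE, WRITE_OFF, STOCKTAKE},
    "customer_service": set(),
    "accounts": set(),
    "internal_audit": set(),
}

# 'After': duties reallocated as recommended in part (b).
AFTER = {
    "customer_service": {ORDER_ENTRY},
    "distribution": {STOCK_SELECTION, DESPATCH},
    "accounts": {DELIVERY_EVIDENCE, WRITE_OFF},
    "internal_audit": {STOCKTAKE},
}

if __name__ == "__main__":
    for label, assignment in (("before", BEFORE), ("after", AFTER)):
        conflicts = sod_conflicts(assignment)
        print(f"{label}: {len(conflicts)} conflict(s)")
        for role, a, b in conflicts:
            print(f"  {role} holds both {a} and {b}")
```

Run against the ‘before’ allocation the check reports five conflicts, all against the Distribution Division; the ‘after’ allocation reports none. Distribution still selects and despatches stock (both custody duties), which is acceptable because the evidence of delivery and the write-offs now sit with accounts and the stocktake with internal audit.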

Test your understanding 27 – ABC (Case study)

To: The Board
From: A.N. Accountant
Date: Today
Subject: Risk management
Introduction
This report covers:
(a) The main business issue for ABC and the most significant risks that
ABC faces;
(b) The Board's responsibilities for risk management and
recommending a risk management system for ABC that would more
effectively manage the risks of losing business continuity;
(c) An evaluation of the likely benefits for ABC of an effective risk
management system for business continuity.
Risks
(a) A review of disaster recovery had identified a lack of hardware back-
up as costs had been continually deferred from year to year to
maintain current profits. This has an effect on business continuity for
both ABC and its retail customers. Insurance is only one type of risk
treatment and ABC has overlooked the need to address business
continuity more proactively and comprehensively.
The pressure on short-term profits and cash flow is important to
recognise but the short-term view may lead to medium- and long-
term problems if under-investment continues. This needs to be the
focus of a risk management exercise to properly assess, evaluate,
report and treat the business continuity risk.
Although a severe catastrophe may have a small likelihood of
occurrence, the impact will be severe and insurance cover is
unlikely to be adequate as ABC will not have taken adequate steps
to mitigate the loss. Customer awareness of the risk is likely to
result in customers moving their business elsewhere. Public
disclosure or a severe catastrophe will have a major impact on the
reputation of ABC and on ABC’s share price.

(b) Board responsibilities
The board is responsible for maintaining a sound system of internal
control to safeguard shareholders’ investment and the company’s
assets. When reviewing management reports on internal control, the
board should consider the significant risks and assess how they
have been identified, evaluated and managed; assess the
effectiveness of internal controls in managing the significant risks,
have regard to any significant weaknesses in internal control;
consider whether necessary actions are being taken promptly to
remedy any weaknesses and consider whether the findings indicate
a need for more exhaustive monitoring of the system of internal
control.
Risk management is the process by which organisations
systematically identify and treat upside and downside risks with the
goal of achieving organisational objectives. The goal of risk
management is to manage, rather than eliminate risk. Initially, there
needs to be a commitment from the board and top management in
relation to risk management generally and business continuity in
particular, even if this means a short-term detrimental impact on
profitability. The board of ABC, through the audit committee, needs
to be more involved in the risk management process. Individual
responsibilities for risk management need to be assigned and
sufficient resources need to be allocated to fund effective risk
management for business continuity.
ABC needs to identify its appetite for risk, and a risk management
policy needs to be formulated and agreed by the board. The risk
management process needs to identify and define risk, which needs
to be assessed in terms of both likelihood and impact. For ABC, the
risks have been clearly defined: a loss of business continuity caused
by a major catastrophe and the consequent loss of reputation this
would involve.
The likelihood of fire, flood, terrorist or criminal activity and so on
needs to be assessed, particularly in terms of the risk avoidance
processes that are already in place. For example, ABC needs to
evaluate whether there has been flooding in the area before,
whether water pipes run near the computer facility, whether fire
prevention measures are in place, whether firewalls are in place and
have been tested so as to reduce the likelihood of attack via the
Internet. An assessment of probability of these and other
catastrophes should be made. Although these may be low
probability events, the impact on the business of any such
catastrophe will be severe.

Risk evaluation determines the significance of risks to the
organisation and whether each specific risk should be accepted or
treated. It should be emphasised that these risks cannot be
accepted but do need to be treated. Risk treatment (or risk
response) is the process of selecting and implementing measures to
reduce or limit the risk. The existing contingency plans need to be
examined in detail. While data appear to be backed up regularly and
stored off-site, there seems to be inadequate back-up for hardware.
Risk treatment will involve deciding the most cost-effective method
by which to manage the risk. A preferred solution given the reliance
of ABC’s customers on the system is to have a remote site
equipped with a second system that data can be restored onto.
While this is the most expensive option there may be business
benefits in having two sites. A second solution may be to outsource
the back-up facility so that ABC contracts with a third party to have a
system available if one is needed. A third option is to negotiate with
suppliers as to the availability of other sites and the replacement of
equipment on a short notice basis. Finally, insurance coverage
needs to be reviewed and the mitigation decided in consultation with
ABC’s insurers. The present method of risk management that relies
only on off-site data back-up is inadequate to assure business
continuity.
As business continuity is so important, the board and audit
committee need to be involved in the decision-making process
about risk treatment. There needs to be regular risk management
reporting to assess the control systems in place to reduce risk; the
processes used to identify and respond to risks; the methods used
to manage significant risks and the monitoring and review system
itself. Reporting should take place to business units, senior
management, internal audit, the board and the audit committee.
(c) The benefits of effective risk management
For ABC, the benefits include the maintenance of profitability in the
medium- and longer-term and the avoidance of sudden losses if
business continuity is impeded. The major benefit for ABC in such a
case is the avoidance of profit warnings and major exceptional
items. Additional benefits may include more cost-effective insurance
cover and reduced premium cost. If the recommendations are
adopted, despite the increased costs that will almost necessarily be
incurred, the board of ABC will have a greater degree of assurance
that business continuity will be safeguarded in the event of a
catastrophe, will continue to satisfy its customers and will maintain
its reputation with customers, the public and investors.

Conclusions
The main risk for ABC is the lack of a disaster recovery plan as this
has an effect on business continuity.
The board is responsible for maintaining a sound system of internal
control to safeguard shareholders’ investment and the company’s
assets.
The benefits of effective risk management outweigh the costs.
