Stakeholders Lecture 3-1


Concepts of risk identification and assessment in business operations
LECTURE 3
BBA 3
• Definition: A stakeholder is any individual, group, or party that has an interest in an organization and in the outcomes of its actions.
• Common examples of stakeholders include employees, investors, customers, shareholders, suppliers, communities, and governments. Different stakeholders have different interests, and companies often face trade-offs in trying to satisfy all of them.
• The stakeholders involved in business risk management vary with the organization's structure, industry, and operating environment. The following are the key stakeholders typically involved in business risk management.
Identification of stakeholders involved in business risk
• Board of Directors: The board of directors is responsible for providing oversight and governance of the organization's risk management activities. It establishes risk appetite and tolerance levels, reviews risk management policies and procedures, and monitors the effectiveness of risk mitigation strategies.
• Executive Management: Executive management, including the CEO, CFO, and other C-suite executives, plays a key role in defining the organization's risk management strategy, setting risk management priorities, and allocating resources to address key risks. They are responsible for implementing risk management processes and ensuring that risk considerations are integrated into decision-making across the organization.
• Risk Management Committee: Some organizations have a dedicated risk management committee, or a subcommittee of the board of directors, responsible for overseeing risk management activities. This committee reviews and assesses the organization's risk profile, monitors the implementation of risk management initiatives, and provides guidance on risk-related matters.
• Risk Management Department: The risk management department is responsible for implementing and executing the organization's risk management strategy. This includes identifying, assessing, prioritizing, and mitigating risks across the functional areas of the organization, as well as developing risk policies, procedures, and controls.
• Internal Audit: Internal audit plays a crucial role in evaluating the effectiveness of the organization's internal controls, risk management processes, and governance practices. Internal auditors provide independent and objective assurance to management and the board of directors regarding the adequacy and effectiveness of risk management activities.
• External Auditors: External auditors review the organization's financial statements and internal controls to provide an independent assessment of their accuracy, reliability, and compliance with accounting standards and regulatory requirements. They may also assess the organization's risk management practices as part of their audit procedures.
• Employees: Employees at all levels of the organization are key stakeholders in business risk management. They play a role in identifying and reporting risks, implementing risk controls and procedures, and adhering to risk management policies and guidelines in their day-to-day activities.
• Regulators and Government Agencies: Regulators and government agencies have a vested interest in ensuring that organizations manage risks effectively and comply with applicable laws, regulations, and industry standards. They may conduct inspections, audits, and investigations to assess the organization's risk management practices and enforce regulatory requirements.
• Customers and Suppliers: Customers and suppliers may be affected by the organization's risk management practices, particularly in areas such as product quality, supply chain resilience, and business continuity. They expect the organization to manage risks effectively so that its products and services remain reliable and sustainable.
• Investors and Shareholders: Investors and shareholders are interested in the organization's ability to manage risks effectively in order to protect and enhance shareholder value. They may evaluate the organization's risk management practices as part of their investment decisions and engage with management and the board of directors on risk-related matters.
Ranking/Prioritizing Stakeholders

• Companies often struggle to prioritize stakeholders and their competing interests. Where stakeholders' interests are aligned, the process is easy.
• In many cases, however, they do not have the same interests. For example, if the company is pressured by shareholders to cut costs, it may lay off employees or reduce their wages, which presents a difficult trade-off.
Severity and Probability of risk events

• “Severity” is the impact or damage that would arise if the risk were realized.
• Risk Severity: The extent of the damage to the institution, its people, and its goals and objectives resulting from a risk event occurring.
• “Probability” is the likelihood that the risk event will occur.
• Probability should not be 100 percent: an event that is certain is not a risk, because risks are by definition uncertain events.
The quantified risk (probability combined with severity) falls into one of three zones:
• Low risk that is considered acceptable (green)
• Moderate risk that may or may not be acceptable (yellow)
• High risk that is considered unacceptable (red)
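As an added worked example (not part of the lecture), the script below turns the severity and probability definitions above into a ranked risk register: each risk is given a likelihood band and a severity on 1..5 ordinal scales, their product is the quantified risk, and that product is placed in the green, yellow or red zone. The 1..5 scales, the equal-width likelihood bands, the zone thresholds (5 and 14) and the sample register are assumptions made for this example; the check that probability is strictly below 100 percent follows the lecture's point that a certain event is not a risk.

```python
from dataclasses import dataclass

# Ordinal scales and zone thresholds are assumptions for this example; the lecture
# names only the three colours. 1 = lowest, 5 = highest for likelihood and severity.
SCALE_MIN, SCALE_MAX = 1, 5
GREEN_MAX, YELLOW_MAX = 5, 14   # score <= 5 green, 6..14 yellow, 15..25 red


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood of the event, strictly between 0 and 1
    severity: int       # impact on the 1..5 ordinal scale


def validate(risk: Risk) -> None:
    """Reject inputs the lecture rules out: a certain (or impossible) event is not a risk."""
    if not 0.0 < risk.probability < 1.0:
        raise ValueError(f"{risk.name}: probability must be strictly between 0 and 1")
    if not SCALE_MIN <= risk.severity <= SCALE_MAX:
        raise ValueError(f"{risk.name}: severity must be on the {SCALE_MIN}..{SCALE_MAX} scale")


def likelihood_band(probability: float) -> int:
    """Map a probability to a 1..5 band using equal-width intervals of 0.2 (an assumption)."""
    return min(SCALE_MAX, int(probability * SCALE_MAX) + 1)


def score(risk: Risk) -> int:
    """Quantified risk = likelihood band x severity, the usual risk-matrix product."""
    validate(risk)
    return likelihood_band(risk.probability) * risk.severity


def zone(risk: Risk) -> str:
    """Place the quantified risk in one of the three zones from the lecture."""
    s = score(risk)
    if s <= GREEN_MAX:
        return "green"    # low risk, considered acceptable
    if s <= YELLOW_MAX:
        return "yellow"   # moderate risk, may or may not be acceptable
    return "red"          # high risk, considered unacceptable


def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Rank a risk register highest score first; ties are broken by name for a stable report."""
    ranked = sorted(register, key=lambda r: (-score(r), r.name))
    return [(r.name, score(r), zone(r)) for r in ranked]


# Constructed sample register (not from the lecture).
SAMPLE_REGISTER = [
    Risk("supplier outage", probability=0.40, severity=4),
    Risk("ransomware on ERP system", probability=0.60, severity=5),
    Risk("minor data-entry error", probability=0.80, severity=1),
    Risk("regulatory fine", probability=0.15, severity=4),
]

if __name__ == "__main__":
    for name, s, z in prioritize(SAMPLE_REGISTER):
        print(f"{name:28s} score={s:2d} zone={z}")
```

Running the script ranks the ransomware scenario first (band 4 x severity 5 = 20, red), the supplier outage second (12, yellow), and the two remaining items in the green zone; a register entry with probability 1.0 is rejected rather than scored.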
Framework for board-level consideration of risk

A framework for board-level consideration of risk provides a structured approach for boards of
directors to fulfill their oversight responsibilities regarding risk management. Such a
framework typically includes the following key components:
1. Risk Governance Structure:
Define the roles and responsibilities of the board, board committees, management, and other
stakeholders in the risk management process.
Establish a clear reporting structure for risk-related matters, including regular updates to the
board and its committees on the organization's risk profile, risk management activities, and
emerging risks.
2. Risk Appetite and Tolerance:
Develop a risk appetite statement that articulates the types and levels of risk the organization
is willing to accept in pursuit of its objectives.
Define risk tolerance thresholds for key risk categories to guide decision-making and resource
allocation.
3. Risk Identification and Assessment:
Implement processes for identifying, assessing, and prioritizing risks across the organization.
Ensure that risk assessments consider both internal and external factors, including strategic,
operational, financial, compliance, and reputational risks.
Encourage proactive risk identification through scenario analysis, trend analysis, and horizon
scanning techniques.
4. Risk Monitoring and Reporting:
Establish mechanisms for ongoing monitoring and reporting of risks to the board, board
committees, and senior management.
Define key risk indicators (KRIs) and risk metrics to track changes in risk exposure and
inform decision-making.
Ensure that risk reports provide relevant, accurate, and timely information to support board-
level discussions and decision-making.
5. Risk Response and Mitigation:
Review and approve risk management strategies, policies, and procedures developed by
management to mitigate identified risks.
Evaluate the effectiveness of existing risk controls and corrective actions taken to address
deficiencies or incidents of non-compliance.
Ensure that risk response strategies align with the organization's risk appetite and strategic
objectives.
6. Board Education and Expertise:
Provide ongoing education and training for board members to enhance their understanding of
key risks facing the organization and their oversight role in risk management.
Seek to include individuals with relevant expertise and experience in risk management on the
board or its committees.
7. Continuous Improvement:
Regularly evaluate and enhance the effectiveness of the board's oversight of risk management
through self-assessments, external reviews, and benchmarking against leading practices.
Foster a culture of continuous improvement and learning within the board and the
organization as a whole.
Risk Management Framework

• British Standard BS 31100 describes the risk management framework as a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management processes throughout the organization.
• The foundations include the objectives and a mandate and commitment to managing risk (strategy); the organizational arrangements include plans, relationships, accountabilities, resources, processes and activities (architecture). The risk management framework is embedded within the organization's overall strategic and operational policies and practices (protocols).
COSO ERM framework

The COSO Enterprise Risk Management framework (the 2004 Integrated Framework) has eight interrelated components:
• 1. Internal environment: This encompasses the tone of an organization and sets the basis for how risk is viewed and addressed.
• 2. Objective setting: Objectives must exist before management can identify potential events affecting their achievement.
• 3. Event identification: Internal and external events affecting the achievement of objectives must be identified, distinguishing between risks and opportunities.
• 4. Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
• 5. Risk response: Management selects risk responses: avoiding, accepting, reducing, or sharing the risk.
• 6. Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• 7. Information and communication: Relevant information is identified, captured, and communicated so that people can fulfil their responsibilities.
• 8. Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary.
Risk and Internal Controls

• Internal controls are the processes, procedures, and mechanisms put in place by an organization to ensure the achievement of its objectives, safeguard its assets, maintain the accuracy and reliability of financial reporting, and ensure compliance with laws and regulations.
• Internal controls are a fundamental component of corporate governance and risk management, helping organizations mitigate risks, prevent fraud, and promote operational efficiency. The key aspects of internal controls are set out below.
Objectives of Internal Controls:

• Operational Efficiency: Internal controls help streamline operations and processes, ensuring that resources are used effectively and efficiently to achieve organizational goals.
• Risk Management: Internal controls identify, assess, and mitigate risks that may hinder the achievement of organizational objectives or cause financial loss or reputational damage.
• Financial Reporting: Internal controls ensure the accuracy, completeness, and reliability of the financial information reported by the organization, enhancing transparency and accountability.
• Compliance: Internal controls help ensure compliance with laws, regulations, and internal policies and procedures, reducing the organization's exposure to legal and regulatory sanctions.
Components of Internal Controls

• Internal controls typically consist of five interrelated components, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO):
• 1. Control Environment: The tone set by management regarding the importance of internal control and ethical behavior within the organization.
• 2. Risk Assessment: The process of identifying, analyzing, and managing risks that may affect the achievement of objectives.
• 3. Control Activities: The policies, procedures, and mechanisms implemented to mitigate risks and achieve control objectives.
• 4. Information and Communication: The flow of information within the organization, ensuring that relevant information is communicated effectively to support decision-making and control activities.
• 5. Monitoring: Ongoing monitoring and evaluation of internal controls to ensure they are operating effectively and adapting to changes in the business environment.
Types of Internal Controls:

• 1. Preventive Controls: Measures designed to prevent errors, fraud, or other undesirable events from occurring. Examples include segregation of duties, approval processes, and physical security measures.
• 2. Detective Controls: Measures designed to identify errors, fraud, or other undesirable events after they have occurred. Examples include reconciliations, audits, and exception reports.
• 3. Corrective Controls: Measures designed to address and correct errors, fraud, or other undesirable events identified through detective controls. Examples include corrective actions, process improvements, and disciplinary actions.
Importance of internal control

The primary purpose of internal control activities is to help the organization achieve its objectives. Typically, internal controls:
• safeguard and protect the assets of the organization;
• ensure the keeping of accurate records;
• promote operational effectiveness and efficiency;
• ensure adherence to policies and procedures, including control procedures;
• enhance the reliability of internal and external reporting;
• ensure compliance with laws and regulations;
• safeguard the interests of shareholders and other stakeholders.
Risk Reporting

• Risk reporting means the internal processes of an organization that collect, process and organize diverse information from internal and external sources with the objective of generating summarized overviews of the organization's risk profile, thereby supporting further risk management activities.

The importance of external and internal reporting of risk

• Critical feedback: Risk reporting provides critical feedback to the risk management process and is an important element of strategic planning.
• Performance Comparisons: Comprehensive but targeted risk disclosures help investors to make comparisons between companies and between the actions and behaviors of their management, ‘weighing up their attitude and appetite towards particular areas of risk’.
• Regulatory Compliance: Many jurisdictions require organizations to disclose information about their internal control systems and risk management practices in their external financial reports. Compliance with these requirements helps ensure that organizations adhere to industry standards and best practices, promotes market integrity, and protects investors' interests.
• Transparency and Accountability: External reporting provides stakeholders, such as investors, creditors, regulators, and the public, with transparent and reliable information about an organization's internal control systems and risk management practices. This transparency enhances accountability by allowing stakeholders to assess whether the organization is effectively managing its risks and safeguarding its assets.
• Investor Confidence: Investors rely on external reports to make informed decisions about investing in a company. Clear and comprehensive reporting on internal control and risk can increase investor confidence by demonstrating that the organization has robust systems in place to identify, assess, and mitigate risks. This, in turn, can attract investment and support the organization's financial stability and growth.
• Risk Management: External reporting on internal control and risk serves as a critical tool for monitoring and improving risk management processes within an organization. By regularly evaluating and reporting on the effectiveness of internal controls and risk management strategies, organizations can identify areas for improvement, implement corrective actions, and strengthen their overall risk management framework.
• Enhanced Decision-Making: Accurate and timely information about internal control and risk enables stakeholders, including management, board members, and auditors, to make well-informed decisions. External reporting provides insights into the organization's risk profile, potential vulnerabilities, and areas of strength, enabling stakeholders to allocate resources effectively, prioritize initiatives, and respond proactively to emerging risks.
Best Practices in Risk Reporting

• Clear Communication: Risk reports should be written in clear and easily understandable language, avoiding jargon or technical terms that may confuse stakeholders. Use concise summaries and visual aids such as charts or graphs to present complex information in a digestible format.
• Tailored to Audience: Different stakeholders have varying levels of knowledge of and interest in risk management. Tailor risk reports to the specific needs and preferences of each audience, providing more detailed information for internal stakeholders such as management and board members, and higher-level summaries for external stakeholders such as investors and regulators.
• Timeliness and Frequency: Risk reporting should be timely and regular so that stakeholders receive up-to-date information about emerging risks and changes in the risk landscape. Establish a reporting schedule that aligns with the organization's governance processes and risk management cycles, such as quarterly or annual reports, supplemented by ad-hoc updates as needed.
• Comprehensive Coverage: Risk reports should cover the full range of risks relevant to the organization's objectives, operations, and external environment. Include both strategic risks that may affect long-term performance and operational risks that affect day-to-day activities. Consider a broad spectrum of risk categories, including financial, operational, compliance, strategic, and reputational risks.
• Quantitative and Qualitative Analysis: Balance quantitative data with qualitative insights to provide a holistic view of risks. Use key risk indicators (KRIs), risk metrics, and benchmarks to quantify risks where possible, but also incorporate qualitative assessments of risk likelihood, impact, and interdependencies. Provide contextual explanations and narratives to help stakeholders understand the significance of the data.
• Risk Appetite and Tolerance: Clearly articulate the organization's risk appetite and tolerance thresholds in risk reports. Align risk assessments and reporting with the organization's risk appetite statement to ensure consistency in risk-taking decisions and risk management priorities.
• Actionable Recommendations: Risk reports should not only highlight areas of concern but also provide actionable recommendations for risk mitigation and control. Include insights on risk response strategies, risk treatment options, and potential opportunities for improvement so that stakeholders can take proactive measures to manage risks effectively.
• Independent Review and Validation: Ensure the accuracy and credibility of risk reporting through independent review and validation. Subject risk reports to internal audit reviews, external audits, or peer reviews by risk management experts to verify the integrity of the data, the robustness of the risk assessments, and the effectiveness of risk management practices.
The sources of accurate information for risk management

1. Internal Data and Records:

• Financial Records: Accurate financial data, including balance sheets, income statements, and cash flow statements, provide insights into the organization's financial health and its exposure to risks such as liquidity risk, credit risk, and market risk.
• Operational Data: Data on business operations, such as production metrics, sales figures, inventory levels, and customer feedback, help identify operational risks, supply chain disruptions, and process inefficiencies.
• Incident Reports: Records of past incidents, accidents, near-misses, and compliance violations provide valuable insights into potential risks and vulnerabilities within the organization.
• Internal Controls Documentation: Documentation of internal controls, policies, procedures, and audit findings helps assess the effectiveness of risk management processes and identify areas for improvement.

2. External Data and Information:

• Market Data: External market data, including economic indicators, industry trends, competitor analysis, and market research reports, help organizations understand external factors that may affect their business operations and financial performance.
• Regulatory Updates: Accurate information about changes in laws, regulations, and industry standards enables organizations to ensure compliance and adapt their risk management practices to evolving regulatory requirements.
• Third-Party Reports: Reports from credit rating agencies, industry associations, and regulatory bodies provide valuable insights into industry-specific risks, market dynamics, and emerging trends.
• Vendor and Supplier Information: Information about vendors, suppliers, and business partners, including their financial stability, reputation, and compliance history, helps assess supply chain and vendor-related risks.

3. Expert Analysis and Insights

• Risk Assessments: Expert assessments and analyses conducted by risk management professionals, internal auditors, and external consultants provide valuable insights into potential risks, their likelihood, their potential impact, and appropriate risk mitigation strategies.
• Scenario Planning: Scenario planning exercises and risk modeling techniques help organizations simulate potential future scenarios, assess their implications, and develop contingency plans to manage risks effectively.
The Principle of ALARP in risk assessment

• ALARP stands for "As Low As Reasonably Practicable." It is a principle used in risk management to guide decision-making regarding the control and mitigation of risks. The ALARP principle recognizes that it may not be feasible or practical to eliminate all risks entirely, but it aims to ensure that risks are reduced to the lowest level that is reasonably practicable, taking into account costs, benefits, and feasibility.
• For example, under the ALARP principle, safety and health risks must be reduced to levels as low as reasonably practicable, the point beyond which the cost of any further reduction would be grossly disproportionate to the risk reduction it achieves.
• The principle of ALARP is typically applied in situations where risks cannot be completely eliminated but must be managed to an acceptable level. It involves the following key components:
• Identification of Hazards and Risks: The first step in applying the ALARP principle is to identify potential hazards and assess the associated risks. This involves evaluating the likelihood and consequences of the various scenarios that could lead to harm or loss.
• Evaluation of Risk Control Measures: Once risks are identified, the next step is to evaluate the effectiveness of existing risk control measures or identify additional measures that could be implemented to mitigate the risks. These may include engineering controls, administrative controls, personal protective equipment, or other risk reduction strategies.
• Cost-Benefit Analysis: In determining the appropriate level of risk control, a cost-benefit analysis is often conducted to weigh the costs of implementing risk control measures against the potential benefits in terms of risk reduction. This analysis helps decision-makers determine whether the cost of further risk reduction is justified by the expected reduction in harm or loss.
• Feasibility Considerations: The ALARP principle recognizes that risk control measures must be practical and feasible to implement. Factors such as technical feasibility, resource availability, and logistical constraints are taken into account when determining the most appropriate risk management strategies.
• Continuous Improvement: Risk management is a continuous process, and the ALARP principle emphasizes the importance of ongoing monitoring, review, and improvement of risk control measures. As new information becomes available or circumstances change, organizations should reassess risks and adjust their control measures accordingly.
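An added worked example (not from the lecture) of the cost-benefit step in an ALARP decision. For a harm event with a baseline annual probability and a loss if it occurs, each candidate control is judged on two things: whether its residual probability brings the risk within the tolerable level, and whether its annual cost is grossly disproportionate to the expected loss it avoids. Among the controls that pass both tests, the one leaving the lowest residual risk is chosen, which is what "as low as reasonably practicable" means in practice. The disproportion factor of 3, the tolerable probability, and the list of controls with their figures are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float           # cost of implementing and running the control, per year
    residual_probability: float  # annual probability of the harm event with the control in place


def expected_loss(probability: float, loss: float) -> float:
    """Expected annual loss = probability of the event x loss if it occurs."""
    return probability * loss


def benefit(baseline_probability: float, loss: float, option: ControlOption) -> float:
    """Annual expected loss avoided by the option: the 'benefit' side of the analysis."""
    return expected_loss(baseline_probability, loss) - expected_loss(option.residual_probability, loss)


def reasonably_practicable(baseline_probability: float, loss: float,
                           option: ControlOption, disproportion_factor: float = 3.0) -> bool:
    """A measure is reasonably practicable unless its cost is grossly disproportionate to the
    risk reduction it buys. The factor of 3 is an assumption made for this example."""
    return option.annual_cost <= disproportion_factor * benefit(baseline_probability, loss, option)


def choose_alarp(baseline_probability: float, loss: float, options: list[ControlOption],
                 tolerable_probability: float, disproportion_factor: float = 3.0):
    """Among options that bring the risk within tolerance and are reasonably practicable,
    pick the one that leaves the lowest residual risk. Returns None if no option qualifies."""
    candidates = [
        o for o in options
        if o.residual_probability <= tolerable_probability
        and reasonably_practicable(baseline_probability, loss, o, disproportion_factor)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda o: (o.residual_probability, o.annual_cost))


# Constructed scenario (not from the lecture): a harm event with a 10% annual chance
# and a 2,000,000 loss, so the untreated expected loss is 200,000 per year.
BASELINE_P = 0.10
LOSS = 2_000_000.0
TOLERABLE_P = 0.05   # assumed tolerance threshold: above this the risk is not acceptable
OPTIONS = [
    ControlOption("staff awareness training", annual_cost=20_000, residual_probability=0.08),
    ControlOption("offline backups", annual_cost=60_000, residual_probability=0.04),
    ControlOption("network segmentation", annual_cost=150_000, residual_probability=0.03),
    ControlOption("fully duplicated site", annual_cost=1_500_000, residual_probability=0.005),
]

if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name:26s} benefit={benefit(BASELINE_P, LOSS, opt):>10,.0f}"
              f" practicable={reasonably_practicable(BASELINE_P, LOSS, opt)}"
              f" tolerable={opt.residual_probability <= TOLERABLE_P}")
    chosen = choose_alarp(BASELINE_P, LOSS, OPTIONS, TOLERABLE_P)
    print("ALARP choice:", chosen.name if chosen else "none qualifies")
```

In this scenario training is cheap but leaves the risk above tolerance, the duplicated site would reduce the risk most but costs far more than three times the 190,000 it saves (the "excessively expensive" case in the text), and both backups and segmentation qualify; segmentation is chosen because it leaves the lower residual risk.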
Risk perceptions

1. Objective risk perception

• Objective risk perception is based on factual information, scientific evidence, and statistical data.
• It relies on empirical evidence and is used in risk assessment and management processes by experts, policymakers, and organizations.
• Objective risk is measurable and statistical. It involves quantifiable measures of risk such as mortality rates, injury probabilities, or financial losses.
• Objective risk can be defined as the relative variation of actual loss from expected loss.
• With objective risk, the probability of a loss event occurring is based on statistical analysis of, or observations made on, a large amount of historical data.

2. Subjective risk perception

• Subjective risk perception is influenced by individual beliefs, attitudes, emotions, and personal experiences.
• It concerns how people feel about the level of risk, regardless of the actual statistical probabilities. Subjective risk perception can vary widely among individuals, even when they are presented with the same objective data.
• Factors such as mental biases, cultural influences, media coverage, and social influences play significant roles in shaping subjective risk perception.
• For example, someone might feel a high level of fear about flying in airplanes, despite statistically lower accident rates than driving, because of media coverage of plane crashes and a personal fear of loss of control.
• Subjective risk is the uncertainty based on a person's mental condition or state of mind. Accordingly, subjective risk is personal and not easily measured.
• Subjective probability is the individual's personal estimate of the chance of loss.
• Subjective risk is the perceived chance of something bad happening based on a person's opinion, emotions, gut feeling, or intuition. It is not a mathematical review of the situation, but rather a quick assessment based on the person's feelings at the time. For example, a superstitious person might skip a flight on Friday the 13th because they perceive a subjective risk.
• Subjective risk, by definition, differs from person to person, as it depends heavily on personal bias. It is not based on hard data and is highly changeable.
• Personal beliefs or even life experiences can affect someone's perception of how likely an event actually is.
• Oftentimes, subjective risk can be explained rationally, but predictions of subjective risk cannot be made accurately.
Concepts of related and correlated risk factors

• Related Risk Factors: Related risk factors are risks that have a logical or causal connection with each other. In other words, related risks are interconnected or interdependent in some way, such that a change in one risk factor may influence, or be influenced by, a change in another. Related risks often share common underlying causes, drivers, or consequences. For example, in a production operation the following risks are related:
• Supply chain disruptions: A disruption in the supply chain could lead to delays in production or shortages of raw materials.
• Equipment failures: Malfunctioning equipment could result in production downtime or quality issues.
• Labor disputes: Strikes or labor shortages could affect production capacity or increase operational costs.
• Correlated Risk Factors: Correlated risk factors are risks that exhibit a statistical relationship over time: they tend to rise and fall together (positive correlation) or in opposite directions (negative correlation) in response to changes in external factors or market conditions. Correlated risks need not have a direct causal relationship; they may simply be influenced by common external factors or market forces.
• Two risks are positively correlated if they move in the same direction: one falls as the other is reduced and rises as the other rises.
• They are negatively correlated if one rises as the other falls.
• Negatively correlated risks are present in some situations. If, for example, a company borrows money to reduce its environmental emissions, its environmental risk is reduced but, with its increased gearing, its financial risk is increased at the same time. This is because the higher gearing increases its vulnerability to rising interest rates and puts pressure on cash flow.
• Positively correlated risks: activities designed to reduce environmental risk, such as acquiring resources from less environmentally sensitive sources or fitting emission controls, reduce the likelihood of the environmental risk being realized. This, in turn, reduces the likelihood of the associated reputation risk being incurred.
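An added example (not from the lecture) that makes two of the definitions above computable: objective risk as the relative variation of actual loss from expected loss (from the risk perceptions section), and positively versus negatively correlated risk factors, measured with the Pearson correlation coefficient of two risk indicator series. The quarterly series, the 0.5 classification threshold, and the choice of standard deviation divided by mean as the measure of "relative variation" are assumptions made for this example; the series are constructed to mirror the lecture's environmental, reputation and gearing illustration.

```python
from statistics import mean, pstdev


def objective_risk(losses: list[float]) -> float:
    """Objective risk as the lecture defines it: relative variation of actual loss from
    expected loss, computed here as population standard deviation over mean loss."""
    expected = mean(losses)
    if expected <= 0:
        raise ValueError("expected loss must be positive")
    return pstdev(losses) / expected


def correlation(xs: list[float], ys: list[float]) -> float:
    """Pearson correlation of two equal-length series: +1 move together, -1 move opposite."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have the same length (at least 2)")
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        raise ValueError("a constant series has no defined correlation")
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def classify(r: float, threshold: float = 0.5) -> str:
    """Label a coefficient; the 0.5 cut-off is an assumption for the example."""
    if r >= threshold:
        return "positively correlated"
    if r <= -threshold:
        return "negatively correlated"
    return "weakly correlated"


# Constructed quarterly series (not from the lecture), eight quarters each. Emission
# incidents fall as clean-up investment proceeds; complaints fall with them; gearing
# rises because the clean-up was financed by borrowing.
EMISSION_INCIDENTS = [5, 4, 6, 3, 2, 2, 1, 1]                 # environmental risk indicator
REPUTATION_COMPLAINTS = [50, 42, 61, 33, 20, 22, 12, 9]        # reputation risk indicator
GEARING = [0.20, 0.25, 0.20, 0.30, 0.40, 0.40, 0.50, 0.55]     # debt ratio, financial risk indicator

# Constructed annual loss histories in thousands; both have an expected loss near 100-120.
STABLE_LOSSES = [120, 80, 100, 110, 90]     # actual losses stay close to the expected loss
VOLATILE_LOSSES = [300, 20, 100, 150, 30]   # same order of expected loss, far wider variation


def report() -> dict:
    """Summarize the constructed data in the lecture's terms."""
    return {
        "environment vs reputation": classify(correlation(EMISSION_INCIDENTS, REPUTATION_COMPLAINTS)),
        "environment vs financial (gearing)": classify(correlation(EMISSION_INCIDENTS, GEARING)),
        "objective risk, stable losses": round(objective_risk(STABLE_LOSSES), 3),
        "objective risk, volatile losses": round(objective_risk(VOLATILE_LOSSES), 3),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label:36s} {value}")
```

On the constructed data the environmental and reputation indicators come out positively correlated and the environmental and gearing indicators negatively correlated, matching the two cases in the text, while the volatile loss history shows a much higher objective risk than the stable one even though their expected losses are similar.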
