controlling risk

Chapter 11 19 July 2011 * Controlling risk

Upload: gde-coaching-jean-noel-macaque

Post on 21-Jan-2015


Page 1: Controlling risk

Chapter 11

19 July 2011

*Controlling risk

Page 2: Controlling risk

[Diagram: Controlling risk overview. Topics: Roles (Board, Risk Comm, Risk manager, Internal / external audit), Awareness, Embedding risk, Risk mgmt strategies, TARA, Avoidance / retention, Diversification, Risk monitoring, Risk reporting]

Page 3: Controlling risk

* Role of Board

*Significant role in risk mgmt

*Consider strategic nature of risk

*Define org’s risk appetite & approach

*Responsible for driving risk mgmt process

*Ensure risk mgmt supports strategic objectives

*Determine level of risk that an org can accept- to match strategic objectives

*Communicate risk mgmt strategies to the entire org- top/down approach

*Ensure integration of risk mgmt in operations

*Review risk and monitor progress of risk mgmt plans

*Risk mgmt strategy- which risk will be accepted, declined, transferred

*Appoint a risk committee

Page 4: Controlling risk

*Board consideration of risk

[Diagram: Risk appetite, Risk attitude, Business strategy, Risk strategy, Risk capacity, Residual risk]

Page 5: Controlling risk

*Risk appetite comprises :

a) Risk attitude – overall character of the BOD (Risk averse & risk seeking).

b) Risk capacity- Amt of risk that an org can bear.

-Risk appetite is a measure of the general attitude to risk

Factors likely to affect risk appetite of BOD are:

1) Nature of product manufactured- amt of risk will vary depending on the product

2) Need to increase sales-

3) Background of the BOD

4) Amount of change in the market- eg mobile phones, new drugs

5) Reputation of the company- here BOD will be very cautious with risk positioning.

Page 6: Controlling risk

* Risk attitude

*Risk averse

*Avoid risk

*Withdraw from risky ventures

*Risk seeking

*Seeking additional risk

*See risk management as strategic

*Invest in comprehensive risk mgmt system

*High risk = high return

Page 7: Controlling risk

* Risk attitude- cont’d

*Risk attitude depending on org.

*3 factors to consider :

1) Size

2) Structure

3) Development

Page 8: Controlling risk

* SIZE

*Small Size

*Small size = higher risk for org= vulnerable.

*Smaller product range- so adversely impacted in case of a drop in sales.

*There will be a tendency towards Risk averse strategy – to protect limited product ranges.

*Large Size

*Large size = lower risk

*Wider product range

*But large size may mean attempt to minimize reputational risk.

Page 9: Controlling risk

* Structure

*Functional structure- who manages the risk. Normally decided at BOD level.

*Large orgs manage risk across the globe.

*Divisional structure

- spread risk & diversified portfolio

-Risk appetite determined by current portfolio of co’s, in terms of overall risk

-A portfolio with limited risk means that more risky/daring investments can be made.

-But high risk portfolios mean that lower risk investments will be attractive.

Page 10: Controlling risk

* Development

*Relates to the stages of development of an org.

*Can be linked to the Product Life cycle stages. (P.L.C)

*Initial stages of P.L.C are more risky.

*New products & initial investments are highly risky.

*But a risk seeker philosophy needed as new products need to be launched and innovation will always be risky.

Page 11: Controlling risk

* Risk committee

*C.G codes don’t specify whether risk comm is needed.

*If there is no formal risk comm, then the audit comm will take over

*Roles

*Update co’s risk profile & appetite

*Oversee risk assurance process

*Raise risk awareness

*Establish policies for risk mgmt

*Implement processes to monitor & report risk

*Ensure proper communication of risks @ all levels

*Ensure adequate training arrangements in place for awareness of all managers.

*Obtain external advice to make sure risk mgmt processes are up to date.

Page 12: Controlling risk

*Responsibilities of risk committees

*Assess risk mgmt. procedures i.r.o change in operating environment, i.e. identify, measure & control key risk exposures.

*Emphasize benefits of risk based approach to internal control.

*Risk audit report on critical business areas

*Assess risks of new ventures/ alliances

*Review credit risk, interest rate risk, liquidity risk, operational risk exposures, in light of board’s risk appetite.

*Consider f/s disclosure i.r.o I.C.S, risk mgmt & key risk exposure

*Make recommendations to the full board on matters pertaining to strategy & policies.

Page 13: Controlling risk

*Risk manager

Risk manager role:

- Implement risk mgmt policies

- Operational role

- Member of risk comm

- Report direct to the committee & to B.O.D

- Risk manager is supported & monitored by Risk mgmt committee

- More operational role for the risk manager

- The tone is set at the top by BOD & risk mgmt committee.

Page 14: Controlling risk

* Risk manager activities

Leadership function

Identify & evaluate risks- business, operations, policies

Implement risk mitigation strategies, i.e. I.C.S.

Improve risk mgmt methodologies

Monitor status of R.M strategies & internal audits

Ensure compliance with legislation & regulations

Maintain good relationship / link between BOD & Risk mgmt committee

Develop/implement / manage risk mgmt programmes / initiatives

Establish risk mgmt awareness programme within the org

Establish risk indicators

Page 15: Controlling risk

* Risk awareness

*Risk comm role- raise risk awareness

*Lack of risk awareness = inappropriate risk mgmt strategy

Page 16: Controlling risk

*Risk awareness will be at 3 levels:

- Strategic : High level monitoring of risk

- Tactical : Monitoring at divisional level

- Operational : Day to day monitoring

Page 17: Controlling risk

* Strategic level

*Need for continued monitoring of risks for the org.

*Lack of monitoring creates competitive disadvantage.

*Lack of monitoring creates going concern problems.

Page 18: Controlling risk

* Tactical level

*Risks affecting divisional level.

*Monitoring is required as it affects e.g. continuity of supply

*Lack of monitoring impacts on continuity of process/operations

*E.g. resignation of staff leads to a break in the normal chain- key process may be left incomplete

*Staff motivation should be monitored to prepare for any future succession planning.

Page 19: Controlling risk

* Operational level

*Monitor risk at day-to-day level.

*Lack of monitoring is a threat to the org.

*Persistent lack of monitoring = reputational risk.

*E.g. lack of availability of certain goods will, in the long term, create increasing customer frustration.

Page 20: Controlling risk

* Embedding risk

*Embedding risk mgmt:

*ensure it is part of business’ DNA.

*Part of the way of doing biz- part of the philosophy.

*Process of embedding risk management:

Page 21: Controlling risk

*Embedding risk- cont’d

*Risk is embedded in :

1) Systems

2) Culture

*Embedding risk in systems

*Ensure risk mgmt is included in control systems.

*Control system will integrate all systems into a proper mechanism.

*Risk mgmt is an integrated system.

*Embedding risk in culture

*This is related to the way people behave, think and act.

*So employees must accept the need for a system of risk management in the enterprise.

Page 22: Controlling risk

* Embedding risk

*Methods of embedding risk mgmt in culture & values

*Align individuals’ goals with corporate goals

*Make risk mgmt pervasive, include it in job descriptions

*Establish reward systems – for those who take risks in practice- no blame game, no victims.

*Establish metrics & KPIs that can monitor risk & provide early alerts / trigger buttons.

Page 23: Controlling risk

* Embedding risk

*Factors impacting on success of embedding risk in culture

1. Open/ closed culture

2. Overall commitment to risk mgmt policies throughout the org.

3. Attitude towards ICS

4. Governance- include risk mgmt in the org, to meet needs and expectations of external stakeholders.

5. Is risk mgmt a normal part of the org?

Page 24: Controlling risk

* Risk management- TARA

*Risk planning & formulating risk mgmt strategies

*Strategies

1)Transference

2)Avoidance

3)Reduction

4)Acceptance

Page 25: Controlling risk

* Transference

*Trf part or 100% of the risk to a 3rd party.

*E.g. re-insurance / insurance, where 3rd party accepts full liability in case the risk crystallises

*There may also be alliances, strategic partnerships

Page 26: Controlling risk

*Avoidance

*Avoid by not investing/ venturing

*Risk averse strategy

*But in business, not all risk can be avoided

Page 27: Controlling risk

* Reduction/mitigation

*Reduce risk – e.g. limit exposure in specific area or decrease adverse effects, should the worst happen.

*Effective ICS is necessary to reduce impact of risk.

*Risk pooling

Pooling will cause some positive & negative effects to cancel out

Risks from many different txns are pooled together

Finally, risk is considered from the “pool perspective” or cluster wise

E.g. diversification of investment portfolio.

*Reduce financial risk/ hedging

*Hedging- offset risks. Used to manage exposures.

*Hedging neutralises the risk / reduces risk

*Forward contracts- fix the price in advance of txn happening. Neutralise / eliminate the risk from unfavorable movement. Mainly used in purchase / sale of currency.

Page 28: Controlling risk

* Risk mapping & risk mgmt strategies

*Risk mapping will determine risk mgmt strategy as shown in the table below:

        Impact / consequence
        L          H
H       Reduce     Avoid
L       Accept     Transfer

Page 29: Controlling risk

*Further risk mgmt strategies

*Risk avoidance

*Risk strategy of avoiding the risk by not undertaking the activity

*Org has low risk appetite

*Strategy is to avoid risky ventures

*Risk retention

*Similar to concept of risk acceptance.

*Strategy used where risk is minimal or where strategies of transference are expensive.

Page 30: Controlling risk

* Further risk mgmt strategies

*Diversify/ spread risk

*Reduce risk by diversifying operations into different locations

*Performance will net off – cross subsidise

*Overall total risk will be reduced

*Diversify- spread the risk; eg portfolio mgmt.

*Risks can be spread by expanding portfolio through integration, thus linking with other co’s in the supply chain.

Page 31: Controlling risk

*Backward integration- Development concerned with the inputs into the org, e.g. raw mats, machinery, labour.

*Forward integration- Development into activities concerned with org’s output, e.g. distribution, tpt, repairs.

*Horizontal integration- Development into activities that compete with or complement an org’s present activities. E.g. travel agent selling related products such as travel insurance & currency exchange services.

*Unrelated diversification- development into a completely different area

Page 32: Controlling risk

*Risk strategy & Ansoff matrix

Page 33: Controlling risk

* Risk auditing

*Risk audit is not mandatory.

*Risk audit is part of general awareness and will be concerned with understanding the risks that the org faces.

*Risk mgmt – is an internal function under resp of mgmt.

*Internal auditors sometimes also take on the function of risk audit

Page 34: Controlling risk

* Purpose of risk audit

*Risk audit assists risk monitoring

*Provide independent view of risks & controls

*Fresh pair of eyes may identify errors in the original monitoring process

*In some legislation, audit work is mandatory, e.g. SOX

*After review, internal audit & external audit make recommendations to amend risk mgmt.

Page 35: Controlling risk

*Stages of risk audit

1) Identify risks

2) Assess risks

3) Review controls over risk

4) Report on inadequately controlled risks

Page 36: Controlling risk

*Advantages of internal audit

*Familiar with culture, procedure, policy

*I.A can perform specific & focused risk assessment

*Internal teams are flexible, mgmt will control their timetable

*Internal teams focus their reports more than external audit teams

Page 37: Controlling risk

* Advantages of external audit (weaknesses of internal audit)

*More independent / less bias

*Reporting based on ACCA/ IFAC code of ethics

*Create high degree of confidence for investors & regulators

*Fresh pair of eyes

*Outside in approach

*Internal auditors are used to system and behavior and may not want to question basic established principles

*External auditors have wide exposure, best practice can be introduced.

Page 38: Controlling risk

* Process of external reporting of Internal controls & risks

Process

1) Identify reporting situations

- Internal ctrl failure

- Directors make inadequate decisions, based on erroneous info

2) Check compliance with legislation

- C.Act

- Stock exch req

- prof/ethical guidelines may require disclosure

3) Make report if required

- Document reason for report

- eg going concern basis

- qualified audit opinion

- Then report to 3rd party

Page 39: Controlling risk

* Process of external reporting of Internal controls & risks

*Reporting may be voluntary or by statute (US sec 404 SOX)

*Some reporting systems are more for internal use – eg audit committee

*Process of external reporting- implies compliance with ethical guidelines.

Page 40: Controlling risk

* Comparison SOX & UK external reporting