BM7037-15: Corporate Governance,
Ethics & Risk Management
Risk Management
(There are internet links in this presentation that you should explore.)
Learning outcomes
At the end of the lecture, you’ll be able to:
Critically define ‘risk’ and distinguish it from other things
Critically explore a given organisation’s risk appetite
Evaluate an organisation’s risk management processes against best practice
Critically explore interrelationships between risk management and corporate governance
What is risk?
“Uncertainty of outcome, whether positive opportunity or negative threat, of actions and events”
(HM Treasury, ‘The Orange Book’, 2004, p.9)
“An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives.”
(PRINCE2 2017, p.120)
“An unrealised future loss arising from a present action or inaction”
(Kaplan)
1️⃣
3
What is risk?
Is:
Uncertain – not, then, known (known as ‘dis-benefits’ in PRINCE2)
Uncertain – in that we might never realise it as a risk! (Particularly if we don’t even try)
Uncertain – and we might try to measure its probability
Impactful – whether that’s minimal, moderate, or severe
Impactful – in one or several respects: Strategic, operational, etc.
Possibly beneficial, known as ‘upside risk’ (if we ignore Kaplan def.)
As it can be terminal (think Carillion; also here) but can also give a competitive advantage, it should not be overlooked by management.
4
Risk ‘appetite’
You go to a casino. Would you rather:
Wager £10 to possibly win £100?
or
Wager £100 to possibly win £10,000?
or
Do neither, and keep your money?
2️⃣
5
Risk ‘appetite’
Investments often are expressed in terms of risk-reward
Organisations are also on this risk-seeking to risk-averse continuum.
6
Risk ‘appetite’
All organisations have a risk appetite, however:
They may not be consciously aware of it
It may not be expressed/articulated anywhere
It may not be known across the organisation
It may not inform decision-making (consistently, across the organisation)
See COSO Report (2014)
7
Risk ‘appetite’
Q
Try to think of 2 types of firm:
One which is high-risk-taking and one which is low-risk-taking.
Why do they take this approach?
8
Risk management
There are lots of risk management models. They all broadly include the same elements:
Risk…
Identification
Assessment (probability/impact)
Planning (responses)
Monitoring (responsibilities)
This process is cyclical.
Risk-related activities should be recorded, including lessons.
3️⃣
9
Risk management: 1/4 Identification
‘Risk workshop’: Brainstorming.
Also: Previous lessons, checklists, prompt-lists, breakdown structures
External auditing can help – a fresh view
(Can be compulsory; think SOX)
10
Risk management: 1/4 Identification
Risks can be classified:
Business or operational: relating to activities carried out within an entity, arising from structure, systems, people, products or processes.
Country: associated with undertaking transactions with, or holding assets in, a particular country. Risk might be political, economic or stem from regulatory instability. The latter might be caused by overseas taxation, repatriation of profits, nationalisation or currency instability.
Environmental: these risks may occur due to political, economic, socio-cultural, technological, environmental and legal changes.
11
Risk management: 1/4 Identification
Risks can be classified…continued:
Financial: relating to the financial operations of an entity and includes:
credit risk: a loss may occur from the failure of another party to perform according to the terms of a contract
currency risk: the value of a financial instrument could fluctuate due to changes in foreign exchange rates
interest rate risk: interest rate changes could affect the financial well-being of an entity
liquidity (or funding) risk: an entity may encounter difficulty in realising assets or otherwise raising funds to meet financial commitments.
Reputational: this is damage to an entity's reputation as a result of failure to manage other risks.
Strategic risk: these are risks stemming from the entity's strategy and pose the greatest threat to the achievement of the strategy.
12
Risk management: 2/4 Assessment
Needs to be assessed against the firm’s risk appetite
Often, a ‘heat map’ is used…see HBR article
BUT these have received criticism for:
Subjectivity
Error of symmetry
Risk aversion
Category prioritization reversal
Take your time to get your understanding of these right
13
Risk management: 3/4 Planning
Answers the question: How do we respond to this risk?
- Can be a response now or if/when it happens
- Might involve a cost
- Also includes who is responsible for monitoring the response (if not a ‘now’ response) and who implements it (which might be someone different)
14
Risk management: 3/4 Planning
(Back to risk management models…)
Responses can include:
Avoid/exploit
Reduce/enhance
Transfer
Share
Accept
Prepare contingency plans…see also ‘TARA’
For explanations of these, see p.132 of PRINCE2 manual
15
Risk management: 4/4 Implement
Simply the matter of putting the plans into practice
Might be based on an organisation-, entity-, department- or project-wide strategy/standard/approach/plan
Most organisations of any size will have, as a minimum, a strategy, identified persons responsible, and a risk register to record all that
…insurance providers may also insist on such things, of course
16
Risk and Governance
Boards are ultimately responsible for organisations, and so are responsible for risk:
Including clarifying/setting/‘enforcing’ the ‘appetite’; and
Controlling risks within tolerances
Often there is a ‘risk committee’ of the board, but sometimes combined with audit (e.g. BT PLC). Main roles:
Raising risk awareness
Establishing policies for risk management
Processes for identifying, reporting and monitoring risk
Reporting to the Board, recommending changes to the risk appetite as appropriate
4️⃣
17
Risk and Governance
Risk managers:
Usually a member of the Risk Committee
Focuses on implementation of risk management policies
Reports to, and is supported and monitored by, the risk management committee
Has an operational emphasis
Risk management only works in organisations if it’s part of the culture/day-to-day: included in JDs, proper internal control, embraced and supported by senior management/the board.
Part 4 of the UKCGC is titled ‘Audit, Risk and Internal Control’
18
Other things to explore
ERM – Enterprise Risk Management
ALARP
19
Questions?
20