This document provides guidance on establishing a framework for managing business risk. It recommends defining business objectives and acceptable risk levels. It also suggests appointing a risk manager to oversee the process and communicate the framework throughout the organization. The key steps are to identify all potential risks through brainstorming and collecting internal/external data, then prioritize risks based on likelihood and potential impact. Once risks are identified, actions can be taken to reduce, retain, or transfer each risk. An integrated, ongoing approach helps ensure all risks are addressed and the risk profile is monitored over time.

1. Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Judith Shackleton BSc, ACA, who has written this Technical Focus, is the Technical Project Manager
for the Faculty of Finance and Management. Prior to joining the Faculty, she has held a number of
senior finance posts in major organisations.
This research was made possible by a grant by Chartered Accountants' Trustees Limited, and
provided out of funds of the PD Leake Trust - a registered charity.
In addition to the Good Practice Guidelines the Faculty Committee believes that members want in-depth
studies of specific subjects.
Not all members will want to read these papers immediately, but they are intended to be sources of reference
when the subject becomes a practical issue for individual members.
These papers are intended to summarise the state of knowledge on a particular topic at a point in time.
It is hoped that these papers will challenge and interest all Faculty members, but in particular those with
experience of the particular subject matter.
Technical Focus represents the personal views of the author and not necessarily those of their firms, the
Faculty or the Institute. The nature of some subjects will preclude the publication from being definitive or
mandatory. Being general in nature, the points made in the publication may or may not be relevant to specific
circumstances. The Faculty cannot accept responsibility for the accuracy or completeness of this Technical
Focus.
Responses from the membership will be a very important part of the successful development of Technical
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/Index/index.htm (1 of 2) [11/10/1999 16:45:39]

2. Focus. Please contact Chris Jackson with your comments and suggestions. You may email Chris Jackson at
CDJackson@icaew.co.uk or write via the address shown on the Copyright Disclaimer page.
Faculty Home Page
ICAEW Home Page
© copyright & disclaimer
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/Index/index.htm (2 of 2) [11/10/1999 16:45:39]

3. The management of business risk is one of the most important issues currently facing businesses. Recent
high profile cases such as Barings demonstrate the consequences of not managing risk properly. But risk is
not just about financial markets: a risk is any serious threat to an organisation's well being. The increasing
pace of change, customer demands and market globalisation all put risk management high on the agenda for
forward-thinking companies. Having adequate insurance cover is no longer enough. It is necessary today to
have a comprehensive risk management strategy. In addition, the Cadbury Committee's Report on Corporate
Governance lists having a process in place to identify major business risks as one of the key procedures of
an effective control system.
All businesses take risks in order to make profits, but those risks need to be managed sensibly in order to
ensure commercial survival. To be successful, an organisation needs to maximise profits for a given level of
risk.
Charles Miller Smith, Chief Executive of ICI, when talking about the role of the finance director, recognised
the importance of the finance director's role in managing risk, commenting that 'the finance director must use
his or her knowledge, experience and judgment to minimise the level of risk without significantly affecting the
profitability of the organisation.'
This Technical Focus examines the management of business risk - be it political, environmental or as yet
unidentified. Treasury risks, such as foreign exchange and interest rate exposure are part of the risk
exposure of the organisation but are not covered in detail in the current text, as much has already been
written about these risks.
In the past, risk management efforts were often dispersed across the organisation. Whilst all risks may have
been managed, it was difficult to confirm the position. There is also the danger when risk management is not
properly co-ordinated across the organisation that different managers individually take significant risks, which
add up to a huge exposure for the organisation as a whole. A properly integrated and structured risk
management framework is therefore essential.
After deciding on the overall level of risk that the organisation is prepared to take, the next step is to identify
the risks faced. At this stage it helps to prioritise the importance of the risks by estimating the likelihood of the
event occurring and the impact of that event on the business. Once the key risks have been established and
the existing measures that are in place to reduce the risk have been identified, the remaining risk can be
retained, reduced or transferred to a third party.
Such an approach will take time to implement, but in the current climate it is essential for management to be
aware of the all the risks facing their organisation. In addition, a risk management programme can help in
planning and prioritising for the future. Being able to demonstrate that all significant business risks have been
addressed can enhance the value of a business in the eyes of both shareholders and customers.
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_1/tf10_1.htm (1 of 2) [11/10/1999 16:46:44]

4. ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_1/tf10_1.htm (2 of 2) [11/10/1999 16:46:44]

5. Definitions of business risk
'The threat that an event or action will adversely affect an organisation's ability to achieve its
business objectives and execute its strategies.'
'Business risk arises as much from the likelihood that something good won't happen as it does
from the threat that something bad will happen'
(Economist Intelligence Unit Executive Briefing/Arthur Andersen - Managing Business Risk)
In this Technical Focus the term 'risk' is used in the commonly accepted business form to include any
circumstances which may or do have an adverse effect on an organisation's activities or strategy.
Risks can be classified into those arising from external and internal factors.
External risks
External risks result from factors outside the organisation. They can often be very difficult or impossible to
control. Examples include:
Changing legislation or a change of government.q
Public opinion - such as attitudes to drinking or smoking.q
A price war initiated by a competitor.q
Changing economic conditions and demographic trends.q
Environmental factors.q
Natural hazards such as fire.q
Internal risks
Internal risks arise from within the organisation as a result of the activities undertaken. There will be risks
arising from:
The particular products made or services provided.q
The processes undertaken to make or supply those products or services.q
Employees.q
The process of dealing with suppliers.q
The process of dealing with customers.q
Internal risks are usually easier to control than their external counterparts, but it is important to balance the
cost of control against the benefits.
Whilst risks and uncertainties are normally associated with negative effects on an organisation, there can
also be positive effects. For example, an unusually cold winter could benefit coat manufacturers. When
managing risks it is important to protect the organisation from negative consequences, but still be able to
take advantage of any upside of an uncertain event.
Why managing risk is important
All organisations face some risk. Although it is possible to react to the effects of risks as they occur, this can
be an inefficient and ineffective way of managing risk. In some cases, if the event occurs the organisation
may not be able to survive the consequences, so it is essential to protect in advance against the effect of the
risks.
In the current climate of rapid change people are less likely to recognise the unusual, the decision-making
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_2/tf10_2.htm (1 of 3) [11/10/1999 16:47:15]

6. timeframe is smaller and, since in many organisations resources are scarce, the impact of unmanaged risk is
aggravated.
It is important to remember that the risks facing an organisation change constantly. Therefore the
management of risk cannot be a static process but must be constantly reviewed.
Implemented successfully, the management of business risk can help with future business planning and
enhance the value of the business.
Reporting under Cadbury
The guidance from the Cadbury committee working party (December 1994) on how to implement the
Cadbury Code requirement that directors should report on the effectiveness of their system of internal control
lists the following criteria for assessing effectiveness on the identification and evaluation of risks and control
objectives:
Identification of key business risks in a timely manner.q
Consideration of the likelihood of risks crystallising and the significance of the consequent financial
impact on the business.
q
Establishment of priorities for the allocation of resources available for control and the setting and
communicating of clear control objectives.
q
The London Stock Exchange requires every listed company to include a statement in its annual report
confirming that it is complying with the Code, or giving details of and the reasons for any areas of
non-compliance.
Changing nature of risk management
Traditionally, risk management was dealt with by the individual business units or managers. Each was
responsible for the day to day management of risk.
One of the dangers of such a compartmentalised approach is that there is no overall review of the
organisation's risk exposure. A situation could arise rapidly where the organisation's overall risk profile was
more than it could bear. For example, the treasurer may be holding an exposure of £125,000 on foreign
exchange, the insurance manager may have deductibles totalling £200,000 on insurance policies and the
marketing manager may have just commissioned a new product with a potential write off of £175,000. Each
manager could be operating within their limit of authority; nevertheless, without an integrated view of risk, the
company may be unaware that it is facing a potential loss of £ 1/2million.
An integrated approach to risk management is needed to ensure that the acceptable level of risk is
determined for the organisation as a whole. The individual managers take responsibility for the management
of risk within the overall organisation-wide risk management framework.
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_2/tf10_2.htm (2 of 3) [11/10/1999 16:47:15]

7. ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_2/tf10_2.htm (3 of 3) [11/10/1999 16:47:15]

8. Adopting a structured approach to the management of business risk will help to ensure that all risks are
covered and that a procedure is in place to monitor continuously the risk profile of the organisation in the light
of any changes (see Figure 1).
Figure 1 Risk management process
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3/tf10_3.htm [11/10/1999 16:47:53]

9. Establish the business framework
In order to identify and control risks, it is important that the business framework is set up appropriately.
Business objectives
It is important to be clear on the business objectives. If objectives have already been set up it is worth
reviewing them and updating them if necessary before embarking on a major risk review. When looking at
risk it is tempting to try and address all risks. By establishing the business objectives in advance it makes it a
lot easier to weigh up the impact of the risks relevant to the business. It also means that time spent is
focused on discussing the risks and not the direction of the organisation.
Acceptable risk levels
Once the business objectives have been established then it is necessary to work out the level of the risk that
the business can accept. This is generally a matter for the controlling management's judgment. The critical
factor that should be considered is the organisation's ability to bear the cost of financial loss in terms of its
cash flow effect. Other factors to consider include the size and type of the business.
It is important to be aware that, contrary to the common perception of group behaviour, groups often make
more risky decisions than do individuals. In a group, many individuals feel protected by the size of the group
and the feeling that, should the decision be the wrong one, the blame will be shared.
Appoint a risk manager
It is important to have someone to take overall responsibility for risk management in the organisation. This
needs to be someone with sufficient authority to secure action and command respect from other managers.
Their role is to spearhead the risk campaign and to assist other managers in identifying and controlling risks.
In smaller organisations this role is likely to be performed by the finance director, while in larger concerns it
may be a separate job, or even a separate department. The existing risk manager may take on the role, but it
is important that they have the skills and experience to examine the whole business risk profile. Some boards
of larger companies have set up risk committees of the board, along the same lines as audit committees, to
which the risk manager reports.
The risk manager should co-ordinate the various risk management functions throughout the organisation and
advise individual managers on how best to manage risk. The line managers should have responsibility for
managing risk in their areas - the risk manager oversees and advises.
Communicate
Good communications are vital. It is important that all employees understand and feel involved in the risk
management process for it to work successfully. In addition, this will increase awareness of risks with the
result that risk is factored into business decisions.
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3a/tf10_3a.htm (1 of 2) [11/10/1999 16:48:16]

10. Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3a/tf10_3a.htm (2 of 2) [11/10/1999 16:48:16]

11. Identify the risks
The key step in managing business risk is to identify the risks facing the business. Once a risk has been
identified then it can be dealt with. Many business failures are a consequence of risks that had not even been
identified. The first step in dealing with risk is, therefore, to draw up a comprehensive list of all the risks facing
the business. Case Study 1 gives details of how Rolls-Royce plc identifies and reports on risk.
Collecting ideas
Brainstorm ideas The key is to identify all risks - therefore involve as many people as possible. An
add-on benefit is that this communicates the risk message and makes employees start to think of risk.
This in itself will reduce the organisation's level of risk.
q
'What if?' sessions 'What if?' sessions are particularly useful in the context of customer liability and
public affairs issues. The organisation's risk manager and legal advisors should attend. Imagine the
worst possible situation - would the company be covered legally, what would it do?
q
Use company and external information
Financial information Although financial information is based on historical data, it can be useful to
track trends in performance. Graphs are particularly useful for identifying any new trends.
q
Other company data Information such as sales figures, market share, customer complaints,
customer satisfaction surveys, warranty claims, health and safety records, employee attrition rates,
market research.
q
Internal and external audit reports These reports will highlight existing control weaknesses and any
actions recommended to strengthen controls, thereby reducing risk.
q
Economic forecasts Economic information such as predictions for future inflation and interest rates.q
Professional press The professional press contains many articles on incidents in companies and
can provide a useful source of ideas.
q
Media Newspapers and television provide cheap sources of information on business trends and
competitive information.
q
Use experts where appropriate The business managers will often be the best people to identify
risks, but it can also be useful to use experts to assist in the identification process, particularly on
legal, insurance, finance, sales and marketing and public relations issues.
q
Report all risks when they happen It is important to monitor all near misses and actual incidents as
these can give an indication of exposure to future risks. In practice this can be very difficult, especially
for near misses - as managers are often reluctant to report these for fear of criticism.
q
Benchmarking Benchmarking data can be useful in identifying areas that appear to be out of the
ordinary. (The Faculty of Finance and Management offers a free benchmarking service to members.)
q
Use checklists When trying to identify risks, a checklist giving headings under which risks may be
categorised can be useful. Reproduced below is the Arthur Andersen Business Risk Model TM (see
Figure 2). The table below is intended to cover businesses generally, and so some of the risks may
not be applicable to all businesses. Risks facing specialised industries are covered in industry-specific
models. For each of the risks shown below, the model provides further examples of risks within each
category.
q
Environment risk
Competitor Sensitivity Shareholder relations Capital availability
Catastrophic loss Sovereign/Political Legal Regulatory Industry Financial markets
Process risk
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3b/tf10_3b.htm (1 of 3) [11/10/1999 16:48:48]

12. Operations risk
Customer satisfaction
Human resources
Product development
Efficiency
Capacity
Performance gap
Cycle time
Sourcing
Commodity pricing
Obsolescence/Shrinkage
Compliance
Business interruption
Product/Service failure
Environmental
Health and safety
Trademark/brand name erosion
Empowerment risk
Leadership
Authority
Limit
Performance incentives
Communications
Information
processing/Technology risk
Access
Integrity
Relevance
Availability
Integrity risk
Management fraud
Employee fraud
Illegal acts
Unauthorised use
Reputation
Financial risk
Currency
Interest rate
Liquidity
Cash transfer/Velocity
Derivative
Settlement
Reinvestment/Rollover
Credit
Collateral
Counterparty
Information for decision-making risk
Operational
Pricing
Contract commitment
Measurement
Alignment
Completeness and accuracy
Regulatory reporting
Financial
Budget and planning
Completeness and accuracy
Accounting information
Financial reporting evaluation
Taxation
Pension fund
Investment evaluation
Regulatory reporting
Strategic
Environmental scan
Business portfolio
Valuation
Measurement
Organisation structure
Resource allocation
Planning
Life cycle
Figure 2 Arthur Andersen's Business Risk Model TM
Case Study 1: Rolls-Royce plc
Rolls-Royce plc designs, manufactures and supports aero engines, gas turbines and power generation
and transmission equipment.
Assuming more risk within the business
Rolls-Royce's philosophy has been to assume more risk and to carry that within the business. At the
same time, the company has sought to manage risk more effectively.
The individual businesses within Rolls-Royce now take increased deductibles on insured risks and
avoid the adverse impact of this by improvements in their quality systems and increased awareness of
risk. Insurance premiums have been allocated in relation to each business's recent experience in
terms of claims and risk occurrence. This has been extremely effective in managing risk, especially
when coupled with profit responsibility and profit-related bonuses.
Identifying and reporting risks
Through discussions, the board of Rolls-Royce identified the following as the major risks facing the
company:
Treasury.q
Health, safety and environment.q
Sales financing.q
Company name, trademarks and other intellectual property issues.q
Contract terms and conditions.q
Product design.q
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3b/tf10_3b.htm (2 of 3) [11/10/1999 16:48:48]

13. Manufacturing integrity.q
Natural perils.q
Information loss.q
Security.q
Intellectual property.q
Product liability insurance.q
Contract review and control.q
General controls.q
The internal audit department was then used to examine each of these risks and to report to the board
on:
The scale of the risk.q
The awareness within the organisation of the risk.q
The means by which the risk was addressed.q
Any weaknesses in the means of addressing the risk.q
To what extent such weaknesses were tolerable or had to be remedied.q
The work was summarised in a report to the board which analysed the risks into high, medium and
low, and the weaknesses into fundamental, important or detailed. Risks were mapped by responsibility
and level so that weaknesses which were significant and which clearly related naturally to significant
risks were highlighted. The report then detailed action to be taken with timescales and responsibility.
The internal audit department will perform regular follow up to ensure that all the actions have been
addressed.
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3b/tf10_3b.htm (3 of 3) [11/10/1999 16:48:48]

14. Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3a/tf10_3a.htm (2 of 2) [11/10/1999 16:48:16]

15. Measure the risk
Once a list of the risks facing the organisation has been established they need to be measured in order to be
prioritised. In a smaller organisation this may well be based on instinct, in a larger organisation it may be
appropriate to use a more formal technique to rank the risks. In practice this will often be performed
alongside the process of identifying the risks.
There are two important aspects to the measurement of risk:
The impact of the risk.q
The likelihood of the risk.q
In other words two questions must be asked: first, what is the potential damage from which the organisation
is at risk; and secondly, how likely is that damage to occur?
Once the measures have been established it is much easier to focus on the important risks. High impact,
frequently occurring risks need to be dealt with immediately, and these will probably feature on the board's
agenda. Small, unlikely risks can possibly be ignored, or covered as part of a routine internal control review.
The in-between risks (high impact, but unlikely) could be covered by a contingency plan, and the low impact,
high occurrence risks could be covered by task forces consisting of managers.
Impact of risk
The impact of the risk needs to be measured in some way.
Quantitative measures It may be possible to fix a financial cost to each risk. However, this can be
difficult to perfect and can be very time consuming. It is important here to include both direct and
indirect costs. For example, if a major airline's computerised flight booking system failed, there would
be a cost to the company to restore the system, but, in addition, a loss of sales when customers were
unable to make a flight reservation. Further, there may be the loss of goodwill and therefore future
sales by customers who had tried to make a booking or perhaps because of negative coverage by the
media.
q
Qualitative measures Each organisation should set up its own way of grading risks: an example is
given in Figure 3, below. In this example, risks are graded from 1 to 5, depending on the severity of
their impact on the business should the event in question occur.
q
Level 1 Life threatening - the organisation would not survive if this happened.
Level 2 Major impact on the business - would seriously damage the organisation's
ability to service customers.
Level 3 Significant impact on the business - would affect customers.
Level 4 Impact on the internal business only.
Level 5 Insignificant impact on the business.
Figure 3 Example of risk levels
Likelihood of risk
Since most risks are as a result of unpredictable or uncertain events it is usually not possible to be definite
about the likelihood of the risk. However, once it has been established that a risk could occur it is important to
estimate the likelihood of the event happening. For frequently occurring events it is often possible to base this
upon the past record of events, so it is essential to keep records. It is also important to record any 'near
misses' as this may indicate that the risk is more likely to occur in the future. For more infrequent risks, care
should be taken before dismissing the risk, as the fact that the event has not yet happened does not mean
that it will never happen in the future.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3c/tf10_3c.htm (1 of 3) [11/10/1999 16:49:14]

16. For risks relating to natural hazards such as storms, floods and earthquakes it is possible to obtain statistical
information on the likelihood of such events occurring. Insurance companies use past claims information to
calculate premiums and, therefore, retain a large amount of information. However, this can be very difficult to
obtain.
For most risks, managers will have to make a judgment on the likelihood of the risk based on available
information such as economic forecasts, market intelligence, competitor analysis and technological
developments.
Prioritising risks
The treatment of risk depends then on the impact of the risk and the likelihood of it happening. Figure 4
below illustrates the relationship between the impact and likelihood of a risk.
Figure 4 Impact of risk vs likelihood
High impact/high likelihood Examples - a fire in a paper mill, or environmental pollution by a
chemical plant.
These risks must be dealt with immediately and usually at board level. Procedures should be in place
to reduce the risk to an acceptable level and contingency plans should be developed. If this approach
is not possible then the risk should be avoided
q
High impact/low likelihood Example - a meteorite landing on a factory, or a terrorist attack on a
telecommunications centre.
Extremely improbable risks can be ignored. For more probable risks a contingency plan should be in
place.
q
Low impact/high likelihood Example - company car accident.
These can usually be dealt with by line managers. It is important to monitor these risks, as a large
number of seemingly unimportant risks can quickly gain significance.
q
Low impact/low likelihood Example - the theft of the organisation's daily canteen takings.
These can usually be ignored
q
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3c/tf10_3c.htm (2 of 3) [11/10/1999 16:49:14]

17. Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3c/tf10_3c.htm (3 of 3) [11/10/1999 16:49:14]

18. Deal with the risks
Once the list of risks has been established, and the current controls and actions to reduce the risk identified,
then the remaining risk needs to be dealt with (see Figure 5, below). There are four options for dealing with
the remaining risk:
Avoidq
Reduceq
Transferq
Acceptq
Figure 5 Methods of dealing with business risk
Avoid the risk
If the risk is too great for the business to bear and any possible ways of reducing it are either impractical or
too expensive then the only option is to eliminate the risk. For example, if a new product which is just about
to be launched is found to be defective and the defect cannot be corrected, then the only option to eliminate
the risk is to withdraw the product from the market.
Reduce the risk
It may be possible to reduce the risk by taking action now. It is important to be aware of the costs of reducing
the risk, it is easy to get carried away and spend more money on controlling the risk than the actual risk
exposure warrants. Risk management generally involves incurring costs now to avoid potential costs in the
future. Case Study 2 shows how risk can be reduced in the theatre industry.
Some of the ways of reducing risk are listed below:
Physical measures The risk of fire can be reduced by fitting fire doors, smoke alarms and sprinklers.
Often, these measures are required by insurance companies or are subject to regulatory control. The
q
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3d/tf10_3d.htm (1 of 5) [11/10/1999 16:49:39]

19. risk of losing assets can be reduced by improving security around the building.
Controls Improving internal controls can significantly reduce risk. Better quality controls and
procedures can reduce product liability risk.
q
Training and health and safety procedures Implementing proper health and safety procedures and
employee training will reduce the risk of accidents at work.
q
Awareness Employee awareness, which is a by-product of performing a risk management review,
will reduce risk. Employees will be more aware of the risks facing the business and build it into their
decision-making process.
q
Dual sourcing Using more than one supplier for key goods or services reduces the risk of a
disruption to that supply.
q
Diversification A single site operation will reduce risk by setting up a second production site. For a
larger organisation, it is possible to reduce risk by diversifying into a different area - such a portfolio
will reduce the variability of returns to shareholders. However, it is important to balance the
diversification against the risk of the larger, more diverse organisation losing focus. Many large
multinationals which have grown through diversification have realised that they can generate further
value by dividing into re-focused businesses.
q
Marketing Reducing risk does not have to be a negative process. For example, ice cream
manufacturers' major risk is the weather - people tend to eat more ice cream in hotter weather. As
there is nothing that can be done about the weather, the luxury ice cream manufacturers changed
their marketing strategy to promote ice cream as an all year round product.
q
Case Study 2: Adapting to risk in the theatre
Theatre involves taking significant risks. Anthony Blackstock, the Head of Finance of The Royal
National Theatre and a Member of the Society of London Theatre sees the management of risk as one
of his responsibilities.
Risk in the theatre is characterised by the following factors:
Extreme exposure to market failure: productions can close after very short runs.q
Very low reliability of market research.q
Even productions with well known names and formulae can flop.q
Reduced opportunities to market test with the decline of pre-West End tours.q
Very limited opportunities to develop the production after opening (the successful re-launch of
Martin Guerre is one of the few instances where this has been achieved).
q
High dependence on people of talent being available and fulfilling their promise.q
Taking these high risks results in high profitability for the one in ten productions that thrive. A further
two out of ten make modest returns. The remaining seven productions make a loss.
Adapting to risk
Commercial theatre
Active producers are mainly independent management-owned SMEs. Producers show characteristics
of 'virtual' organisations. Commercial theatre has adapted to reduce risk by taking the following
measures:
A low fixed overhead base.q
Separate financing of each production, mainly by investors willing to speculate in very high risk
ventures.
q
Flexibility of stakeholders' (i.e. investors', producers', creators') contractual right to participate in
income and profits.
q
Engagement of creative teams and performers on freelance basis: very low exposure to
termination payments.
q
Flexible contracts with theatre owners for extension and curtailment of runs.q
High investment in understudies to cover absences of actors.q
In addition, commercial theatre's dependence on transfers from subsidised producers allows risk free
market testing.
The increasing success of major producers has generated resources for successful branding and
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3d/tf10_3d.htm (2 of 5) [11/10/1999 16:49:39]

20. world wide marketing of shows, particularly major musicals.
Grant-aided theatre
Grant-aided theatres such as the National Theatre receive a subsidy (at 40% to 50% of total turnover)
allowing the artistic directors to 'take risks', set exemplary standards and provide wider social access
to productions. However, these subsidised companies need to control risks as they are subject to
charity law constraint.
In addition to many of the measures listed above, grant-aided theatre can reduce risk by the following
measures:
The Royal National Theatre operates a repertory system in its three separate theatres -
therefore it can significantly reduce risk by juggling of simultaneous productions to best effect.
q
The establishment of a brand name can create market reliability.q
Successful productions can be transferred to commercial producers to eliminate financial risk,
but retain some return.
q
Transfer the risk
It is sometimes possible to eliminate risk by transferring it. Either the whole activity can be transferred away
from the organisation or the activity can be retained but the legal or financial risk transferred using insurance
products. Specialist financial risks can be transferred using treasury products. The principle of risk transfer is
to exchange an uncertain future position for a certain current position (usually, however, at a cost).
Subcontracting By subcontracting a risky process it is possible to transfer the risk to a specialist. In
this situation a fixed price is traded against the risk of retaining the activity. Generally the
subcontractor will have more experience in the process and they will incur less risk. However, the
inherent reduction in control needs itself to be properly managed to avoid a potential increase in risk. It
is also possible to transfer some risks by including a clause relating to this in supplier agreements. For
example, a contract with a supplier could specify that they were responsible for the goods in transit. It
is important that all major contracts are reviewed for risk implications.
q
Insurance This is the traditional method of reducing or eliminating risk. A company will always need
to purchase insurance as it is required by law for certain risks, such as employer liability and motor
insurance.
It is important to review your insurance policies critically. It may be possible to reduce premiums by
taking steps within the organisation to reduce the risk. For example, the fire premium may be reduced
if a sprinkler system is installed. It is also important to be aware of any conditions that the insurance
company require Ð if these are not adhered to, the insurance may be invalidated.
The levels of insurance should also be monitored regularly. For example, property prices can
fluctuate, so it is important that the level of buildings insurance covers the cost of rebuilding the
property in the event of a fire.
The principles of risk management apply when assessing insurance needs. Many organisations still
take out fully comprehensive car insurance, when they are taking risks of millions of pounds elsewhere
in the business.
With the aid of a good advisor it is possible to be more creative in using insurance and make the most
of the more specialist products that are currently being developed.
Two practical issues to consider when using insurance
The true cost is ignored When using insurance to manage risk, the cost is often taken as a
central overhead and not allocated to operating processes. Allocating insurance premiums to
processes focuses attention on the true costs of that process and makes it easier to assess the
costs and benefits of different risk management strategies.
Another way of doing this is to take high deductibles: the business unit is then forced to take on
the costs of the first part of the loss.
r
Other ways of managing risk are ignored Just because something is insured doesn't mean that
the risk can be ignored. It is rare that insurance will cover all the costs of the incident. For
example, a machine may break down and the insurance policy will cover the cost of repair.
However, there may not be cover for the loss of profits resulting from the loss of production
caused by the downtime. There may also be costs associated with failing to meet contract
r
q
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3d/tf10_3d.htm (3 of 5) [11/10/1999 16:49:39]

21. commitments, or loss of customer goodwill.
Treasury products It is possible to purchase a wide range of treasury products to cover interest rate
and currency fluctuations. When choosing the product it is important to decide whether the objective is
to eliminate the risk entirely (for example, to take out a forward foreign exchange rate contract) or to
simply eliminate the negative effect of the risk but allow advantage to be taken of any potential
benefits (such as an option).
q
Accept the risk
Some risks will be retained in the business, especially those with a low likelihood or low impact. It is also
possible to retain part of the risk such as deductibles on insurance. A high deductible provides the safety net
for a disaster, whilst retaining the rest of the risk within the organisation.
Self insurance Some risk retention may be formalised as self insurance, and for a larger company
this may involve setting up a captive (in house) insurance company. Captive insurance companies are
particularly useful for larger companies which can take on substantial risks, but would like to build up
reserves to cover them. They can also be useful for specialist industries where insurance may be very
expensive. It is not, however, necessary to have a captive insurance company to build up reserves. If
they are logically based (perhaps underpinned by actuarially valid underwriting considerations) they
could be carried as a liability on the balance sheet.
Again, it is important to record claims on self-insured risks, just as with insured risks so that this
information is available for future decision making. For some smaller risks, the claims handling can be
extremely time consuming and may be a reason why the risk is insured. Many large insurance
companies now provide a claims processing service for larger companies which chose to self insure
these smaller risks.
q
Business continuity planning One of the key methods of planning for mainly high-impact,
low-likelihood risks (such as the loss of core services) is business continuity planning. The benefit of
having a business continuity strategy is that the business can continue to operate after a critical event;
thus helping to protect profits and aid customer retention. Using the information gained from the risk
analysis, the critical incidents affecting the core services are assessed and a plan developed to
maintain those core services.
q
Steps in creating a plan
Identify core servicesq
Prepare and document the contingency plan to cover these core services There are a number
of proprietary software packages on the market that can help with the development of the plan.
q
Training and communication Ensure that everyone involved knows what their role is in the event of
a disaster.
q
Test the plan Many plans are developed and then filed away. It is essential to test the plan in a
realistic situation. This may cause inconvenience but it is essential to test the plan in a worst case
situation such as a serious problem arising outside normal office hours.
q
Adapt the plan The plan must be updated following testing and as a result of any changes to the
business.
q
Review and update the plan Regular reviews should be scheduled and carried out.q
Reporting risks
A document should be produced which summarises the key risks facing the business and includes the
following information:
A description of the risk.q
The impact of the risk on the business.q
The likelihood of the risk happening.q
The manager responsible for managing the risk.q
The existing controls in place.q
Any further actions needed to reduce risk.q
The timescale for further actions.q
Case Study 3 shows how Interior plc reports on and monitors the financial risks it faces.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3d/tf10_3d.htm (4 of 5) [11/10/1999 16:49:39]

22. Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3d/tf10_3d.htm (5 of 5) [11/10/1999 16:49:39]

23. Monitoring
Once the risk management exercise has been performed, it is important to keep up to date. One of the
simplest ways to achieve this is to combine it with an existing business planning exercise such as strategic
planning or budgeting, although many businesses do prefer to keep these activities separate in order to
retain focus on the task in hand. The risk management strategies should also be updated in the event of any
significant change in the business, such as a new product launch or an acquisition. Building in an early
warning system can help monitor key risks in the business. This can take the form of information in a monthly
report, eg, as statistics on insurance claims and other incidents or financial ratios.
Case Study 3: Interior plc
Financial risk monitoring
Interior plc is a 200 employee company of professionals specialising in high quality and complex
interior construction of offices, retail premises and hotels. Founded in 1989, it has prospered through
six of the most difficult years the UK property and construction industries have known - providing
property advice and management for occupiers, developers, banks and institutions. Its annual turnover
is around £120m with profits before tax of approximately £2m.
The company is, therefore, a high volume, low margin business, and so small changes to margins
earned have a magnified effect on the bottom line. In 1995, through a successful management buy-out
the company became independent.
As the new board, including three non-executive directors established itself, the financial director -
Mark Garratt - started to consider how best to monitor and report financial risks that affected the
business. His thinking developed along the lines of a risk monitoring report which in some way related
the risks taken, their value and the total level of risk that the board should consider. Since its initial
presentation, the document has been discussed, modified and developed but is now considered as
one of the key indicators of the board's performance and facilitates decision-making relating to new
ventures and risks.
In the example below (see Table 1), the method by which the monitor works is clearly shown in that
financial risks are identified, their values recorded and the probability of loss is assessed. A weighted
value is then produced for each category and accumulated. This total is then compared as a
percentage of net assets to enable users of the monitor to understand how much of the net worth of
the company is being put at risk or the maximum that is currently committed.
Clearly, the percentages are subjective to an extent as in most of the categories there have been no
losses at all in the past. It could perhaps best be described as an experience-based, reasoned
approximation - ie, a 'gut-feel'.
The monitor is a snap shot, but the trends are also important and these could be shown graphically.
The report is purely financial and does not cover other corporate risks which are monitored by other
methods, but it is regularly reviewed and refined and new categories could readily be considered in the
future. Given that a significant part of the board's responsibilities concern fiduciary duties this risk
monitor provides considerable assistance in assessing stewardship of the company's assets.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3e/tf10_3e.htm (1 of 3) [12/10/1999 11:40:06]

24. Case Study 3: Financial Risk Monitor
Actual values Weighted values
Risk
factor
Maximum
expected
£
This
month
£
Last
month
£
Maximum
expected
£
This
month
£
Last
month
£
Performance bonds
- collateral - default
bonds 3% 1,000,000 300,000 420,000 30,000 9,000 12,600
Debtors over 60
days 5% 250,000 150,000 200,000 12,500 7,500 10,000
Uncertified amounts
on fixed price
contracts 50% 100,000 25,000 50,000 50,000 12,500 25,000
Retentions more
than six months late 5% 100,000 50,000 75,000 5,000 2,500 3,750
Investments 100% 100,000 68,000 68,000 100,000 68,000 68,000
Project provisions
for losses 100% 100,000 - - 100,000 - -
Advanced payments 10% 150,000 100,000 150,000 15,000 10,000 15,000
Total 1,800,000 693,000 963,000 312,500 109,500 134,350
Total net assests 2,490,000 2,490,000 2,380,000
Percentage of net
assets 13% 4% 6%
Table 1 Illustrative actual and weighted values
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_3e/tf10_3e.htm (2 of 3) [12/10/1999 11:40:06]

25. Managing business risk is an important exercise for all organisations, large or small. It is important to adopt a
structured approach so that all risks are identified, measured and then appropriate action is taken. Risk
management activities should be co-ordinated across the organisation.
Implementing an integrated risk management programme will ensure that the organisation is better prepared
to deal with all eventualities, and it can also help in planning for the future. Being aware of and addressing all
the significant risks facing the business will help ensure the long term survival of the organisation and can
enhance the value of the business.
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_4/tf10_4.htm [11/10/1999 16:50:26]

26. Examples of factors increasing risk levels
The issues listed below will all increase the level of risk facing a business.
This list has been developed by consultation with senior finance managers. It is not meant to be exhaustive
but it is hoped that it will provide a useful checklist to ensure that organisations are addressing some of the
current issues facing businesses.
Increasing pace of change Businesses are having to change rapidly and frequently in order to cope
with a changing environment.
q
Globalisation of markets The opening up of markets is changing the competitive threats.q
More demanding consumer The advent of more and more freely available information such as the
internet and ever higher customer service expectations will put more pressure on companies.
q
Increased litigiousness Organisations are turning to the courts more frequently to resolve
commercial problems. Even if a case against an organisation is successfully defended the legal and
other costs can be significant.
q
Change of government A change of government could impact many areas of business.
Organisations need to understand what a change of government could mean to them and also,
prepare for this by making contact with potential future cabinet.
q
EMU Businesses need to prepare for the effects of monetary union.q
Costs of compliance Every year more regulations and restrictions come into force, but few are taken
away.
q
Year 2000 Many older IT systems stored the date as a two digit number (i.e. 1996 as 96), there will
therefore be problems in the new millennium with date calculations.
q
Reliance on IT Many organisations are totally dependent on IT for significant parts of their business.
It is important that the business could continue to function in the event of a major systems failure or a
power failure.
q
Liability of directors The responsibility of directors is increasing.q
Concern about the environment Environmental issues are high profile at the moment. Some
companies have been forced to spend large amounts of money, reverse corporate decisions and
suffer a large amount of bad publicity as a result of not considering environmental issues before
making key decisions.
q
Inflation There is mixed opinion as to whether inflation is going to be high or low in the future.
Organisations need to prepare for a high inflation climate (high interest rates, wage demands). In a
low inflation situation it is important to adjust investment criteria.
q
Media influence The power of the media is increasing.q
Shareholder influence As evidenced by the recent outcry at director's pay levels, shareholders,
particularly independent shareholders, are exercising their influence.
q
Empowerment The empowerment of employees is lessening management's control.q
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_5a/tf10_5a.htm (1 of 2) [11/10/1999 16:50:54]

27. Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_5a/tf10_5a.htm (2 of 2) [11/10/1999 16:50:54]

28. Further reading and information
Books
Most of the books available on the subject of risk management focus on the management of financial risks,
usually including complicated formulae. The following books concentrate on broader business risks.
Business risk management *
Ritchie, B and Marshall, D, Chapman & Hall (1993)
More of a textbook - some useful information and theories but more geared to business school user
than a practical guide.
q
Complete Guide to business risk management *
Sadgrove, K, Gower (1996)
An all round practical guide giving methods of controlling risks.
q
Handbook of risk management
Kluwer (Loose leaf service)
A comprehensive guide to the analysis, identification and measurement of corporate risk.
q
Managing business risk - an integrated approach *
Economist Intelligence Unit (1995)
Results of a survey of major businesses.
q
Managing industrial risk *
Woodhouse, J, Chapman & Hall (1993)
Focuses on risks facing manufacturing industries.
* In Institute Library
q
Journals
There are a number of specialist journals available. These are mainly issued by the insurance industry and
tend to focus on specialist insurance products.
Information
Accounting and insurance firms
Most of the larger firms offer a specialist integrated risk management consultancy service.
q
The Institute of Risk Management 0171 709 9808
The Institute issues a monthly journal for members plus a number of other publications and a video
(which are also available to non-members).
q
Cover page & Preface
Introduction
What is business risk and why is it so important?
A practical guide to assessing business risk
Establish the business framework
Identify the risks
Measure the risk
Deal with the risks
Monitoring
Conclusions
Appendix 1 Examples of factors increasing risk levels
Appendix 2 Further reading and information
Faculty Home Page
ICAEW Home Page
© ICAEW 1997. All rights reserved.
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_5b/tf10_5b.htm (1 of 2) [11/10/1999 16:51:15]

29. ISBN 1 85355 640 8
Technical Focus - Issue 10 - 01/97
file:///C|/TechFocus/Business Risk Manag/tf10_5b/tf10_5b.htm (2 of 2) [11/10/1999 16:51:15]