
CGR 510

Risk Management

Assignment 02

Semester 1 2018

Prepared for:

Prepared by: Sadia Kamrul Kabeer

Student Number: B1702147

Date Submitted: 06/09/2019


A local biscuit manufacturing company is currently going through tough times. They have
hired your services as a risk management expert to advise them as to how to manage various
risks being faced by them so that they can continue to trade as a going concern. You have
done your feasibility study and have identified various business risks being faced by the
company. You have classified these risks under the following four categories:

a) Risks that have high impact and high likelihood of occurrence.

b) Risks that have high impact but less likelihood of occurrence.

c) Risks that have low impact and low likelihood of occurrence.

d) Risks that have low impact and high likelihood of occurrence

1. For each of the risks identified under each category above, identify and describe
how the company might transfer, reduce or accept the risk.

Local Biscuit Company, AYBC Sdn Bhd is classified to be in the FMCG sector. The company
specializes in the manufacturing and sale of biscuits and cake, which bring in about 65% and
35% of total annual revenue, respectively. In the following report, we will list out the various
risk issues: the risk, how often it can occur, how it will impact the business, and the risk
response. To classify the risks, we will use the following matrix. There are four (4) quadrants
and two (2) axes in the matrix. In this context, we will consider risk in terms of two
dimensions to decide the risk response:

i. Likelihood: The chances of the risk event actually taking place, based on frequency and
circumstances.
ii. Impact: The consequences of this risk event, if it takes place.

Fig 1: Risk Matrix

In the rest of the report, we will list out the risk events and rank them according to likelihood
(low, medium, high) and impact (low, medium, high). Then we will insert the risks in the matrix
to see where they fall.

Generally, there are five (5) main types of responses. We can (i) accept, (ii) mitigate/reduce,
(iii) transfer, (iv) avoid and/or (v) exploit the risk event. In a typical sense,
the risks in blue quadrant and sometimes green quadrants can be accepted. This simply
means, the business can easily weather the risk event and does not have to waste resources
because the risk is low. If the risk event falls in the orange quadrant, it means the risk has a
high likelihood of happening (precedent) but not much impact on organizational process.
Then we can mitigate and/or accept the risk. Overall the risk event will not have much
impact, however we can mitigate the frequency of the risk and reduce aggregate impact
levels, if any. The yellow quadrant risks have a medium probability of happening, and they
will have medium impact and may adversely affect the business activities. The best response
would be to avoid the risk, if possible. If not, we can mitigate or transfer the risk to lessen
impact. The red quadrant is frequently considered the danger zone for the organization. Risks in
this quadrant need to be managed effectively in order to minimize impact. If the risk is
unavoidable (like drastic market risks or climate risks), then we have to mitigate and transfer
the impact of the risk. Where possible, the risk must be avoided in its entirety. As for the risk
response of exploiting the risk, this needs to be assessed on a case by case basis. Market risks need
not always be adverse. If the risk event brings opportunities like a currency movement or
market trend in favour of the company, then these should be taken advantage of.

Operational Risk

| No. | Risk Identified | Likelihood | Impact | Risk Response | Action |
|---|---|---|---|---|---|
| R1 | Machine Breakdown | Med-High | High | Mitigate/Avoid | Equipment failure can be avoided by scheduling regular maintenance and equipment updates. There should be consistent monitoring of the equipment's life. |
| R2 | Batter Contamination | Low-Med | High | Mitigate/Avoid | Contamination is avoidable by enforcing strict quality control, i.e. wearing gloves while handling the batter, strict cleaning methods and schedules for the vats and other surfaces. |
| R3 | Lack of trained employees in plant | Med | High | Mitigate | Provide employee training on manufacturing and packing methodology and cleanliness. |
| R4 | Material delay | High | High | Mitigate | Establish strict contracts with suppliers; recruit contingency suppliers; have buffer stocks for raw materials. |
| R5 | Wastage due to manufacturing mistakes | Low | Low | Accept | Manufacturing mistakes are unavoidable; proper training can be implemented in stages to reduce wastage of output and input materials. |
| R6 | Safety Risk in handling Oven | Med | High | Mitigate | Provide training to workers in health and safety matters that include handling of different fire hazard equipment. |
| R7 | Illegal Labour | High | Low | Avoid | Avoid using illegal labour by establishing recruitment policies with the HR department. |
| R8 | Raw Material Inventory errors | Med-Low | Low | Accept but mitigate | Inventory errors can happen due to record keeping errors; a digitization of the process can mitigate this error by slow building of IT infrastructure of the Warehouse. |
| R9 | Finished Product Shelf life of perishable item | Low | Med-Low | Avoid | Inventory errors can happen due to record keeping errors; a digitization of the process can mitigate this error by slow building of IT infrastructure of the Warehouse. SOP should include strict time schedules on expiry dates and product write-off dates. The Warehouse manager should be held accountable for this process. |
| R10 | Fire Hazard from the kilns | High | High | Mitigate and Transfer | Provide training to workers in health and safety matters that include handling of different fire hazard equipment. Insurance for fire accidents. |
| R11 | Contaminated Raw Material | Low | High | Mitigate | Establish strict contracts with suppliers. Quality Control before accepting delivery for raw materials should be established. |
| R12 | Unclear Product Specification for manufacturing | Low | High | Avoid | The recipe and methodology of the product need to be well-documented, along with all quality control stages and methods. Thus, all processes can be followed using established processes to go according to manufacturing standards. |

Market Risk

| No. | Risk Identified | Likelihood | Impact | Risk Response | Action |
|---|---|---|---|---|---|
| R13 | Increase in Labour Costs | Med | Med | Accept | Increases in labour costs are usually imposed via government regulations. It is better to accept these regulations and look for tax cuts via environmental contributions. |
| R14 | Raw Material Price fluctuation | High | Med | Mitigate or Accept or Exploit | There's only a limited way that these can be dealt with, except to be careful with purchase agreements with suppliers. |
| R15 | Market Trends | Med-High | Med | Mitigate or Accept or Exploit | Following the market trend to exploit opportunities and respond to market demands. |
| R16 | Increased Competition | Med | Med | Mitigate or Accept or Exploit | Following the market trend to exploit opportunities and respond to customer demands. Investing in R&D to come up with competitive products. Marketing and sales based approach. |
| R17 | Consumer Trends | Med | High | Mitigate or Accept or Exploit | Following the market trend to exploit opportunities and respond to customer demands. Investing in R&D to come up with competitive products. Marketing and sales based approach. Conduct survey and analysis of sales data to evaluate customer demands and respond. |

Strategic Risk

| No. | Risk Identified | Likelihood | Impact | Risk Response | Action |
|---|---|---|---|---|---|
| R18 | Organisation has low risk culture | High | High | Mitigate | The BoD needs to set the tone of the organisation to seek out risks and opportunities and come up with an effective Risk Management Plan. |
| R19 | Organisational Image & Reputation | Med-High | High | Avoid or Mitigate | ABYX will face risks to its image due to any quality control issues from their products or any illegal actions taken by ABYX representatives. To avoid this, the company will implement strict quality control measures by releasing documented methodologies for internal controls and running trainings for employees every 6 months. Company will also release an integrity policy based on ISO 37001 Anti Bribery Management System to strengthen the culture of integrity within the organisation. |

Table 1.1 Risk Card

ABYX Company Sdn Bhd

In the table above, various types of risks have been identified, rated and the response and
action for the risk management plan has been put in place to deal with risks in each category.

2. Design and apply a risk map for the company.

A risk map is a visualization tool that allows the organization to communicate the specific risks
that are faced by the business. It will help the organization prioritise the risks identified and
plan to manage the risks. The objective of this map is to build an understanding of the
organisational risk profile and risk appetite (Margaret Rouse).

Fig 2: Risk Matrix

The risk map is a matrix where the likelihood is represented on one axis and the impact of
the same risk is plotted on the other axis. Overall, a risk rating can be achieved through
this and the risk will fall on the map. The zones of the risk map are marked by different
colours: blue for low likelihood and impact, then green, yellow, orange and finally, red.
Normally, in the FMCG sector, orange and red risks are considered severe in nature and in need
of instant attention. Yellow quadrant risks require consistent monitoring lest they move into
orange or red zones. Essentially, red and orange are high heat zones and blue and green are low
heat zones (Etti Baranoff et al, 2009).

Using Table 1.1, the Risk Issues are plotted on a Risk Map to see which zones each risk issue
will fall into.

Fig 3: Risk Map


Thus, using the above Risk Map:

Green Zone: R5, R8 and R9

Yellow Zone: R7, R12, R15 and R18

Orange Zone: R1, R2, R3, R6, R11, R14

Red Zone: R4, R10, R18, R19

The Green Zone depicts risks that do not require immediate attention, however the
organization acknowledges the risks and monitors them for updates. The Yellow Zone is a
little more pressing, because it can cause some impact to business activities. The managers
accountable will be monitoring the yellow zone risks closely, and a management plan is laid
out in case the risks move to orange or red zones. The orange or red zones are severe and
catastrophic risk zones. Upon identification of these risks, immediate internal controls need to
be put into place to manage the risks before they result in damage to the business or its operations.

The prudent thing to do, once all the risks are identified, is to assign responsibility to
employees in various management positions throughout the organization to deal with the
implementation of the internal controls that can be designed by the risk manager and auditor, along
with functional management input. Once these controls are set up, it is crucial to monitor the controls
and their effectiveness against the real time processes to evaluate where there are process
weaknesses and gaps.

Constant monitoring of the risk map and frequent updates are necessary. Organisations with an
effective Risk Management Framework have scheduled Risk Assessments of their business
activities to evaluate possible new risk events or an adjustment in the severity and frequency
of documented risks. The risk map needs to be updated upon conducting a risk assessment to
prioritise these possible changes. Risk Management should be an iterative process, and
establishing a risk assessment and risk map is key to making sure it is.

3. How do you identify, understand and apply interrelationships among risks?

The interconnectedness of the global economy in the current day and age has evolved risk
management into a complex undertaking. Organisations have increasingly layered
environments and process factors, which require more comprehensive risk management
techniques. The essential takeaway here is that risk events do not occur in isolation and affect
only risk owners, but are connected on different levels and have multi-layered consequences.
The movement towards an Enterprise Risk Management System acknowledges that risks and
operations of the organization will interrelate and sometimes need to be managed together within
the context of the overall mission.

The business leaders and senior management have to consider emerging attention on
international supply chains, global financial system, cyber and reputational risks.

Consider strategic risks like reputation threats. These will never occur in isolation. Reputation
risk is a consequent risk of a prior risk event. This prior risk event could have been a quality
risk, sales risk, financial risk or cyber risk. This shows us that risks are
interconnected. Sometimes the likelihood or impact of one risk can massively influence or
trigger another risk event. The reputation risk event, in turn, can affect the financial standing
of the business, the customer perception and social media impacts.

Therefore, it is essential not to think of risks in isolation but rather to look at their
interrelationships when formulating risk responses and a risk management plan.

Below are a few ways to make sure an organization approaches a holistic risk management
plan where interrelationships between risks do not fall outside of risk assessment and
management process (Dave Brosnan):

Keep an eye on existing risk issues:

With new threats and opportunities every day, it is easy for a business to forget about more
traditional threats and business continuity issues. However, left unchecked, these older risks
can pose a myriad of dangers. Once the fundamental risks are well-managed, the
management can turn its eye towards newer and harder-to-understand risks. If the organization
has an embedded ERM process, then the risks will already be identified across the
organization by a process of brainstorming on the part of various stakeholders and functional
heads. These should be communicated between the different stakeholders. At this point, the
organization can use Interpretive Structural Modelling to figure out interdependences of risks
where they exist, by having an expert group determine the relationships between the risk factors.
This relationship is represented via an adjacency matrix, which provides an initial impression
of how, in what order and through which factors various risks may result in a failed
objective. This is followed by determining the reachability matrix, which will provide a
binary representation of the directed relationships between the risks. Lastly, the reachability
matrix will be decomposed into different levels in the form of structural models, an
algorithm-based process to group risks into different levels by their interrelationships. The final
result is a multilevel structural model, interpretive in nature, where relationships among risks are
clarified (Rick Gorvett, 2007).
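
The three Interpretive Structural Modelling steps described above (adjacency matrix, reachability matrix, level partitioning), as an added Python example that is not part of the original assignment. The risk IDs come from Table 1.1, but the influence pairs are constructed assumptions standing in for the expert group's judgement.

```python
# Added example: the three ISM steps on a constructed set of risk influences.
# Risk IDs come from Table 1.1; the influence pairs are assumptions made for
# illustration, standing in for the expert group's judgement.
RISKS = ["R2", "R3", "R5", "R11", "R19"]
INFLUENCES = [            # (a, b) means "risk a can trigger risk b"
    ("R11", "R2"),        # contaminated raw material -> batter contamination
    ("R3", "R2"),         # untrained employees -> batter contamination
    ("R3", "R5"),         # untrained employees -> manufacturing wastage
    ("R2", "R5"),         # contaminated batter is written off as wastage
    ("R2", "R19"),        # quality incident -> image and reputation
]


def adjacency_matrix(risks, influences):
    """Step 1: direct relationships only, as judged by the expert group."""
    index = {risk: i for i, risk in enumerate(risks)}
    matrix = [[0] * len(risks) for _ in risks]
    for source, target in influences:
        matrix[index[source]][index[target]] = 1
    return matrix


def reachability_matrix(adjacency):
    """Step 2: add self-reachability, then take the transitive closure."""
    n = len(adjacency)
    reach = [[1 if i == j else adjacency[i][j] for j in range(n)] for i in range(n)]
    for k in range(n):                      # Warshall's algorithm
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = 1
    return reach


def partition_levels(risks, reach):
    """Step 3: peel off levels; level 1 holds the end consequences."""
    remaining = set(range(len(risks)))
    levels = []
    while remaining:
        level = []
        for i in sorted(remaining):
            reachable = {j for j in remaining if reach[i][j]}
            antecedents = {j for j in remaining if reach[j][i]}
            # A risk sits at the current level when everything it can still
            # reach can also reach it back (reachable & antecedents == reachable).
            if reachable <= antecedents:
                level.append(i)
        levels.append([risks[i] for i in level])
        remaining -= set(level)
    return levels


def build_model(risks=RISKS, influences=INFLUENCES):
    reach = reachability_matrix(adjacency_matrix(risks, influences))
    return reach, partition_levels(risks, reach)


if __name__ == "__main__":
    reach, levels = build_model()
    for number, level in enumerate(levels, start=1):
        print(f"Level {number}: {', '.join(level)}")
```

With these constructed inputs the deepest level holds the risks that drive the others without being driven themselves, which is where a risk response acts on the whole chain rather than on one consequence.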

Co-ordination:

Less than 20% of business assets (intangible assets) are insured. This is a gross oversight
since brand value tops the list of business continuity issues. Insurance industries will need to
provide better risk reduction solutions for intangible risks. Risk management needs to push for
coordination across all functioning departments of the firm to make sure they all have a
good view of interconnected risks. Insurance Companies will need to work with brokers to
provide better solutions to protect against reputation, supply chain and cyber risks to meet the
needs of emerging business.


4. Explain the concept of risk culture and how to inculcate a good risk culture in the
company. Comment on the principal risk culture failure tendencies of organisations.

“Cultivation of a consistent ‘risk culture’ throughout firms is the most important element in
risk management.” – IIF, Final Report on Market Best Practices for Financial Institutions and
Financial Products, August 2008

To avoid a narrow, structured understanding of risk culture, it is necessary to be able to see
the concept of risk culture as a holistic approach to setting the tone of the organization. In
order to fully understand the concept of risk culture, it is first imperative to define what it is:

“The norms of behavior for individuals and groups within an organization that determine the
collective ability to identify and understand, openly discuss and act on the organization’s
current and future risks.”

Of course, there is no concrete way of “measuring” a risk culture, although some diagnostic
tools can come in handy when attempting to understand the approach to risk in
organizational culture. IRM has created a framework that attempts to understand how a
prevailing risk culture can be embedded within the organization. This gives us the various
levels of the organization and its individuals as a “field” in which to evaluate the performance
of the different edicts of the framework.

Fig 4: Based on the IRM Risk Culture Framework (layers shown in the figure: Risk Culture,
Organisational Culture, Behaviours, Personal Ethics, Personal Predisposition to risk)

The framework clearly depicts that the core of the risk culture is rooted in the
senior management’s personal predispositions to risk. Without it, the Risk Culture would have
no foundation. The personal disposition or risk attitudes will influence the behavior of
management and subsequently dictate what the accepted norms of behavior in the
organizational culture are. This is where the risk culture of the organization would ultimately
start thriving, because the organization would focus on risk based audits and management.

A strong risk culture will see these behavioral norms as sustaining a common set of standards
to define an approach to risk-taking. These standards behave as basic assumptions that are
shared by organizational stakeholders up to an unconscious level and fundamentally shape
the organization’s view towards risk to itself. Simply put, a strong risk culture perceives a
take-charge attitude toward risk management as the norm, rather than a conscious effort.

In order to inculcate a good risk culture within the company, the company will need to
(Cindy Levy et al, 2010) (Alex Dowdalls):

i. Provide a clear, well communicated risk strategy from the Board. Risk Culture is the
responsibility of the Board. Senior executives and management need to be aware of
their influence on the risk culture awareness within the organisation. They should
draft a clear risk vision, strategy and appetite and communicate with clarity to all
organizational levels.
ii. Have high standards of analysis and information sharing at all organizational levels by
using a structured framework to map out the desired risk culture and measure the perceived
risk culture and its effects.
iii. Show rapid escalation of threats and concerns.
iv. Show role-modeling behavior that is visible and contributes to the strong risk culture
by senior management.
v. Iteratively review actions and preconceptions.
vi. Provide incentives for people to think about overall organisational health by
promoting the idea of “doing the right thing.”

The Code of Ethics or other formal organization material will set the limitations of
acceptable behavior in the organization. Studies show that organisations that foster a positive
and strong risk culture tend to thrive (Kenneth McIvor, 2019). An organization seeking to
adopt a positive risk culture needs to start at the very top, owner or director level attitudes.
Only then can it be cascaded down as a “norm”.

The principal sources of risk culture failures can be divided into four major groups (Cindy
Levy et al, 2010):

i. Transparency of Risk
• Poor Communication: The kind of culture where the warning signs of internal and
external risks are not communicated openly within the bowels of the organization.
E.g.: a construction firm where significant delays in the project schedule kept
catching management by surprise because of the lack of a process to generate
insights from collected information that aggregate small issues.
• Unclear Risk Appetite: The senior management/Board of Directors do not
communicate their risk appetite (Risk Appetite: The limitation on which risks the
organization can bear and which need to be dealt with).
• Lack of insight: The kind of organizational culture where there is a failure to
understand all the risks that are being faced, or which does not fully comprehend that risk
is an organization-wide concern and not just for risk specialists.
ii. Acknowledgment of Risk
• Overconfidence: The idea that the organization is immune from risks because of
their position or talent. E.g.: the energy trading company whose belief that they were
market experts eventually led to their downfall, as they kept on taking too many
risks.
• No challenge: A culture where individuals do not have the freedom and flexibility
to challenge each other’s ideas, attitudes and actions. E.g.: the leading European
bank where senior management was not open to any internal debate, which led to
disastrous decision making.
• Fear of bearing bad news: The inhibition in organizational stakeholders toward
passing on any kind of negative news or awareness of past mistakes. E.g.: the MRSA
outbreak where junior staff were too afraid to report early signs, for fear of
criticism and blame.
iii. Responsiveness to Risk
• Indifference: The kind of organization which will associate a negative connotation
with situational responses or any type of initiatives undertaken for risk responses.
• Slow response: The response to external changes requiring an internal response or
decision or innovation is too slow because of denial or lack of urgency on the part
of the senior management. E.g.: the collapse of an overleveraged hedge fund due to slow
response to a market shift.
iv. Respect for Risk
• Beat the system: The risk appetite is not properly aligned with the organisation’s
risk profile, leaving too much room for inappropriate activities being
implemented.
• Gaming: Individual functional units will take risks for their own benefit that are
outside of the organizational risk appetite. E.g.: Goldman Sachs, who facilitated
business with Jho Low, even though he had been denied client status multiple
times in the past via the compliance staff.

REFERENCES
(n.d.). 5 Ways To Manage Risk. Retrieved from
http://www.dbpmanagement.com/15/5-ways-to-manage-risk
Baranoff, E., Brockett, P. L., & Kahane, Y. (2009). Risk Management for Enterprises and
Individuals. Saylor Foundation.
Brosnan, D. (2019). Retrieved from
https://www.cnahardy.com/news-and-insight/insights/english/joined-up-risks-require-joined-up-thinking?utm_source=slipcase&utm_medium=affiliate&utm_campaign=slipcase
Dowdalls, A. (2018, June 11). The route to a strong risk culture – 5 tips. Retrieved from
https://axveco.com/the-route-to-a-strong-risk-culture-5-tips/
Gorvett, R. (2007). Measuring Operational Risk Interdependencies using Interpretive
Structural Modeling. Researchgate.
Levy, C. I., Lamarre, E., & Twining, J. (2010). Taking control of organizational risk culture.
McIvor, K. (2019, May 29). 3 drivers of epic risk culture failures. Retrieved from
https://www.willistowerswatson.com/en-SG/Insights/2019/05/3-drivers-epic-risk-culture-failures
IRM, & Protiviti. (n.d.). Risk Culture Resources for Practitioners. Institute of
Risk Management.
Rouse, M. (n.d.). What is risk map (risk heat map)? - Definition from WhatIs.com. Retrieved
from https://searchcompliance.techtarget.com/definition/risk-map
