
Risk and risk management

https://www.youtube.com/watch?v=fXsDzYx2fPI
https://www.youtube.com/watch?v=-E-jfcoR2W0
What is risk?


Anything that could negatively impact the entity’s ability to meet its business objectives



The possibility that events will (or will not) occur and affect the achievement of strategy and business objectives



Risk exists whenever a future outcome or future event cannot be predicted with certainty, and a range of different possible outcomes or events might occur.

Degree of uncertainty
Outcome must matter
POSSIBILITY OF HEAVY RAIN

Degree of uncertainty? Does it matter?

Cooking a home cooked meal

Going to the beach for a long-awaited vacation

POSSIBILITY OF HEAVY RAIN

Degree of uncertainty? Does it matter?

Institutional mass in the school grounds

Offering a new academic program


Are risk and uncertainty the same?



Risk, from a business perspective, can also be viewed as “taking advantage of opportunities”.


Organization: Definition

International Organization for Standardization (ISO): Risk is the effect of uncertainty on objectives, and an effect is a positive or negative deviation from what is expected. Traditional risk definitions combine a potential event with probability and severity. ISO points out that risk is goal specific.

Institute of Internal Auditors: Risk is 'the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.'

Institute of Risk Management: Risk is the combination of the probability of an event and its consequences. Consequences are either positive or negative.
What are the categories of risk?

PURE (Downside Risk)
Is a risk where there is a possibility that an adverse event will occur. Events might turn out to be worse than expected, but they cannot be better than expected.

SPECULATIVE (Two Way Risk)
Is a risk where the actual future event or outcome might be either better or worse than expected.

Situation
The company has commissioned a software company to design a new information system. The system will be used for marketing analysis and to sell goods to customers online.

Comment
SPECULATIVE RISK: the risk that customers will not want to buy goods on-line, and the risk that a competitor will develop a more popular e-commerce web site.
PURE RISK: the new system will fail to function properly, and might suffer from hardware or software faults.

Take Note…

Companies face BOTH pure and speculative risks.


○ Pure risks are risks that can often be controlled either by
means of internal controls or by insurance. These risks might
be called internal control risks or operational risks.
○ Speculative risks cannot be avoided because risks must be
taken in order to make profits. As a general rule, higher risks
should be justified by the expectation of higher profits
(although events might turn out worse than expected) and a
company needs to decide what level of speculative risk is
acceptable. Speculative risks are usually called business risk,
and might also be called strategic risk or enterprise risk.
CATEGORIES OF BUSINESS RISK
Market Risk

Credit Risk

Liquidity Risk

Technological Risk

Legal Risk

Health, safety, and environmental risk

Reputation risk

Business probity risk


Market Risk
Market risk is the risk from changes in the market price of key items, such as the price of key commodities. Market prices can go up or down, and a company can benefit from a fall in raw material prices or incur a loss from a rise in prices.

Credit Risk
Credit risk is the risk of losses from bad debts or delays by customers in the settlement of their debts. All companies that give credit to customers are exposed to credit risk. The size of the credit risk depends on the amount of receivables owed to the company, and the ‘credit quality’ of the customers.

Liquidity Risk
Liquidity risk is the risk that the company will be unable to make payments to settle liabilities when payment is due. It can occur when a company has no money in the bank, is unable to borrow more money quickly, and has no assets that it can sell quickly in the market to obtain cash. Companies can be profitable but still at risk from a liquidity shortage.

Technological Risk
Technological risk is the risk that could arise from changes in technology (or inadequacy of technological systems in use). When a major technological change occurs, companies might have to make a decision about whether or not to adopt the new technology.

Legal Risk
Legal risk, which includes regulatory risk, is the risk of losses arising from failure to comply with laws and regulations, and also the risk of losses from legal actions and lawsuits.

Health, safety, and environmental risk
Health and safety risks are risks to the health and safety of employees, customers and the general public. Environment risks are risks of losses arising, in the short term or long term, from damage to the environment - such as pollution or the destruction of non-renewable raw materials.

Reputation risk
It is the risk that a company’s reputation with the general public (and customers), or the reputation of its product ‘brand’, will suffer damage. Damage to reputation can arise in many different ways: incidents that damage reputation are often reported by the media.

Business probity risk
Probity means honesty and integrity. Business probity risk is the risk of losses from a failure to act in an honest way.




OUTPUT ALERT!!!!


Form a team of 5 members.


Divide the team into sub-teams of 3 and 2.
The sub-team of 3 will be fielded to a Quizbowl.
The sub-team of 2 will lead the Risk Map Output and will appear in
the Risk Map video.

Review!

The University owns all the buildings used for its three campuses. It also has school buses
and other properties needed for the operation
of a school.
Over the recent years, the area in which the
school’s third campus operates has seen a
change in weather patterns, resulting in more
frequent flooding.
The university is acquiring a new lot to serve
as an expansion of its main campus.
The University’s accounting system has been
fully automated. Of particular interest is the
automated approval of university expenditures.

Risk Management

COSO Definition

Risk management is a process, applied in strategy setting across the enterprise, designed to: identify potential events that may affect the entity, and manage risks within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives.


Risk management is a
corporate governance issue.



“… manage risk in creating, preserving, and realizing value”

Identify Assess Respond Monitor


Risk Identification

A company needs to understand what risks it faces, both in its environment and markets (strategic risks) and internally (operational risks).
○ This may be aided by the creation of a risk
committee. These are committees of managers
from several departments or functions.
Having identified risks, it is therefore necessary
to assess the importance of each risk, in order
to:
○ rank the risks in order of significance (order of
priority), and
○ identify the risks that are the most significant, and
○ identify the significant risks where control
measures are urgently needed.
Risk Assessment

This is the stage of actually assessing the risk,
and is also called risk profiling or risk mapping.
To assess each risk, it is necessary to consider
the likelihood that losses will occur as a
consequence of the risk, and the size or
amount of the loss when this happens.
Risks may be measured or assessed
quantitatively or qualitatively.
Sample risk map
Risk assessment is an
ONGOING process!
Risk Response
Monitor the risk
Reflect on this:

You are the risk manager for ABC Hotels, Inc, a major hotel chain that primarily caters to international tourists and the Class A market.

Despite the cancellation of many event bookings and room reservations owing to the pandemic, management is not keen on lowering the rates as they wish to maintain their reputation as the hotel for the elites.

An inspection of the financial reports reveals that, while the company has enough liquid assets, it may not be enough to keep paying its over 5,000 employees. Additional expenses also need to be incurred because of the imposed capacity limits and sanitation requirements.
COSO Definition

(Enterprise) Risk management is a process, applied in strategy setting across the enterprise, designed to: identify potential events that may affect the entity, and manage risks within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives.

Objectives

Efficiency and effectiveness of operations
Compliance with laws and regulations
Reliability in financial reporting

Essentials of Risk Management

Risk Management Essentials

Language
Process
Ratings
Response

Risk Response

Risk diversification
Risk transfer / risk sharing
Hedging
TARA Framework

Risk Diversification

“Do not put all your eggs in one basket”

The purpose of diversification is to invest in a range of different business activities, and build up a portfolio of different business activities.

Risk diversification

A diversification strategy by a company might be appropriate
provided that its management have the skills and experience to
manage the portfolio of different business activities.
A diversification strategy by a company is much more risky (and
less appropriate) when it takes the company into unrelated
business activities.
Risks are not reduced significantly by diversifying into different
activities where the risks are similar, so that if there is an adverse
change in one business activity, there is a strong probability that
adverse changes will also occur in the other activities.

Risk transfer/ risk sharing

Risk sharing involves collaborating with another person and sharing the risks jointly.
Common methods of risk sharing in business are partnerships and joint ventures.

Hedging

Hedging risk means creating a position (making a transaction) that offsets an exposure to another risk.

The TARA Framework for risk management
Transfer
Avoid
Reduce
Accept
[Figure: TARA risk map. Axes: Probability (L to H) and Impact (L to H). Quadrants: T, A, A, R. Plotted risks: R#1: Transmission due to face to face classes; R#2: Risk of damage to reputation; R#3: Risk of theft of school property; R#4: Risk of damage to classrooms.]

[Figure: risk map. Axes: Probability (L to H) and Impact (L to H). Quadrants: System based detective; System based preventive; People based detective; People based preventive. Plotted risks: #1: Hiring a negligent teacher; #2: Student organizations that promote communism; #3: Data breach.]

Risk based approach

It is an approach to decision-making based on
a detailed evaluation of risks and exposures,
and policy guidelines on the level of risk that is
acceptable (risk appetite).
The risk-based approach takes the view that
some risk must be accepted, but risk
exposures should be kept within acceptable
limits.
For example, the customs and immigration
department at a country’s airports might have
a policy of checking the baggage of every
passenger arriving in the country by
aeroplane, because the policy objective is to
eliminate smuggling of prohibited goods into
the country by individuals.
With a risk-based approach, the department will take
the view that some risk of smuggled goods entering the
country is unavoidable. The policy should therefore be
to try to limit the risk to a certain level. Instead of
checking the baggage of every passenger arriving in the
country, customs officials should select passengers
whose baggage they wish to search. Their selection of
customers for searching should be based on a risk
assessment – for example what type of customer is
most likely to try to smuggle goods into the country?
Enterprise Risk Management Frameworks

ISO 31000 framework


The Board should oversee that a sound enterprise risk management (ERM) framework is in place to effectively identify, monitor, and manage key business risks.
(SEC Code of Corporate Governance)

