Module 2

MODULE 2 – IDENTIFYING AND ASSESSING RISK

What is risk?
Risk: unrealized future loss arising from a present action or inaction.
• Risks are the opportunities and dangers associated with uncertain future events.
• A company cannot function without taking any risk.
• Risks help to generate higher returns.
• Not accepting risk tends to make a business less dynamic. Incurring risk also implies that the
returns from different activities will be higher i.e. the ‘benefit’ being the return for accepting risk.
• The benefits can either be financial or non-financial in nature.
• Risks help a business to gain competitive advantage.

Why manage risk?


• To identify new risks that may affect the company so an appropriate risk management strategy can
be determined.
• To identify changes to existing or known risks so amendments to the risk management strategy can
be made. For example, where there is an increased likelihood of occurrence of a known risk, strategy
may be amended from ignoring the risk to possibly insuring against it.
• To ensure that the best use is made of opportunities.
• Risk management is a key part of Corporate Governance. It is required by the Combined Code
and codes of other jurisdictions.
5 steps of risk assessment
1. Identify hazard
2. Identify people who might be affected
3. Evaluate risk and decide on precautions
4. Record significant findings and implementations
5. Review and update
Risk Grid

• Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage –
although where there is low risk there is also only a limited amount of competitive advantage to be
obtained.
• For example, a mobile telephone operator may produce its phones in a wide range of colours.
There is little or no risk of the technology failing, but the move may provide limited competitive
advantage where customers are attracted to a particular colour of phone.
• Some low-risk activities, however, will provide higher competitive advantage. When these can
be identified, then the activity should be undertaken because of the higher reward. For example, the
mobile phone operator may find a way of easily amending mobile phones to make them safer
regarding the electrical emissions generated.
• High-risk activities can similarly generate low or high competitive advantage.
• Activities with low competitive advantage will generally be avoided. There remains the risk that
the activity will not work, and that the small amount of competitive advantage that would be
generated is not worth that risk.
• High-risk activities may generate significant amounts of competitive advantage. These activities are
worth investigating because of the high returns that can be generated.

ALARP Principle
• We cannot eliminate risk altogether; risks are a part of life, after all. But risk must be
controlled.
• Time, money and resources are needed to reduce risks. You are not expected to spend infinite
resources and money on eliminating all risks.
• How could you stay in business if that was the case? You would never make a profit, forever
chasing the impossible - zero risks.
• The ALARP (As Low As Reasonably Practicable) principle simply states that residual risk
should be as low as reasonably practicable.
• Taking into consideration the costly nature of risk reduction, the ALARP principle expresses a
point at which the cost of additional risk reduction would be grossly disproportionate to the
benefits achieved.
For example, an extreme case to clarify the point:
– A company spending a million pounds to prevent a member of staff suffering from a bruised knee is
grossly disproportionate.
– A company spending a million pounds to prevent a major explosion capable of killing 150 people is
proportionate.
ALARP tools
• Optioneering
• Codes and standards
• Good practice and engineering judgement
• Risk assessment and cost benefit analysis
• Peer review and benchmarking
• Stakeholder consultation

Rules of thumb
• The more complex the project, the more complex the decision and the more sophisticated the tools
required.
• The higher the risk, the more comprehensive and robust the ALARP assessment needs to be.

Risk management
Risk management is the process of reducing the possibility of adverse consequences, either by reducing
the likelihood of an event or its impact, or by taking advantage of the upside risk.
A business typically faces many risks, such as product risk, market risk, credit risk, currency risk,
reputation risk, interest rate risk, political risk, legal risk, economic risk, financial risk, technology
risk, environmental risk, H&S risk, etc.

• Risk identification – Risks are identified by key stakeholders. Risks must be identified before they
can be managed.
• Risk assessment – Risks are evaluated according to the likelihood of occurrence and impact on the
organisation. This assessment provides a prioritised risk list identifying those risks that need the most
urgent attention.
• Risk planning – This involves establishing appropriate risk management policies. Policies include
ceasing risky activities through to obtaining insurance against unfavourable events. Contingency
planning involves establishing procedures to recover from adverse events if they occur.
• Risk monitoring – Risks need to be monitored regularly. If risks change or new risks are identified,
these are added to the risk assessment for correct categorisation and action.

Types of risk
Strategic risks are those risks that arise from the possible consequences of strategic decisions
taken by the organization.
For example: risk of a merger/acquisition not working out. These also arise from the way that an
organisation is strategically positioned within its environment. These are high-level risks and should
be identified and assessed at senior management and board level. PESTEL and SWOT techniques
could be used to identify these risks.
Operational risks refer to potential losses that might arise in business operations. For example: risks
of fraud, poor quality production, lack of inputs for production. These risks are comparatively of low
level and can be managed by internal control systems.
BUSINESS RISK
• Generic risks are those risks that affect all businesses. For example: changes in the interest rates,
non-compliance with company law, etc.
• Specific risks are those risks that affect individual business sectors. For example: rise in the prices of
petrol will affect a transport company more than an audit firm.

Risk identification

Examples of sector risks


Sector-specific risks vary depending on the industry sector.
Good sources of identifying these risks are the business pages of quality newspapers or their
associated websites. Reading these pages a few times a week will keep you up to date with events in
the business world and the reasons for them.
Here are four sectors and a summary of the risks affecting each (some comments being drawn from
newspaper reports to show how knowledge does help here):
• Examples: An inability to attract good-quality staff as academic salaries fall below those in
business.
• A major private university is established that is attractive to typical applicants to this university.
• Research income threatened by poor financial position of donors to major projects.
• Admissions policy of university is portrayed by media as discriminatory.
• Government policy for funding further education is diverted in favour of other types of institution.
Assessment of risk

Impact on stakeholders
Risk map
• A common qualitative way of assessing the significance of risk is to produce a ‘risk map’:
• The map identifies whether a risk will have a significant impact on the organisation and links
that into the likelihood of the risk occurring.
• The approach can provide a framework for prioritising risks in the business.
• Risks with a significant impact and a high likelihood of occurrence need more urgent attention than
risks with a low impact and low likelihood of occurrence.
• The significance and impact of each risk will vary depending on the organisation, e.g. an increase in
the price of oil will be significant for an airline company but will have almost no impact on a financial
services company offering investment advice over the internet.
• The severity of a risk can also be discussed in terms of 'hazard'. The higher the hazard or impact
of the risk, the more severe it is.
Risk perception

Tools and techniques for qualifying risks


• Scenario planning: in which different possible views of the future are developed, usually through a
process of discussion within the organisation.
• Sensitivity analysis: in which the values of different factors which could affect an outcome are
changed to assess how sensitive the outcome is to changes in those variables.
• Decision trees: often used in the management of projects to demonstrate the uncertainties at each
stage and evaluate the expected value for the project based on the likelihood and cash flow of each
possible outcome.
• Computer simulations: such as the Monte Carlo simulation which uses probability distributions and
can be run repeatedly to identify many possible scenarios and outcomes for a project.
• Software packages: designed to assist in the risk identification and analysis processes.
• Analysis of existing data: concerning the impact of risks in the past.
Risk Registers
The risk register is a very important and practical risk management tool that all companies
should have these days. It takes several days, if not weeks, to produce, and needs to be reviewed and
updated regularly – mainly annually (in conjunction with corporate governance guidelines).
The risk register is often laid out in the form of a tabular document with various headings:
(1) The risk title – stating what the risk might be.
(2) The likelihood of the risk – possibly measured numerically if a scale has been set e.g. 1 is
unlikely, 5 is highly likely.
(3) The impact of the risk should it arise. Again this might be graded from, say, 1 (low impact) to 5
(high impact).
(4) The risk owner's name will be given – usually a manager or director.
(5) The date the risk was identified will be detailed.
(6) The date the risk was last considered will be given.
(7) Mitigation actions should be listed i.e. what the company has done so far to reduce the risk. This
might include training, insurance, further controls added to the system, etc.
(8) An overall risk rating might be given e.g. 1–10, so that management can immediately see which
risks are the ones they should be concentrating on.
(9) Further actions to be taken in the future will be listed (if any).
(10) The 'action lead' name will be detailed i.e. who is responsible for making sure that these future
actions are implemented.
(11) A due date will be stated – by when the action has to be implemented.
(12) A risk level target might be given i.e. a score lower than that given in step 8 above. This might
mean that by implementing a control, the risk rating is expected to lower from, say, 8 to, say, 2 (the
target risk level).
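
A minimal risk register built on the twelve headings above, as an added example that is not part of the original notes. The thresholds (a score of 4 or 5 counts as high, a review falls due after 365 days) and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    title: str              # (1) risk title
    likelihood: int         # (2) 1 = unlikely .. 5 = highly likely
    impact: int             # (3) 1 = low impact .. 5 = high impact
    owner: str              # (4) risk owner
    identified: date        # (5) date identified
    last_considered: date   # (6) date last considered
    mitigations: list       # (7) mitigation actions so far
    rating: int             # (8) overall rating, 1-10
    further_actions: list   # (9) further actions, if any
    action_lead: str        # (10) who drives the further actions
    due: date               # (11) due date for the further actions
    target: int             # (12) target risk level, lower than (8)

def validate(r):
    """Return a list of problems with one register row."""
    problems = []
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        problems.append("likelihood/impact outside 1-5")
    if not 1 <= r.target < r.rating <= 10:
        problems.append("rating/target outside 1-10 or target not below rating")
    return problems

def flags(r, today, high=4, review_days=365):
    """Assumed rules: 'high' means a score of 4 or 5; reviews are annual."""
    out = []
    if r.likelihood >= high and r.impact >= high:
        out.append("urgent")            # high impact and high likelihood
    if (today - r.last_considered).days > review_days:
        out.append("review overdue")    # not considered within the last year
    if r.further_actions and r.due < today:
        out.append("action overdue")    # open action past its due date
    return out

def report(register, today):
    """Rows sorted by overall rating, highest first, with their flags."""
    rows = sorted(register, key=lambda r: r.rating, reverse=True)
    return [(r.title, r.rating, flags(r, today)) for r in rows]

REGISTER = [  # constructed sample rows, not taken from the notes
    Risk("Key supplier failure", 4, 5, "Operations director", date(2023, 1, 10),
         date(2023, 2, 1), ["second supplier approved"], 8,
         ["dual-source contract"], "Procurement manager", date(2024, 3, 31), 2),
    Risk("Interest rate rise", 3, 2, "Finance director", date(2023, 6, 1),
         date(2024, 5, 1), ["fixed-rate loan"], 4, [], "", date(2024, 12, 31), 3),
]
```

Calling `report(REGISTER, date(2024, 6, 1))` lists the supplier risk first with all three flags set and the interest rate risk with none.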

Board of directors
• The board of directors (BOD) determine the level of risk which the organization can accept in order
to meet its strategic objectives.
• BOD makes sure that the risk management strategy is communicated to the rest of the
organization and integrated with all the other activities.
• It reviews risks and identifies and monitors progress of the risk management plans.
• It will determine which risks will be accepted, which cannot be managed, or which it is not cost-
effective to manage, i.e. residual risk.

Embedding risk
• The aim of embedding risk management is to ensure that it is part of the way in which a business is
done. It includes embedding risk in systems and embedding risk in culture.
• Systems: This refers to ensuring that risk management is included within the control systems of an
organization.
• Culture: Embedding risk into culture and values means that risk management is ‘normal’ for the
organization. This includes establishing reward systems which recognise that risks have to be taken
in practice (e.g. not having a ‘blame’ culture).

TARA/SARA model
• Transfer/Share – Risks could be transferred wholly or partially to a third party, so that if an adverse
event occurs, the third party suffers all or most of the loss, e.g. insurance.
• Avoid – This refers to avoiding a risk altogether by not investing or withdrawing from the business
area completely.
• Reduce – This refers to reducing the risk either by limiting exposure in a particular area or decreasing
the adverse effects through use of internal controls.
• Accept – This refers to simply accepting the risk & bearing the consequences it may bring. This is
also called risk retention.

Risk and Corporate Governance


• One link between risk and corporate governance is the shareholders' concerns about the relationship
between the level of risks and the returns achieved.
• Another is the link between directors' remuneration and risks taken.
• If remuneration does not link directly with risk levels, but does link with turnover and profits
achieved, directors could decide that the company should bear risk levels that are higher than
shareholders deem desirable.
• It has therefore been necessary to find other ways of ensuring that directors pay sufficient attention to
risk management and do not take excessive risks.

Corporate governance guidelines require directors to:


• Establish appropriate control mechanisms for dealing with the risks the organization faces
• Monitor risks themselves by regular review and a wider annual review
• Disclose their risk management processes in the accounts
