
Lecture 1

• Board oversight in the identification and management of risk
• The role of internal control in risk management

SERVICE EXCELLENCE
LECTURE OBJECTIVES
• Describe the different meanings of risk
• Describe internal control measures in identifying and managing risk
• Analyze the relevance of internal control systems as a management tool in dealing with risk
• Study the main classification of internal controls
• Understand risk appetite and risk tolerance
• Explore the role of the risk management committee

DIFFERENT MEANINGS OF RISK
• The term risk has a variety of meanings in business and everyday life. At its most general level, risk is used to describe any situation where there is uncertainty about what outcomes will occur.
• In probability and statistics, financial management, and investment management, risk is often used in a more specific sense to indicate possible variability in outcomes around some expected value.

Cont.
• In other situations, the term risk may refer to the expected losses associated with a situation. In insurance markets, for example, it is common to refer to high-risk policyholders (the meaning of risk in this context is that the expected value of losses to be paid by the insurer is high).
• Risk is also defined as uncertainty concerning the occurrence of a loss. Some authors make a careful distinction between objective risk and subjective risk.

Cont.
• Risk is defined by the international standard ISO 31000 as the ‘effect of uncertainty on objectives’, whether positive or negative.
• Risk management is concerned with:
• 1. The identification, assessment and prioritisation of risk; and
• 2. Measures to minimize, control and monitor the probability or impact of adverse risk events, or to maximize benefits from opportunities.

Risk Management: the Board perspective

• The identification, analysis, assessment, control, and avoidance, minimization or elimination of unacceptable risks.
• Risk management is an important part of planning for businesses. The process of risk management is designed to reduce or eliminate the risk of certain kinds of events.
• The process of identification, analysis and either acceptance or mitigation of uncertainty in investment decision-making.

Cont.
• Essentially, risk management occurs anytime an investor or
fund manager analyzes and attempts to quantify the
potential for losses in an investment and then takes the
appropriate action (or inaction) given their investment
objectives and risk tolerance.

• Inadequate risk management can result in severe consequences for companies as well as individuals. For example, the recession that began in 2008 was largely caused by the loose credit risk management of financial firms.

• The responsibility of the board for effective risk management came under close scrutiny following the banking crisis in 2007-2008.
• Many banks were criticised for getting into financial difficulty because of reckless business strategies and failing to recognise the business risks they were taking.
• Business risks are risks to profitability and financial security that arise from factors in the business environment, including competition, over which management has no direct control.

• A business must take risk to make a profit, but how much risk should it be prepared to tolerate, and would it be able to withstand ‘shocks’ in the business environment if an unexpected event or development (such as COVID-19) were to occur?
• The BOD has the responsibility for strategic decisions on risk, and an important aspect of corporate governance is for the board to recognise its responsibilities and ensure that the risk management system in the firm is effective.

INTERNAL CONTROL

• A company may fail to achieve its objectives because of failures or weaknesses within its systems and operating procedures, or because of human error; these issues could, however, have been avoided or restricted by means of controls.
• Internal control risks are risks that systems and procedures fail to achieve their intended purpose. Internal controls are measures or arrangements intended to prevent such failures from happening, to limit their potential effect, or to identify when a failure has occurred so that corrective measures can be taken.

Cont.

• COSO (the Committee of Sponsoring Organizations of the Treadway Commission) defined internal control as ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• 1. Effectiveness and efficiency of operations
• 2. Reliability of financial reporting
• 3. Compliance with applicable laws and regulations.’

• Internal controls are part of the internal control system.
• An internal control system consists of all the procedures, methods and measures (control measures) instituted by the board of directors and executive management to ensure that operational activities progress in a proper fashion; or
• An internal control system is the system that an organization has for identifying operational, financial and compliance risks.
• Organizational measures for internal control are integrated into operations, which means that they are performed simultaneously with working processes, or performed directly before or after work is carried out.

The purpose of internal control system and
internal controls
• 1. There should be controls to ensure that the organization, its systems and procedures operate in the way that is intended, without disruption or disturbance.
• 2. There should be controls to ensure that assets are safeguarded. For example, there should be controls to ensure that money received is banked and is not stolen, and that operating assets such as equipment and computers are not damaged or lost.

Cont.
• 3. Controls should include measures to reduce the risk of fraud.
• 4. Financial controls should ensure the completeness and accuracy of accounting records, and the timely preparation of financial information.
• 5. Controls should be in place to ensure compliance with key regulations such as health and safety regulations or, in the case of banks, anti-money laundering regulations.

CLASSIFICATION OF INTERNAL CONTROLS

• 1. Preventive controls: these are controls intended to prevent an adverse risk event from occurring, e.g. to prevent opportunities for fraud by employees.
• 2. Detective controls: these are controls for detecting risk events when they occur, so that the appropriate person is alerted and corrective measures taken.
• 3. Corrective controls: these are measures for dealing with risk events that have occurred and their consequences.

ELEMENTS OF THE INTERNAL CONTROL SYSTEM

• 1. Strategic risks are risks that arise in the business environment and markets in which a company operates, or uncertainty regarding the firm’s financial goals and objectives. For example, if a firm enters a new line of business, the line may be unprofitable.
• 2. Operating risks are risks that arise within an organisation because of weaknesses in its systems, procedures, management or personnel.
• The controls for these risks are ‘internal controls’, which are applied within the company.

Cont.
• It is the responsibility of the board of the company to ensure that the internal control systems are effective in preventing losses from risk events, or in identifying risk events and taking corrective action when they occur.

Risk management specialist
• A risk management specialist is someone who is responsible for keeping a business on its feet and bringing in profit.
• They are financial managers who use specific training, skill and experience to identify possible risks that could result in lower cash flow and higher insurance rates for the business.
• These specialists assess risks and implement plans and strategies to minimize business losses.

The relevance of business risk for corporate governance
• The BOD has a responsibility to govern the company in the interests of shareholders and other stakeholders. These responsibilities include:
• 1. Deciding the objectives and strategic direction for the firm
• 2. Approving detailed strategic plans put forward by management
• 3. Monitoring and reviewing the implementation of those plans.
• An important objective of a commercial company is to make a profit, and the firm’s strategies should be directed towards that.
• However, any business strategy involves taking risk, and actual profit may be higher or lower than expected.
• When very big risks are taken, a company might even become insolvent and go out of business if actual events turn out much worse than anticipated.

• Bad corporate governance can result in the insolvency and collapse of a company, and excessive risk taking is one aspect of poor governance.
• The board should take risk into consideration when it makes strategic business decisions.
• It should choose policies that are expected to be profitable, but should limit the risk to a level that it considers acceptable, and should also take the returns into consideration.

Significance of Risk Mgt.

• The significance of risk management for corporate governance was demonstrated forcibly by the global banking crisis in 2007-2009.
• In the UK, the government initiated a review into the failures in the banking industry and the report was published in 2009.
• The report attributed the failure to poor governance and inadequate attention to risk management.

Responsibilities of Risk Management

• The responsibility for risk management is delegated to executive management, but the board:
• 1. Decides the risk appetite of the firm
• 2. Requires management to manage risks within the board’s guidelines for risk appetite
• 3. Monitors the performance of management, to ensure that the business is being managed within the risk guidelines set by the board; and
• 4. Monitors the risk management system to ensure that it is effective and achieves its purpose.

Risk appetite and risk tolerance

• Companies should not avoid risk, because risks have to be taken in order to make profit.
• However, the level of exposure to risk that a firm takes should be justified by expected returns, and the risk should not be so great that the losses would be unacceptably high if events turn out badly.
• RISK APPETITE: the level of risk that a company is willing to take in the pursuit of its objectives. It can also be seen as the combination of the desire to take on risk in order to obtain a financial return and the firm’s risk capacity.

Cont.

• THE DESIRE to take on risk refers to the amount and type of risk that the board of directors would like the firm to have exposure to.
• RISK CAPACITY: the amount of risk that the company could accept without a serious threat to its financial stability.
• RISK TOLERANCE: the amount of risk that the company is prepared to accept in order to achieve its financial objectives. It is the range of deviation from a specified target, or a maximum limit.

Cont.
• Risk tolerance is therefore a quantified expression of the amount of risk a company’s board allows the company to accept.
• Risk tolerance is the maximum loss that the board would be willing to accept on a particular venture if events turn out badly. This type of risk management is mostly found in banking, where risk measures such as Value at Risk (VaR) are used.
• Risk tolerance could be expressed in terms of a total ban on certain types of business activity or behavior.
• NB: Risk appetite should be reviewed regularly by the board, and decisions should be taken about the scale of risk that is desired or acceptable.

Institute of Risk Management (IRM): Risk appetite and risk tolerance
• The IRM in 2011 issued guidelines on risk appetite and risk tolerance, which provide some useful insights.
• 1. Risk appetite should be formulated within the context of the firm’s risk management capability. There are two aspects to risk management: one is taking on risks and the other is exercising control over them. A firm should not have a high risk appetite if its ability to control risk is weak.
• 2. The UK Corporate Governance Code focuses on risk at a strategic level, whereas in practice there has to be coordination at strategic, tactical and operational levels for risk management to make sense.

Cont.

• 3. Risk appetite should be measurable; otherwise, statements about risk appetite may be empty and vacuous.
• The risk appetite decided by the board should be within the company's risk tolerance.
• E.g.
• A firm may be able to pursue business strategies where possible outcomes may range between $100 profit and $40 loss over a three-year period. This would be the risk tolerance of the company.
• The board may decide that its risk appetite over the same period should be within a range of $50 profit and $10 loss.
• Hence the firm’s risk appetite would be less than the company’s risk tolerance, and management would be expected to implement strategies that are appropriate for the risk appetite rather than the risk tolerance of the company.

IRM guidelines: five test questions for the board to review the company's appetite for risk
• 1. Do managers, when they make decisions, understand the degree to which they individually are permitted to expose the company to the consequences of an adverse risk event or situation?
• 2. Do managers understand their aggregate, interlinked level of risk, so that they can decide whether the company’s exposure to risk is acceptable or not?
• 3. Does the board understand the aggregated risk for the company as a whole?
• 4. Do managers understand that risk appetite is not constant, and that the board may change its risk appetite as the business environment and conditions change?
• 5. Are risk decisions made with full consideration of the potential rewards or returns?

The Nature Of Risk
• Risk refers to the possibility that something unexpected or not planned for will happen. This can be positive or negative.
• BUSINESS RISK: STRATEGIC AND OPERATING RISK
• Business risk is the possibility that a company will have lower than anticipated profits, or experience a loss rather than making a profit.
• Business risk is influenced by numerous factors, including sales volume, per-unit price, input costs, competition, the overall economic climate and government regulations.
• A company with a higher business risk should choose a capital structure that has a lower debt ratio, to ensure it can meet its financial obligations at all times.

Cont.
• Strategic risks are risks that arise in the external business environment in which a company operates. The risks faced by a company are determined by the strategies that the company pursues.
• Strategic risk is the risk that failed business decisions, or lack thereof, may pose to a company.
• Operating risks are risks of losses that arise through ineffective controls within the processes and systems of a company’s business operations.
• Operating risk is risk within an organization; strategic risk is risk in the external environment. Operating risk can be classified into three types of risk: operational risk, financial risk (especially reporting risk), and compliance risk.

Categories of Strategic Risk
• Reputation risk. The risk of loss in customer loyalty or customer support following an event that damages the company’s reputation. Reputation risk is often associated with risks arising from unethical behavior by a company, including policies and practices that damage the environment or affect human rights. This is considered in more detail in the chapter on corporate social responsibility.
• Competition risk. The risk that business performance will differ from expected performance because of actions taken (or not taken) by business rivals.
• Business environment risks. These are risks of significant changes in the business environment from political and regulatory factors, economic factors, social and environmental factors and technology factors (the so-called ‘PEST’ factors). For example, business performance may be affected by the introduction of new regulations, political upheaval in a country, economic decline or growth, environmental issues, unexpected changes in social habits, or technological change.

Cont.
• Risks from external events. These are risks
that financial conditions may change, with
adverse changes in interest rates or exchange
rates, higher losses from bad debts or changes
in prices in financial markets (such as changes
in share prices).
• Liquidity risk. This is the risk that the
company will have insufficient cash to settle
all its liabilities on time, and so may be forced
out of business.

• Each industry and each company within an industry faces different
risks. The questions that management should ask are as follows.
• 1. What risks does this company face?
• 2. How can these risks be measured? It may be possible to assess the risk in a business in terms of unpredictable variations in key factors such as sales demand or market prices. High volatility is associated with high business risk.
• 3. For each of these risks, how would the company be affected if the worst outcome came about, or if a fairly bad outcome happened?
• 4. What is the likelihood of a bad outcome for that risk item?
• 5. What is the company’s risk appetite or risk tolerance?
• 6. What should the company be doing to manage the risk, either by avoiding it altogether or by planning to deal with the problems that will arise in the event of a bad outcome?

Risk Committees and Risk Managers
• Risk committees:
• Responsibilities for risk management vary between companies. An
important distinction should be made between the arrangements
whereby responsibilities for risk management are fulfilled by:
• 1. the board; and
• 2. executive management.
• At board level, responsibility for reviewing the effectiveness of the
risk management system may be delegated by the board to the audit
committee, which is also likely to have responsibility for reviewing
the internal control system.
• Alternatively, the board may prefer to establish a separate risk committee of the board.

The advantages of having a separate risk committee
1. It can focus on risk issues and on reviewing the company’s risk management system, without having to concern itself with other issues (such as the external auditors). It can give advice to the board on matters such as risk appetite and risk strategy.
2. The composition of the committee is not restricted by the requirements of the corporate governance code.
A risk committee should ideally consist mainly of Non-Executive Directors (NEDs) but should also have the finance director as a member.
If the audit committee had responsibility for the oversight of risk management, the finance director could not be a committee member (although he or she could be invited to meetings of the audit committee to give their views).
At executive management level, however, there may be a risk committee consisting of senior executives, chaired by the CEO. This committee would be responsible for risk management at an operational level and should report (through the CEO) to the board on risk matters.

The role of a risk committee
• The role of a risk committee may include the following
responsibilities:
• 1. Providing assurance to the board that risk management
and processes for control over risk are effective.
• 2. Where risk areas seem to require particular attention,
making recommendations to the board.
• 3. Providing information to the board to help with strategy
formulation, for example with regard to risk appetite in the
company’s strategy.
• This is achieved by helping the board to understand the key risks facing the company, its risk tolerances and its defenses against those risks.

Risk management policies, systems and
procedures
• To enable the board of directors to carry out its responsibilities
for risk management effectively, there are two essential
requirements.
• 1. Board members should have an understanding of risks and risk management.
• 2. There should be a risk management system in place that the board as a whole, or the appropriate board committee, can review.
• Training in risk management is particularly important for members of the board committee (audit committee or risk committee) with responsibility for reviewing the risk management system.

7 elements in an effective risk management system

• 1. Internal environment: there must be a culture within the company that recognizes the importance of risk management and also ethical behavior.
• 2. Objective setting: there must be a process for setting objectives for the company that are consistent with the organization's aims and the board’s risk appetite.
• 3. Risk identification: there must be processes for identifying potential threats and opportunities in the business environment (strategic risks) and within the company’s operating processes.
• 4. Risk assessment: there must be processes for assessing the significance of each risk, and prioritizing them for management action. The significance of risks may be assessed according to their potential severity and also the probability that a ‘risk event’ will happen.
• 5. Risk response: for strategic risks, there should be a process for deciding how to respond to each risk and ‘manage’ the risk.
• 6. Control activities: for operational risks, financial reporting risks and compliance risks, suitable internal controls should be designed and implemented. The FRC Guidance states that risk management and internal control systems should be embedded in the company’s operations, and should not be seen as an occasional compliance exercise. When controls are embedded in operations, it means that they are part of normal procedures, and are put into effect as part of those normal procedures. However, the cost and effectiveness of controls should be assessed relative to the benefits they provide.
• 7. Information and communication: relevant information relating to risks and controls should be identified, captured and communicated to the people who need it.

• Risk identification: A company should have a procedure in place for reviewing and identifying the risks it faces. Risks change over time, and risk reviews should therefore be undertaken regularly.
• Strategic risk can be divided into three broad categories:
• 1. Risks that arise from changes in the general business environment (such as economic recession, or significant technological changes).
• 2. Risks that arise in the industry in which the company operates (such as a risk of decline in the industry and falling customer demand).
• 3. Risks from unexpected actions by major competitors.

• Risk assessment: The assessment of risks calls for procedures to assess the potential size of the risk. The expected losses that could occur from adverse events or developments depend on the:
• 1. probability that an adverse outcome will occur; and
• 2. size of the loss in the event of an adverse outcome.
• Where a risk is unlikely to materialize into an adverse outcome, and the loss would in any case be small, no management action might be necessary.
• Where the risk is higher, measures should be taken to protect the organization so that the remaining exposure to risk is within the company’s tolerance level and consistent with its risk appetite.

• Risk responses: Risk responses are the measures taken to deal with strategic risks that have been identified and assessed. The measures taken to deal with each risk are decided by management, which is accountable to the board for the measures it takes.
• In broad terms, strategic risks can be dealt with by avoiding them or by taking steps to limit the exposure.
• Some risks can be avoided. For example, a car manufacturer might be concerned about the risk of losses at a subsidiary specializing in car repairs, due to the strength of competition in the car repair industry. It could decide to avoid the risk by selling the subsidiary.
• Many risks have to be accepted as an inevitable feature of business. For significant risks, a company should decide what measures might be necessary to reduce the risk to acceptable proportions. Strategic risks may be reduced through any of the following measures (sometimes called the ‘4 Ts’).

• For strategic risks, the possible responses are to:
• 1. Tolerate. Accept the risk, because it is not a significant threat, or because it is an external risk (such as regulatory risk or market risk) over which the company has no control.
• 2. Transfer. Move some or all of the risk to someone else, for example by entering joint ventures to share risk or by purchasing insurance against risk events.
• 3. Trim. Take suitable measures to reduce the risks, by reducing the probability of an adverse risk event or by reducing the impact if a risk event occurs.
• 4. Terminate. Avoid the risk entirely, by withdrawing from the area of business operations where the risk exists.
• Measures to manage risk may reduce the risk without eliminating it entirely. When this happens, there is some residual risk, but this should be within the level or limit that the board is prepared to tolerate. From a corporate governance perspective, it should be a responsibility of the board to make sure that risks are reviewed regularly and that management takes suitable measures to deal with them.