
Corporate Governance and Business Ethics
Risk Management
22 March 2022
Risk Management : What is it?
• The word ‘risk’ carries a pretty negative connotation
• It’s often used as a catch-all term for things that can go
wrong in a business.
• Risk can be a really positive factor in business.
• An effective risk management strategy is more than just
a way to stave off disaster.
• Proper management of risk can actually make better
business outcomes.
Risk Management : What is it?
• Risk management is the process of identifying,
assessing and controlling threats to an
organization's capital and earnings.
• These risks stem from a variety of sources
including:
i. Financial uncertainties
ii. Legal liabilities
Risk Management : What is it?
iii. Technology issues
iv. Strategic management errors
v. Accidents
vi. Natural disasters, Vis Major/act of God/force
majeure
Vis Major/Act of God/Force majeure

• Vis major is a Latin term that means "superior
force"
• Usually used interchangeably with Act of God
and Force Majeure
• It describes an irresistible natural occurrence
that causes damage or disruption
Vis Major/Act of God/Force Majeure
• The loss or damage is neither caused by nor
preventable by humans—even when exercising the
utmost skill, care, diligence, or prudence
• Examples of vis major include hurricanes, tornadoes,
floods, and earthquakes.
• Insurance contracts often exclude coverage for
damage caused by vis major, such as tornadoes,
hurricanes, earthquakes, and floods
Enterprise Risk Management
• A successful risk management program helps an
organization consider the full range of risks it
faces.
• Risk management also examines the relationship
between risks and the cascading impact they
could have on an organization's strategic goals.
Enterprise Risk Management
• Holistic approach to managing risk is sometimes
described as enterprise risk management because
of its emphasis on anticipating and understanding
risk across an organization
• In addition to a focus on internal and external
threats, Enterprise Risk Management (ERM)
emphasizes the importance of
managing positive risk.
Enterprise Risk Management
• Positive risks are opportunities that could
increase business value or, conversely, damage
an organization if not taken.
• Indeed, the aim of any risk management
program is not to eliminate all risk but to
preserve and add to enterprise value by making
smart risk decisions
Risk appetite
• Risk appetite focuses on the level of risk that an
organization deems acceptable
• We don't manage risks so we can have no risk.
• We manage risks so we know which risks are
worth taking, which ones will get us to our goal,
which ones have enough of a pay-out to even
take them
Risk appetite
• Thus, a risk management program should be
intertwined with organizational strategy.
• To link them, risk management leaders must first
define the organization's risk appetite-- i.e., the
amount of risk it is willing to accept to realize its
objectives.
Risk Tolerance
• Risk tolerance focuses on the acceptable level of
variation around risk objectives.
• Both risk appetite and risk tolerance set boundaries
of how much risk an entity is prepared to accept.
• An example of a risk appetite statement would be
when a company says it does not accept risks that
could result in a significant loss of its revenue base.
Risk and the Pareto Rule
• When the same company says it does not wish to
accept risks that would cause revenue from its top
10 customers to decline by more than 10%, it is
expressing a risk tolerance definition
• Note the Pareto Rule!!
• The 80 : 20 rule, otherwise known as the Pareto
Principle/Rule, is one of the most helpful concepts
for life and any event of life
Risk and the Pareto Rule
• The Pareto Principle states that 20 percent of your
activities will account for 80 percent of your results
• It is however not a hard and fast mathematical law, it is a
concept developed by a 19th century, Italian economist,
Vilfredo Pareto
• Pareto noticed that 80 percent of the pea pod harvest
from his garden came from 20 percent of his pea plants
• Consider risk using this principle: 20 % of risk taking will
Risk Appetite vs Risk Tolerance
Purpose of Risk Management
• When risk is not managed effectively, corporate
governance deteriorates
• Consequently corporations that do not manage risk
end up incurring huge losses
• A better framework of corporate governance
includes strong Risk oversight that tends to
decrease the risk of financial crises
Purpose of Risk Management
• The agency conflict between shareholders and
managers influences risk management
behaviour that affects a firm’s performance
• CEO duality is another element of corporate
governance that may have different implications
on a firm’s performance and its risk
management behaviour
Purpose of Risk Management
• The board and relevant committees should work
with management to promote and actively cultivate
a corporate culture and environment that
understands and implements enterprise-wide risk
management.
• Comprehensive risk management should not be
viewed as a specialized corporate function,
• Instead should be treated as an integral, enterprise-
Types & Impact of Risk Management
• As an oversight matter, the Board should seek to
promote an effective, on-going risk dialogue with
management
• Design the right relationships between the board
and its standing committees as to risk oversight
and ensure appropriate resources support risk
management systems.
Types & Impact of Risk Management
• Risk management should be tailored to the specific
company, but, in general, an effective risk
management system will
i. Adequately identify the material risks that the
company faces in a timely manner
ii. Implement appropriate risk management
strategies that are responsive to the company’s
risk profile, business strategies, specific material
Types & Impact of Risk Management

iii. Integrate consideration of risk and risk
management into strategy development and
business decision-making throughout the
company
iv. Adequately transmit necessary information with
respect to material risks to senior executives and,
as appropriate, to the board or relevant
committees.
Pure Risk Vs Speculative Risk & Insurance

• In general, the term risk refers to the probability
of some undesirable event.
• There is Pure Risk and Speculative Risk
Pure Risk
• In pure risk there are only two possibilities:
1. Something bad happening
2. Nothing happening
• It is unlikely that any measurable benefit will
arise from a pure risk
• An example is a house will enjoy a year with
nothing bad occurring to
Pure Risk
• Or there will be damage caused by a covered
cause of loss (fire, wind, etc.)
• Predicting the outcomes of a pure risk is
accomplished (sometimes) using the law of large
numbers, a priori data or empirical data
Pure Risk/Absolute risk
• A Priori data depends on deductive reasoning to
make predictions about the future
• Empirical data (also known as "a posteriori" data)
depends on data gathered from past events
• It is about trying to predict the future based on what
has happened in the past
• Pure risk, also known as absolute risk, is insurable.
Speculative Risk:
• Three possible outcomes exist in speculative risk:
1. Something good happening (gain)
2. Something bad happening (loss)
3. Nothing happening (staying even).
Speculative Risk:
• Gambling and investing in the stock market are
two examples of speculative risks
• Each offers a chance:
1. To make money
2. Lose money
3. Or walk away even
Speculative Risk:
• Both gambling and investing carry a speculative risk
• Gambling is designed to enrich one party
• The odds are always in favour of the gambling house
• Investing is designed to enrich all involved - all
participants win or lose together.
• Speculative risk is not insurable in the traditional
insurance market
Speculative Risk
• There are other means to hedge speculative risk
such as diversification and derivatives
• Derivatives are sometimes used to hedge a
position (protecting against the risk of an
adverse move in an asset) or to speculate on
future moves in the underlying instrument.
Speculative Risk
• Portfolio diversification is a concept used in the
financial industry to describe how to get the most
out of investing in various asset classes.
• "Don't Put All Your Eggs in One Basket," as the
English proverb goes, indicates don't rely on one
investment vehicle for profits because any
unforeseeable occurrence can undermine the entire
investment
Divisions and Tasks of Risk management
• Specific types of actions that the board and
appropriate board committees may consider as part
of their risk management oversight include the
following:
i. Review with management the company’s risk
appetite and risk tolerance and assess whether the
company’s strategy is consistent with the agreed-
upon risk appetite and tolerance for the company
Divisions And Tasks Of Risk Management
iii. Establish a clear framework for holding the
CEO accountable for building and maintaining
an effective risk appetite framework
iv. Providing the board with regular, periodic
reports on the company’s residual risk status
Divisions And Tasks Of Risk Management
v. Review with management the categories of
risk the company faces
vi. Review risk concentrations and risk
interrelationships
vii. Review the likelihood of occurrence of risks
viii. Review the potential impact of those risks
Divisions and Tasks of Risk management
viii. Take mitigating measures and action plans to be employed if a given
risk were to materialize
ix. Review with management the ways in which risk is
measured on an aggregate, company-wide basis
x. Set the aggregate and individual risk limits (quantitative and
qualitative, as appropriate)
xi. Put in place the policies and procedures to hedge against or
mitigate risks and the actions to be taken if risk limits are
exceeded
Improving Risk Oversight
1. Review with management the assumptions and
analysis underpinning the determination of the
company’s principal risks
2. Review with committees and management the
board’s expectations as to each group’s respective
responsibilities for risk oversight and management
of specific risks to ensure a shared understanding
as to accountabilities and roles
Improving Risk Oversight
3. Review the company’s executive compensation
structure to ensure it is appropriate in light of the
company’s articulated risk appetite and risk culture
and to ensure it is creating proper incentives in
light of the risks the company faces
4. Review the risk policies and procedures adopted
by management, including procedures for
reporting matters to the board and appropriate
committees and providing updates, to assess
Improving Risk Oversight
5. Review internal systems of formal and informal
communication across divisions and control
functions to encourage the prompt and
coherent flow of risk-related information
Improving Risk Oversight
• Review reports from management, independent
auditors, internal auditors, legal counsel,
regulators, stock analysts and outside experts as
considered appropriate regarding risks the
company faces and the company’s risk
management function
Cybersecurity Risk

The ever-increasing dependence on technological
advances that characterizes all aspects of business and
modern life has been accompanied by a rapidly growing
threat of cybercrime, the cost of which, according to
a 2017 report by Herjavec Group, is expected to grow to
more than $6 trillion annually by 2021
Cybersecurity Risk
• As the hacking of computer networks has
highlighted, network security breaches, damage
to IT infrastructure and theft of personal data,
trade secrets and commercially sensitive
information are omnipresent risks that pose a
significant financial and reputational threat to
companies of all kinds.
Cybersecurity Risk

• Corporate leaders should implement
comprehensive cybersecurity risk mitigation
programs, deploying the latest defensive
technologies without losing focus on core security
procedures like employee training, and ensuring
that the board is engaged in cyber risk oversight.
Cybersecurity Risk

• As cybersecurity risk continues to rise in
prominence, so too has the number of
companies that have begun to specifically situate
cybersecurity and cyber risk within their internal
audit function.
Impact of Risk Management
• Risk isn’t something to be scared of.
• It’s not a spectre that threatens to ruin your business
at any moment.
• It is a factor in the way you do business, but a factor
that can be effectively managed.
• If your risk management strategy is applied
correctly, risk can actually help to make your
business better.
Positive Benefits of Risk Management
1. Safety
2. Productivity
3. Bottom Line
1. Safety

• Implementation of the right risk management
strategy will make the workplace a safer place to
be
• The benefits of a safer workplace go way beyond a
reduction in workers’ compensation claims.
• Safer employees will be happier in their roles and
more productive
1. Safety

• This leads to better quality work and a better
atmosphere to work in.
• It also allows workers to focus on the most
important parts of their job, because the risks
are taken care of.
2. Productivity

• Whether it’s in manufacturing consumer goods,
building skyscrapers, or providing legal advice, all
businesses sell a product.
• Though the day-to-day processes may be different,
every business has its own version of a production
line.
• Effective risk management strategy means
analysing that production line and finding ways to
2. Productivity

• That means allowing the organisation to stay
safe from risks and work more effectively.
• A risk-free production line will inevitably be
more productive.
3. Bottom Line
• An effective risk management strategy saves money
long before the insurance policies
• Greater efficiency and fewer losses mean lower
operational costs and more profit.
• Good risk management will also reduce your
exposure to risk, which will lead to cheaper
premiums or even allow you to reduce your level of
coverage.
Take home Exercises
• Risk can be a really positive factor in your business. Discuss
how?
• An effective risk management strategy is more than just a
way to stave off disaster. Discuss
• Proper management of risk can actually make a better
business. Analyse this assertion
Take home Exercises
How does a pure risk differ from a speculative risk?
a) A pure risk always has an environmental cause whereas a
speculative risk always involves human error
b) A pure risk can be measured in probability terms whereas a
speculative risk cannot.
c) A pure risk is not subject to regulatory control but a speculative risk
always is.
