• Nature of risk:
- Risk: ‘the condition in which there exists a quantifiable dispersion in the
possible outcomes from any activity’
ie a ‘threat’ based on experience or likelihood
Results/ Outcomes will differ from those expected
- Risk perspectives:
Downside risk: something goes wrong – effect is damaging
Upside risk: outcome is better than expected
- A company’s appetite for risk drives its activities – opening new ventures,
new products, etc
- Uncertainty: ‘inability to predict the outcome from an activity due to a lack of
information about the input/ output relationship or about the environment
within which the activity takes place’
- Organisational risks are inevitable:
Management must consider:
what level of risk is acceptable? (risk appetite)
how total risks should be effectively managed? (risk strategy)
- Categorising risks:
• Risk and Return:
- Return on productive assets expected by a company: depends on the risks
of investments
- Expected returns should be:
higher for investments that are more risky
lower for low-risk investments/ activities
- The same relation exists for investors:
debt capital: creditors’ returns (coupon/ interest) are lower due to assured
payment schedules & collateral
equity shareholders: bear more risk, expect higher returns in long-term
(capital and dividends)
- Risk:
unavoidable (part of life!)
taking controlled informed risk is sensible
uncontrolled/ uninformed risk is problematic
- In Business:
competitive and dynamic environment
embrace risk (profit = reward for risk-taking!)
BUT: how much risk? Expected returns?
• Risk-based management:
Risk audit/ mapping identifies and evaluates risks then puts in place a robust,
effective and appropriate control system for the management of those risks
There is no definitive system of risk management, though a suitable approach
includes
- 3. Risk assessment:
Once identified, organisations need to consider:
+ nature of risk and implications: type of risk: eg key person risk, natural
disaster, terrorist attack, regulatory restriction (sanctions) etc
+ potential severity of impact: business critical or just a temporary
annoyance?
+ frequency and/ or probability
- 4. Risk profiling:
+ diagrammatical representation: chart or graph, plot series of risks on map
+ typical risk map: 2 scales: X axis – severity of loss, Y axis – frequency of loss
+ managing risks: depending on the position on the risk map
Examples: Risk map:
- 5. Risk quantification:
+ process of evaluating and prioritising risks – subjective
+ quantify risk:
usually best to do so in monetary terms
different ways of quantifying the impact of risk
. statistical inference, eg expected values of loss (EV)
. financial modelling, eg Value at Risk (VaR)
. decision trees and matrices for conditional probabilities
. computer simulations, eg Monte Carlo simulation
. sensitivity (‘what-if’) analysis
- 6. Risk Management:
+ risk prioritization due to significance
+ policies which may be adopted:
accept it: dependent on materiality, ignore immaterial risks
abandon it: implement an exit strategy from operation
control it: build in safeguards to operational process
transfer it: in full (or in part) to a third party (eg insurance)
- 7. Review process & feedback:
+ risk-based approaches: require an embedded system for continual risk
management
+ elements:
. full support from Board of Directors – allocate responsibility and
accountability for risks
. culture of risk-awareness amongst employees
. continual process of reviewing and reassessing risks
. early warning indicators to detect any shifts in risks since previous
assessment
+ residual risk: ‘exposure to risk (loss) once known risks have been accounted
for’ – eg systematic/ systemic risk (non-diversifiable risk)
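Worked example for steps 5 and 6 (added here, not part of the original notes): expected value of loss, a Monte Carlo estimate of Value at Risk, and prioritisation by significance for three of the risk types named in step 3. The probabilities, loss ranges and the triangular severity distribution are constructed assumptions for illustration.

```python
import random

# Constructed risk register (illustrative figures, not from the notes):
# (risk, annual probability, (lowest, most likely, highest) loss if it occurs)
RISKS = [
    ("key person risk",        0.20, (50_000, 120_000, 300_000)),
    ("natural disaster",       0.02, (500_000, 2_000_000, 8_000_000)),
    ("regulatory restriction", 0.10, (100_000, 400_000, 1_500_000)),
]


def expected_loss(prob, loss):
    """Expected value of loss: probability x mean of a triangular severity."""
    low, likely, high = loss
    return prob * (low + likely + high) / 3


def prioritise(risks):
    """Rank risks by expected loss, most significant first."""
    return sorted(risks, key=lambda r: expected_loss(r[1], r[2]), reverse=True)


def simulate_annual_losses(risks, trials=20_000, seed=1):
    """Monte Carlo: total loss for each simulated year (seeded, repeatable)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, prob, (low, likely, high) in risks:
            if rng.random() < prob:  # does the risk event occur this year?
                total += rng.triangular(low, high, likely)
        totals.append(total)
    return totals


def value_at_risk(losses, confidence=0.95):
    """Loss level not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]


if __name__ == "__main__":
    for name, prob, loss in prioritise(RISKS):
        print(f"{name:24s} EV of loss = {expected_loss(prob, loss):>10,.0f}")
    losses = simulate_annual_losses(RISKS)
    print(f"95% VaR = {value_at_risk(losses, 0.95):,.0f}")
    print(f"99% VaR = {value_at_risk(losses, 0.99):,.0f}")
```

The rare, severe risk ranks first on expected loss yet only shows up in the 99% VaR, which is why a single EV figure understates tail exposure.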
• Risk Management Strategies:
- Committee of Sponsoring Organisations of the Treadway Commission (COSO)
– 2004
- Emphasised the need for ERM
- Key characteristics:
+ a process intertwined with existing operations
+ operated by staff at every level of the organization
+ applied in strategy setting
+ applied across the enterprise
+ identify risk events within its risk appetite
+ provides reasonable assurance to management
+ geared to achievement of objectives
• Controlling risks:
- Identifying risks is only half the problem
- Organisations:
Consider appropriate forms of control to manage risks:
+ organizational structure
+ governance
+ management accounting controls
+ audit
+ ethical codes