Chapter 1 – Risk
Risk is a quantifiable dispersion of possible outcomes of an activity, the combination of probability
and consequences of an event occurring, the chance that future results may not be as anticipated.
Can be downside (also known as pure), involving the possibility of loss with no chance of gain, like
disruption to business processes, theft, fraud, fire, health & safety risks etc. Or can be upside which
makes them often two-way risks, as can be up or downside – this two-way risk is often referred to as
speculative risk, where results can be better or worse than expected (or speculative), like assessing
the risk of a new product launch which may perform better or worse than planned, or savings may
be higher/lower etc.
Need to identify sources of risk in order to be able to assess and measure them, those risks that
affect achievement of overall objectives. Risk is inherent whenever an outcome is not inevitable or
guaranteed. Though uncertainty arises from ignorance and lack of info, making it difficult to forecast
future conditions, due to uncertainty over outcomes and probabilities associated, in which case as
much info needs to be obtained as possible to make a maximum informed decision.
Risks can generate competitive advantage, and increase financial returns, hence, why they are taken.
Take higher risks to generate greater intangible (better quality info) and tangible (decreased costs,
increased revenue) returns and greater competitive advantage, and taking less risks makes the
business less dynamic.
For some risks, there is an associated market rate of return (quoted equity), an expectation of
shareholders required dividend and/or capital growth. Some risks may not have a market rate of
return, like technology risk like with new software investments for example, which the market might
not compensate for.
Low-risk activities will likely result in lower ability to generate competitive advantage, and there may
only be limited competitive advantage available. However, some low-risk activities may generate
higher competitive advantage, and should therefore be pursued, but are often few and far between.
Higher risk activities can generate both low or high competitive advantage, if low then will avoid due
to taking risk for little reward or low likelihood of rewards. For high-risk activities that have the
ability to generate higher competitive advantage, then worth investigating due to the potential
greater returns. If a business does not take some risk, then it will normally be limited to activities
that provide little competitive advantage and returns, or a very low likelihood that competitive
advantage and thus greater returns will be achieved.
CIMA’s risk management cycle
Starts with establishing the risk management group and setting goals, as well as business strategy
feeds into identifying risk areas understand and assess scale of risk areas development of risk
response strategy implement strategy and allocate responsibilities implementation and
monitoring of controls review and refine process and do it again (repeat cycle). Meanwhile, all
of stages feed back into collecting the information required for effective decision making.
Identifying and categorising risks
Using risk categories can help identify and assess risks, these categories are not set as they will differ
between organisations dependent on the specific circumstances relevant to their environment.
General risk categories tend to be as follows:
1. Political, legal and regulatory
,Regulatory regimes that the business operates within, may be strict rules to abide by with high
regulations, but even those business that operate in regimes with looser regulations, will still face
some regulatory risk, like international legislation (i.e., employment law). Can constitute political
risk, dependant on political stability and institutions within that country, may be risk of new
elections of parties that introduce tax changes, or privatisation of public sector entities etc.
Can be legal risk or litigation risk of possibility of legal action against the company, for acts of
negligence towards public sector organisations, or manufacturing companies could be sued for
product defects etc. Regulatory risk is the risk that the organisation will be affected by changes in
regulations, which may be applicable across the board, or industry specific regulations. There is also
compliance risk, losses that may arise from not complying with laws or regulations, compliance
should form part of internal controls.
2. Business risk
Risks faced due to the nature of their operations and products/services, like heavy reliance on one
key supplier, or key customer, or one product line – lack of diversification. Strategic risks are faced as
a result of strategic decisions that impacts long-term prospects, like the choice of growth by
acquisitions rather than organic growth for example, these are identified and assessed at senior
management/director level. Strategic risks may disrupt an entire industry, not just the prospective
business.
There are product risks, risk of customers not buying new products, or a decline in sales and
demand, risk of product launches not taking off as expected. Commodity price risk, unexpected
increases or falls in prices of a key commodity like oil, or fuel prices, faced by companies that provide
commodities, or rely on the use of them in their business. Product reputation risk, an adverse event
that might jeopardise reputation, like adverse public attitudes to a product, or changes in customer
perceptions or social trends.
Operational risk, losses from business operations due to inadequate or failed internal processes,
people and systems, or external events, risk of fraud or employee malfeasance, need internal
controls to manage these types of risk. Finally, contractual inadequacy risk is another business risk,
where a lack of planning may result in negotiated contract terms not being sufficiently fulfilled. May
arise from timings not being achieved on a contract, can mitigate by setting terms to respond to such
conditions.
3. Economic risk
Risk of changes in the economy affecting the business, like inflation, unemployment rates,
international trade relations or fiscal policy decisions by government – considered to be external
risks.
The 2008 credit crunch was an example of a global economic crisis. Contributing factor 1 the sub-
prime mortgage lending, US faced recession in 2001 following from 9/11 and bursting of Dot com
bubble, which lead federal reserve to cut interest rate, encouraging house buyers, which increased
house prices due to greater demand, lending criteria then relaxed due to government pressure,
offering mortgages to high risk individuals, which were known as “sub-prime mortgages”, became 1
in 5 mortgages by 2005, banks were protected due to higher house values meaning loans could be
recovered if borrowers were to default. Mortgages were affordable, but then inflation lead interest
rates to rise making them unaffordable, particularly where introductory offers lapsed, increasing the
number of mortgage defaults, which lead to the house price boom ending, which then led banks
,being unable to recover funds as house prices dropped and more defaults were occurring. Inflation
raised to 4% which is not particularly high, but sub-prime lenders took out greater mortgages due to
the favourable rates, which left them exposed to significant interest repayments on their mortgages.
Contributing factor 2 collateralised debt obligations (CDO’s), mortgage lenders could sell on
mortgage debt to other banks and financial institutions, offering an insurance for the original
lenders, sharing the risk of sub-prime mortgages. They sold CDO bonds in three tiers – tier 1 was
senior or investment grade debt, low risk with low return, tier 2 being “mezzanine tranche”, medium
risk, medium return, and tier 3 was “equity tranche”, with higher risk and high return. The income
from selling these CDO’s was used to pay tier 1 first, then tier 2 and finally tier 3, if borrowers
defaulted then tier 3 suffered first and so on, creating the waterfall effect. Losses became so severe
that even tier 1 investors ended up losing out, due to bond value falling as a result of perceived risks.
Contributing factor 3 Debt-rating organisations, the CDO’s became credit-rated by risk agencies,
they gave risky tier 1 debt bundles AAA ratings, which would normally be associated with low risk,
encouraging other banks and institutions to buy them not realising the risk levels associated, this is
an example of regulatory failure in the financial system.
Contributing factor 4 banks are usually very highly geared, less than 10% capital structure made
up of equity. Loss of asset value would wipe out equity, and cause asset-based securities to be sold
on the market, but no buyers as the assets were toxic, leading to negative equity.
Contributing factor 5 credit default swaps, alternative to CDO’s, mortgage lenders of sub-prime
mortgages could buy insurance through credit default swaps (CDS’s), which then lead the
underwriters to suffer when the level of defaults began to increase.
Contributing factor 6 risk-takes, companies and institutions taking the risk did not understand
those risks, some were easy to understand but others were far more complex.
These factors contributing to the economic risk, lead to the collapse of major financial institutions,
some went bust, others needed saving. Lehman Brothers went bust, 10 times the size of Enron,
which provoked panic, froze short-term lending and initiated the liquidity crisis. Also, the US
government put together a bailout package for the AIG for 85bn dollars, the UK lent Northern Rock
27bn dollars after its collapse in 2007.
This then led to the credit crunch, as banks usually inter-lend which meant that insufficient funds
could not be raised by other banks and institutions due to others going bust, but also existing banks
couldn’t afford to lend due to deterioration of their balance sheet positions, and they began to
doubt credit-worthiness of other banks, causing a shortage of liquidity in money markets. Many
companies usually use short-term finance, but in multiples as revolving credit to take advantage of
cheaper interest on shorter term debt, but the credit crunch meant that these firms could not
refinance their loans.
Governments than began to intervene to prop up major institutions, and to inject funds into the
money markets and stimulate liquidity, through loans, guarantees and equity purchases. Usually,
central banks would raise lending by cutting interest rates, but when interest rates are already too
low, then central bank must invest money into the economy directly, known as quantitative easing,
through buying financial assets like bonds, using money created out of thin air, and the institutions
selling those assets will have new money to boost the money supply. The UK then put the QE
programme on hold, leaving governments in high levels of debt and thus high interest repayments.
, Further implication was the recession, which governments would try to overcome by spending to
increase demand, but high levels of debt meant that they made major cuts in spending instead.
There was also the issues with refinancing government debt through bonds as existing debt reached
maturity, which was a bigger problem for countries with short maturity on national debt, as
refinancing needs become more frequent. Others needed help from the international monetary fund
(IMF), Greece was rescued with 110bn euros, Ireland bailout of 85bn euros.
4. Financial risk
The risk of a change in financial condition like an exchange rate, interest rate, customer credit rating,
goods prices. Credit risks is potential losses due to bad debts, exposure to this risk is dependent on
level of credit sales, credit policies, credit terms offered, credit risk quality of debtors, credit vetting
and assessment process, and debt collection procedures. Currency risk is the risk of movements in
foreign exchange rates, the value of one currency in relation to another. Interest rate risk is the risk
of unexpected gains/losses due to a rise/fall in interest rates, can come from borrowing or investing.
There is also the gearing risk, exposure to high gearing and large amounts of borrowing.
5. Technology risk
Risk that technology changes will occur to present new opportunities (upside), or threaten existing
processes (downside). Possibility that technological change will occur, can be two-way due to threats
and opportunities. There was the Dot.com boom, speculation that internet-based companies would
take over established brick and mortar companies, leading to companies investing as a protective
measure, but when the bubble burst many investors suffered financial collapse.
Cyber risk is a key focus area now, risk of financial loss, disruption or damage to a business’s
information technology systems.
6. Environmental risk
Risk from changes in environmental conditions, like climate change or natural disasters, some
industries may perceive as low risk, but others that are more affected by it would be greater risk to
them, like insurance companies who have to pay out in these conditions, and forms part of their
policy premiums. Changes to the environment may be out of the organisations control, but others
may be within, things like oil spillages or pollution to the environment. Sustainability should
therefore be considered, and supply materials back after consumption to reduce their
environmental impact.
7. Fraud risk
Business vulnerability to fraud, more prominent for some businesses than others and therefore
require stronger internal controls, it is considered a controllable risk. The size of the fraud risk is a
factor of the probability/likelihood of fraud occurring, and the extent of the losses arising if fraud
occurs. Should be managed by fraud prevention, minimising opportunities for fraud, and fraud
detection and deterrence.
8. Corporate reputation risk
The better a reputation, the greater risk there is of losing that reputation as impacts would be
significant. Can be eroded through adverse media, and poor customer perceptions, could arise from
environmental, social, or health & safety performance for example. Some organisations use public
relations and advertising to promote an environmentally friendly image, which would result in
upside risk due to the rewards that an improved reputation generate. However, for many it is a
Risk is a quantifiable dispersion of possible outcomes of an activity, the combination of probability
and consequences of an event occurring, the chance that future results may not be as anticipated.
Can be downside (also known as pure), involving the possibility of loss with no chance of gain, like
disruption to business processes, theft, fraud, fire, health & safety risks etc. Or can be upside which
makes them often two-way risks, as can be up or downside – this two-way risk is often referred to as
speculative risk, where results can be better or worse than expected (or speculative), like assessing
the risk of a new product launch which may perform better or worse than planned, or savings may
be higher/lower etc.
Need to identify sources of risk in order to be able to assess and measure them, those risks that
affect achievement of overall objectives. Risk is inherent whenever an outcome is not inevitable or
guaranteed. Though uncertainty arises from ignorance and lack of info, making it difficult to forecast
future conditions, due to uncertainty over outcomes and probabilities associated, in which case as
much info needs to be obtained as possible to make a maximum informed decision.
Risks can generate competitive advantage, and increase financial returns, hence, why they are taken.
Take higher risks to generate greater intangible (better quality info) and tangible (decreased costs,
increased revenue) returns and greater competitive advantage, and taking less risks makes the
business less dynamic.
For some risks, there is an associated market rate of return (quoted equity), an expectation of
shareholders required dividend and/or capital growth. Some risks may not have a market rate of
return, like technology risk like with new software investments for example, which the market might
not compensate for.
Low-risk activities will likely result in lower ability to generate competitive advantage, and there may
only be limited competitive advantage available. However, some low-risk activities may generate
higher competitive advantage, and should therefore be pursued, but are often few and far between.
Higher risk activities can generate both low or high competitive advantage, if low then will avoid due
to taking risk for little reward or low likelihood of rewards. For high-risk activities that have the
ability to generate higher competitive advantage, then worth investigating due to the potential
greater returns. If a business does not take some risk, then it will normally be limited to activities
that provide little competitive advantage and returns, or a very low likelihood that competitive
advantage and thus greater returns will be achieved.
CIMA’s risk management cycle
Starts with establishing the risk management group and setting goals, as well as business strategy
feeds into identifying risk areas understand and assess scale of risk areas development of risk
response strategy implement strategy and allocate responsibilities implementation and
monitoring of controls review and refine process and do it again (repeat cycle). Meanwhile, all
of stages feed back into collecting the information required for effective decision making.
Identifying and categorising risks
Using risk categories can help identify and assess risks, these categories are not set as they will differ
between organisations dependent on the specific circumstances relevant to their environment.
General risk categories tend to be as follows:
1. Political, legal and regulatory
,Regulatory regimes that the business operates within, may be strict rules to abide by with high
regulations, but even those business that operate in regimes with looser regulations, will still face
some regulatory risk, like international legislation (i.e., employment law). Can constitute political
risk, dependant on political stability and institutions within that country, may be risk of new
elections of parties that introduce tax changes, or privatisation of public sector entities etc.
Can be legal risk or litigation risk of possibility of legal action against the company, for acts of
negligence towards public sector organisations, or manufacturing companies could be sued for
product defects etc. Regulatory risk is the risk that the organisation will be affected by changes in
regulations, which may be applicable across the board, or industry specific regulations. There is also
compliance risk, losses that may arise from not complying with laws or regulations, compliance
should form part of internal controls.
2. Business risk
Risks faced due to the nature of their operations and products/services, like heavy reliance on one
key supplier, or key customer, or one product line – lack of diversification. Strategic risks are faced as
a result of strategic decisions that impacts long-term prospects, like the choice of growth by
acquisitions rather than organic growth for example, these are identified and assessed at senior
management/director level. Strategic risks may disrupt an entire industry, not just the prospective
business.
There are product risks, risk of customers not buying new products, or a decline in sales and
demand, risk of product launches not taking off as expected. Commodity price risk, unexpected
increases or falls in prices of a key commodity like oil, or fuel prices, faced by companies that provide
commodities, or rely on the use of them in their business. Product reputation risk, an adverse event
that might jeopardise reputation, like adverse public attitudes to a product, or changes in customer
perceptions or social trends.
Operational risk, losses from business operations due to inadequate or failed internal processes,
people and systems, or external events, risk of fraud or employee malfeasance, need internal
controls to manage these types of risk. Finally, contractual inadequacy risk is another business risk,
where a lack of planning may result in negotiated contract terms not being sufficiently fulfilled. May
arise from timings not being achieved on a contract, can mitigate by setting terms to respond to such
conditions.
3. Economic risk
Risk of changes in the economy affecting the business, like inflation, unemployment rates,
international trade relations or fiscal policy decisions by government – considered to be external
risks.
The 2008 credit crunch was an example of a global economic crisis. Contributing factor 1 the sub-
prime mortgage lending, US faced recession in 2001 following from 9/11 and bursting of Dot com
bubble, which lead federal reserve to cut interest rate, encouraging house buyers, which increased
house prices due to greater demand, lending criteria then relaxed due to government pressure,
offering mortgages to high risk individuals, which were known as “sub-prime mortgages”, became 1
in 5 mortgages by 2005, banks were protected due to higher house values meaning loans could be
recovered if borrowers were to default. Mortgages were affordable, but then inflation lead interest
rates to rise making them unaffordable, particularly where introductory offers lapsed, increasing the
number of mortgage defaults, which lead to the house price boom ending, which then led banks
,being unable to recover funds as house prices dropped and more defaults were occurring. Inflation
raised to 4% which is not particularly high, but sub-prime lenders took out greater mortgages due to
the favourable rates, which left them exposed to significant interest repayments on their mortgages.
Contributing factor 2 collateralised debt obligations (CDO’s), mortgage lenders could sell on
mortgage debt to other banks and financial institutions, offering an insurance for the original
lenders, sharing the risk of sub-prime mortgages. They sold CDO bonds in three tiers – tier 1 was
senior or investment grade debt, low risk with low return, tier 2 being “mezzanine tranche”, medium
risk, medium return, and tier 3 was “equity tranche”, with higher risk and high return. The income
from selling these CDO’s was used to pay tier 1 first, then tier 2 and finally tier 3, if borrowers
defaulted then tier 3 suffered first and so on, creating the waterfall effect. Losses became so severe
that even tier 1 investors ended up losing out, due to bond value falling as a result of perceived risks.
Contributing factor 3 Debt-rating organisations, the CDO’s became credit-rated by risk agencies,
they gave risky tier 1 debt bundles AAA ratings, which would normally be associated with low risk,
encouraging other banks and institutions to buy them not realising the risk levels associated, this is
an example of regulatory failure in the financial system.
Contributing factor 4 banks are usually very highly geared, less than 10% capital structure made
up of equity. Loss of asset value would wipe out equity, and cause asset-based securities to be sold
on the market, but no buyers as the assets were toxic, leading to negative equity.
Contributing factor 5 credit default swaps, alternative to CDO’s, mortgage lenders of sub-prime
mortgages could buy insurance through credit default swaps (CDS’s), which then lead the
underwriters to suffer when the level of defaults began to increase.
Contributing factor 6 risk-takes, companies and institutions taking the risk did not understand
those risks, some were easy to understand but others were far more complex.
These factors contributing to the economic risk, lead to the collapse of major financial institutions,
some went bust, others needed saving. Lehman Brothers went bust, 10 times the size of Enron,
which provoked panic, froze short-term lending and initiated the liquidity crisis. Also, the US
government put together a bailout package for the AIG for 85bn dollars, the UK lent Northern Rock
27bn dollars after its collapse in 2007.
This then led to the credit crunch, as banks usually inter-lend which meant that insufficient funds
could not be raised by other banks and institutions due to others going bust, but also existing banks
couldn’t afford to lend due to deterioration of their balance sheet positions, and they began to
doubt credit-worthiness of other banks, causing a shortage of liquidity in money markets. Many
companies usually use short-term finance, but in multiples as revolving credit to take advantage of
cheaper interest on shorter term debt, but the credit crunch meant that these firms could not
refinance their loans.
Governments than began to intervene to prop up major institutions, and to inject funds into the
money markets and stimulate liquidity, through loans, guarantees and equity purchases. Usually,
central banks would raise lending by cutting interest rates, but when interest rates are already too
low, then central bank must invest money into the economy directly, known as quantitative easing,
through buying financial assets like bonds, using money created out of thin air, and the institutions
selling those assets will have new money to boost the money supply. The UK then put the QE
programme on hold, leaving governments in high levels of debt and thus high interest repayments.
, Further implication was the recession, which governments would try to overcome by spending to
increase demand, but high levels of debt meant that they made major cuts in spending instead.
There was also the issues with refinancing government debt through bonds as existing debt reached
maturity, which was a bigger problem for countries with short maturity on national debt, as
refinancing needs become more frequent. Others needed help from the international monetary fund
(IMF), Greece was rescued with 110bn euros, Ireland bailout of 85bn euros.
4. Financial risk
The risk of a change in financial condition like an exchange rate, interest rate, customer credit rating,
goods prices. Credit risks is potential losses due to bad debts, exposure to this risk is dependent on
level of credit sales, credit policies, credit terms offered, credit risk quality of debtors, credit vetting
and assessment process, and debt collection procedures. Currency risk is the risk of movements in
foreign exchange rates, the value of one currency in relation to another. Interest rate risk is the risk
of unexpected gains/losses due to a rise/fall in interest rates, can come from borrowing or investing.
There is also the gearing risk, exposure to high gearing and large amounts of borrowing.
5. Technology risk
Risk that technology changes will occur to present new opportunities (upside), or threaten existing
processes (downside). Possibility that technological change will occur, can be two-way due to threats
and opportunities. There was the Dot.com boom, speculation that internet-based companies would
take over established brick and mortar companies, leading to companies investing as a protective
measure, but when the bubble burst many investors suffered financial collapse.
Cyber risk is a key focus area now, risk of financial loss, disruption or damage to a business’s
information technology systems.
6. Environmental risk
Risk from changes in environmental conditions, like climate change or natural disasters, some
industries may perceive as low risk, but others that are more affected by it would be greater risk to
them, like insurance companies who have to pay out in these conditions, and forms part of their
policy premiums. Changes to the environment may be out of the organisations control, but others
may be within, things like oil spillages or pollution to the environment. Sustainability should
therefore be considered, and supply materials back after consumption to reduce their
environmental impact.
7. Fraud risk
Business vulnerability to fraud, more prominent for some businesses than others and therefore
require stronger internal controls, it is considered a controllable risk. The size of the fraud risk is a
factor of the probability/likelihood of fraud occurring, and the extent of the losses arising if fraud
occurs. Should be managed by fraud prevention, minimising opportunities for fraud, and fraud
detection and deterrence.
8. Corporate reputation risk
The better a reputation, the greater risk there is of losing that reputation as impacts would be
significant. Can be eroded through adverse media, and poor customer perceptions, could arise from
environmental, social, or health & safety performance for example. Some organisations use public
relations and advertising to promote an environmentally friendly image, which would result in
upside risk due to the rewards that an improved reputation generate. However, for many it is a
