Risk-management as a foundation of organisational success Flashcards
(25 cards)
3 key aspects of risk-man’s role in an org
- Reducing uncertainty
- Anticipation and resilience
- Supporting the internal control environment
Risk-management and uncertainty (2)
- There is always a desire to reduce the uncertainty in our understanding of probability and impact of risks
- Risk-man can be used as an information-gathering tool - more data means a clearer picture
Risk-management and anticipation (2)
- Important to anticipate and predict risk events so that the probability of negative events can be reduced, and positive ones increased
- Not all risks can be identified (anticipated), and even if they can, their probability and impact may be difficult to quantify with accuracy or affect
Risk-management and resilience (2)
- Black swan events are hard to predict and cannot be quantified => cannot be anticipated
- Risk-man can help orgs respond effectively to, and recover quickly from, risk events that have not been anticipated = resilience
3 ways in which orgs may invest in resilience (names of types)
- Effective crisis management
- Business continuity management
- Organisational learning
Investing in resilience - what is effective crisis management?
Responding quickly to mitigate the immediate effects of unanticipated events as they unfold
Investing in resilience - what is business continuity management?
Recovering quickly from the aftermath of an unanticipated event to ensure the org is able to maintain its operations and achieve its objectives
Investing in resilience - what is organisational learning?
Reviewing past unanticipated events in order to improve future resilience
Supporting the internal control environment - Negatives of risk events which occur due to a breakdown in internal control arrangements (3)
- Very costly
- Damage reputation
- Divert attention from strategic and operational priorities
Other than through regular risk-man activities, 3 specialist internal control management tools that can be used to strengthen internal control
- Risk-based compliance reviews
- Internal audits
- External audits
Strengthening internal controls - risk-based compliance reviews (2)
- Most orgs assess whether employees are complying with applicable laws and regulations
- More detailed and frequent reviews are conducted in areas where the risk of non-compliance or the consequences of non-compliance are higher
Strengthening internal controls - internal audits (2)
- Conducted by most orgs to check effectiveness and efficiency of operational processes
- Can identify failures in design or application of risk controls
Strengthening internal controls - external audits (2)
- External auditors review annually whether fin. reporting controls are adequate
- Many go beyond fin. reporting to review broader governance and internal control environment, as this impacts financial statements as well (espec. going concern statement)
What do orgs generally focus on re. the link between risk and strategy?
Assessing and managing the risks that arise from a chosen strategy or different components of a strategy
Linking risk to strategy - there remains a further need to strengthen the strategic-risk framework to include: (4)
- Initiation of a strategic review
- Assessment of alternative strategies
- Execution of a strategy
- Monitoring and managing risks arising from a chosen strategy
Advantages of linking risk to strategy: (2)
- Allows for clearer assessment of aggregate risks related to a particular strategy
- Enables board-level discussions on whether alternative strategies present a more attractive risk/return choice for an org
Why are boards the key players in linking risk to strategy? (2)
- Responsible for formally approving risk appetite
- Responsible for strategy
5 new processes and behaviours boards are incorporating into a more significant role in linking risks to strategy:
- Challenging management on key risk-appetite assumptions and definitions
- Seeking more comprehensive assurances on how non-financial risks are monitored, inc. quantification
- Encouraging management to discuss risks in relation to strategy
- Hiring independent external advisors to evaluate risks of sizeable acquisitions
- Connecting internal audit function to strategic planning and risk-man functions
2 ways in which additional value can be created through risk (rather than preserved)
- Exploiting risk as a part of day-to-day operations
- Strategic risk taking
Difference between day-to-day risk taking and strategic risk taking
- Day-to-day risk-taking = optimisation opportunities found within existing risk-man framework based on current strategy
- Strategic risk-taking = making strategic business decisions that may lead to an overall increase in total value, often requiring a recalibration of existing risk-man framework
Real world example of successful positive risk taking
Facebook’s acquisition of Instagram for USD1 billion when it was not revenue making.
Now its revenue is USD5 billion and it has a valuation of USD100 billion
4 barriers holding orgs back from strategic risk-taking:
- Corporate culture - management does not support strategic risk-taking
- Lack of risk prioritisation - higher priority placed on day-to-day risks at expense of missing the bigger picture
- Failure to perform adequate due diligence - management and board uncomfortable to take strategic risks due to improperly conducted risk/benefit analysis
- Lack of designated risk manager to stay on top of emerging trends and navigate strategic risk-taking ideas
Creating value through risk - Orgs with which two risk-related characteristics are most likely to see their value significantly eroded or destroyed?
- Promote excessively high-risk-taking behaviours
- Have inadequate compliance monitoring or training procedures
Creating value through risk - role of the board (
- Boards assume an active role in assessing value-creating risk-taking opportunities as they have a breadth of knowledge and experience
- Board should understand different value-creating initiatives, and be provided with sufficient information (by management) to allow for oversight
- Any knowledge gap on the board re. evaluating risk-taking opportunities should be addressed (third-party expert could be hired)