C3-Identification, assessment and measurement of risk

The impact upon the stakeholders

Risk Assessment
Risk Attitudes and Risk awareness
Externally reporting on internal control and risk
Accurate information for risk management
Concepts of objective and subjective risk perception
Related risks

The impact upon the stakeholders

Businesses have to be aware of stakeholder responses to risk

Shareholders
They can affect the market price of shares by selling them or they have the power
to remove management.
2 options:
1. Shareholders prefer a steady income from dividends
2. Shareholders are more concerned with long-term capital gains

Debt providers and creditors

Debt providers are concerned about threats to the amount the organisation owes
They can take various actions such as:

denial of credit,
higher interest charges or
ultimately putting the company into liquidation

Employees
Employees will be concerned about threats to their job prospects (money,
promotion, benefits and satisfaction) and ultimately threats to the jobs themselves.
If the business fails, the impact on employees will be great.
However if the business performs poorly, the impact on employees may not be so
great if their jobs are not threatened.

Customers and suppliers

Suppliers can provide short-term finance.
As well as being concerned with the possibility of not being paid, suppliers will be
concerned about the risk of making unprofitable sales.
Customers will be concerned with threats to their getting the goods or services
that they have been promised, or not getting the value from the goods or services
that they expect.

Risk assessment
Risk assessment is the process of evaluating the importance of a risk by
making an estimate of two variables:
1. The probability of the risk event being realised
Probability refers to the likelihood of the risk materialising and is expressed
either as a percentage or as a proportion of one (e.g. a 0.5 risk is considered
to be 50% likely).
2. The impact that the risk would have if it were realised
The impact refers to the value of the loss if the risk event were to
materialise.
The estimated values of these two variables can be plotted on a risk assessment
map, where the two axes are impact and probability (see below).

Then, different risk management strategies can be assigned depending

upon the area of the map the risk is plotted in.

ACCEPT (LOW - LOW)

Risks assessed at low probability and low impact can be accepted or
tolerated

TRANSFER (HIGH - LOW)

Those with high impact but low probability are often transferred or shared.
Insure risk or implement contingency plans.
Reduction of severity of risk will minimise insurance premiums.

MONITOR (LOW - HIGH)

Risks with low impact but high probability are typically reduced

AVOID (HIGH - HIGH)

Those with high impact and high probability are typically avoided.
Take immediate action to reduce severity and frequency of losses, e.g.
charging higher prices to customers or ultimately abandoning activities.

Board Evaluation of risk

Depends on:

Risk appetite of company

Maximum risk a business can take (capacity)
Risk that cant be managed (residual risk)

Risk Attitudes and Risk awareness

Risk Attitudes
Risk Attitudes / Appetite
The overall risk strategy determines the overall approach to risk.
1. Risk Appetite
This determines how risks will be managed.
Some will be risk averse and some will be risk seekers, younger companies
often need to be risk seekers and more established companies risk averse
2. Risk Capacity
Risk capacity indicates how much risk the organisation can accept.
The overall strategy of an organisation will therefore be affected by risk
strategy, risk appetite and risk capacity.
Risk is a good thing because

Makes a business more competitive

Prevents just following the leader
Comes with rewards

ALARP
(As low as reasonable practicable)

A risk is more acceptable when it is low (and less acceptable when it is

high).
Risks cannot be completely eliminated, so each risk is managed so as to be
as low as is reasonably practicable because we can never say that a risk has
a zero value.

For example, It would be financially and operationally impracticable to

completely eliminate health and safety risks
This does not mean becoming complacent, so we maintain a number of
controls that should reduce the probability of the risks materialising,
Risk awareness

describes the ability of an investor to recognise and measure the risk

associated with a given investment.

Externally reporting on internal control and risk

The audit committee has a major role in promoting dialogue between the external
auditors and the board.
Corporate governance should be improved if the views of the external auditors are
given greater consideration, since implementing their feedback should improve
control systems.
If internal auditors carry out the audit, they should be familiar with the
organisation, its systems and procedures, culture and the regulations that affect it.
The internal auditors should be able to carry out a well-targeted audit and report
in a way that is appropriate and helpful for the organisation.
However internal auditors may suffer from the disadvantages of:

lack of independence
over- familiarity

An internal audit may be undermined by internal politics and divisions.

An external auditor may provide:

an unbiased, fresh view

a higher degree of confidence to external stakeholders
knowledge of best practice and current developments more up-to-date
a better awareness of certain risks than internal auditors do.

Accurate information for risk management

Accurate risk assessment should:

Make sure the assessment covers all relevant risks.

Ensure the severity and frequency of risks are fairly assessed.

Sources of information

The information comes from a wide variety of sources.

A) The directors' own efforts
Directors will receive reports from the audit committee and risk committee.
Regular visits by the directors to operations should help the directors
understand the environment.
B) Reports from subordinates
All staff with supervisory responsibilities should report on a regular basis to
senior managers, and senior managers should report regularly to directors.
C) Lines of communication
There should be normal communication channels through which staff can
communicate their concerns.
Workers should be able to pass on information concerning wrongdoing
(whistleblowing).
D) Reports from control functions
Organisational functions that have a key role to play in internal control
systems must report on a regular basis to the board and senior
management.
One example is the need for a close relationship between internal audit and
the audit committee.
The human resources function should also report regularly to the board
about personnel practices in operational units.
Poor human resource management can often be an indicator of future
problems with controls, since it may create dissatisfied staff or staff who
believe that laxness will be tolerated.
E) Reports on activities
The board should receive regular reports on certain activities.
A good example is major developments in computerised systems.
As well as board approval before the start of key stages of the development
process, the board needs to be informed of progress and any problems
during the course of the project, so that any difficulties with potentially
serious consequences can be rapidly addressed.

Concepts of objective and subjective risk perception

Some risk calculations can be made with some degree of objectivity whilst others
rely more on subjective assessment.
There is an important distinction, then, between objective and subjective
assessments.
Objective
A risk can be objectively assessed if we can scientifically measure the
probability of a given outcome or predict, with some certainty, the impact.
I can predict with some confidence, for example, based on past data, the
number of working days likely to be lost in a given year through absenteeism
of employees.
Subjective
I can predict with much less certainty, the probability that the stock market
will rise or fall on a given day. In such a situation, I must use more subjective
judgement

Related risks
Related and correlated
Related risks

These are risks that vary because of the presence of another risk.
This means they do not exist independently and they are likely to rise and
fall in importance along with the related one.
Risk correlation is a particular example of related risk.

Positively Correlated

Risks are positively correlated if one will fall with the reduction of the other
and increase with the rise of the other.

Negatively correlated

They would be negatively correlated if one rose as the other fell.

Example
Often environmental and reputation risks are positively correlated - the
more attention spent on how the business interacts with the environment
means their environmental risk is lower and also their reputation risk