ACCA P1 Governance, Risk and Ethics - 2011 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Paper P1: Governance, risk and ethics
214 © Emile Woolf Publishing Limited
Risk and risk management
The nature of risk
The nature of risk management
Responsibilities for risk management
Elements of a risk management system
1 Risk and risk management
1.1 The nature of risk
Risk is usually associated with the possibility that things might go wrong, that
events might turn out worse than expected or that something bad might happen.
However, risk has a broader meaning. Risk exists whenever a future outcome or
future event cannot be predicted with certainty, and a range of different possible
outcomes or events might occur.
Risks can be divided into two categories:
pure risks
speculative risks.
Pure risk (downside risk)
Pure risk, also called downside risk, is a risk where there is a possibility that an
adverse event will occur. Events might turn out to be worse than expected, but they
cannot be better than expected.
For example, there might be a safety risk that employees could be injured by an item
of machinery. This is a pure risk, because the expectation is that no-one will be
injured but a possibility does exist.
Similarly, there might be a risk for a company that key workers will go on strike and
the company will be unable to provide its goods or services to customers. This is a
pure risk, because the expected outcome is ‘no strike’ but the possibility of a strike
does exist.
Speculative risk (two-way risk)
Speculative risk, also called two-way risk, exists when the actual future event or
outcome might be either better or worse than expected.
An investor in shares is exposed to a speculative risk, because the market price
of the shares might go up or down. The investor will gain if prices go up and
suffer a loss if prices go down.
Chapter 10: Identifying and assessing risk
© Emile Woolf Publishing Limited 215
An individual might ask his bank for a loan to buy a house, and the bank might
offer him a 10-year loan at a fixed rate of interest or at a rate of interest that
varies with changes in the official bank rate. The individual takes a risk with his
choice of loan. If he chooses a fixed interest loan, there is a risk that interest rates
will go up in the next 10 years, in which case he will benefit from the fixed rate
on his loan. On the other hand, interest rates might go down, and he might find
that he is paying more in interest than he would have done if he had arranged a
loan at a variable rate of interest.
Companies face two-way risk whenever they make business investment
decisions. For example, a company might invest in the development of a new
product, on the basis of sales and profit forecasts. Actual sales and profits might
turn out to be higher or lower than forecast, and the investment might provide a
high return, moderate return or low return (or even a loss).
Companies face both pure risks and speculative risks.
Pure risks are risks that can often be controlled either by means of internal
controls or by insurance. These risks might be called internal control risks or
operational risks.
Speculative risks cannot be avoided because risks must be taken in order to
make profits. As a general rule, higher risks should be justified by the
expectation of higher profits (although events might turn out worse than
expected) and a company needs to decide what level of speculative risks are
acceptable. Speculative risks are usually called business risk, and might also be
called strategic risk or enterprise risk.
Business decisions taken by management could involve both business risk (strategic
risk) and operational risk (downside risk).
Example
The following examples illustrate how there are both strategic risks and operational
risks in many decisions taken by management. The examples relate to a large public
company.
Management decision Comment on the risk
The company has commissioned a
software company to design a new
information system. The system
will be used for marketing analysis
and to sell goods to customers on-
line.
There are strategic risks with the new
system. These include the risk that customers
will not want to buy goods on-line, and the
risk that a competitor will develop a more
popular e-commerce web site.
There are also operational risks. These
include risks that the new system will fail to
function properly, and might suffer from
hardware or software faults. These risks can
be managed by operational controls.
Paper P1: Governance, risk and ethics
216 © Emile Woolf Publishing Limited
The company has a large customer
service centre where its employees
take telephone calls from
customers and deal with customer
complaints. On average, staff are
on the telephone talking to
customers for 75% of their working
time. Management have decided
that in order to increase profits,
staff levels should be reduced by
10% at the centre. It is estimated
that this will have only a small
effect on average answering times
for customer calls.
There is a strategic risk. The company might
lose some customers if the level of service
from the service centre deteriorates.
Management must judge whether the risk of
losing customers is justified by the expected
reduction in operating costs.
There are also operational risks. If employees
have to spend more time on the telephone
the risks of making mistakes or providing an
unsatisfactory service is likely to increase.
There might also be a risk that answering
times will be much longer than expected, due
to operational inefficiencies.
1.2 The nature of risk management
Risk management is the process of managing both downside risks and business
risks. It can be defined as the culture, structures and processes that are focused on
achieving possible opportunities yet at the same time control unwanted results.
This definition identifies the connection between risk and returns.
The safest strategy is to take no risks at all. However, this is an unrealistic
business strategy. All business activity involves some risk.
Business decisions should be directed towards achieving the objectives of the
company. The main objective is (usually) to increase value for shareholders over
the long term.
Strategies are devised for achieving this objective and performance targets are
set. The strategies should be consistent with the amount of business risk that the
company is willing to take, and the targets should be realistic for the chosen
strategies.
The strategies are implemented, and management should try to achieve the
stated objectives and performance targets, but at the same time should manage
the downside risks and try to limit the business risks.
A link between management of operational risk and management of strategic risk
can be seen in the following statement from a bank in the UK:
‘A priority for us is to maintain a strong control framework. This is the key for
delivering effective risk management. We have further strengthened risk analysis
and reporting so that risks and opportunities are identified, and have put timescales
and straightforward responsibilities in place at both group and division level for
risk mitigation strategies. Routine management information reporting still has risk
at the heart and balanced scorecards are used to ensure this is in the staff objectives.’
Chapter 10: Identifying and assessing risk
© Emile Woolf Publishing Limited 217
1.3 Responsibilities for risk management
Risk management is a corporate governance issue. The board of directors have a
responsibility to safeguard the assets of the company and to protect the investment
of the shareholders from loss of value. The board should therefore keep strategic
risks within limits that shareholders would expect, and to avoid or control
operational risks.
The Cadbury Report (1992) described risk management as 'the process by which
executive management, under board supervision, identifies the risk arising from
business . . . and establishes the priorities for control and particular objectives'.
The UK Code states that : “The board is responsible for determining the nature and
extent of the significant risks it is willing to take in achieving its strategic objectives”
and that ““the board should maintain sound risk management and internal control
systems.”
ICGN Corporate Risk Oversight Guidelines
The International Corporate Governance Network (ICGN) has issued guidelines on
responsibilities for the oversight and management corporate risk (2010).
The risk oversight process begins with the board. The board is responsible for
deciding the company’s risk strategy and business model, and it should
understand and agree the level of risk that goes with this. It should then have
oversight of the implementation by management of a strategic and operational
risk management system.
Management has the responsibility for developing and implementing the
company’s strategic and routine operational risk management system, within
the strategy set by the board and subject to board oversight.
Shareholders have responsibility for assessing the effectiveness of the board in
overseeing risk. Investors are not themselves responsible for the oversight of risk
in the company.
The ICGN Guidelines prove guidance on processes for the oversight of corporate
risk by the board and within the company, for investor responsibility and for
disclosures by a company on its risk management oversight processes.
Risk management and internal control
The UK Code states that “the board should, at least annually, conduct a review of
the effectiveness of the company’s risk management and internal control systems
and should report to shareholders that they have done so.” This review is likely to
be carried out by the audit committee, which should then report its findings to the
full board.
This means that the responsibilities of the board of directors and management for
risk management are the same as their responsibilities for the system of internal
control. Many of the comments in the previous chapter on internal control apply to
risk management generally.
For example, the Turnbull Guidance stated that in deciding the company’s policies
with regard to internal control, the board should consider:
Paper P1: Governance, risk and ethics
218 © Emile Woolf Publishing Limited
the nature and extent of the risks facing the company
the extent and categories of risk which it considers as acceptable for the
company to bear
the likelihood that the risks will materialise (and events will turn out worse than
expected)
the company’s ability to reduce the probability of an adverse event occurring, or
reducing the impact of an adverse event when it does occur
the cost of operating the controls relative to the benefits that the company
expects to obtain from the control.
These considerations should apply to strategic risks as well as to operational risk
and internal control systems.
In the same way, the UK Combined Code requires the board of directors to maintain
a sound system of risk management, and to carry out a review of effectiveness of the
risk management system at least once each year.
1.4 Elements of a risk management system
The elements of a risk management system should be similar to the elements of an
internal control system:
There should be a culture of risk awareness within the company. Managers and
employees should understand the ‘risk appetite’ of the company, and that
excessive risks are not justified in the search for higher profits.
There should be a system and processes for identifying, assessing and
measuring risks. When risks have been measured, they can be prioritised, and
measures for controlling or containing the risk can be made.
There should be an efficient system of communicating information about risk
and risk management to managers and the board of directors.
Strategies and risks should be monitored, to ensure that strategic objectives are
being achieved within acceptable levels of risk.
Organising for risk management
The responsibilities for risk management and the management structures to go with
it vary between organisations. Some companies employ risk management specialists
and in financial services there is a regulatory requirement in many countries for
banks and other financial service organisations to have well-structured risk
management systems.
It is useful to be aware of differences in organisation structures and responsibilities.
The board of directors of large public companies may be expected to review the risk
management system within their company on a regular basis, and report to
shareholders that the system remains effective. If there are material weaknesses in
the risk management system, a company may be required to provide information to
shareholders. In the UK for example the Combined Code requires the board of
directors or a committee of the board to review the system if risk management at
least once a year and report to shareholders that the system is effective.
The board may delegate this responsibility to the audit committee.
Chapter 10: Identifying and assessing risk
© Emile Woolf Publishing Limited 219
Alternatively, it may set up a risk committee of the board, and give the
responsibility to this special committee (of independent non-executive directors).
A company may decide that it needs a senior management committee to monitor
risks. This management committee may be chaired by the CEO and consist of the
other executive directors and some other senior managers. It may also include
professional risks managers or the senior internal auditor. The function of this
executive committee would be to co-ordinate risk management throughout the
organisation.
It would be responsible for identifying and assessing risks, and reporting to the
board. It may also formulate possible business risk management strategies, for
recommendation to the board.
It should also agree programmes for the design and implementation of internal
controls.
It should monitor the effectiveness of risk management throughout the company
(both business risk management and the control of internal control risks).
Risk management should therefore happen at both board level (with the
involvement of independent NEDs) and at operational level (with the involvement
of senior executives and risk managers). A past exam question has asked whether it
is better to have independent non-executives on a risk committee or executive
managers. The ‘correct’ answer is that it is appropriate to have both, but in separate
committees – one with monitoring responsibilities at board level and the other at
executive level with operational responsibilities. The risk management committee of
executives should be a source of information and advice or recommendations for
the board.
Paper P1: Governance, risk and ethics
220 © Emile Woolf Publishing Limited
Categories of risk
The need to categorise business/strategic risks
Categories of risk common to many types of business
Nature and importance of business and financial risks
Business risks in different business sectors
2 Categories of risk
2.1 The need to categorise business/strategic risks
A risk management system might be based on a categorisation of risks. There are no
standard risk classifications, because the nature of business risks varies between
different types of business.
The reason for categorising risks is to give some structure to the risk management
process. In many large companies, risk committees are established, and each
committee is responsible for identifying, assessing and measuring business risks in
a particular category. The risk committee then provides information on risk to
managers in a position of responsibility for taking decisions to control the risk, for
example by introducing new risk control measures.
The board of directors might use the same risk categories to provide their report on
internal control and risk management, or to discuss risk in their annual business
review (narrative report).
2.2 Categories of risk common to many types of business
Some types of business risk are common to many different industries. The Turnbull
Report mentioned the following risks that might be significant:
market risk
credit risk
liquidity risk
technological risk
legal risk
health, safety and environmental risk
reputation risk
business probity risk.
Each of these risks is explained below, with examples. The examples are
illustrations of cases where events turned out badly for companies. It is important to
remember, however, that risk management is not concerned about adverse events
that have happened in the past. It is about managing risks that exist now that could
affect events (and profits) in the future.
Chapter 10: Identifying and assessing risk
© Emile Woolf Publishing Limited 221
Market risk
Market risk is the risk from changes in the market price of key items, such as the
price of key commodities. Market prices can go up or down, and a company can
benefit from a fall in raw material prices or incur a loss from a rise in prices.
A company might be able to pass on higher prices of raw materials to the customer,
by raising the prices for its own goods or services. However, if it puts its price sup,
there might be a fall in total demand from customers. Higher prices, leading to
falling sales volume could result in lower profits (= ‘losses’).
Example
An oil company described one of its major risks as the risk of rising and falling oil
and chemical prices due to factors such as conflicts, political instability and natural
disasters.
The term ‘market risk’ can be applied to any market and the risk of unfavourable
price movements. A quoted company may therefore use the term ‘market risk’
when referring to the risk that its share price may fall.
Similarly a bank includes the risk of movements in interest rates and foreign
exchange rates within a broad definition of market risk.
Credit risk
Credit risk is the risk of losses from bad debts or delays by customers in the
settlement of their debts. All companies that give credit to customers are exposed to
credit risk. The size of the credit risk depends on the amount of receivables owed to
the company, and the ‘credit quality’ of the customers.
Credit risk is a major risk for commercial banks, because lending is a major part of
their business operations.
Liquidity risk
Liquidity risk is the risk that the company will be unable to make payments to settle
liabilities when payment is due. It can occur when a company has no money in the
bank, is unable to borrow more money quickly, and has no assets that it can sell
quickly in the market to obtain cash.
Companies can be profitable but still at risk from a liquidity shortage.
Example
Long-Term Capital Management (LTCM) was a hedge fund set up in 1994 by a
group of traders and academics. It was funded by many large investment banks. The
company ran into difficulties in 1998 when it found that it was unable to sell
securities that it held in some small financial markets, because there was insufficient
demand from investors. This led to a liquidity shortage. As the hedge fund became
desperate to obtain cash, it had to sell its assets at whatever prices it could obtain,
Paper P1: Governance, risk and ethics
222 © Emile Woolf Publishing Limited
and market prices fell. The fall in market prices resulted in big losses, and LTCM
was on the verge of collapse. Fearing that the US banking system would suffer
severe damage in LTCM did collapse, the US Federal Reserve Bank organised a $3.5
billion rescue package.
This major crisis happened because of the liquidity risk and market risk that the
hedge fund faced and was unable to manage successfully.
Technological risk
Technological risk is the risk that could arise from changes in technology (or
inadequacy of technological systems in use). When a major technological change
occurs, companies might have to make a decision about whether or not to adopt the
new technology.
If they adopt the new technology too soon, they might incur higher costs than if
they waited until later.
If they delay adopting the new technology, there is the risk that a competitor will
take advantage, and use the technology to gain market share.
Example
There are various examples of technological risk. The development of the internet,
for example, created a risk for many companies. Traditional banks were faced with
the risk that if they did not develop online banking (at a high cost), non-bank
companies might enter the market and take customers away from them.
The internet has also created risks for many retailing companies, which have had to
decide whether to sell their goods on the internet, and if so whether to shut down
their traditional retail outlets.
A technological risk currently facing manufacturers of televisions and media
companies is which format of high definition (HD) television they should support.
There are two competing formats, and only one seems likely to succeed in the
longer term.
Legal risk
Legal risk, which includes regulatory risk, is the risk of losses arising from failure to
comply with laws and regulations, and also the risk of losses from legal actions and
lawsuits.
Example
An example in 2006 was the decision by the US government to enforce laws against
online gambling. US customers were the main customers for on-line gambling
companies based in other countries. As a result of the legal action, the on-line
gambling companies lost a large proportion of their customer base, and their profits
– and share prices – fell sharply.
Chapter 10: Identifying and assessing risk
© Emile Woolf Publishing Limited 223
Health, safety and environmental risk
Health and safety risks are risks to the health and safety of employees, customers
and the general public. Environment risks are risks of losses arising, in the short
term or long term, from damage to the environment - such as pollution or the
destruction of non-renewable raw materials.
The risks faced by companies vary according to the nature of the business.
Companies are required to comply with health and safety regulations. This has a
cost. If they fail to comply with regulations, they could be liable to a fine if
government inspectors discover the failure to comply. If there is an incident in
which employees or customers suffer injury or ill health as a consequence of a
failing in health and safety control measures, the company could be exposed to
large fines from government and lawsuits from the individuals affected.
If a company fails to deal with environmental risks in a satisfactory way, it could
suffer losses in various ways. For example:
- It might be fined for a breach of anti-pollution regulations.
- It might suffer a loss of customers, for example if its reputation suffers as a
result of an incident in which severe damage is done to the environment,
such as a major oil spillage.
Reputation risk
Reputation risk is difficult to measure (quantify). It is the risk that a company’s
reputation with the general public (and customers), or the reputation of its product
‘brand’, will suffer damage. Damage to reputation can arise in many different ways:
incidents that damage reputation are often reported by the media.
Companies that might suffer losses from damage to their reputation need to be
vigilant and alert for any incident that could create adverse publicity. Public
relations consultants might be used to assist with this task.
Example
Some years ago, the owner of a popular chain of jewellery shops in the UK criticised
the quality of the goods that were sold in his shops. The bad publicity led to a sharp
fall in sales and profits. The company had to change its name to end its association in
the mind of the public with cheap, low-quality goods.
More recently, a manufacturer of branded leisure footwear suffered damage to its
reputation when it was reported that one of its suppliers of manufactured footwear
in the Far East used child labour and slave labour. Sales and profits (temporarily)
fell.
Many other companies that source their supplies from developing countries have
become alert to the risks to their reputation of using suppliers whose employment
practices are below the standards that customers in the Western countries would
regard as morally acceptable.