Chapter 2 - Managing Risks

Question 1

Role of directors in implementing strategy in a risk approach

Answer 1

1. Responsibility for determining risk management strategy and monitoring risk and internal controls
2. Considers:
   * Control environment = Management approach to risk, attitudes and culture, philosophy and org structure
   * Internal control procedures = Policies and procedures established to achieve specific objectives

Question 2

Role of risk committee in implementing strategy in a risk approach

Answer 2

• Set up by the board if board does not wish to take responsibility for risk management
  1. Ensure system exists
  2. Set risk policy
  3. Assess risks
  4. Review internal audit work
  5. Review risk register
  6. Advise board
• If there is no risk committee, audit committee may take responsibility for risk management instead

Question 3

Role of risk manager (chief risk officer) in implementing strategy in a risk approach

Answer 3

• Supports board’s risk responsibilities and combines technical skills in managing risks with leadership and persuasive skills
  1. Leadership of enterprise risk management
  2. Establishing and promoting enterprise risk management
  3. Developing common risk management policies
  4. Establishing a common risk language
  5. Dealing with insurance companies
  6. Implementing risk indicators
  7. Allocation of resources based on risk
  8. Reporting to the CEO/board/risk committee as appropriate

Question 4

UK corporate governance code compromises:

Answer 4

1. Description of work of audit committee
2. Explanation of boards responsibilities
3. Confirmation that board has assessed comp’s emerging and principal risks, description of these risks and how they were identified and managed
4. How board reviewed effectiveness of risk management and internal control systems
5. Assessment of comp’s going concern status and whether material uncertainties exist
6. Explanation of comp’s prospects

Question 5

Sarbanes-Oxley Act requires comp’s to:

Answer 5

• Report on entity’s internal controls, assessment of their effectiveness
• Need to be independently verified

Question 6

Limitations on risk disclosures:

Answer 6

1. Board may be less wiling to disclose info due to commercial confidentiality
2. Directors may also fear that disclosures about certain risks will be misinterpreted
3. Directors may be motivated to include matters included in reports of competitors or those identified as best practice to demonstrate how they are managing the risks
4. Risks may also materialise or change over the year – have control systems been developed to meet changes
5. Reputation risks – disclosures may focus on threats to reputation that may have large impact on business (particularly product safety)

Question 7

What is risk appetite?

Answer 7

• Org’s willingness to accept risk in pursuit of value

* Range org chooses to actively pursue

Question 8

What is risk universe?

Answer 8

All possible performance outcomes that org will experience from its current strategy

Question 9

What is risk tolerance?

Answer 9

• Range of tolerable risks within extremes of risk universe

* Measure of what org does not wish to go beyond

Question 10

What is risk capacity?

Answer 10

Collection of tangible and intangible assets at an org’s disposal that allows it to take risks and absorb losses

Question 11

Attitudes toward risk:

Answer 11

1. Risk aversion:
   * Focuses on risk level
   * Org’s are willing to tolerate risk up to a point provided they receive acceptable return or risk is two-way or symmetrical (both positive and negative outcomes)
2. Risk seeking:
   * Focuses on return level
   * Activity should be undertaken if it results in higher returns

Question 12

How can we identifying conditions that leads to risk?

Answer 12

1. Physical inspection
2. Enquiries (e.g. about extent of product quality controls)
3. Monitoring changes in legislation/ regulation
4. Checking a copy of every letter + memo issued for early indication of major changes and new projects
5. Brainstorming with representatives of different departments
6. Checklists ensuring risk areas are not missed
7. Benchmarking internally and externally
8. Human reliability analysis

Question 13

TARA Model:

Answer 13

Low frequency, High severity = Transfer
Low frequency, Low severity = Accept
High frequency, Low severity = Control/ reduce
High frequency, High severity = Avoid/ abandon

Question 14

Risk Transfer:

Answer 14

• Insure risk or implement contingency plans.
• Risks can be transferred to internal departments, suppliers, customers or insurers
• Reduction of severity of risk will minimise insurance premiums

Risk sharing = partly held by org, partly transferred to someone else (insurance policy)

Question 15

Risk avoidance:

Answer 15

• Take immediate action
• Change major suppliers
• Abandon activities

Question 16

Risk reduction:

Answer 16

• Take some action
• Risks cannot be avoided altogether, simply reduced to acceptable level
• Enhanced control systems to detect problems
• Contingency plans to reduce impact
• Risk mitigation through risk diversification + hedging

Question 17

Other risk reduction strategies:

Answer 17

1. Contingency planning:
   * Information = gathered in advance
   * Responsibilities = what is to be done and by whom
   * Practice = simulations as realistic as possible and taken seriously by all involved and results should be monitored
2. Loss control:
   * Physical devices = sprinklers, fire extinguishers
   * Psychological factors = awareness + commitment
3. Procedural approach:
   * Rules + regulations = statute & corporate governance guidance
   * Codes = professional + ethical codes
   * Detailed authorisation or operating procedures
4. Risk pooling + diversification
   * Use portfolio theory to reduce overall risk levels
   * Geographical diversification across countries at different stages in trade cycle
   * Diversifying product base at different stages of product life cycle
   * Expand portfolio of business activities by taking over businesses operating at other stages of supply chain

Question 18

COSO Enterprise Risk Management Framework

Answer 18

• COSO believes that it is important to consider risk as part of strategy setting

1. Governance & culture
2. Strategy & objective setting
3. Performance
4. Review & revision
5. Info, communication and reporting

Question 19

What is the aim of ISO 31000 Risk Management?

Answer 19

• Aims to create and protect value

Question 20

ISO 31000 - Risk Management Policies:

Answer 20

Design: (PACED)
* Proportionate to the level of risk faced
* Aligned with all other activities
* Comprehensive
* Embedded within the org
* Dynamic and responsive to emerging trends
Operation:
* Limitations in available info actively considered
* Influence of human and cultural factors
* Continual improvement through learning and experience

Question 21

ISO 31000 - Risk Management Framework:

Answer 21

• Guidance on how to implement the principles
• Guidance on allocating roles, responsibilities and resources
• Guidance on establishing the org’s commitment to risk management
• The framework requires = design, implementation, evaluation and improvement

Question 22

ISO 31000 - Risk Management Process:

Answer 22

• Process may have to be repeated to achieve org’s objectives as some risks may not stay managed
• Start of process = orgs scope, context and criteria for factors such as culture, attitudes, skills and objectives
• Process continues by assessing risks (identification, analysis + evaluation)
• Concludes with risk treatment
• Process supporting activities = communication and consultation, monitoring + review, recording and reporting

Question 23

Three lines of defence:

Answer 23

1. First line of defence:
   * Management controls
   * Internal control measures
2. Second line of defence:
   * Financial control, Security, Risk management
   * Quality, Inspection, Compliance

• The first and second line of defence is under the control + direction of senior management

3. Third line of defence:
   * Internal audit
   * The third line of defence is outside scope of management – reports primarily to the board

Question 24

What is the risk register and what is its function?

Answer 24

1. Lists + prioritises the main risks, a monetary value should be allocated to each risk and interdependencies with other risks noted
2. Also details who is responsible for dealing with risks and the actions taken
3. Risk register is used for risk reporting and in allocating responsibility for managing, monitoring and reporting
4. Reports should show risk levels before controls are implemented and residual risk after controls are taken into account
5. Need to include comparisons of actual risks against predicted risks and feedback on action taken

Question 25

Internal risk reporting:

Answer 25

* Covers all stages of the risk management system * Needs to be carried out on a systematic, regular basis * Reporting of high impact likelihood risks may occur daily * Needs to ensure that significant changes in risk profile is notified quickly to snr management * Reporting system should indicate significant changes in business environment

Question 26

Evaluating dilemmas in a question:

Answer 26

1. Identify key facts 2. Identify relevant ethical issues and fundamental principles 3. Consider alternatives and their consequences 4. Make a recommendation 5. Justify recommendation * Public interest = collective well-being of the community an accountant serves * Social (people) and environmental (planet) issues are affected by risk management * Whistleblowing = raising concerns over alleged bribery and corruption within an org * Need to consider all stakeholders in any dilemma faced