Risk and Risk Management
Categories of Risk
1. Pure Risk
- also called "Downside Risk"
- there is a possibility that an adverse event will occur; the outcome might match what is
expected or turn out worse than expected, but it cannot be better than expected
2. Speculative Risk
- also called "Two-way risk"
- the actual future event or outcome might be either better or worse than expected
Risk Management
Committee of Sponsoring Organizations of the Treadway Commission (COSO) – a
process, applied in strategy setting [1] across the enterprise, designed to: identify
potential events that may affect the entity, and manage risks [2] within its risk
appetite [3], to provide reasonable assurance regarding the achievement of the
entity's objectives [4].
[1] It is a corporate governance issue.
[2] Risk management process: identify, assess, respond, monitor; aims to create,
preserve, and realize value.
a) Risk Identification – the company needs to understand what risks it faces, both in its
environment and markets (strategic risks) and internally (operational risks); aided
by the creation of a risk committee (managers from several departments/functions)
b) Risk Assessment – assessment of the importance of the identified risks in order to:
(i) rank the risks in order of significance; (ii) identify the risks which are most
significant; (iii) identify the significant risks where control measures are urgently needed
c) Risk Response
d) Monitor the risk – to determine if the response was sufficient to control the risk
[3] Risk appetite – the amount of risk that an organization is willing to accept in pursuit
of value.
    Risk capacity – the amount of risk that an organization is able to take.
[4] Objectives – (i) efficiency and effectiveness of operations; (ii) compliance with laws
and regulations; (iii) reliability in financial reporting.
Risk Response
1. Risk diversification – the purpose is to spread the risk
- Management must have the skills and experience to manage the portfolio of
different business activities
- Unrelated business activities are more risky and less appropriate
- Diversifying into activities with similar risks is not wise, nor does it reduce the risks
significantly
2. Risk transfer/Risk sharing – involves collaborating with another person and sharing the
risks jointly; common methods are partnerships and joint ventures
3. Hedging – creating a position (making a transaction) that offsets an exposure to another
risk
4. TARA Framework (Transfer, Avoid, Reduce, Accept), or S for Share
   Impact (I) and Probability (P)   Response                Control type
   High I and Low P                 TRANSFER/SHARE; REDUCE  People-based preventive
   High I and High P                AVOID                   System-based preventive
   Low I and Low P                  ACCEPT                  People-based detective
   Low I and High P                 TRANSFER/SHARE; REDUCE  System-based detective
The Board should oversee that a sound enterprise risk management framework is in place to
effectively identify, monitor, and manage key business risks. (SEC Code of Corporate
Governance)
COSO is sponsored jointly by five major professional associations headquartered in the United
States:
a. the American Accounting Association (AAA),
b. the American Institute of Certified Public Accountants (AICPA),
c. Financial Executives International (FEI),
d. The Institute of Internal Auditors (IIA), and
e. the National Association of Accountants (now the Institute of Management Accountants
[IMA])