CHAPTER 2
RISK MANAGEMENT
1. Risk management
Definition
Having identified a range of risks, the next step is to do something about those risks.
In essence this is the process of risk management and that's what we will examine in
this chapter.
Let's look at the formal definition:
Risk management is the identification, assessment, and prioritisation of risks
followed by coordinated and economical application of resources to minimise,
monitor, and control the probability and/or impact of unfortunate events or to
maximise the realisation of opportunities.
A process to manage risks
The definition hints at the steps in the formal process of risk management we'll see
later in this chapter. We start the process off by identifying key risks. Next an
assessment and prioritisation process follows, whereby the risks with the greatest
importance (typically seen as those with the greatest impact and the greatest
probability of occurring) are handled first, while those of lower importance are
prioritised lower and may even be ignored.
We then go onto manage those key risks to reduce the likelihood of them
happening (e.g. put controls in place to prevent a fire) and/or reduce the impact (e.g.
obtain insurance so the loss is recompensed should a fire actually occur).
1
� Risk Management
Finally we monitor the situation to ensure that our risk management process
works and no changes are required. For example, a new fire risk could arise for
which we must set up procedures to manage.
Balancing spending on risk management with
benefits gained
Most risks can be minimised if enough money is spent on them, or extreme
measures taken. Building sites can be made extremely safe with very strict
procedures, the best staff training, safest equipment and a culture of safety being
embedded in the organisation.
A key question though, is just how much money and bureaucracy should be invested
in getting safer and safer, and where do you stop? There will come a point where so
much money is spent on safety and the bureaucracy and controls are so stringent
that the project is unprofitable and hence will not be viable.
Ideal risk management minimises spending on the management of risk while
also minimising the negative effects of the risks themselves and achieving a fair
balance between the two. What constitutes a fair balance is often a matter for the
directors to decide and will often relate back to their risk appetite.
Assets, threats and vulnerabilities
Risks are the combination of assets, threats and vulnerabilities.
2
� Risk Management
A risk exists where there is an asset under threat (the building under threat of
fire), and where there are vulnerabilities (no fire alarms).
Risk management seeks to reduce vulnerabilities and protect assets against threats
through different methods, for example, installing fire alarms.
2. Principles of good risk
management
ISO principles
It's now time for a few formal models, and our first comes from the International
Organisation for Standardisation (ISO) who have identified the following principles of
risk management. Let's take a look.
Risk management should:
• Create value – Resources expended to mitigate risk should be less than the
consequence of inaction, or put another way “the gain should exceed the
pain”, or it should cost less to avoid the loss.
• Be an integral part of organisational processes – E.g. standard safety
procedures repeated regularly by everyone in the organisation.
• Be part of decision-making – E.g. considering risk when doing investment
analysis, and part of the processes used in board meetings when making
decisions.
• Explicitly address uncertainty and assumptions – E.g. during an investment
appraisal, assumptions about future revenues and profits will be assessed to
examine the likelihood of those estimates materialising.
• Be systematic and structured – E.g. safety procedures are always followed no
matter what.
• Be based on the best available information – E.g. latest research on the
safest methods of operation.
• Able to be tailored – And so flexible to different circumstances as there may
be different risks in different situations e.g. one store at a retailer may have
different risks to another because it's in a different building.
3
� Risk Management
• Take into account human factors – E.g. human error.
• Be transparent and inclusive – So that all stakeholder needs are considered,
so, for instance, where higher risks are taken, shareholders will be informed.
• Be dynamic and responsive to change – So as the organisation changes, so
too are the controls to manage risk.
• Be capable of continual improvement and enhancement – For example,
accept when change is needed in order to practise caution.
• Be continually or periodically reassessed – To ensure that there aren't any
risks being overlooked.
Example
In the exam, you can compare these principles to those used in the scenario to
evaluate an organisation’s risk management process, so for example, let's look at the
following example:
Hunty Building had an excellent safety record until the last six months, where there
have been a number of on-site incidents, one in which two staff members were
severely injured. Six months ago, the business took on a new project unlike any they
had had before, which was authorised by the directors due to its extremely high
profitability, but the timescales were tight, meaning the project was rushed and new
staff brought in without the usual safety training. While the project was profitable,
the organisation was criticised for the project, and it has since lost a number of
tenders for new projects as a result.
So, let's look through the principles of good risk management one by one and see
which appear to have been adhered to and which have not – you might like to do
your own review before reading on...
• Create value – The project was profitable so value created, although there
were problems with tenders long term and so the project was not good value
long term.
• Be an integral part of organisational processes – No new processes seem
to have been integrated into standard procedures to take account of the
change in project type.
• Be part of decision making – The project appears to have been accepted
without the safety issues related to the new project type and the short
deadline having been considered.
4
� Risk Management
• Explicitly address uncertainty and assumptions – Uncertainties about the
new project type appear to have been ignored.
• Be systematic and structured – No new safety procedures seem to have
been implemented based on the new project type.
• Be based on the best available information – No research undertaken into
the safest methods of operation in this project type.
• Be tailor-able – Old procedures do not appear to have been tailored for the
new project type.
• Take into account human factors – A lack of training was made available to
new staff.
• Be transparent and inclusive – Little information in the scenario on this
point.
• Be dynamic and responsive to change – The key weakness was that controls
were not changed for the new project type and lack of time.
• Be capable of continual improvement and enhancement – Little
information in the scenario on this point.
• Be continually or periodically reassessed – No re-assessment undertaken of
existing controls prior to this new project, although you would hope they
would do so now!
3. Risk management process
Earlier in the notes, we saw that a natural risk management process falls out of the
definition. In this section, we'll take a more focused look at each of the specific steps
in the risk management process. There are 5 typical steps to be followed:
5
� Risk Management
Step 1 – Identify threats
You plan to go to dinner tonight. However, it might rain, and you don't want to ruin
your best clothes. There isn't a guarantee, but as long as there is uncertainty, there is
a threat.
Risks are about events that, when triggered, cause problems – you might get wet!
The event, in this case, is rain. Hence, risk identification should start with the source
of problems, the events that cause these risks.
Examples of risk sources which can create events are:
• Stakeholders of a project
• Employees of a company
• The weather (as in our example!)
• Political change
• Economic circumstances
• Technological change
• Competitors
6
� Risk Management
In fact, many of these sources can be related back to the PESTEL and Five Forces
factors we covered previously, and that can be a very useful way to remember them!
Threats can be related to sources so, for example, if we take competitors, we might
say threats are: lower prices, new products or innovations, improved quality or
service, better marketing, and so on.
Once a threat is identified, the events that may be triggered can be
investigated. For example, specific events related to competitors and lower prices
might be: sales at particular times of the year, price reductions to sell-off products
that haven't sold well or responding to our price reductions.
The chosen method of identifying risks may depend on culture, industry practice and
compliance. The identification methods are formed by templates or the development
of templates for identifying the source, problem or event. Common risk identification
methods are:
1. Objectives-based risk identification
Organisations and project teams have objectives. Any event that may endanger
achieving an objective partly, or completely, is identified as a risk. An objective
might be to make profits and so a competitor lowering prices would be a risk to
those profits.
2. Scenario-based risk identification
In scenario analysis, different scenarios are created of different possible futures. The
company might, for instance, consider the impact of changing exchange rates on the
business, and crucially the profits. Any event that triggers an undesired scenario is
identified as a risk, so that that scenario can be managed. In the case of foreign
exchange risk, some form of exchange rate hedging could be used such as forwards,
futures or options.
3. Taxonomy-based risk identification
Taxonomy-based risk identification is the use of a range of typical common risk
categories to identify risks (e.g. political risks, economic risks, financial risks).
4. Common-risk checking
In several industries, lists with typical known risks are available. Each risk in the list
can be checked for application to the organisation.
7
� Risk Management
5. Risk charting
Risks are compiled into a chart listing out:
Resources at risk
Threats to those resources
Modifying factors which may increase or decrease the risk
Consequences it wishes to avoid
Identifying Risks Example
Throughout this section, we'll use a simple example to demonstrate the process. Let's
take a small jewellery shop in a local town centre and identify a few (of the many
risks) they may face:
• Legislation not adhered to (e.g. health and safety)
• Theft
• Economy declines reducing demand
• Cash flow weaknesses so they can't pay suppliers as debts fall due
• Stock is purchased which can not be sold (or is sold at a loss)
• Errors in the accounting system
Step 2 – Assess the risks
Once risks have been identified, they must then be assessed as to their:
Potential severity of impact (generally a negative impact, such as damage
or loss)
The probability of occurrence
These quantities can be either simple to measure, in the case of the value of a lost
asset, or more difficult, as might be the case for a loss in profit caused by a new
competitor product. At times, educated guesses are the best that is possible when
assessing risk. That does not mean the risk should not be assessed, however; it's just
8
� Risk Management
important that an acceptance that all risks are not accurately quantifiable is brought
into the process too.
These risks can then be plotted on a risk map.
The risk map is a key method:
• Of analysing the risk – The more important the risk, the more important it is
that mitigating action is taken to reduce that risk
• Of reporting the risk – E.g. reporting of risks by the audit or risk committee
to the board or the board to the shareholders.
9
� Risk Management
Example
Let's map out the risks in the jewellery shop:
This highlights the real importance of our shop owner ensuring theft of expensive
items is dealt with (high probability, high impact), while conversely that perhaps at
the moment he doesn't need to worry about the changing economic circumstances
(low probability, medium to low impact). Although the impact of accounting errors is
relatively low, the fact that it's quite likely suggests some greater control over the
accounting process is needed.
Composite risk index
There have been several theories and attempts to quantify risks. Numerous different
risk formulae exist, but perhaps the most widely accepted formula for risk
quantification is:
Composite Risk Index = Impact of risk event x Probability of occurrence
10
� Risk Management
The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1
and 5 represent the minimum and maximum possible impact of an occurrence of a
risk (usually in terms of financial losses).
The probability of occurrence is likewise commonly assessed on a scale from 1
to 5, where 1 represents a very low probability of the risk event actually occurring
while 5 represents a very high probability of occurrence.
The Composite Index thus can take values ranging (typically) from 1 through 25,
and this range is usually arbitrarily divided into three sub-ranges. The overall risk
assessment is then low, medium or high, depending on the sub-range containing
the calculated value of the Composite Index. For instance, the three sub-ranges could
be defined as 1 to 8, 9 to 16 and 17 to 25.
In our example, we might allocate the scores as follows:
1. Theft of expensive items = 5 x 4 = 20
2. Stock sold cheaply = 3 x 3 = 9
3. Cash flow weakness = 2 x 4 = 8
4. Legislation not adhered to = 2 x 3 = 6
5. Demand falls due to economy = 1 x 2 = 2
6. Errors in the accounting system = 5 x 1 = 5
Financial quantification of risk
The same formula can also be used to predict the financial impact of a risk, so if the
probability of fire happening at head-office is 25% and the impact would be
£100,000 then the expected value of 25% x £100,000 of £25,000 can be a useful
figure. This would, for instance, be the maximum worth spending on insurance each
year.
Difficulties in assessment
One fundamental difficulty in risk quantification is determining the probability (or
rate) of occurrence since statistical information is often not available on many past
incidents. In our previous example, we said that there was a 25% chance of a fire
occurring that would cause £100,000 of damage. Now how accurate is that
probability? Perhaps if we had 50 years of data saying that just such a fire happened
one in every four years, then maybe it is accurate, but in many cases we will not, and
it will simply be an estimate! Even if we did have that data, recent fire precautions
11
� Risk Management
might mean that the probability should be less than the historical average, but how
much less is very hard to predict.
Furthermore, evaluating the severity of the consequences (impact) is often quite
difficult. How much damage would the fire actually cause – it could be smaller or
larger than our £100,000 assumption. In many cases, that amount will again just be
an estimate.
Despite this, risk assessment should be undertaken and the best guesses produced.
Just because we can't get entirely accurate information on the fire does not mean we
should just ignore the risk!
Interactions of risks can also challenge the accuracy of risk assessment. Risks cannot
be seen in a stand-alone manner. If, for example, the economy were to weaken that
would impact customer demand for a product, particularly expensive jewellery.
However, it might also facilitate recruitment (with more people in the jobs market)
and help to be able to negotiate lower prices for purchases or rents on property
which might help mitigate the loss in customer demand.
Step 3 – Risk treatment/Management
Once risks have been identified and assessed, techniques to manage the risk tend
to fall into one or more of the four major (TARA) categories:
• Transfer - Sharing with another party, e.g. outsource or insure
• Avoid - Eliminate, withdraw from or not become involved
• Reduce- Control and mitigate
12
� Risk Management
• Accept - Accept the risk and budget for its possible occurrence
Let's examine each in more detail.
Risk transfer
This is where losses are passed on to another party so that the loss is taken or
shared.
This is usually done in one of two ways:
1. Insuring the risk and hence passing the ‘financial risk’ on to the insurance
company. The risk of a ring being stolen is a good one to pass on to an insurer
for instance.
2. Outsourcing – So that the risk is passed to the outsourcer as part of the
contract. If, for example, the jewellery shop was having an extension it might
be good to get an agreed price for the completed work, so that any
unforeseen issues are passed onto the builder and not the shop owner.
Note that some element of the risk is often retained by the company. In the event of
a fire, the business may be able to reclaim the financial losses resulting directly from
the fire but they are likely to lose out in other ways too. They might, for instance,
have a loss of profits during the period during which the shop is closed for
refurbishment, something which is unlikely to be recoverable from the insurer.
Risk avoidance
This typically involves not performing an activity that could carry risk.
Our jeweller might, for instance, never stock items worth more than £10,000 to
completely avoid the risk associated with holding such high value items.
On the downside, avoiding risks also means losing out on the potential gain that
accepting (retaining) the risk may have allowed – selling those higher value items for
instance. Another example would be not entering into a new business opportunity; it
avoids the risk, but also stops the possibility of earning more profits.
Risk reduction
Risk reduction involves reducing the severity of the loss or the likelihood of the
loss from occurring. For example, sprinklers are designed to put out a fire to reduce
the risk of loss by fire, while locks on doors reduce the risk of theft, as do security
guards.
13
� Risk Management
Our jeweller might put controls in place to reduce the risk of accounting errors (as
highlighted earlier). This could include:
• Checking the balance sheet balances
• Using control accounts
• Balancing the bank reconciliation
• Input checks
• Shop owner review of bookkeeper's work
• Using a reputed bookkeeper or accounting firm
Risk retention/acceptance
This is when you take the risk upon yourself, instead of transferring or avoiding it.
Retention involves accepting the loss, or benefit of gain, from a risk when it occurs.
Risk retention is a viable strategy for small risks where the cost of insuring or
managing the risk would be greater over time than the total losses sustained. i.e.
Cost of insuring/managing risk > losses sustained = Retain Risk
All risks that are not avoided or transferred are retained by default. This includes risks
that are so large or catastrophic that they either cannot be insured against or the
premiums would be infeasible.
Our jeweller might, for instance, accept small thefts, and not bother insuring for
those which in total are valued at less than £100. He might also accept that
occasionally staff will be ill and that will be out of his control, and he'll just have to
work harder that day to cover them being away.
Any risk which is not insured against or managed is known as retained risk.
Diversification
A specific method of risk reduction that can be used to mitigate an organisation’s
risk that is worth noting is diversification.
The simplest example of diversification is provided by the proverb "Don't put all your
eggs in one basket". Dropping the basket will break all the eggs!
14
� Risk Management
Placing each egg in a different basket is more diversified – if you just drop one, that
egg will break, but all the others will be okay. There is more risk of losing one egg,
but less risk of losing all of them.
An example of how diversification can be applied to reducing strategic business
risk would be:
Selling a wide range of products to avoid dependence on any single
product.
For instance, our jewellers might sell clocks, watches, rings, earrings, brooches
and necklaces to spread risk over a number of products so its not dependent
on the fashions of any one product type.
Operating in a wide variety of markets to avoid dependence on any single
market or currency.
For example, if the shop operated only on a high street in small town, they
would be entirely dependent on the shopping habits of people living in or
visiting the area. However, if the owner opened several shops in different
towns, or created a website on which to sell products, it would reduce the risk
of one of the markets shrinking and doing harm to the business.
Diversification is also a key way of reducing investment risk. In finance,
diversification means reducing risk by investing in a variety of shares, loans or
other assets. This has the affect of avoiding exposure to losses on any single
investment.
Further diversification can be obtained by investing in stocks from different
countries, and in different asset classes such as bonds, property, private equity,
infrastructure and commodities such as heating oil or gold. The wider the variety of
the investment portfolio, the less they depend on each other and the greater the
diversification.
However, diversification does not eliminate the risk that all assets will move in the
same direction. During recessionary times, the whole market for shares (and other
assets) tends to fall, so however well an investor is diversified in different types of
shares or other assets, they will still experience a loss.
Pooling
Pooling is a form of diversification where an organisation or department's different
risks are grouped together and recorded in one area, such as a designated risk
department, rather than being spread out in different areas. Pooling is a method of
representing risks, that can 'balance out' the various positive and negative risks.
15
� Risk Management
For example, pooling can be used to manage foreign exchange risks in multinational
organisations. A risk related to the London office buying dollars, might be countered
by the fact that at the same time New York office is buying pounds. By pooling the
risks, they, to some extent, balance each other out.
Create a risk management/treatment plan
For each risk identified as needing to be actively managed, appropriate controls or
countermeasures should be selected. For example, an observed high risk of computer
viruses could be mitigated by acquiring and implementing anti virus software.
A good risk management plan should contain a schedule for control implementation
and responsible persons for those actions.
Each approach must be approved by the appropriate level of management. For
instance, a risk concerning the image of the organisation should have top
management decision behind it whereas computer virus risks would be managed by
the IT department.
The risks and agreed methods of managing these risks are summarised in a Risk
Management/Treatment Plan, which documents the decisions about how each of
the identified risks should be handled.
Step 4 - Implementation
Implementation simply means taking the action agreed in the risk management
plan.
Example
Our jeweller will now need to action his risk management plan. This might, for
example, include:
• Purchasing insurance policies for the risks that have been decided to be
transferred to an insurer.
• Taking security measures to prevent theft.
• Not stocking items deemed to be too high risk.
• Changing his bookkeeper to someone more reliable.
16
� Risk Management
Step 5 - Review and control
Risk management plans should be updated periodically. There are two primary
reasons for this:
To evaluate whether the previously selected controls are still applicable
and effective. If our jewellery shop had three thefts in a month, we might
quickly conclude the security controls were not effective!
To evaluate the possible changes in risk level in the business
environment. Changes in procedures, technology, schedules, budgets, market
conditions, political environment, or other factors typically require
reassessment of risks.
Example
Again, let's take our jeweller; one risk identified was the loss of demand due to the
economy worsening. During boom times, that might be deemed very low likelihood
and not worth considering, but, if a recession hit, it would become more likely (and
move to the right in our risk map). We would also be in a better position to assess
the impact based on the depth of the recession, which may be higher than might
usually be expected.
An increase in thefts in other stores locally might also highlight the need for greater
security.
The world is a continually changing place and so our risks need to be continuously
re-evaluated.
17
� Risk Management
4. Gross vs. Net Risks
One of the issues we have when examining risks is whether to look at gross risks or
net risks.
For the moment, let's say that our jeweller has a number of items in our store. One is
a £10,000 diamond ring which is fully insured, and another is a £50 pair of earrings
which is of too low a value to be part of our insurance policy.
Gross risk is the risk before any mitigating action, such as insurance. It is useful as
it shows us the full extent of any risk we are taking to ensure that mitigating actions
are taken; and indeed, in this case, our jeweller has been sensible and insured the
diamond ring. He might also be sensible to ensure that the ring is kept locked up in a
safe when it's not out on display.
Net risk is the risk after all risk management measures and controls have been
taken into account. Here, our ring is fully insured, while the earrings are not. Our
net risk is actually higher for the earrings than the ring. In fact, perhaps it's the
earrings that should be locked up, not the diamond ring!
Now this example simplifies things – in reality the shop owner would still probably
prefer the earrings not be stolen, because of other factors like the distress that a theft
would have on our shop owner, and the hassle of completing insurance forms.
However, it does demonstrate nicely the key issues in relation to gross and net risks.
Often risk managers will be most focused on net risk, as this tells them about the
amount of risk left unmanaged and helps them decide whether that is acceptable
(our 'accept' strategy under TARA) or whether more controls are needed (our 'reduce'
strategy under TARA).
Internal auditors take a different approach, when they do their reviews. They tend
to focus on gross risks, as they ask the question “Are our biggest risks fully
18
� Risk Management
controlled?” They are concerned with the controls that are in place and whether
those controls are working, and this must be noted for risk managers also – it's all
very well thinking you have good controls, but if they are overridden in some way the
risk is again the gross risk.
Our jewellery shop owner may have a good insurance policy, but then forget to
renew it and suddenly be exposed to the full risk of theft of that expensive ring.
Jerome Kerviel lost €5bn at Societe Generale in 2008 – the net risks for the bank
seemed low due to the significant controls in place over excessive trading by traders
such as Mr Kerviel, but as soon as those controls were overridden by him the full
extent of the gross risk was revealed and, unfortunately for the bank, a huge loss
incurred.
5. Risk management methodologies
These seven steps are the bedrock of a range of standard methodologies which
provided a detailed step-by-step approach for managing risk in organisations. The
key ones you need to learn are the COSO Enterprise Risk Management model and
ISO31000:2018 approach covered in later chapters.
They tend to be variations on the same basic steps. One such example is CIMA’s own
risk management cycle. It outlines the following steps for risk management:
19
� Risk Management
You'll notice that this is simply another variation of the generic steps at the start of
this chapter – the five steps there simply having been split out into seven for this
model.
Unlike the COSO model, CIMA's risk management cycle is not specifically mentioned
in the syllabus, so you don’t need to learn it. Instead, simply be aware that the
various methodologies are based on the same overall structure which is what we’ve
been through in this chapter.
6. Problems with risk management
Risk management isn't problem-free. Managing an organisation's risks effectively can
be a difficult process. Here are some of the key reasons:
Subjective
Everyone has a different perspective, and hence probability and impact can often
be subjective, making the degree of risk hard to assess. The best approach to
managing the risk is also often subjective – should we reduce the risk or transfer it?
20
� Risk Management
Bureaucracy
Prioritising the risk management processes too highly can make the organisation or
project overly bureaucratic, with every process requiring detailed controls. For
example, there may be rules that mean a purchase order needs authorisation from a
number of different staff which, in turn, leads to delays in getting the item.
Stifles innovation
A bureaucratic and a risk-averse approach may also result in a lack of innovation and
losing competitive edge to faster-moving competitors.
In organisations with too many controls, risky projects may simply be avoided;
whereas small, flexible, organisations with little bureaucracy may simply “go for it”.
While the risk of failure is avoided, the competitor who took the risk and was
successful may now get a competitive edge.
Expensive and resource intensive
Spending too much time assessing and managing unlikely risks can also divert
resources that could be used more profitably elsewhere. There are also costs
associated both with the risk management process (e.g. risk committee and risk
manager salaries) and the controls that are put in place to manage risk (e.g. costs of
insurance or security measures).
Human error
Human failures such as simple errors or mistakes can lead to inadequate responses
to risk, such as incorrect risk assessment.
Controls can be circumvented
Controls can be circumvented by collusion of two or more people or by an IT-literate
employee, and management has the ability to override risk management decisions.
People are often motivated by personal gain and not managing risk, and so may
circumvent controls for those reasons. Jerome Kerviel at Societe Generale lost €5bn
through circumventing the bank's controls over trading.
21
