
CIMA P3 - Enterprise Risk

ENTERPRISE RISK
LU1: RISK
Risk can be viewed as a hazard or threat, as an uncertainty or as an opportunity.
The Chartered Institute of Management Accountants (CIMA) (2011:10) defines the business risks facing
an entity as those that affect the achievement of the entity's overall objectives, which should be
reflected in its strategic aims.
Risk consists of downside risk and upside risk. Downside risk involves the possibility of loss with no
chance of gain. Upside risk is where the results could be better than expected; it is speculative in
nature (Kaplan 2014:2).
1 WHAT IS RISK
There are many different ways of defining risk including the following:
• Risk is a condition in which there exists a quantifiable dispersion in the possible outcomes
from any activity. (CIMA)
• Risk can be defined as the combination of the probability of an event and its consequences.
(ISO Guide 73)
• Risk in business is the chance that future events or results may not be as expected.
Risk is 'the degree of variability from expectation'. Risk can be viewed as a hazard or threat, as an
uncertainty or as an opportunity. Companies, whether public or private, including not-for-profit concerns
and non-governmental organizations, cannot escape risk, since there is always a variation
between what is expected and what transpires. Business endeavours are always surrounded by many
risks, and the higher the risks associated with an entity, the higher the potential level of return.
Since risk is the degree of variability, it follows that risk can be measured. Various
methods are used to measure risk, including Value at Risk (VaR) and regression analysis, to mention
just a few.
Risk is often thought of as purely bad (pure or 'downside' risk), but risk can also be good, i.e. the
result may be better than expected (speculative or 'upside' risk) as well as worse.
In order to assess and measure the risks that an organization faces, a business must be able to
identify the principal sources of risk. Risks facing an organization are those that affect the
achievement of its overall objectives (which should be reflected in its strategic aims). Risk should be
managed, and there should be strategies for dealing with risk.
- The term 'risk' is often associated with the chance that something 'bad' will happen, and that a future
outcome will be adverse. This type of risk is called 'downside' risk or pure risk: a risk
involving the possibility of loss, with no chance of gain.
Examples of pure risk are the risk of disruption to business from a severe power cut, the risk of losses from
theft or fraud, the risk of damage to assets from a fire or accident, and risks to the health and safety of
employees at work.
- Not all risks are pure risks or downside risks. In many cases, risk is two-way, and actual outcomes
might be either better or worse than expected. Two-way risk is sometimes called speculative risk. In
many business decisions there is an element of speculative risk, and management are aware that
actual results could be better or worse than forecast.
For example, a new product launch might be more or less successful than planned, and the savings
from an investment in labour-saving equipment might be higher or lower than anticipated.
Risks can also be classified as fundamental, particular and speculative risks.
- Fundamental risks are those risks intrinsic to a population or environment normally
because of hazards which may be natural and affect everyone.
- Particular risks on the other hand are as a result of individual operations and are specific
to the particular entity.
- Speculative risks are those which result in an uncertain level of return, whether upside or
downside.
A risk factor is an incident, event or condition that may cause certain risks to emerge.
- For good decisions to be made that take account of the risks faced by an entity, these
factors should be identified first. Risk factors may also be regarded as sources of risk.
- Risk differs from uncertainty in that uncertainty is not measurable: there is
usually no information that can be gathered to predict whether an uncertain event will or will not
occur.
- Risk is inherent in a situation whenever an outcome is not inevitable. Uncertainty, by contrast, arises
from ignorance and a lack of information. By definition, the future cannot be predicted under
conditions of uncertainty because there is insufficient information about what the future outcomes
might be or their probabilities of occurrence.
-In business, uncertainty might be an element to be considered in decision-making. E.g., there might
be uncertainty about how consumers will respond to a new product or a new technology, or how
shareholders will react to a cut in the annual dividend. Uncertainty is reduced by obtaining as much
information as possible before making any decision.
1.2 WHY INCUR RISK
Risk is incurred to gain competitive advantage and to increase financial return.
It is important to recognise that risk is inevitable from the perspective of any entity. A choice to run an
economic activity results in particular risks.
It is generally the case that firms must be willing to take higher risks if they want to achieve higher
returns:
• To generate higher returns a business may have to take more risks to be competitive.
• Conversely, not accepting risk tends to make a business less dynamic and implies a "follow
the leader" strategy.
• Incurring risk also implies that the returns from different activities will be higher – 'benefit'
being the return for accepting risk.
• Benefits can be financial – decreased costs, or intangible – better quality information.
• In both cases, these will lead to the business being able to gain competitive advantage.
For some risks, the level of risk is rewarded with a market rate of return e.g. quoted equity – where a
shareholder invests in a company with the expectation of a certain level of dividend and capital
growth. However, for other risks there may not be a market rate of return e.g. technology risk –
where a company invests in new software in the hope that it will make their invoice processing more
efficient. The important distinction here is that the market compensates for the former type of risk
but might not for the latter.
BENEFITS OF TAKING RISKS
- Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage;
where there is low risk there is also only a limited amount of competitive advantage to be
obtained. For example, a mobile telephone operator may produce its phones in a wide range of colours.
There is little or no risk of the technology failing, but the move may provide only limited competitive
advantage, where customers are attracted to a particular colour of phone.
- Some low-risk activities, however, will provide competitive advantage. If these can be identified,
then the activity should be undertaken because of the higher reward. For example, the mobile phone
operator may find a way of easily altering mobile phones to make them safer with regard to the
electrical emissions generated. Given that customers are concerned about this element of mobile
phone use, there is significant potential to obtain competitive advantage. However, such
opportunities are few and far between.
- High-risk activities can similarly generate low or high competitive advantage. Activities with low
competitive advantage will generally be avoided: there remains the risk that the activity will not
work, and the small amount of competitive advantage that would be generated is not worth
that risk.
- Other high-risk activities may generate significant amounts of competitive advantage. These
activities may be worth investigating because of the high returns that can be generated. E.g. a new
type of mobile phone providing, say, GPS features for use while travelling, may provide significant
competitive advantage for the company; the risk of investing in the phone is worthwhile in terms of
the benefit that could be achieved.
- The point is, therefore, that if a business does not take some risk, it will normally be limited to
activities providing little or no competitive advantage, which will limit its ability to grow and provide
returns to its shareholders.
LU2 CIMA RISK
MANAGEMENT CYCLE
The CIMA risk management cycle is a clockwise circular movement, based on the principle of
continued feedback that is inherent in management control systems.
- The figure below indicates the flow of information needed to make decisions.
- No matter which risk exposure an entity finds itself susceptible to, the CIMA risk management cycle is useful as it
aims to assist entities to have the ability to identify and develop appropriate risk responses.
- The cycle is also developed with consideration of the entity's strategic management efforts and is situational to
an entity. Though the steps of the cycle are not unique to a specific entity, the approach to managing the risks
will be unique to each entity, and the cycle allows for this.
The risk Management cycle is a very important tool for your exam.
The process of managing risk:
1. Strategy of the organization, goals of the organization.
2. Identify risk areas of the business.
3. Understand and assess the scale of risk – risk mapping.
4. Develop responses to risk – mitigation.
5. Implement and allocate responsibilities.
6. Monitor.
7. Review and refine the process (do it again).
LU3 TYPES AND SOURCES OF
RISK FOR BUSINESS
ORGANISATIONS
The identification of risks is driven by the strategic objectives of the organization.
- Risks are categorized to streamline the management of similar risks with similar
controls/control measures suitable for the specific kind of risk.
- Many organizations categorise risks into different types of risk.
- The categorisation of risks contributes to management and employees' risk awareness,
leading to an effective risk management programme, whereby controls and other risk-
mitigating actions are introduced and monitored.
- The use of risk categories can help with the process of risk identification and assessment.
- There is no single system of risk categories. The risk categories used by companies and other
organizations differ according to circumstances. Some of the more commonly-used risk
categories are described below.
The following risk categories exist:
• Political, legal, and regulatory. - Risk that the organization’s value and position could be affected
due to the political environment in which it operates. These risks are external to the business. These
are the risks that businesses face because of the regulatory regime that they operate in.
- Political – Risk due to political instability.
- Legal/litigation risk – Risk that legal action will be brought against the business.
- Regulatory risk – risk of changes in regulation affecting the business.
- Compliance risk – Risk of non-compliance with the law resulting in fines/penalties etc.
• Business risk. - Risks caused by the nature and type of business operations. Business risks can be
further broken down into different categories.
These are risks businesses face owing to the nature of their operations and products. Some businesses, for
instance, are reliant on a single product or small range of products, or they could be reliant on a small
key group of staff.
- Strategy risk – risk that business strategies (e.g. acquisition/product launches) will fail.
- Product risk – risk of failure of new product launches/loss of interest in existing products.
- Product reputation risk – risk of change in product’s reputation or image.
- Commodity price risk – risk of a rise in commodity prices (e.g. oil).
- Operational risk – risk that business operations may be inefficient or business processes
may fail, including the risk of employee wrongdoing.
- Contractual inadequacy risk – Risk that the terms of a contract do not fully cover a business
against all potential outcomes.
- Fraud and employee malfeasance – considered separately later.
• Economic risk. - Risk that changes in the economy could affect the business. These risks are
external to the business.
These changes could be inflation, unemployment rates, international trade relations or fiscal policy
decisions by government.
• Financial risk. Risks that arise due to changes in financial conditions. You should be familiar with
the different types of financial risk.
Financial risk is a major risk that affects businesses. It is studied in much more depth in F3;
an awareness of financial risk is sufficient for P3.
Financial risk is the risk of a change in a financial condition such as an exchange rate, interest rate,
credit rating of a customer, or price of a good.
The main types of financial risk are:
- Credit risk – risk of non-payment by customers.
- Political risk – Risk arising from actions taken by government that affect financial aspects of
the business.
- Currency risk – risk of fluctuations in the exchange rate.
- Interest rate risk – risk that interest rates change.
- Gearing risk – Risk in the way a business is financed (debt vs equity) (sometimes this is
considered part of interest rate risk)
• Technology risk. Information technology risks that present downside risks, such as computer
malfunctions, or new developments that present upside risk and the chance to gain a competitive
advantage.
This is the risk that changes will occur that either present new opportunities to businesses or, on the downside, make their existing processes obsolete or inefficient.
- Cyber risk – Cyber risk is a focus area for organizations now. It is the risk of financial loss,
disruption, or damage to an organization caused by the failure or compromise of the information
technology systems it uses.
• Environmental risk. Arises from changes in the environment, such as climate change or natural
disasters. Some businesses may perceive this risk to be low, but for others, e.g. insurers, it can be
more significant.
• Corporate reputational risk. Often arises as a result of other risk categories which create bad publicity
for the organization, e.g. pollution caused by operational activities is an environmental risk and
could also be a significant reputational risk. Damage caused by reputational risk must be addressed with
an ethical response. This is covered in detail in topic 4.
A good reputation can be very quickly ended if companies suffer adverse media comments or are
perceived to be untrustworthy.
This could arise from environmental performance, social performance, health & safety performance.
• Fraud and employee malfeasance risk. Loss due to fraudulent activities or deliberate wrongdoing
by employees or management. Some businesses are more vulnerable than others to fraud and as a
result have to have stronger controls over fraud. Fraud risk is a risk that is considered controllable by
most businesses.
• International risk. Results from trading abroad.
- Culture – knowledge of local culture.
- Litigation –
- Credit – chasing debts is more difficult and more expensive.
- Items in transit – transporting goods great distances.
- Financial risk – foreign exchange and interest rate risk.
You should be familiar with the different types of all risk categories mentioned above where
applicable.
RISK MANAGEMENT
LU1: DEFINITION OF RISK
MANAGEMENT
1.1 CIMA's official terminology (2019:38) defines
risk management as:
"The process of understanding and managing the risks that an organization is subject to in
attempting to achieve its corporate objectives."
The same definition, annotated: "The process of (planning, organizing, leading, controlling and
coordinating resources) understanding and managing the risks (so that outcomes do not vary too much
from what is expected) that an organization is subject to in attempting to achieve its corporate objectives."
There is a natural progression in managing risk associated with compliance and prevention
(downside); through managing to minimise the risk of uncertainty; to managing opportunity risk (the
upside) needed to increase and sustain shareholder value.
• The traditional view of risk management has been one of protecting the organization from
loss through conformance procedures and hedging techniques – this is about avoiding the
downside risk.
• The new approach to risk management is about taking advantage of the opportunities to
increase overall returns within business – benefiting from the upside risk.
• The below diagram shows how risk management can reconcile the two perspectives of
conformance and performance.
Risk management is the process to reduce significant risks facing the entity in a cost-effective
manner to contribute to the achievement of the entity’s objectives.
1.2 ENTERPRISE RISK MANAGEMENT
Enterprise risk management is the term given to the alignment of risk management with business
strategy and the embedding of a risk management culture into business operations.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) (2003) developed
the Enterprise Risk Management (ERM) framework, which defines risk management as follows:
“A process affected by an entity’s board of directors, management and other personnel, applied in
strategy setting across the entity. This process is designed to identify potential events that may
affect the entity and manage risks to be within the entity’s risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”
ERM is an approach used by the board to minimize variability from what is expected or accepted,
and to align the magnitude of risk taken with the risk appetite.
ERM aligns risk management with business strategy to promote a risk management culture
throughout the organization.
The key principles of ERM include:
• Consideration of risk management in the context of business strategy.
• Risk management is everyone's responsibility, with the tone set from the top.
• The creation of a risk-aware culture.
• A comprehensive and holistic approach to risk management.
• Consideration of a broad range of risks (strategic, financial, operational and compliance).
• A focused risk management strategy, led by the board (embedding risk within an
organization's culture).
The COSO ERM Framework is represented as a three-dimensional matrix in the form of a cube which
reflects the relationship between objectives, components and different organization levels.
PICTURE ERM FRAMEWORK
The four objectives (strategic, operations, reporting and compliance) reflect the
responsibility of different executives across the entity and address different needs.
The four organizational levels (subsidiary, business unit, division and entity) emphasize the
importance of managing risks across enterprise as a whole.
The eight components must function effectively for risk management to be successful.
The eight components are closely aligned to the risk management process addressed previously, and
also reflect elements from the COSO view of an effective internal control system:
1.3 RESPONSIBILITIES
Risk management is the process to reduce significant risks facing the entity in a cost-effective
manner to contribute to the achievement of the entity’s objectives.
Exam questions will require in depth knowledge and application. The above theory of Risk
Management Frameworks are merely useful starting points.
Familiarize yourself with the benefits of ERM and complete the ‘Test your understanding’ questions
in the prescribed study text.
LU2: RISK APPETITE &
CAPACITY
A risk management strategy needs to be developed to ensure that the risk exposures of the
organization are consistent with its risk appetite. At the very least, the risk management capability
within the organization should be sufficient to:
• Review its internal control system and its adequacy at least annually.
• Ensure that controls are properly implemented, and
• Monitor the implementation and effectiveness of controls.
A basic framework for developing a risk management strategy is shown below:
Risk appetite is the acceptable level of risk the entity is willing to accept to create value. It is
determined by the ‘risk capacity’ and ‘risk attitude’.
Familiarize yourself with the corresponding work in the prescribed study text and complete the ‘Test
your understanding’ questions.
Risk appetite can be defined as the amount of risk an organization is willing to accept in
pursuit of value. This may be explicit in strategies, policies, and procedures, or it may be
implicit. It is determined by:
• Risk capacity – the amount of risk that the organization can bear, and
• Risk attitude – the overall approach to risk, in terms of the board being risk averse
or risk seeking.
The way that the organization documents and determines the specific parts of its risk
strategy should link to the business strategy and objectives.
The overall risk management strategy is concerned with trying to achieve the required business
objectives with the lowest possible chance of failure. The tougher the business objectives, however,
the more risks will have to be taken to achieve them.
Residual risk is the risk a business faces after its controls have been considered.
However, the investment by the organization in risk strategy should be largely determined by the
performance requirements of its business objectives and strategy.
LU3: IDENTIFYING,
MEASURING AND ASSESSING.
RISK IDENTIFICATION
• Physical identification
• Inspect documents
• Enquiries
• Brainstorming
• Checklists
• Benchmarking
• External events
• Internal events
• Leading event indicators
• Trends and root causes
• Escalation triggers
• Event interdependencies
Examining different types of risks faced by an organization. Some risks will be relatively easily borne
by business, but others will be more difficult and more serious in their implications.
With reference to the ERM Framework above, risk identification will often be done by the Risk
Committee or risk management specialists. These risks should be recorded in a risk register.
3.2 RISK REGISTER
A risk register is a summary of identified risks, listed, described and assessed/measured (based on
their potential impact and likelihood).
Familiarise yourself with the key components of a risk register as noted in the prescribed study text.
The risk register is a very important and practical risk management tool that should be used by all
companies. It takes several days, if not weeks, to produce, and needs to be reviewed and updated
regularly – often annually (in conjunction with corporate governance guidelines).
The risk register is often laid out in the form of a tabular document with various headings:
Activity
Based on the Beans Aroma case study noted in activity 1 of this study unit, there is a growing number
of pirate attacks off the Somalian coast, which could result in delayed delivery dates for the coffee
beans (raw material) or the coffee beans being lost or stolen.
The risk is that the operations department may be unable to manufacture coffee without the raw
material, or that unacceptable delays occur while the raw material is at sea. The impact of this
occurring, on a rating scale of 5 (five), is 5 out of 5. The likelihood is probably 4 out of 5. This gives an
inherent risk rating of 5 x 4 = 20 (out of a maximum of 5 x 5 = 25). This is critical.
Assume the Board has decided to negotiate insurance for the shipments and/or to find a feasible
alternative supplier. This will reduce the impact of the risk to 2 out of 5 and the likelihood to 3 out of
5. This is a residual risk rating of 2 x 3 = 6. This is a medium residual risk.
REQUIRED
Indicate how this risk could be documented and tracked on a risk register.
Feedback on activity
The acceptability of the medium residual risk rating will depend on management’s risk appetite.
Remember risk is necessary to gain a competitive advantage and to increase financial returns.
Methods to reduce/mitigate risks have to be cost effective to avoid losing the benefit of taking the
risk.
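One way to document and track the risk above on a register is shown below. This is an added example in Python, not material from the CIMA study text: the impact and likelihood ratings for the piracy risk (5 x 4 inherent, 2 x 3 residual) are the activity's, while the banding thresholds, the risk owners and the ratings of the other two entries (drawn from the patent dispute and the missing retailer order in the case study) are assumptions for illustration.

```python
"""Minimal risk register: impact x likelihood scoring with banding and an
appetite check. Added example; not from the CIMA study text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RATING_SCALE = range(1, 6)  # impact and likelihood are each rated 1..5

# Assumed banding thresholds: the activity only states that 20 is "critical"
# and 6 is "medium", so the cut-offs below are ours. (minimum score, label)
BANDS = [(16, "critical"), (10, "high"), (5, "medium"), (1, "low")]


def score(impact: int, likelihood: int) -> int:
    """Risk score = impact x likelihood, both on the 1..5 scale (max 25)."""
    if impact not in RATING_SCALE or likelihood not in RATING_SCALE:
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood


def band(value: int) -> str:
    """Map a score (1..25) onto the assumed banding table."""
    for threshold, label in BANDS:
        if value >= threshold:
            return label
    raise ValueError(f"score {value} is outside 1..25")


@dataclass
class RiskEntry:
    ref: str
    description: str
    category: str
    owner: str
    impact: int                 # inherent impact, 1..5
    likelihood: int             # inherent likelihood, 1..5
    responses: List[str] = field(default_factory=list)
    residual_impact: Optional[int] = None       # None until a response is agreed
    residual_likelihood: Optional[int] = None

    def inherent_score(self) -> int:
        return score(self.impact, self.likelihood)

    def residual_score(self) -> int:
        """Score after controls; an untreated risk keeps its inherent score."""
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent_score()
        return score(self.residual_impact, self.residual_likelihood)

    def within_appetite(self, appetite: int) -> bool:
        """appetite = highest residual score the board is willing to accept."""
        return self.residual_score() <= appetite

    def row(self, appetite: int) -> Dict[str, object]:
        """One tabular register row."""
        return {
            "ref": self.ref,
            "description": self.description,
            "category": self.category,
            "owner": self.owner,
            "inherent_score": self.inherent_score(),
            "inherent_band": band(self.inherent_score()),
            "responses": "; ".join(self.responses) or "none agreed",
            "residual_score": self.residual_score(),
            "residual_band": band(self.residual_score()),
            "within_appetite": self.within_appetite(appetite),
        }


def beans_aroma_register() -> List[RiskEntry]:
    """Entries constructed from the Beans Aroma case study. Only the piracy
    ratings come from the activity; owners and the other ratings are assumed."""
    return [
        RiskEntry("R1", "Raw coffee beans lost, stolen or delayed by pirate "
                  "attacks off the Somali coast", "Business / operational",
                  "Head of Operations", 5, 4,
                  ["Insure shipments", "Qualify an alternative supplier"], 2, 3),
        RiskEntry("R2", "Patent dispute over a coffee blend is lost",
                  "Legal / litigation", "Head of Legal", 4, 3),
        RiskEntry("R3", "Second large retailer does not place next quarter's "
                  "order", "Business / product", "Sales Director", 4, 3,
                  ["Chase the order; recruit additional retailers"], 3, 2),
    ]


def register_report(register: List[RiskEntry], appetite: int) -> List[Dict[str, object]]:
    """Rows sorted so the highest residual risk is tracked first."""
    rows = [entry.row(appetite) for entry in register]
    return sorted(rows, key=lambda r: r["residual_score"], reverse=True)


if __name__ == "__main__":
    for r in register_report(beans_aroma_register(), appetite=9):
        print(f'{r["ref"]}: inherent {r["inherent_score"]} ({r["inherent_band"]}), '
              f'residual {r["residual_score"]} ({r["residual_band"]}), '
              f'within appetite: {r["within_appetite"]}')
```

The report puts the untreated patent risk (residual 12, still "high") ahead of the treated piracy risk (residual 6, "medium"), which is the point of keeping residual scores next to inherent ones: the register shows where a response has been agreed and where one is still missing, and the appetite column flags which residual scores the board has yet to accept.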
3.3 RISK IDENTIFICATION
• One risk identification method will not be enough to identify all the risk exposures.
• The risk identification process must be supported by consulting with as many people inside the
entity as possible. These include management, internal audit and key employees.
• Risk identification is a continuous process.
Study the methods to identify risk in the prescribed study text.
3.3.1 Activity on risk identification
Consider the following case study of Beans Aroma (Pty) Ltd, a coffee manufacturer based in South
Africa. The entity’s differentiating factor is that it sources unrefined/raw coffee beans from a small
region in Ethiopia. These coffee beans are roasted using a refined process to produce an aromatic
and rounded flavour. The coffee is expensive and targets a niche (exclusive) segment of the market.
The following information was noted based on recent discussions with key stakeholders including:
The Chairman of the Audit Committee (an independent non-executive director), Chief Executive
Officer (CEO), Chief Financial Officer (CFO), Chief Risk Officer (CRO) and key members of
management, including the head of the legal department:
• The entity has a strong financial position to facilitate financing future projects.
• The entity has an excellent distribution network across South Africa.
• This distribution network is used to supply two large retailers with stores across South Africa.
• Only one of the retailers has placed their order for the next quarter.
• Based on market research, Beans Aroma’s aromatic and rounded coffee blends will be very
popular in the fast growing Russian and Brazilian markets.
• The economic downturn in South Africa is a concern as expensive coffee is a luxury item and there
are inexpensive substitutes.
• Beans Aroma has a contract with an international company for the coffee beans to be shipped in
special containers from Ethiopia to South Africa. The shipping company has expressed concerns
about the growing number of pirate attacks off the Somalian coast but has indicated that alternative
routes are not economically viable. The attacks have resulted in some cargo being lost or stolen and
the shipping company not achieving the delivery dates.
• There is currently a legal dispute over the patent rights of one of the coffee blends sold by Beans
Aroma.
• The company has a strong and stable base of employees with very good succession planning.
• Beans Aroma has a strong and recognisable brand in South Africa.
REQUIRED
a. Draft a SWOT (Strengths, Weaknesses, Opportunity and Threat) analysis.
b. Draft a PESTEL analysis.
SWOT analysis for Beans Aroma (Pty) Ltd
NOTE:
This is a SWOT analysis, but based on the above, a number of significant risks can be identified. The
assessment of the risks resulting from the threats and weaknesses will be more significant than the
advancement of the strengths and opportunities. This is apparent because the threats and
weaknesses need to be addressed to ensure the sustainability of the entity before committing time
and resources to the enhancement of strengths or achievement of opportunities.
b. PESTEL analysis:
3.4 QUANTIFICATION OF RISK EXPOSURES
As part of the process to quantify the risk exposure (impact or likelihood) a company may be
required to calculate the ‘value of risk’. These results will then be used to determine the severity of
the potential impact or the likelihood if the risk occurs.
Quantification of risk is important in understanding the extent and significance of risk exposure. This
can be done by measuring the impact of the risk factor (such as exchange rates) on the total value of
the company, or on individual item such as cash flow or costs:
• Risks that are identified should be measured and assessed. The extent to which this can be
done depends on the information available to the risk manager.
• In some companies, particularly in the banking and insurance industries, many risks can be
measured statistically, based on historical information.
• In many other situations, the measurement or assessment of risk depends on management
judgement.
Quantification techniques include:
• expected values and standard deviation
• volatility
• value at risk – see detailed explanation in the prescribed study text
• regression analysis– see detailed explanation in the prescribed study text
• simulation analysis – see detailed explanation in the prescribed study text
Expected Values And Standard Deviation
The standard deviation is a measure of the dispersion of the possible values of a given factor, such as
cash flow, from the expected value or mean. Thus the standard deviation provides a measure of
volatility: the greater the standard deviation, the greater the risk involved.
Volatility
Another way of assessing risk might be looking at potential volatility. For example, a company might
calculate an expected value based on a range of probabilities but also assess the potential variation
from that expected outcome (range or standard deviation).
Value At Risk
Value at risk (VaR) allows investors to assess the scale of the likely loss in their portfolio at a defined
level of probability. It is becoming the most widely used measure of financial risk and is also
enshrined in both financial and accounting regulations.
VaR assumes that investors care mainly about the probability of a large loss. The VaR of a portfolio
is the maximum loss on the portfolio within a given period that will not be exceeded at a given
confidence level, so that the probability of a larger loss is small.
• Calculating VaR involves three components: a time period, a confidence level and a loss
amount or percentage loss.
• Statistical methods are used to calculate a standard deviation for the possible variations in
the value of the total portfolio of assets over a specific period of time.
• Assuming that possible variations in the total market value of the portfolio are normally
distributed, it is then possible to predict, at a given level of probability, the maximum loss that
the bank might suffer on its portfolio in the time period.
• A bank can try to control the risk in its asset portfolio by setting target maximum limits for
value at risk over different time periods (one day, one week, one month, three months, and
so on).
VaR may be calculated as standard deviation × Z-score, where the standard deviation is that of the
portfolio value over the chosen time period and the Z-score for the chosen confidence level can be
found from normal distribution tables (for example, 1.645 at 95% and 2.326 at 99%, one-tailed).
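The expected value, standard deviation and parametric VaR calculations described above, carried through in Python as an added example (not from the study text). The three-point cash-flow forecast and the £10m trading book with 1.5% daily return volatility are constructed figures. The example goes one step beyond the text by scaling a one-day standard deviation to longer horizons with the square root of the number of days, which is our added assumption that period-to-period changes are independent; the Z-scores come from the standard library's normal distribution rather than printed tables.

```python
"""Expected value, standard deviation and parametric (normal) VaR.
Added example; figures are constructed, not from the study text."""
import math
from statistics import NormalDist
from typing import Dict, Iterable, Tuple

Outcome = Tuple[float, float]  # (probability, value)


def expected_value(outcomes: Iterable[Outcome]) -> float:
    """Probability-weighted mean of a discrete distribution."""
    outcomes = list(outcomes)
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * v for p, v in outcomes)


def standard_deviation(outcomes: Iterable[Outcome]) -> float:
    """Dispersion of the outcomes around their expected value."""
    outcomes = list(outcomes)
    mu = expected_value(outcomes)
    return math.sqrt(sum(p * (v - mu) ** 2 for p, v in outcomes))


def z_score(confidence: float) -> float:
    """One-tailed z for a confidence level, e.g. 0.95 -> 1.645, 0.99 -> 2.326."""
    if not 0.5 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0.5 and 1")
    return NormalDist().inv_cdf(confidence)


def parametric_var(position_value: float, return_sd: float,
                   confidence: float, periods: int = 1) -> float:
    """Loss not exceeded with probability `confidence` over `periods`.

    return_sd is the standard deviation of the portfolio return over ONE
    period (e.g. one day). The text assumes normally distributed changes;
    we further assume (our assumption) that changes in successive periods
    are independent, so the standard deviation grows with sqrt(periods).
    """
    if position_value <= 0 or return_sd < 0 or periods < 1:
        raise ValueError("position_value > 0, return_sd >= 0, periods >= 1")
    return position_value * return_sd * z_score(confidence) * math.sqrt(periods)


def var_limit_table(position_value: float, return_sd: float, confidence: float,
                    horizons: Iterable[int] = (1, 5, 21, 63)) -> Dict[int, float]:
    """VaR at several horizons (trading days), as a bank would set tiered limits."""
    return {h: parametric_var(position_value, return_sd, confidence, h)
            for h in horizons}


# Constructed illustration: a three-point cash-flow forecast in £m.
CASH_FLOW_FORECAST = [(0.2, 50.0), (0.5, 80.0), (0.3, 110.0)]

# Constructed illustration: a £10m trading book with 1.5% daily return volatility.
BOOK_VALUE = 10_000_000.0
DAILY_RETURN_SD = 0.015


if __name__ == "__main__":
    mu = expected_value(CASH_FLOW_FORECAST)
    sd = standard_deviation(CASH_FLOW_FORECAST)
    print(f"expected cash flow £{mu:.1f}m, standard deviation £{sd:.1f}m")
    for days, loss in var_limit_table(BOOK_VALUE, DAILY_RETURN_SD, 0.99).items():
        print(f"99% {days:>2}-day VaR: £{loss:,.0f}")
```

On the constructed forecast the expected cash flow is £83m with a standard deviation of £21m. For the trading book, the one-day 99% VaR is £10m × 1.5% × 2.326, roughly £349,000; the statement "we do not expect to lose more than this on 99 days out of 100" is only as good as the normality assumption noted in the text, which understates the frequency of large losses in real markets.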
Regression Analysis
This can be used to measure a company’s exposure to several risk factors at the same time. This is
done by regressing changes in the company’s cash flows against the risk factors (changes in interest
rates, exchange rates, prices of key commodities such as oil). The regression coefficients will indicate
the sensitivities of the company’s cash flow to the risk factors.
The drawback with this technique is that the analysis is based on historical factors which may no
longer be predictors of the company in the future.
Simulation Analysis
This is used to evaluate the sensitivity of the value of the company, or its cash flows, to a variety of
risk factors. These risk factors will be given various simulated values based on probabilities
distributions, and the procedure is repeated several times to obtain the range of results that can
give an expected value and measure of the risk.
This technique can be complex and time-consuming to carry out and is limited by the assumptions of
the probability distributions.
Other methods of measuring or assessing the severity of an identified risk include:
 Scenario planning – forecasting various outcomes of an event.
 Decision trees – use of probabilities to estimate an outcome.
 Sensitivity Analysis – asking “what-if” questions to test the robustness of a plan. Altering one
variable at a time identifies the impact of that variable.
Drawbacks of the quantification of risk
Once a risk has been quantified, there is a problem – whether anyone really knows what it means.
Unless you are a trainee or qualified accountant (or similar) this is unlikely, hence risks are often left
unquantified.
LU4: RISK RESPONSE/MITIGATION STRATEGY
3.5 RISK MAPPING OR ASSURANCE
A common qualitative way of assessing the significance of risk is to produce a ‘risk map’, sometimes
called an ‘assurance map’.
 The Board, the Risk Committee, the Audit Committee and senior management from various
departments will all be involved in the preparation of the map.
 The map identifies whether a risk will have a significant impact on the organization and links
that into the likelihood of the risk occurring.
 The approach can provide a framework for prioritizing risks in the business.
 Risks with a significant impact and a high likelihood of occurrence need more urgent
attention than risks with a low impact and low likelihood of occurrence.
 A well-structured risk map will highlight where there are gaps in assurances over significant
risk areas.
 Also, duplicated or potentially burdensome assurance processes may be identified.
 Risks can be plotted on a diagram, as shown below:
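An added example (not part of the study text) that builds such a map in code from a constructed risk register: it places risks in the four impact/likelihood quadrants, ranks them for attention, and flags the two things the bullets above say a well-structured map should reveal, gaps in assurance over significant risks and duplicated assurance. The 1–3 scoring scale and the risk names are assumptions.

```python
from dataclasses import dataclass, field

# Likelihood and impact are scored 1 (low) to 3 (high); a score of 2 or more
# counts as "high" on the map. The scale is an assumption added here.
HIGH = 2

@dataclass
class Risk:
    name: str
    likelihood: int                   # 1 = low ... 3 = high
    impact: int                       # 1 = low ... 3 = high
    assurance: list = field(default_factory=list)  # who gives assurance over it

# Constructed sample risk register (not real data).
REGISTER = [
    Risk("Loss of key supplier", likelihood=3, impact=3, assurance=["Internal audit"]),
    Risk("IT system outage", likelihood=2, impact=3),
    Risk("Regulatory breach", 1, 3, ["Compliance", "Internal audit", "External audit"]),
    Risk("Office relocation delay", 2, 1, ["Facilities"]),
    Risk("Currency fluctuation", 3, 2, ["Treasury"]),
    Risk("Stationery price rise", 1, 1),
]

def risk_map(register):
    """Place each risk in one of the four impact/likelihood quadrants."""
    quadrants = {"high impact / high likelihood": [], "high impact / low likelihood": [],
                 "low impact / high likelihood": [], "low impact / low likelihood": []}
    for r in register:
        imp = "high" if r.impact >= HIGH else "low"
        lik = "high" if r.likelihood >= HIGH else "low"
        quadrants[f"{imp} impact / {lik} likelihood"].append(r.name)
    return quadrants

def prioritise(register):
    """Most urgent first: rank by impact x likelihood (stable for ties)."""
    return [r.name for r in sorted(register, key=lambda r: r.impact * r.likelihood,
                                   reverse=True)]

def assurance_gaps(register):
    """Significant (high-impact) risks over which nobody currently provides assurance."""
    return [r.name for r in register if r.impact >= HIGH and not r.assurance]

def duplicated_assurance(register, max_providers=2):
    """Risks with more assurance providers than needed (potentially burdensome)."""
    return [r.name for r in register if len(r.assurance) > max_providers]
```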
It is important, as part of the risk management strategy, to consider all the available methods to
treat/reduce/mitigate risks. These include:
• avoiding the risk
• transferring the risk
• pooling the risk
• diversifying the risk
• reducing the risk
• hedging the risk
• sharing the risk
Avoid the risk
- A company may decide that some activities are so risky that they should be avoided.
- This will always work but is impossible to apply to all risks in commercial organizations as
risks must be taken to make profit.
Transfer the risk
- In some circumstances, risk can be transferred wholly or in part to a third party.
- A common example of this is insurance. It does reduce/eliminate risks, but premiums must
be paid.
Pool risks
- Risks from many different transactions can be pooled together: each individual transaction
has its potential upside and its downside. The risks tend to cancel each other out and are
lower for the pool than for each item individually.
- For example, it is common in large group structures for financial risk to be managed
centrally.
Risk Diversification
- Diversification is a similar concept to pooling but usually relates to different industries or
countries.
- The idea is that the risk in one area can be reduced by investing in another area where the
risks are different or, ideally, opposite.
- A correlation coefficient of –1 is essential if risk is to be nullified entirely.
- More detail on risk diversification:
 Risk can be reduced by diversifying into operations in different areas, such as into
Industry X and Industry Y, or into Country P and Country Q.
 Poor performance in one area will be offset by good performance in another area,
so diversification will reduce total risk.
 Diversification is based on the idea of ‘spreading the risk’; the total risk should be
reduced as the portfolio of diversified businesses gets larger.
 Diversification works best where returns from different businesses are negatively
correlated (i.e. move in different ways). It will, however, still work as long as the
correlation is less than +1.0.
 Example of poor diversification – swimming costumes and ice cream – both reliant
on sunny weather for sales.
 Spreading risk relates to portfolio management, as an investor or company spreads
product and market risks.
 The most common form of diversification attempts to spread risk according to the
portfolio of companies held within a group – based on links within the supply chain.
Sharing - Spreading risk by portfolio management
Within an organization, risk can be spread by expanding the portfolio of companies held. The
portfolio can be expanded by integration -linking with other companies in the supply chain, or
diversification into other areas.
This is development beyond the present product and market, but still within the broad confines of
the industry.
 Backward integration – refers to development into activities concerned with the
organization’s inputs, e.g. raw materials, machinery and labour.
 Forward integration – refers to development into activities that are concerned with the
organization’s output, such as distribution, transport, servicing, and repairs.
 Horizontal integration – refers to development into activities that compete with, or directly
complement, an organization’s present activities. An example of this is a travel agent selling
other related products such as travel insurance and currency exchange services.
Unrelated diversification
This is development beyond the present industry into new products and/or markets that may bear no
clear relationship to the present portfolio. Where appropriate an organization may want to enter
into a completely different market to spread its risk.
Problems with diversification
 If diversification reduces risk, why are there relatively few conglomerate industrial and
commercial groups with a broad spread of business in their portfolio?
 Many businesses compete by specializing, and they compete successfully in those areas
where they excel.
 Therefore, it is difficult for companies to excel in a wide range of diversified businesses.
There is a possible risk that by diversifying too much, an organization might become much
more difficult to manage. Risks could therefore increase with diversification, due to loss of
efficiency and problems of management.
 Many organizations diversify their operations, both in order to grow and reduce risks, but
they do so into related areas, such as similar industries (e.g. banking and insurance, film and
television, production, and so on) or the same industry but in different parts of the world.
 Relatively little advantage accrues to the shareholders from diversification. There is nothing
to prevent investors from diversifying for themselves by holding a portfolio of stocks and shares
from different industries and in different parts of the world.
Reducing the risk
 Even if a company cannot totally eliminate risks, it may reduce them to a more acceptable
level by a form of internal control.
 The internal control would reduce either the likelihood of an adverse outcome occurring or
the size of a potential loss.
 The costs of the control measures should be justified by the benefits from the reduced risk.
(More on CH5)
Hedging the risk
 Hedging is considered in detail in F3
 The concept of hedging is reducing risks by entering into transactions with opposite risk
profiles to deliberately reduce the overall risks in a business operation or transaction.
Sharing the risk
 A company could reduce risk in a new business operation by sharing the risk with another
party.
 This can be a motivation for entering into a joint venture.
Companies may not always be able to totally eliminate their risks and may choose only to reduce
them to an acceptable level by implementing internal controls. Internal controls should aim to
reduce the potential impact and likelihood of risks in a cost-effective manner.
LU9: RISK MANAGEMENT ROLES AND RESPONSIBILITIES
The board of directors, audit committee, risk committee, risk management group led by the risk
manager and internal audit function all have roles and responsibilities within the risk management
process.
The responsibilities of the audit committee will be discussed in more detail in Topic 5 and the
responsibilities of internal audit will be discussed in Topic 6 and 7.
With reference to the ERM integrated framework in study unit 1 of this topic, the board of directors
is ultimately responsible for risk management within the organisation. However, some of the
responsibilities could be delegated to sub-committees within the organisation.
Also remember that every employee is responsible for risk management and should report potential
risks to management or through a whistleblowing hotline.
If the company being considered is divisional there may be a risk officer for each division who will
help to identify and manage tactical and operational level risks.
All employees have a role and responsibility for risk too. You should be aware of possible risks (through
policies issued and training given) and you should speak up if you believe a risk needs to be
managed (by reporting it to your manager or by whistleblowing).
Remember that you will have 1.8 minutes per mark in the exam, i.e. 45 minutes to complete a 25
mark question.
SUMMARY
Study the chapter summary in the prescribed study text.
Note that the models and frameworks discussed in this topic are only a starting point for answering
most exam questions which will require the application of knowledge.
This topic links with various other topics which will be discussed later, but especially with the next
topic, which relates to ‘Internal Control’ dedicated to managing risk.
Exam resources:
Remember to scratch the panel at the front of your prescribed study text to reveal your unique pass
key to the www.En-gage.co.uk website for additional study resources.
You can also search the CIMA website for past exam papers.
Past Unisa exam papers are available under Official Study Resources on the MAC4867 – Performance
Strategy myUnisa site.
Good luck with the exams!