CORPORATE RISK MANAGEMENT

Introduction
Risk management is an essential dimension of good management practice. The Cadbury Report listed having a process in place to identify major business risks as one of the key procedures of an effective control system. This was confirmed in the Hampel Report. In particularly, requirements for a formal risk management procedure have been developed by some areas of the public sector, especially the NHS and the Housing Corporation. Guidance (Rutteman 1994) developed after the Cadbury report on reviewing the effectiveness of internal financial control recommended that directors of public limited companies should consider risk management as one of five criteria (as in the COSO report), as follows: control environment identification and evaluation of risks and control objectives information and communication control procedures monitoring and corrective action.

The Rutteman report considered that risk management should include: Identification and evaluation of risks and control objectives Identification of key business risks in a timely manner Consideration of the likelihood of risks crystallising and the significance of the consequent financial impact on the business. Establishment of priorities for the allocation of resources available for control and the setting and communicating of clear objectives@. Risks may affect the organisation=s ability to survive; successfully compete; maintain its financial strength and positive public image; and maintain the overall quality of its service provision. The Economist Intelligence Unit defines risk as: The threat that an event or action will adversely affect an organisation=s ability to meet its business objectives and executive its strategies successfully. In many organisations internal audit is directly involved in the risk management function of the business. In other organisations internal audit is involved in reviewing this function. Whether or not internal audit is directly involved with risk management internal auditors should be aware of the general principles of risk management that this section aims to cover. Some organisations may be unnecessarily risk adverse or there may be some areas of the organisation that take a more conservative or more gung ho attitude to risk than is generally considered to be prudent by the organisation. Developing a formal risk management procedure should enable an organisation to review its attitude to risk and consider the level of risk That is considered to be acceptable. This level of risk should then be adopted in all departments across the organisation. In some departments this will mean introducing further controls and risk reduction mechanisms. In other departments controls may be relaxed as a less cautious attitude to risk is now found to be acceptable.

The Risk Management Cycle

97499793.doc

Page 1

Risk management requires the following steps to be undertaken: 1. establish a business framework identify all risks measure risks deal with risks monitor arrangements. Establish a business framework

A clear business framework should be developed for risk management. This should be documented within a formal risk management policy. This should include: corporate attitude to risk and its risk appetite - the types and levels of risk that are considered acceptable; responsibilities for risk management - risk should be considered during all management initiatives, but specific risk management aspects should be assigned to named managers; an outline of the formal risk management procedures review and reporting timetables; procedures to ensure a suitable level of risk awareness and communication across the organisation. The policy needs to be clearly documented and communicated to all managers and relevant staff. Training in risk management will be needed across the organisation to ensure that the policy is understood and a common business risk language is developed. The setting of clear, documented corporate and departmental objectives is a precondition for risk management. Responsibility for risk management rests ultimately with the Board (or equivalent) who should retain responsibility for the major risks the organisation faces. However, it will be necessary to assign responsibility for the day-to-day management of specific risks to the organisation=s managers and staff. All levels of managers and staff should be responsible and actually feel they are responsible for the management of risk in their particular area. The Board should adopt a formal risk management policy and consider the major risks the organisation faces and how these are to be managed. The Audit Committee should have direct involvement in monitoring the organisation=s risk management process and considering its effectiveness. A formal risk management process should also be adopted at senior management and departmental level (and section level in larger organisations). Each department should develop a risk register (map or matrix) (see below part 5) as part of this process and report on this at least annually to the senior management team. The senior management team should in turn report annually to the Board on the way that the organisation as a whole is managing its significant risks. 2. Identify all risks

97499793.doc

Page 2

Managers should be aware of the risks in their area of responsibility. However, each organisation will benefit from ensuring that the identification and assessment of risks is conducted in a structured way at each level within its management hierarchy. This should include a top down approach at corporate level; a bottom up approach at departmental or section level; and an analysis of the links between these two approaches. The senior management team and departmental managers should be responsible for conducting detailed identification of the risks the organisation faces in achieving its corporate objectives. Departmental meetings should: brainstorm risks facing each activity undertaken; identify existing controls to mitigate risks and further action that is necessary; name managers responsible for each risk and associated control action; agree monitoring action to be undertaken. As the Board has a different perspective to the organisation=s managers, it should also be involved in the identification of the organisation=s corporate risks. It should also be involved to ensure that the relative significance of various risks across the organisation can be assessed and to ensure that suitable resources can be assigned for managing these risks. Risks may be identified from a series of risk categories, for example: political/policy financial health & safety legal/regularity corporate issues commercial operational reputational

A variety of more elaborate risk models have been developed to facilitate the process of risk identification in different sectors and types of organisation. One model that is frequently quoted is provided at Appendix A to this section. Appendix B provides the common risk themes that emerged from the Housing Corporation=s pilot risk management sites. A further aid to the identification of risks may be to consider the two aspects of risk: cause - who or what causes the exposure to happen. This can be a type of person (eg staff or public); an event (eg fire, flood); or it can be the absence of appropriate action. effect - the logical outcome of the potential risk turning into an actual exposure. This should be described qualitatively (eg additional cost, loss of income).

When identifying risks many managers will identify the effect of the symptom of a risk. However, to enable risks to be effectively managed the underlying reason for the risk exposure or its cause will have to be identified.

97499793.doc

Page 3

3.

Measure risks

There are two aspects or dimensions to measuring risk: the impact of the risk - what is the potential damage that the organisation faces? the likelihood of the risk - how likely is it that the damage will occur?

One approach to measuring risks is by assigning monetary values and probabilities to each risk. However, it is more practical to assign ratings to each aspect, for example: Level 1 2 Impact The organisation would not survive. Major impact on the achievement of the organisation=s business plan and the quality of its overall services. Significant impact on the success of the business and quality of its services. Some impact on the organisation=s staff and minor effect its clients. Insignificant impact on the organisation or its staff. Likelihood Certain Probable (likely to happen each year). Possible (could happen in the next three years). Unlikely (may happen in the next five years) Remote Probability more than 80% 50% - 80%

3 4 5

25% - 50% 5% - 25% less than 5%

The degree of sophistication that is necessary when considering the level of significance of risks should be carefully considered. The approach adopted should be kept as simple as possible. At one extreme risks could just be assigned to one of the four quadrants in a risk evaluation matrix such as the one included in section four below. As a compromise the impact and likelihood of a risk could be identified as being high, medium or low. A number of organisations have found that control self assessment type workshops are a useful means of identifying and assessing the significance of the risks that the organisation faces. In this case a facilitator (perhaps an internal auditor) will help a group of managers to brainstorm the full range of risks that exist. They will then collectively determine the significance of each of the individual risks. Sensitivity analysis is another way of analysing the effect of certain risks on an organisation. For example, if an organisation faces the risk of a rise in interest rates, the effect of a 5% increase in the rates on its financial plans could be calculated. The combined effect of various risks could also be calculated. For example, business plans are usually developed using certain assumptions about the future. Sensitivity analysis could be used to explore the effect of each of the variables moving in a positive or a negative direction. This will provide an indication of the volatility of the organisation=s plans when faced with the occurrence of certain favourable or unfavourable events. The assumptions on which sensitivity analysis is presented need to be explained carefully. In

addition, the limitations of sensitivity analysis should be made clear. These include: it requires detailed modelling of often complex causal relationships as they will occur in the future; and selection of the amounts by which to flex key variables should not be taken as forecasts of the changes that might occur but as indicators to allow users of sensitivity information to make their own forecasts.

4.

Deal with risks

The process of identifying and measuring risks is usually referred to as risk profiling. Once the risks have been profiled there are four ways of dealing with them: avoid accept transfer reduce

Risks may be accepted if they have a low impact or are not likely to occur. Risks with a high impact but low likelihood may be accepted, but plans should be developed to ensure the continuation of the smooth running of the organisation if they crystallise. Risks may be reduced by improving internal controls by, for example implementing internal audit recommendations. Risks need not, and often cannot, be eliminated, but they should be reduced to a level that is acceptable to the organisation. Insurance is the usual way of transferring risks especially high impact risks that cannot be accepted. As an alternative the risk may be transferred by contracting out certain functions. If the risk is too great for the organisation and it is not practical to reduce the risk then the risk should be avoided. For example, it may be better for a college to avoid the risk of establishing a new course if the demand cannot be assessed clearly. Risk Evaluation Matrix High Contingency planning and insurance Avoid or reduce through corporate risk management and improved internal controls

Impact

Accepted

Low

Reduce through cost effective internal controls or plan to bear the impact High Probability

5.

Monitor Arrangements

Once a complete cycle of the risk management process has been undertaken, it is important that it is kept up to date. A full review of the risks that the organisation faces should be undertaken at least once every three years In addition, each year the risk management process at each level within the organisation should be formally reviewed, the risks that have crystallised and any changes to the impact or probability of each significant risk should be considered. One way to achieve this is to combine it with existing business planning routines such as revising the strategic plan or developing annual budgets. This could be achieved by requiring managers to complete and report risk matrices for their area of responsibility. An example of a format for such a risk matrix is shown below: Risk Matrix
Operational and financial risks Manager responsible Method of dealing with risk

Action
What Who When

Monitoring activity and outcome

How Who When

Where necessary further action should be agreed to deal with unacceptable outstanding risks. Departments should report to senior management and senior management should report all significant risks to the Board.

Risk Management and the Role of Internal Audit

The extent that internal audit is directly involved in corporate risk management is very variable. A recent survey in the private sector found that in over half of the companies surveyed the risk management and internal audit functions had been combined. In contrast the Housing Corporation in their guidance on risk management state that: is ... unlikely It that the objectives of internal audit could be met if it were to form part of the risk management strategy [of a housing association]. This is because if internal audit is directly involved in the risk management process it would be difficult for it to report independently to senior managers and members on its effectiveness. However, internal audit=s professional experience of identifying risks and recommending cost effective means of managing them will mean that their involvement in the process should help to ensure that risk identification is as comprehensive as possible and that all the significant risks identified are effectively managed. Risk management is a dimension of management and should therefore remain the responsibility of the managers of the organisation. However, it may be effective for internal audit to play a facilitation role in enabling managers to identify the full range of risks that they face and their relative significance to the organisation. This could include internal audit

facilitating control self assessment workshops across the organisation to identify and assess key risks. In addition, internal audit can play a useful role in reviewing the organisation=s risk management process and reporting to senior managers and the audit committee on its effectiveness and the extent that it can be relied upon to identify and manage the main risks that the organisation faces. It is fundamental that internal audit addresses the organisation=s most significant risks. Internal audit will be more successful if its view of the organisation=s most significant risk exposures is aligned with that of the organisation=s senior managers. The strategic internal audit plan should cover all those systems that are necessary to manage the risks that the organisation=s managers have identified as being particularly significant. The development of the strategic audit plan will be made more efficient if the audit needs assessment process is integrated with the organisation=s risk management procedures. A clear distinction should be drawn between internal audit (acting as internal consultants) providing advice and assistance on risk management and internal audit taking responsibility for and taking key decisions about its design and operation. Where internal auditors are directly involved in the risk management process other audit staff should then be responsible for any reviews of this system.

Conclusions
Risk management is a vital aspect or dimension of management and business planning. To be effective it should include the following two aspects: bottom up risk identification of significant issues at departmental level to ensure that staff are extensively involved in the process and risk management becomes an accepted dimension of planning; a top-down strategic review of risks from the Board=s perspective to ensure that all risks to achievement of corporate objectives are identified and action on most significant risks is prioritised. The benefits of adopting a formal approach to corporate risk management will include ensuring that an opportunity is available for: clearly identifying all the significant risks that the organisation faces; setting the evaluation of these risks in the context of the organisation=s corporate objectives; prioritising risks to ensure that management and resources are focused on the critical areas; developing a suitable level of risk awareness by managers and staff; ensuring a positive attitude to risk management and knowledge of the organisation=s policy towards risk.

APPENDIX A ARTHUR ANDERSEN=S BUSINESS RISK MODEL ENVIRONMENT RISK

Competitor Catastrophic Loss Markets Sensitivity Sovereign/Political Shareholder Relations Capital Availability Financial

Legal Regulatory Industry

PROCESS RISK
OPERATIONS RISK Customer Satisfaction Human Resources Product Development Efficiency Capacity Performance Gap Cycle Training Sourcing Obsolescence/ Shrinkage Compliance Business Interruption Product/Service Failure Environmental Health and Safety Trademark/ Brand Name Erosion EMPOWERMENT RISK Leadership Authority/Limit Outsourcing Performance Incentives Change Readiness Communications FINANCIAL RISK Price Interest Rate Currency Equity Commodity Financial Instrument Liquidity Cash Flow Opportunity Cost Concentration Credit Default Concentration Settlement Collateral INFORMATION PROCESSING/TECHNOLOGY RISK Relevance Integrity Access Availability Infrastructure INTEGRITY RISK Management Fraud Employee Fraud Illegal Acts Unauthorised Use Reputation

INFORMATION FOR DECISION MAKING RISK

OPERATIONAL Pricing Contract Commitment Performance Measurement FINANCIAL Budget and Planning Completeness & Accuracy Accounting Information STRATEGIC Environmental Scan Business Portfolio Valuation

Alignment Completeness and Accuracy Regulatory

Financial Reporting Evaluation Taxation Pension Fund Investment Evaluation Regulatory Reporting

Performance Measurement Organisation Structure Resource Allocation Planning Life Cycle

APPENDIX B COMMON RISK THEMES FACING HOUSING ASSOCIATIONS Government Policy Corporation Tax Housing Benefit regulations Financial Management Financial losses Fraud Availability of loan finance Treasury Management Interest rates Capacity Derivatives Inflation Public Perception Abuse of residents Abuse of tenants Contracts Care contracts Ability of contractors to deliver development contracts Competition From other social housing providers From the private sector Personnel Recruitment of suitable staff Retention of key staff eg chief executive Health and Safety Employees Residents Information Technology IT strategy IT failure eg year 2000 problem Housing Corporation Approved Development Programme Regulation of rent levels

APPENDIX C GUIDE TO FURTHER READING 1. 2. 3. 4. Business Risk Management - Technical Focus Number 10 (January 1997) ICEAW Tel: 0171 920 8486 Managing Business Risk - an integrated approach; Economist Intelligence Unit (1995) ISBN 0-85058-850-2 Complete Guide to Business Risk Management Sadgrove, K, Gower (1996) ISBN 0-566-07551-2 Risk Management for Registered Social Landlords; detailed guidance and executive summary (March 1997). Housing Corporation Circular on Risk Management (R218/98) issued in May 1998. Tel: 0171393 2228. Controls Assurance Project - NHS Executive November 1996 Control Model Implementation: Best Practices Roth, J, IIA-USA (1997) ISBN 0-89413-390-X Managing Risk - Institute of Internal Auditors Professional Briefing Note 13 (June 1998) Control Self Assessment for risk management and other practical applications Edited by Keith Wade and Andy Wynne published by Wiley 1999 ISBN 0 471 98619 4

5. 6. 7. 8.