Chartered Institute of Management Accountants Strategic Level P3
P3 Risk Management
Structure
A. Enterprise risk (25%)
1. Risk
2. Risk management
B. Strategic risk (25%)
3. Strategy risk
4. Reputational risks
5. Corporate governance
C. Internal controls (25%)
6. Internal controls
7. Internal audit
D. Cyber risk (25%)
8. Cyber security threats
9. Cyber security processes
10. Cyber security tools, techniques and reporting
Jack Gould 1 of 33
P3A1 Risk
• Uncertainty (unquantifiable): arises from ignorance and a lack of information/knowledge;
uncertainty is reduced by obtaining as much information as possible before decision-making
• Numerous possible outcomes but probability of each outcome is not known; thus mathematical
modelling is not possible, hence future cannot be predicted under conditions of uncertainty
• Risk (quantifiable): the chance that future events do not happen/results may not be as expected;
all businesses face risk in the variability of future potential returns
• Numerous possible outcomes and probability of each outcome is known; thus enabling use of
mathematical modelling, to improve reliability of forecasts
• CIMA definition: condition in which there exists a quantifiable dispersion in possible outcomes
• ISO Guide 73 definition: combination of the probability of an event and its consequences
• Expected impact of uncertain future events on objectives: allow for both upside & downside
• Downside (pure) risk: possibility of loss, with no chance of gain; risk often thought of as bad
• Example: disruption due to a power cut, losses from theft/fraud, damage to assets from a fire, a customer going bankrupt
• Upside (speculative) risk: actual results may be better than expected; risk can be good
• Example: new product launch more successful than planned; savings from an investment higher than expected
• Why incur risk?: to generate higher returns (financial & intangible) and thus be more competitive,
a business must be willing to take on more risk; high risk usually = high return. Conversely, not
accepting risk tends to make a business less dynamic and implies a ‘follow the leader’ strategy
• Routine: low activity risk, low ability to gain competitive advantage
• Identify and develop: low activity risk, high ability to gain competitive advantage
• Avoid: high activity risk, low ability to gain competitive advantage
• Examine carefully: high activity risk, high ability to gain competitive advantage
• Systematic (market) risk: risk of the company being affected by general, macro-economic factors
(cannot be diversified away); e.g. recession, interest rates, exchange rates
• Unsystematic (specific) risk: risk of the company being affected by factors specific to the company/
industry; e.g. systems failure, R&D success or failure, labour strikes
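Added worked example (not part of the CIMA notes): the risk/uncertainty distinction above turns on whether each outcome has a known probability. With probabilities known, the "quantifiable dispersion in possible outcomes" of the CIMA definition can be computed as an expected value and a standard deviation, and the downside (chance of a loss) can be separated from the upside (chance of beating expectations). The two projects and their outcome distributions are constructed for illustration.

```python
from math import sqrt

# Constructed illustration (not taken from the notes): two candidate projects,
# each given as (outcome, probability) pairs. Outcomes are net contribution in
# GBP 000s; a negative outcome is a loss. A probability of None means "unknown".
PROJECT_A = [(-200, 0.2), (100, 0.5), (400, 0.3)]    # wide dispersion, can lose money
PROJECT_B = [(50, 0.5), (150, 0.5)]                  # narrow dispersion, no loss case
UNCERTAIN = [(-200, None), (100, None), (400, None)]  # outcomes known, odds unknown


def is_quantifiable(outcomes):
    """Risk in CIMA's sense needs a probability for every outcome, summing to 1.
    Missing or inconsistent probabilities mean uncertainty, and the dispersion
    statistics below cannot be computed."""
    if not outcomes or any(p is None or p < 0 for _, p in outcomes):
        return False
    return abs(sum(p for _, p in outcomes) - 1.0) < 1e-9


def expected_value(outcomes):
    """Probability-weighted mean of the outcomes."""
    if not is_quantifiable(outcomes):
        raise ValueError("uncertainty, not risk: outcome probabilities are not known")
    return sum(p * x for x, p in outcomes)


def std_dev(outcomes):
    """Dispersion of outcomes around the expected value (the CIMA 'quantifiable
    dispersion in possible outcomes')."""
    mu = expected_value(outcomes)
    return sqrt(sum(p * (x - mu) ** 2 for x, p in outcomes))


def downside_probability(outcomes, floor=0.0):
    """Chance of a result below `floor` (a loss when floor is 0): pure/downside risk."""
    if not is_quantifiable(outcomes):
        raise ValueError("uncertainty, not risk: outcome probabilities are not known")
    return sum(p for x, p in outcomes if x < floor)


def upside_probability(outcomes):
    """Chance the result beats the expected value: speculative/upside risk."""
    mu = expected_value(outcomes)
    return sum(p for x, p in outcomes if x > mu)


def risk_profile(outcomes):
    """Summary a decision-maker can compare across projects."""
    mu = expected_value(outcomes)
    sd = std_dev(outcomes)
    return {
        "expected_value": mu,
        "std_dev": sd,
        # coefficient of variation: dispersion per unit of expected return
        "risk_per_unit_return": sd / mu if mu else float("inf"),
        "p_loss": downside_probability(outcomes),
        "p_beat_expectation": upside_probability(outcomes),
    }


if __name__ == "__main__":
    for name, project in (("A", PROJECT_A), ("B", PROJECT_B)):
        print(name, risk_profile(project))
    # The uncertain project has the same outcomes as A but no probabilities,
    # so nothing above can be computed for it.
    print("uncertain project quantifiable?", is_quantifiable(UNCERTAIN))
```

Project A has the higher expected return (130 vs 100) but also far greater dispersion (standard deviation 210 vs 50) and a 20% chance of an outright loss, which is the "high risk usually = high return" trade-off the notes describe; the same outcomes without probabilities (UNCERTAIN) are rejected because the modelling the notes reserve for risk is not available under uncertainty.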
RISK CATEGORISATION
Political, legal, and regulatory risk: arise due to the regulatory regime the business operates in
• Political risk: risk due to political instability (ie: stability of government, corruption, different
religious beliefs, ethnic tensions, nationalisation of industry), depending on country in which the
business operates; consider differences between the home and target country
• Legal/litigation risk: risk that legal action/litigation will be brought against the business
• Regulatory risk: risk of changes in regulation affecting the way a business must operate; may
apply to businesses in general or to specific industries
• Compliance risk: risk of losses (ie fines, penalties) due to non-compliance with law/regulations
Business risk: arise due to nature of business operations/products; some are inherently more risky
• Strategic risk: risk that business strategies (ie acquisitions) will fail; possible consequences of
strategic decisions impacting long-term future of the business
• Product risk: risk that new product launches will fail/loss of interest in existing products
• Commodity price risk: risk of exposure to unexpected rise/fall in key commodity prices
• Product reputation risk: risk of an event adversely impacting a product’s reputation or image
• Operational risk: risk of losses due to inadequate, inefficient or failed day-to-day processes;
businesses implement internal control systems to manage operational risks, ie:
• Staff leaving due to dissatisfaction
• Human error
• Failure of internal communications
• Information technology failure
• Inferior product quality compared to rivals
• Raw materials wasted during the production process
• Fraud risk: risk of exposure to fraud/vulnerability of the business to fraud; some businesses are
more vulnerable (e.g. banks) and thus have stronger internal control systems to manage fraud:
• Fraud prevention: opportunities to commit fraud are minimised
• Fraud detection and deterrence: measures designed to identify fraud after it has occurred (and,
by making detection likely, to discourage it)
• Employee malfeasance risk: risk of exposure to criminal actions of staff (other than fraud), ie:
• Deliberately making false representations about a product/service to achieve sales
• Committing a criminal offence by failing to comply with statutory requirements
• Contractual inadequacy risk: risk contract terms do not fully cover against all potential outcomes
Economic risk: arise due to changes in the economy that affect the business; ie: unemployment,
inflation, international trade relation, recession (ie 2008 financial crisis), disposable income levels
Contributory factors to the 2008 financial crisis:
• US sub-prime mortgage lending
• Banks’ financial structure
• Collateralised debt obligations (CDOs)
• Credit default swaps
• Debt rating agencies
• Risk-takers
Implications of the 2008 financial crisis:
• Collapse of major financial institutions
• Recession and austerity measures
• The credit crunch
• Problems refinancing government debt
• Government intervention
Financial risk: arise due to changes in financial conditions, ie: exchange rate, interest rate, credit
rating of a customer, price of goods
• Credit risk: risk of losses due to non-payment by customers/debtors; exposure depends on:
• Volume of credit sales
• Credit risk of customers
• Credit vetting and assessment
• Credit policy and terms
• Debt collection procedures
• Political risk: risk arising from actions taken by a government that affect the business’s finances
• Currency risk: risk of fluctuations in the foreign exchange rate
• Interest rate risk: risk of unexpected gains/losses due to changes in interest rates
• Gearing risk: risk arising from the way a business is financed (debt vs equity)
• Cash flow risk
Technology risk: technological changes may either present new opportunities or threaten to make
existing processes inefficient/obsolete, e.g. the early 2000s dot-com bubble
Cyber risk: issues with information technology systems may cause financial loss, disruption,
damage to a business; focus area for modern business
Environmental risk: arises due to change in the environment, ie: climate change or natural disaster
(ie 2011 Japan Tsunami); business sustainability should be considered to ensure long-term survival
Corporate reputation risk: a downside risk for many organisations; the better the reputation of the
business, the more there is to lose, and reputation can be quickly eroded by:
• Adverse media comments or scandals
• Health & safety performance
• Opinion of the general public or specific groups
• Perception of untrustworthy goods/services
• Poor environmental practices
Risk in international operations: subject to additional risk factors; organisation may face a huge
risk by deciding to trade internationally, due to:
• Litigation: not fully understanding local legislation/legal system thus being more prone to legal risk
• Credit: more difficult and expensive to chase debts of overseas customers
• Transportation: greater risk of losses as items in transit may be lost/damaged/held up at customs
• Financial risk: foreign currency exchange risk
• Cultural differences: risk the business does not adapt to culture of various countries it operates in
P3A2 Risk management
• Risk management: process of managing the risks the business is inevitably subject to in attempting
to achieve corporate aims; proactively attempt to reduce the chance of a risk having an adverse
impact, by reducing the likelihood of an event occurring and/or reducing the event’s actual impact
• Reconciling conformance with performance (IFAC, 1999):
• Traditional view (conformance): protect the business against losses via conformance procedures
and hedging techniques, to avoid downside risk; control threats: bad things happen
• New approach (performance): take advantage of opportunities to increase returns and improve
performance, to benefit from upside risk; maximise return: good things might not happen
Enterprise Risk Management (ERM): a process, applied in strategy and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to give reasonable assurance regarding achievement of entity objectives (COSO, 2003)
• 6 key principles:
• Align risk management with business strategy
• Consideration of a broad range of risks
• Creation of a risk-aware culture
• Comprehensive and holistic approach to risk management
• Risk management is everyone’s responsibility: tone set at the top
• Board embeds risk management culture into business operations
• COSO (2003) cube ERM Framework: 3D matrix reflecting the relationships between…
• 4 objectives: reflect the different needs of different executives across the entity
1. Strategic
2. Operations
3. Reporting
4. Compliance
• 4 organisation levels: emphasise the importance of managing risks across the entity as a whole
1. Subsidiary
2. Business unit
3. Division
4. Entity
• 8 components: must function effectively for risk management to be successful
1. Internal environment: tone of the entity, risk management philosophy and risk appetite
2. Objective setting: align objectives with entity mission and consistent with risk appetite
3. Event identification: identify internal/external events which impact achievement of entity aims
4. Risk assessment: analyse likelihood/impact of risks, as basis to determine their management
5. Risk response: develop set of actions that align risks with entity risk tolerances and appetite
6. Control activities: policies and procedures to carry out risk responses effectively
7. Information and communication: relevant information identified and communicated in a way
that enables people to carry out their responsibilities
8. Monitoring: entire ERM process is monitored and modifications made
• COSO (2017) helix ERM Framework update (integrating strategy with performance): not
designed to replace the cube, which remains relevant and provides useful background; COSO
encourages entities to identify the framework that works best for their situation
• 5 components: double helix update recognises changes to the business environment
1. Governance and culture: covers the internal environment and emphasises the importance of the tone
of the entity; includes ethical behaviour and understanding the entity’s risk appetite
2. Strategy and objective setting (key update focus): importance of ensuring ERM and objectives
are aligned to risk appetite in strategic planning, to minimise risk of choosing wrong strategy
3. Performance: combines components 3-5 from cube
4. Review and revision: policies and procedures to help risk responses be effectively carried out,
via selection of key metrics; ensure entire ERM process is monitored and modifications made
5. Information, communication and reporting: relevant information identified and communicated
in a way that enables people to carry out their responsibilities; report to correct people/levels
• Benefits of ERM
• Enhanced decision-making by integrating risks
• Reduced performance fluctuations and fewer interruptions to operations
• Improved investor confidence, hence greater shareholder value
• Focus of management attention on most significant risks
• Common language of risk management understood throughout entity
• Increased ability to benefit from upside risk; while reduced susceptibility to downside risk
• Reduced cost of finance via effective risk management
• Improved resource utilisation
Risk management and shareholder value (EY): EY developed a model for shareholder value as
the sum of the value of what a company does now and the value of what it could do in the future:
• Shareholder value = Static NPV of existing business model + Value of future growth options
• EY’s 4 stages of good risk management: good risk management allows a business to exploit
opportunities for future growth while protecting shareholder value already created
1. Establish what shareholders value about the company: by talking to the investment community
and linking value creation process to key performance indicators