TOPIC 1: INTRODUCTION TO RISK MANAGEMENT
1) Meaning of Terms
2) Importance of Risk Management
3) Objectives of Risk Management
4) Principles of Risk Management Sources of Risks
5) Types of Risks
6) Outcome of Risks
7) Effects of Risks
MEANING OF TERMS
Project risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost, and quality. A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcome. For example, a cause may be requiring a permit or having limited personnel assigned to the project. The risk event is that the permit may take longer than planned, or the personnel may not be adequate for the task. If either of these uncertain events occurs, there will be a consequence on the project cost, schedule, or quality. Risk conditions could include aspects of the project environment that may contribute to project risk such as poor project management practices, or dependency on external participants that cannot be controlled.
Risk Management, in general, is a process aimed at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses. It is an integral part of management practice and an essential element of good corporate governance. Risk Management should be an endlessly recurring process consisting of phases which, when properly implemented, enable continuous improvement in decision-making and performance improvement.
Information Security (IS) Risk Management can be a part of an organization’s wider Risk Management process or can be carried out separately. Given that Information Technology in general (and Information Security in particular) incorporates state-of-the-art technology that is continuously changing and expanding, it is recommended that IS Risk Management be established as a permanent process within the organization.
IMPORTANCE OF RISK MANAGEMENT
1. Risk management makes jobs safer
Health and safety are critical parts of a risk manager’s role. They actively seek out problem areas in the organization and look to address them. They use data analysis to identify loss and injury trends and implement strategies to prevent them from reoccurring. This clearly benefits employees in physical work environments, such as construction, but can also help office employees and those in similar positions through methods such as ergonomics. A safer workplace is better for everyone and is dramatically impacted by risk management.
2. Risk management enables project success
No matter the department, risk managers can help employees succeed with their projects. Just as they assess risks and develop strategies to maximize organizational success, they can do the same for individual projects. Employees can reduce the likelihood and severity of potential project risks by identifying them early. If something does go wrong, there will already be an action plan in place to handle it. This helps employees prepare for the unexpected and maximize project outcomes.
3. Risk management reduces unexpected events
Most people don’t like surprises, especially when they have an organizational impact. A risk manager’s goal is to map out all potential risks and then work to prevent them or best manage them. It’s impossible to think of every possible risk scenario and address them all, but a risk manager makes unpleasant surprises less likely and less severe. The risk manager or the risk management department should be the first place an employee turns to when it seems like something serious could go wrong.
4. Risk management creates financial benefits
The risk department should not be viewed as a cost centre for the organization. In fact, it directly creates value. With trend analysis, risk managers can spot high-frequency events and work to minimize repetitive losses. Incidents will be less likely to occur and have less of an impact when they do, potentially saving the organization thousands if not millions of dollars. Risk managers are also the experts who procure the appropriate levels of insurance to maximize the financial impact of the risk management program.
5. Risk management saves time and effort
Employees at all levels spend time submitting data to the risk management department when incidents occur. These tasks are often completed in disjointed and inefficient ways. By streamlining these tasks, the risk department is able to alleviate the burden of tedious data submission from employees, allowing them to direct time and energy towards their true roles. With a solid process in place, it is easy for employees to buy in to high-ROI risk management initiatives, facilitate risk managers’ roles and reap the benefits of a formal risk management program.
6. Risk management improves communication
Horizontal and vertical communication are essential for organizational and employee well-being. They promote understanding of internal and external issues and help everyone work together effectively. While many employees know this, it can be difficult to put into practice if some parties don’t understand the impact it can have. Risk managers can help. They aid horizontal communication by providing a centralized touchpoint for all risk data and providing reports and analysis. Risk managers promote vertical communication by setting expectations and relating data to organizational goals. Each additional method of communication benefits employees.
7. Risk management prevents reputational issues
Many risks involve a reputation factor: something happens that causes the public to negatively view the organization. Reputational issues could impact individual employees as well, even if they weren’t actually involved. A formal risk department greatly decreases the likelihood of this fallout. When an incident inevitably occurs, a formal risk management program and processes will quickly contain the event and lower the chance of escalation and widespread negative consequences.
8. Risk management benefits culture of performance
A strong risk management culture is better for all parties: frontline employees, risk managers, executives, and decision-makers. It creates a mind-set of prevention and safety that permeates the organization and influences the actions of employees. It sets expectations of performance and sends a positive image to the public.
9. Risk management guides decision-making
Decision-making is a challenging process, especially when making significant choices that will have a large impact on future success. Risk management data and analytics can guide employees in making wise strategic decisions that will help meet and exceed company objectives. They can also advise on the strengths and weaknesses of a decision alternative and provide recommendations on what risks to pursue and which to avoid. The risk department is an excellent source of guidance for employees in all areas.
OBJECTIVES OF RISK MANAGEMENT
1. Ensure the management of risk is consistent with and supports the achievement of the strategic and corporate objectives.
2. Provide a high-quality service to customers.
3. Initiate action to prevent or reduce the adverse effects of risk.
4. Minimize the human costs of risks, where reasonably practicable.
5. Meet statutory and legal obligations.
6. Minimize the financial and other negative consequences of losses and claims.
7. Minimize the risks associated with new developments and activities.
8. Be able to inform decisions and make choices on possible outcomes.
PRINCIPLES OF RISK MANAGEMENT
The Project Management Body of Knowledge (PMBOK) has laid down 12 principles. These principles are an amalgamation of both PMBOK and ISO principles. The various
1. Institutionalization of Risk Management:
Every organization is affected to varying degrees by various factors in its environment (political, social, legal, technological, societal, etc.). There are also marked differences in communication channels, internal culture and risk management procedures. Risk management should therefore be able to add value and be an integral part of the organizational process.
2. Involvement of Stakeholders:
The risk management process should involve the stakeholders at each and every step of decision making. They should remain aware of even the smallest decision made. It is further in the interest of the organization to understand the role the stakeholders can play at each step.
3. Organizational Objectives:
When dealing with a risk it is important to keep the organizational objectives in mind. The risk management process should explicitly address the uncertainty. This calls for being systematic and structured and keeping the big picture in mind.
4. Reporting:
In risk management, communication is the key. The authenticity of the information has to be ascertained. Decisions should be made on the best available information and there should be transparency and visibility regarding the same.
5. Roles and Responsibilities:
Risk Management has to be transparent and inclusive. It should take into account the human factors and ensure that each person knows their role at each stage of the risk management process.
6. Support Structure:
Support structure underlines the importance of the risk management team. The team members have to be dynamic, diligent and responsive to change. Each and every member should understand their intervention at each stage of the project management lifecycle.
7. Early Warning Indicators:
Keep track of early signs of a risk translating into an active problem. This is achieved through continual communication by one and all at each level. It is also important to enable and empower each to deal with the threat at
8. Review Cycle:
Keep evaluating inputs at each step of the risk management process: identify, assess, respond and review. The observations are markedly different in each cycle. Identify reasonable interventions and remove unnecessary ones.
9. Supportive Culture:
Brainstorm and enable a culture of questioning and discussing. This will motivate people to participate more.
10. Continual Improvement:
Be capable of improving and enhancing your risk management strategies and tactics. Use your learnings to assess the way you look at and manage ongoing risk.
TYPES OF RISKS
There are many other types of risks of concern to projects. These risks can result in cost, schedule, or performance problems and create other types of adverse consequences for the organization. For example:
1. Strategic risks result from errors in strategy, such as choosing a technology that can’t be made to work.
2. Financial risk is the possibility of losing money on an investment or business venture. Some more common and distinct financial risks include credit risk, liquidity risk, and operational risk.
3. Reputational risk refers to the potential for negative publicity, public perception or uncontrollable events to have an adverse impact on a company’s reputation, thereby affecting its revenue. Reputational risk strikes without warning and shifts your corporate landscape.
4. Operational risk includes risks from poor implementation and process problems such as procurement, production, and distribution.
5. Market risks include competition, foreign exchange, commodity markets, and interest rate risk, as well as liquidity and credit risks.
6. Legal risks/Compliance Risks arise from legal and regulatory obligations, including contract risks and litigation brought against the organization.
7. Risks associated with external hazards, including storms, floods, and earthquakes; vandalism, sabotage, and terrorism; labour strikes; and civil unrest.
8. Competitive risk is the probability that your competitor’s actions will negatively affect your business. The term signifies the potential losses your firm or organization may experience because of the competitive forces of other businesses in your field. There are many factors that might influence competitive risk, for instance competitors’ innovations, pricing, available resources, favourable location, efficient distribution, effective promotion, etc.
Most Common Project Risks
1. Scope Risk
This risk includes changes in scope caused by the following factors:
• Scope creep – the project grows in complexity as clients add to the requirements and developers start gold plating.
• Hardware & Software defects
• Change in dependencies
2. Scheduling Risk
There are a number of reasons why the project might not proceed in the way you scheduled. These include unexpected delays at an external vendor, natural factors, errors in estimation and delays in acquisition of parts. For instance, the test team cannot begin the work until the developers finish their milestone deliverables and a delay in those can cause cascading delays.
To reduce scheduling risks use tools such as a Work Breakdown Structure (WBS) and RACI matrix (Responsibilities, Accountabilities, Consulting and Information) and Gantt charts to help you in scheduling.
3. Resource Risk
This risk mainly arises from outsourcing and personnel related issues. A big project might involve dozens or even hundreds of employees and it is essential to manage the attrition issues and leaving of key personnel. Bringing in a new worker at a later stage in the project can significantly slow down the project.
Apart from attrition, there is a skill related risk too. For instance, if the project requires a lot of website front end work and your team doesn’t have a designer skilled in HTML/CSS, you could face unexpected delays there.
Another source of the risk includes lack of availability of funds. This could happen if you are relying on an external source of funding (such as a client who pays per milestone) and the client suddenly faces a cash crunch.
4. Technology Risk
This risk includes delays arising out of software & hardware defects or the failure of an underlying service or a platform. For instance, halfway through the project you might realize the cloud service provider you are using doesn’t satisfy your performance benchmarks. Apart from this, there could be issues in the platform used to build your software or a software update of a critical tool that no longer supports some of your functions.
Ask, the risk that the project will fail to produce results consistent with project
Some Types of Risks Discussed
1. Financial Risk
What Is Financial Risk?
Financial risk is the possibility of losing money on an investment or business venture. Some more common and distinct financial risks include credit risk, liquidity risk, and operational risk.
Financial risk is a type of danger that can result in the loss of capital to interested parties.
For governments, this can mean they are unable to control monetary policy and default on bonds or other debt issues.
Corporations also face the possibility of default on debt they undertake but may also experience failure in an undertaking that causes a financial burden on the business.
Financial markets face financial risk due to various macroeconomic forces, changes to the market interest rate, and the possibility of default by sectors or large corporations.
Individuals face financial risk when they make decisions that may jeopardize their income or ability to pay a debt they have assumed.
Effects of Financial Risks
• Loss of confidence, especially if the customers suspect that there can be a bankruptcy in the near future. Customers often need assurance that the bank can be sufficiently stable to deliver on its promise.
• Loss in shareholders’ value.
• Demotivation of employees in a struggling firm as they sense increased job insecurity and few prospects of advancement.
• Movement of best staff to posts in safer companies.
• Companies are forced to sell off their profitable operations in an attempt to raise cash.
• The cost of paying for lawyers’ fees, accountants’ fees, court fees and management time increases.
Ways of mitigating Financial Risks
1. Develop a Solid Plan
One of the first steps to help entrepreneurs reduce the financial risks of a new business is to develop a business plan. This gives you an idea of whether your new business has a chance at success or will end in failure, landing you in the poorhouse.
2. Perform Quality Control Tests
You should implement customer service reviews of your products or services before offering them on a wide scale. Have a test group or beta test so you can improve them before your real launch. This will give you a greater chance of success in your venture. It helps you avoid launching a product that is going to need major work in order to be viable.
3. Keep Good Records
Establish a record-keeping system that works from the very beginning of your new enterprise. If you create a filing system and keep up with paperwork, it can save you both time and money when it’s time to pay your bills or file your taxes.
4. Limit Loans
If you must start out with a business loan, make it as low as you can comfortably manage while still providing enough capital and cushion to ensure success. To reduce your financial risk, only take out a loan if you need to, and try to keep it as low as you can. If it is possible to fund your business without loans, that would be ideal to reduce your financial risks.
5. Keep Accounts Receivable Low
In order to stay in business, you need to collect on whatever product or service you are selling. Keep track of your accounts receivable and make sure your customers are paying invoices on time. Your success or failure depends on the ability to bring the money into your cash flow.
6. Diversify Income
Whenever possible, have income from more than one source. If your business doesn’t make it, having a backup plan to keep you out of bankruptcy is good business sense.
7. Buy Insurance
Purchase insurance against death, disaster, and any other thing you feel could potentially jeopardize your business. Although it will cost you some money to buy insurance, the peace of mind it brings is well worth the cost if it protects you from losing everything.
8. Save Money
Save as much money as you can. Build up some cushion as extra “insurance” in case disaster befalls your business and you have to close shop. This means you may need to focus on improving your personal finances and having your own personal emergency fund before you start a business.
Types of Financial Risks
Credit risk, also known as default risk, is the danger associated with borrowing money. Should the borrower become unable to repay the loan, they will default. Investors affected by credit risk suffer from decreased income from loan repayments, as well as lost principal and interest. Creditors may also experience a rise in costs for collection of the debt.
Challenges to Successful Credit Risk Management
• Inefficient data management. An inability to access the right data when it’s needed causes problematic delays.
• No group-wide risk modelling framework. Without it, banks can’t generate complex, meaningful risk measures and get a big picture of group-wide risk.
• Constant rework. Analysts can’t change model parameters easily, which results in too much duplication of effort and negatively affects a bank’s efficiency ratio.
• Insufficient risk tools. Without a robust risk solution, banks can’t identify portfolio concentrations or re-grade portfolios often enough to effectively manage risk.
• Cumbersome reporting. Manual, spreadsheet-based reporting processes overburden analysts and IT.
Ways of Managing Credit Risk
• Establishing a credit policy from determining how much credit to give an on
• Dealing with late payers and non-payers
• Assessing customers’ applications for credit
• Establishing collection procedures and credit monitoring
• Security of payment of the credit
• Monitor customers’ payment records and receive credit terms
Liquidity risk occurs when an individual investor, business, or financial institution cannot meet its short-term debt obligations. The investor or entity might be unable to convert an asset into cash without giving up capital and income due to a lack of buyers or an inefficient market.
Ways of reducing Liquidity Risks
1. Identify Liquidity Risks Early
A liquidity deficit at even a single branch or institution has system-wide repercussions, so it’s paramount that your bank be prepared before a shortfall occurs. Your liquidity management process should include a forward-looking framework to project future cash flows from assets, liabilities and items not on your balance sheet. This framework should include:
• The ability to conduct risk analysis on extreme, hypothetical situations
• The maintenance of liquid assets to serve as a cushion in case of a possible shortfall
2. Monitor & Control Liquidity Regularly
Once you’ve identified and forecasted your bank’s liquidity risk, you need to actively monitor and control any risk exposures or funding needs. Ensure that your liquidity risk monitoring and control tools include the following indicators and metrics:
• Global liquidity indicators
• Business-specific liquidity indicators
• Advanced cash flow forecasting
• All relevant regulatory ratios
3. Conduct Scheduled Stress Tests
Just like any professional facility must practice for fire drills or emergency procedures, your bank needs to conduct regular financial stress tests to anticipate different potential liquidity shortfalls. Your stress tests should include both short-term and long-term scenarios that identify sources of liquidity strain and that ensure all exposures align with your established liquidity risk tolerance.
Confirm that your regularly scheduled stress tests include the following scenarios:
• Market-wide stress scenarios of individual variables
• Market-wide stress scenarios of multiple, combined variables
4. Create a Contingency Plan
Using the results of your stress tests, adjust your liquidity risk management strategies accordingly. Then, use these new policies and positions to develop a formal Contingency Funding Plan (CFP) that clearly articulates your bank’s plan for overcoming liquidity shortfalls in various emergency situations.
Hedging against investment risk
A hedge is an investment position intended to offset potential losses or gains that may be incurred by a companion investment. A hedge can be constructed from many types of financial instruments, including stocks, exchange-traded funds, insurance, forward contracts, swaps, options, gambles, many types of over-the-counter and derivative products, and futures contracts. Examples of hedging include:
• Forward exchange contract for currencies
• Currency future contracts
• Money Market Operations for currencies
• Forward Exchange Contract for interest
• Money Market Operations for interest
• Future contracts for interest
• Covered Calls on equities
• Short Straddles on equities or indexes
• Bets on elections or sporting events
A hedging strategy usually refers to the general risk management policy that a financially and physically trading firm follows to minimize its risks. As the term hedging indicates, this risk mitigation is usually done by using financial instruments, but a hedging strategy as used by commodity traders, such as large energy companies, usually refers to a business model (including both financial and physical deals).
Back-to-back (B2B) is a strategy where any open position is immediately closed, e.g. by buying the respective commodity on the spot market. This technique is often applied in the commodity market when the customers’ price is directly calculable from visible forward energy prices at the point of customer sign-up.
Tracker hedging is a pre-purchase approach in which the open position is decreased the closer the maturity date comes. For example, if you know that most consumers demand coal in winter to heat their houses, a strategy driven by a tracker would mean that you buy, e.g., half of the expected coal volume in summer, another quarter in autumn and the remaining volume in winter. The closer winter comes, the better the weather forecasts and therefore the estimate of how much coal households will demand in the coming winter.
Delta-hedging mitigates the financial risk of an option by hedging against price changes in its underlying. It is so called because delta is the first derivative of the option’s value with respect to the underlying instrument’s price. This is performed in practice by buying a derivative with an inverse price movement. It is also a type of market neutral strategy.
Risk-reversal is an option position that consists of being short (selling) an out-of-the-money put and being long (i.e. buying) an out-of-the-money call, both with the same maturity. A risk reversal is a position which simulates the profit and loss behavior of owning an underlying security; therefore it is sometimes called a synthetic long. This is an investment strategy that amounts to both buying and selling out-of-the-money options simultaneously.
Reputational risk refers to the potential for negative publicity, public perception or uncontrollable events to have an adverse impact on a company’s reputation, thereby affecting its revenue. Reputational risk strikes without warning and shifts your corporate landscape.
Effects of Reputation Risk
Loss of Trust
Bad publicity can come in the wake of an exposed lie or inaccuracy. Sometimes advertising is used to pump up businesses’ capabilities and consumers’ expectations. When an organization fails to follow through with promises, customers, employees and partners are more likely to question the truthfulness of all the organization’s current and future messages. Regaining trust can be difficult and time-consuming.
Effects on Sales
In general, bad publicity negatively affects sales and damages the long-term success of larger established businesses. Product accessibility can also decrease with bad publicity, and potential consumers might have fewer opportunities to purchase products.
Damaged Brand Equity
Brand equity can suffer long-term damage as a result of bad publicity. This is especially evident for companies that must recall their products because of safety or health hazards.
Damaged Brand Association
Brand association refers to the deep-seated attitudes and feelings a customer has toward a product or company. Changing attitudes and brand associations can take a great deal of time and can also be costly, as a company might be forced to invest in additional advertising and campaigns to correct negative attitudes. Damaged brand association also leaves room for competition to move in on a customer base, which can also reduce sales.
Managing Reputational Risk
i. Effective board oversight: Reputation risk management starts at the top. Strong board oversight on matters of strategy, policy, execution, and transparent reporting is vital to effective corporate governance, which is a powerful contributor to sustaining reputation. Ultimately governed by the board, reputational risk management may require clear accountability, leadership, and engagement across numerous teams.
ii. Integration of risk into strategy setting and business planning: The board and executive management must ensure that risk is not an afterthought to strategy setting and business planning. Reputation risk must be considered a material risk and strategic risk. Reputation risk management is inextricably linked to the company’s risk management and crisis management disciplines, as well as to the alignment of strategy and culture with the enterprise’s commitment to quality and operational excellence.
iii. Priority focus on identification of risks through stakeholders’ lens: The executive team and board of directors should ensure that there is a focus on improving stakeholder experiences. These are the accumulation of day-to-day interactions that customers, employees, suppliers, regulators, shareholders, lenders, and other stakeholders have with a company as a result of its business operations, branding, and marketing. If internalized and acted upon, they are a powerful driving force for improving and sustaining reputation within the marketplace.
iv. Effective communications, image, and brand building: Building brand recognition unique to a business is vital to market success and, when all else is working well, augments reputation. Typically, the best companies have powerful and distinctive messaging; establish accountability for results with metrics, measures and monitoring; work social media effectively; and passionately live up to their values every day.
v. Crisis planning/operational resilience/risk assessment plans/scenario planning:
Formalize a crisis response program and practice. Effective management of a crisis event can mitigate potential reputational damage. Establishing an effective crisis management framework can allow organizations to integrate the right processes, roles, and governance into existing contingency plans. Knowing when to mobilize a crisis response, how to manage decision-making, what information to communicate to which stakeholders, and how to coordinate communications across different Teams Often
vi. Strong corporate values supported by appropriate performance incentives: The executive team needs to ensure alignment of performance incentives with corporate values to shape and influence the corporate culture end to end. Also, executives and directors need to pay attention to the warning signs posted by the independent risk management function and in audit reports evidencing the possibility of dysfunctional behavior.
vii. Positive culture regarding compliance with laws, regulations, and internal policies:
Senior executives, with board oversight, should ascertain that effective internal controls over compliance matters are implemented. In addition, effective auditing and monitoring capabilities to evaluate compliance effectiveness should be in place to ensure the above capabilities are functioning as intended.
viii. Strong control environment:
A critical component of internal control, the control environment lays the foundation for a strong culture and management’s commitment to integrity and ethical values, and the oversight provided by the board of directors in carrying out its responsibilities.
ix. Early warning system:
Embedding risk sensing into an organization’s risk governance program can allow companies to continually identify emerging threats. To spot potential risks, many leading companies perform 24/7 monitoring of traditional and social media outlets as well as internal data sources. Monitoring teams can support daily reputational threat sensing as well as the organization’s crisis management response process.
Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems or policies. Examples include:
• Business interruption
• Errors or omissions by employees
• Product failure
• Health and safety
• Failure of IT systems
• Fraud
• Loss of key people
• Litigation
• Loss of suppliers
Operational risks are generally within the control of the organisation through risk assessment and risk management practices, including internal control and insurance.
Effects of Operational Risks
• Huge financial loss through internal and external fraud
• Legal costs on litigation
• Ruined reputations that can ultimately lead to the downfall of an organization
• Loss of lives and employees
• Decrease in productivity
• Loss of customers and business
Managing Operational Risks
• Clearly identified senior management to support, own and lead on risk management
• Existence and adoption of a framework for risk management that is transparent and repeatable
• Risk is actively monitored and regularly reviewed
• Management of risk is fully embedded in the management process and consistently applied
• Clear communication with all staff
• Management of risks is closely linked to the achievement of objectives.
One of the key operational risks to any organisation is business interruption. To manage this risk, organisations must have a robust Business Continuity Plan. Business Continuity Management (BCM) now embraces both the creation of a ‘non-stop’ infrastructure and operational capability, as well as recovery from operational failure.
Five key steps in Business Continuity Management:
1. Assessing and objective setting.
2. Critical process identification.
3. Business impact analysis.
4. Business continuity planning (BCP).
5. Monitoring, testing and improving.
Fraud comes in many forms but can be broken down into three categories: asset misappropriation, corruption, and financial statement fraud.
a. Asset misappropriation
These are schemes in which an employee steals or exploits their organization’s resources. Examples of asset misappropriation are stealing cash before or after it has been recorded, making false expense reimbursement claims, and/or taking non-cash assets of the organization.
b. Financial statement fraud
These are schemes that involve omitting or intentionally misstating information in the company’s financial reports. This can be in the form of fictitious revenues, hidden liabilities or inflated assets.
c. Corruption
Corruption schemes happen when employees use their influence in business transactions for their benefit while violating their duty to the employer. Examples of corruption are bribery, extortion, and conflict of interest.
i. Know Your Employees
Fraud perpetrators often display behavioural traits that can indicate the intention to commit fraud. Observing and listening to employees can help you identify potential fraud risk. It is important for management to be involved with their employees and take time to get to know them.
ii. Make Employees Aware/Set up Reporting System
Awareness affects all employees. Everyone within the organization should be aware of the fraud risk policy including types of fraud and the consequences associated with them. Those who are planning to commit fraud will know that management is watching and will hopefully be deterred by this.
iii. Implement Internal Controls
Internal controls are the plans and/or programs implemented to safeguard your company’s assets, ensure the integrity of its accounting records, and deter and detect fraud and theft. Segregation of duties is an important component of internal control that can reduce the risk of fraud from occurring. Documentation is another internal control that can help reduce fraud. Consider the example above; if sales receipts and preparation of the bank deposit are documented in the books, the business owner can look at the documentation daily or weekly to verify that the receipts were deposited into the bank.
iv. Live the Corporate Culture
A positive work environment can prevent employee fraud and theft. There should be a clear organizational structure, written policies and procedures and fair employment practices.
v. An open-door policy can also provide a great fraud prevention system as it gives employees open lines of communication with management.
vi. Monitor your data. In the past, this meant monitoring transactional data to proactively identify anomalies indicative of fraud. Now, however, fraud can be committed in a variety of ways, including uploading sensitive data to the “cloud,” emailing company information, and saving sensitive information on a smartphone or sharing via social media. It’s essential to safeguard your company’s information to ensure it is not shared outside of your business in a malicious manner. Monitoring technology that promptly notifies you when company data is leaving the office, or when shared online, is readily available. Talk with your data security professional for the appropriate solution to monitor and secure your sensitive data.
vii. Establish proactive communication with employees around fraud.
Hold regular training on fraud and ethical behavior in the workplace and establish a chain of command in dealing with suspected fraudulent activity so that your employees are well-equipped to deal with any ethical dilemmas.
viii. Implement company policies on confidentiality and nondisclosure.
Upon hiring, employees should be given information on confidentiality policies they must sign and agree to. If an employee violates the company policy, they should know that there will be consequences. If an employee leaves the organization, enforce agreed-upon nondisclosure terms.
ix. Set up a whistle blower hotline.
Whistle blower hotlines often generate a wide range of reports – implement a few guiding principles around the type of matters that get reported to the audit committee, including significant deficiencies in internal control, senior management malfeasance, accounting irregularities, theft and financial losses, and broad deviations from the organization’s anti-fraud policies.
x. Hire the right people.
Thorough vetting of new hires remains critical. All too often, the unfounded belief a former employer won’t share anything of value keeps references from being checked – but if you don’t ask, you will never know. Pick up the phone and check those references.
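The documentation review described under "Implement Internal Controls" can be run as a simple daily check. The following is an added example, not part of the original notes: it reconciles recorded sales receipts against bank deposits and flags days where the same person recorded the receipts and prepared the deposit. The records, employee names and finding labels are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records (assumed format): (date, amount, employee).
RECEIPTS = [
    ("2024-03-04", "120.00", "alice"),
    ("2024-03-04", "80.50", "alice"),
    ("2024-03-05", "200.00", "bob"),
    ("2024-03-05", "45.25", "carol"),
    ("2024-03-06", "310.00", "alice"),
    ("2024-03-07", "95.00", "bob"),
]
DEPOSITS = [
    ("2024-03-04", "200.50", "dave"),   # matches receipts, different preparer
    ("2024-03-05", "215.25", "dave"),   # 30.00 less than the receipts
    ("2024-03-06", "310.00", "alice"),  # matches, but alice did both duties
    # no deposit recorded for 2024-03-07
]


def review_cash_handling(receipts, deposits):
    """Return (date, finding, detail) tuples, ordered by date, for the reviewer."""
    received, recorders = defaultdict(Decimal), defaultdict(set)
    for day, amount, who in receipts:
        received[day] += Decimal(amount)   # Decimal avoids float rounding on money
        recorders[day].add(who)

    deposited, preparers = defaultdict(Decimal), defaultdict(set)
    for day, amount, who in deposits:
        deposited[day] += Decimal(amount)
        preparers[day].add(who)

    findings = []
    for day in sorted(set(received) | set(deposited)):
        if day not in deposited:
            # Receipts were recorded but nothing reached the bank that day.
            findings.append((day, "NO_DEPOSIT", str(received[day])))
            continue
        gap = received[day] - deposited[day]
        if gap != 0:
            # Positive gap: less was deposited than was received.
            findings.append((day, "AMOUNT_MISMATCH", str(gap)))
        overlap = recorders[day] & preparers[day]
        if overlap:
            # Segregation of duties: one person should not perform both steps.
            findings.append(
                (day, "DUTIES_NOT_SEGREGATED", ",".join(sorted(overlap)))
            )
    return findings


if __name__ == "__main__":
    for day, finding, detail in review_cash_handling(RECEIPTS, DEPOSITS):
        print(day, finding, detail)
```

A day with matching totals can still be flagged, because a single person controlling both the receipt record and the deposit can make the two agree while hiding a theft.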
4. Legal risk/Regulatory Risks
This is the potential loss that a company or individual could face as the result of a legal issue. It could be a claim made against them, a change in the law or failure to take the proper legal measures to protect themselves.
Types of legal risk
There are four types of legal risk. Legal risk arises from contracts, regulations, litigation, and structural changes to the market.
Contracts create business relationships that channel money into an organization as revenue and out of an organization as expenses. Contracts can relate to assets and liabilities. Contract risk threatens organizational health quietly and chronically.
Identifying contract risk requires examination of the contract from both the counterparty’s perspective as well as your organization’s perspective. Contracts cut both ways. Either party can breach. To uncover the risk associated with a single contract, examine each major provision (performance obligations) and ask, “What happens if we breach this provision and what happens if the other party breaches this provision?” The list of contract risks will quickly grow.
Employee conduct, intellectual property ownership, business practices, and more produce lawsuits. Litigation risk receives the lion’s share of attention in the media and in the boardroom. Litigation is not necessarily the most pernicious legal risk.
Prior to litigation, we need to identify the areas of uncertainty that affect our objectives.
Risk management is not fortune telling. Instead, we want to narrow the possible outcomes from particular events.
Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.
For good or ill, government regulations infect every sector of the economy. Those regulations set standards of care, impose requirements, demand reports and filings. With each regulation comes the risk of a fine, penalty, or injunction to inspire compliance. Some regulations cross industries, such as tax, and labour and employment. Regulations can focus on specific practices, such as clinical trials, consumer product protection, or financial disclosures.
Structural changes to the market typically come from sweeping statutory changes.
Managing Legal Risks
Define legal risk and its boundaries with other risk areas
Assess legal risk using a robust framework informed by data and scenario planning
Define legal risk appetite at an individual risk and organization-wide level, prioritizing and focusing resources on risk management activities effectively
Apply the appropriate model to ensure appropriate accountability, independence and assurance over legal risks
Report legal risks and the effectiveness of controls to the board and appropriate committees against a clear risk framework
Include objective key risk indicators in their reporting
Use technology in the management of legal risk to provide broader risk and control oversight and visibility across the organization.
Example of Regulatory Risk
Occupational risk, specifically, deals with the probability of injury or illness occurring as a result of hazards within the workplace. Some examples of safety hazards include the operation of moving parts or vehicles, functioning in slippery or entangled conditions, or working with explosive materials.
Effects of Occupational Risks - The effects of such occupational hazards are trauma, sometimes post-traumatic stress disorder (PTSD), anxiety disorders, depression, loss of dignity, suicide attempts, lowered self-esteem, loss of trust from men, early aging, loss of freedom (autonomy), absenteeism, injuries, disability.
Risk Management process of Occupational Risks involves several activities, namely:
Identification of exposed workers – particular attention should be given to:
workers with special needs, such as pregnant women, young workers, aging workers and workers with disabilities;
maintenance workers, cleaners, contractors and visitors;
Characterization of tasks, work equipment, materials, and work procedures;
Identification and characterization of safety measures in use;
Identification of work accidents and occupational diseases related with the workplace in analysis; and
Identification of legislation, standards or company regulations related to the workplace in analysis.
Several means can be used to support these activities. For instance:
Direct observation while the job is being performed – walkthrough;
Interviews with workers and managers;
Check work accidents and occupational diseases records;
Check equipment/machine technical data;
Examine material safety data sheets regarding chemical substances used in workplace;
Consider legislation, standards and company regulations applicable to the workplace under study.
Strategic risk is the risk that failed business decisions may pose to a company. Strategic risk is often a major factor in determining a company’s worth, particularly observable if the company experiences a sharp decline in a short period of time.
Strategic risks are those that arise from the fundamental decisions that directors take concerning an organisation’s objectives. Essentially, strategic risks are the risks of failing to achieve these business objectives.
They include risks associated with developing and marketing those products or services, economic risks affecting product sales and costs, and risks arising from changes in the technological environment which impact on sales and production.
Sources of strategic risk can be any of the following:
Mergers, acquisitions and other competition
Market or industry changes
Changes among customers or in demand
Human resource issues, such as staffing
Financial issues with cash flow, capital or cost pressures
IT disasters and equipment failure
Relationship issues, e.g. with suppliers
Strategies for identifying strategic risk
There are many different strategies you can use to identify strategic risk.
i. Brainstorm in a group
Brainstorming involves a group of people working together to identify potential risks, failure modes, and hazards. Often these sessions involve discussions around risk causes and options for risk treatment. Brainstorming is a popular way to identify risk in addition to key controls.
ii. Conduct a team-based exercise
Many companies conduct team-based exercises to get participants thinking about risks.
SWIFT (Structured What If Technique) is a popular choice that involves a facilitator using a list of prompt phrases to encourage participants to identify risk.
iii. Interview key stakeholders
You can conduct an interview with select people to ask others for their perspectives.
Structured interviews are often used when designing the risk management framework, and involve consultations with key stakeholders. An interview is a good option if you need to assess risk appetite within the company.
iv. Send out a survey
Similar to structured interviews, although involving a larger number of people, surveys can also be used to gather different perspectives on risk and control effectiveness. For example, if you want to assess a company’s risk culture, you can send surveys to assess the internal control environment. Many companies send surveys on an annual basis to assess staff understanding of key risk and governance policies and procedures.
v. Use different types of analyses
a. Scenario analysis - an approach where participants receive a story or description of a future event, and reflect on the potential consequence and causes of the risk. Scenario analyses are useful for identifying opportunities for fraud within the company.
b. Fault Tree Analysis - a technique used for analysing factors that contribute to an undesired event. For example, if a company is working to improve customer service, fault tree analysis allows you to state the objective in reverse (“How can we annoy our customers?”), and prompts participants to identify potential causes that would annoy customers.
c. Bow tie analysis - a diagrammatic approach that is used to describe, link, and analyze the pathways of risk from causes to consequences.
d. Incident analysis - a technique used to identify problems that occurred within a company, analyze the frequency of occurrence, and uncover the root cause(s).
Managing Strategic Risks – Practical
Increasing the frequency and budget for monitoring and managing strategic risks
Continuous monitoring of strategic risks
Increased executive staffing assigned to managing strategic risks
Set policy for social media for personal use and provide sessions to educate [employees] about risks (restrict [internal use of] social media outlets and regularly monitor for appropriate usage of information)
Come up with a conduct risk framework - have a program of values training
Create new focus on gathering data and appreciating external perspectives from “outside” sources, including customers, bloggers, information trend setters, and marketplace and security analysts
Learning from other companies and industries - to see how they are identifying certain risks and how they are performing a risk assessment.
Example of Strategic Risk
Competitive Risk is a probability, a chance that your competitor’s actions will negatively affect your business. The term signifies the potential losses your firm or organization may experience because of the competitive forces of other businesses in your field. Oftentimes, especially if a business is operating in the conditions of a healthy competitive market, competitive risks may actually result in numerous improvements such as better quality control, cost reductions, improved product quality, and so on.
There are many factors that might influence the competitive risk, for instance, competitor’s innovations, pricing, available resources, favorable location, efficient distribution, and effective promotion.
Managing Competitive Risks
i. Set up a team.
Select key people from each of your company departments – risk management, marketing, human resources, finance, IT and legal. Invite external experts and your suppliers. Form a competitive-risk assessment team that works to help the company to comprehend the extent of competitive risks it faces.
ii. Identify your competitors.
Locate other businesses in the same segment. Gather information regarding their products and future from information available in the public domain. Study the areas of their research and how much they have invested. Evaluate whether these competitors pose a threat to your market position.
iii. Develop new technology.
Invest more in research and development activities. Keep track of developments taking place in your primary field and in other closely associated areas. Anticipate where the future is headed. Develop newer products with significant value addition over the competition.
iv. Focus on customers.
Develop feedback mechanisms to keep track of customer expectations. Before you decide on a new product to develop, check if it’s going to satisfy consumers’ needs. View your product through the eyes of the person who’s going to buy it. Determine what you need to include in order to make sure people prefer your product over your competitor’s. Maintain balance between technological development and customer
v. Monitor market dynamics.
Be on the lookout for risks that can translate into business opportunities. In most cases, the more profitable the activity, the greater the level of risk. Get your team to brainstorm and come up with ideas to turn risk into profit. Discuss worst-case scenarios and come up with strategies to handle them.
SOURCES OF RISKS
Risk sources are fundamental drivers that cause risks in a project or organization. There are many sources of risks, both internal and external to a project. Risk sources identify where risks can originate.
1. Project size and complexity - effort hours, calendar, time, estimated budget, team size, number of resources, number of sites, number of business units, number of system interfaces, number of dependencies on other projects, number of dependencies on other systems
2. Requirements - Complex requirements, unrealistic performance standards
3. Change impact - Replacement or new system, impact on business policies, impact on business processes, impact on organizational structure, impact on system operations
4. Organization strategy - Changes to project objectives, lack of priorities, lack of project management “buy-in” and support, inadequate project funding
5. Stakeholder involvement - All key stakeholders not identified, missing “buy-in” from a key stakeholder, stakeholder needs not completely identified, key stakeholders not fully engaged
6. Schedule - Estimate assumptions are not holding true, schedule contingency is not adequate
7. Technology - Missing technical data, use of unproven technology, use of non-standard technology
8. Vendors and suppliers - Contract types, risk-reward elements, procurement process, experience with vendor/supplier
9. Project management - Lack of experience, poor leadership, poor communications, lack of contingency plans, inadequate risk management.
OUTCOME OF RISKS
1. Poor User Adoption - poor results/underperformance
User adoption refers to the process of getting your team members to actually follow a process, use the tools you have mandated and stick to the methodology. If they don’t do this, you’ll have poor results because your colleagues are not working to a standard, best practice way of managing risk.
2. Unrealized Benefits
Risks can kill a project’s benefits overnight, or they could be slowly eaten away through inefficient management practices. When your team isn’t working efficiently, every additional admin task adds cost and time to your project, which in turn has an impact on how quickly your benefits can be delivered – if they are delivered at all.
3. Late-running Projects
Unforeseen risks can significantly slow down a project because it takes time to understand them, analyse them and prepare management plans to monitor, act on and track them.
Delays can also happen when risk management activities take longer than you expected and they push out other activities on the project schedule.
4. Overspent Budgets
Risk management costs money. However, the cost of dealing with poor risk management, if a risk materializes and becomes a real issue for your business, is normally far, far more. Budget overruns happen when risks and the associated actions related to managing them effectively aren’t budgeted for. Overspends are also common when a risk isn’t identified at all – and then the project team has to find money from somewhere to do something about it before the project falters.
5. Unhappy Clients
Clients don’t want to be involved in something that is perceived to be high risk. They need to know what you are doing to mitigate any potential threats and that you’ve got a sensible Plan B in place.
6. Reputational Damage
Your clients need to have confidence that you are effective at handling risk. This leads on from the point above: dissatisfied customers are a huge risk to your organization’s reputation. One bad review can have far-reaching implications for future work.
7. Project Failure
Ultimately, the worst case scenario for failing to adequately manage risk is that your project fails. It never completes or never delivers anything of value. The objectives in the business case aren’t reached and you waste all that investment in time and effort that has gone into your project to date.
EFFECTS OF RISKS
i. Product or project failure – It’s a story as old as business itself. A new business opens its doors or a company unveils a new product to much fanfare just to see it flame out in short order.
ii. Loss of profits, financial loss – Risks lead to some sort of financial loss, be it in the form of fines, lost sales, or even lower share values.
iii. Fines/legal suits – Not having a formal risk management process in place puts your organization at risk of fines or sanctions from state and even industry-specific regulatory bodies. On an operational level, companies that do not evaluate risks associated with innovations or general operations will fail to spot hazards and take steps to avoid them. This translates to huge losses of money for compensation and paying law firms.
iv. Employee Turnover – It is completely normal for a certain number of employees to leave an organization. This can occur for several reasons, both personal and professional; however, when there is a high rate of employee turnover, there are likely other factors in play. Not identifying the risks associated with talent retention, and not properly managing those risks, could lead to a higher rate of employee turnover, which of course hinders your ability to meet goals and creates more expense for recruiting new talent.
v. Customer Dissatisfaction – Customers (…or donors or volunteers in the context of a non-profit) are what keeps the lights on at any organization. If there is dissatisfaction for any reason, they will pick up and move their business to a competitor, and they are likely to be vocal about the situation on social media. Rebuilding that trust can take a long time depending on the situation.
A company that does not consider risks that can affect its customers is setting itself up for trouble.
vi. Missed Opportunities – Not identifying threats and opportunities to achieving business objectives can also lead to missed opportunities. While this may not seem like a big deal on the surface, missing opportunities can lead to a loss of market share and
vii. Negative or Damaged Reputation – This consequence of ignoring risk management is similar to customer dissatisfaction, but its impact is more significant since it usually involves nefarious activities within an organization instead of a mere mishap.
viii. Business Failure – You can say business failure is the culmination of all of the others: damaged reputation, product failures, and financial loss can all cascade and force a company into the worst position, having to close its doors.