BSCI271 - SU - E5 Risk Management Notes 2025

The document outlines the fundamentals of risk management within organizations, detailing the risk management framework, process, structures, and culture. It emphasizes the importance of identifying, evaluating, and mitigating risks while establishing a risk-aware culture across all management levels. Additionally, it provides guidance on the roles and responsibilities in risk management and the steps involved in creating an effective risk management strategy.

Uploaded by

sechabatlake981

BSCI 271

Risk Management
SU - E5

Picture Source: https://unsplash.com/photos/Zdf3zn5XXtU


Learning outcomes
On completion of this SE5 you should be able to:

SUE5 Risk management: fundamentals

• Reflect on and discuss risk and risk management as well as the nature thereof within organisations (Y1.3, 1.4 & 1.7)
• In respect of an enterprise risk management framework (Y2.3), reflect on and discuss the:
  • Risk management strategy (Y2.3.1 & Y2.2.2);
  • Risk management process (Y2.3.2);
  • Risk management structure (Y2.3.3); and
  • Risk management culture (Y2.3.5).
• Evaluate and make proposals regarding an organisation’s risk management framework, process, structures and culture.

SUE5 Risk management process

• Discuss the various elements in the risk management process (Y2.3.2).
• Make proposals regarding an organisation’s risk mitigating controls (Y6.2 & Y6.4)
• Identify and evaluate risks within a problem statement/case study (Y4)

Study material

Operational risk management - Young (3rd edition)

We will look at specific sections of chapters 1, 2, 4, 5 and 6


Risk: basic principles

The uncertainty that an event could cause positive or negative results if it occurs – Young, Par 1.2

measured in terms of impact (low to high) and likelihood (low to high)

Organisations are potentially confronted with various types of risks to (Y1.4)

[Figure: axes labelled expected return and risk]

Standards, benchmarks or guidance for organisations to manage risk management (Y1.7, general awareness for 1 or 2 marks each), e.g.:
• Basel (Banking industry)
• COSO (United States)
• King (South Africa)
• Sarbanes-Oxley (United States)

Classification of risks (Y1.4)
• Financial risks – risk exposures that will lead to a direct financial loss & negatively influence profitability
• Non-financial risks – risk exposures that could negatively influence the operations & ultimately incur losses of a quantitative or qualitative nature, indirectly influencing profitability.

Risk management framework

Risk management framework – the combination of an organisation’s attitude, procedures and actions in response to the various types of risks it is exposed to, detailed in its risk management strategy, process, structures and culture.

Risk management framework (Y2.3)

• risk management strategy (Y2.3.1) – sets out the overall mission, goals & objectives for managing risks linked to stakeholder value
• risk management process (Y2.3.2) – the components of a risk management process to be followed when managing risk exposures
• risk management structure (Y2.3.3) – the governance structures for risk management, & roles & responsibilities for managing risks in each business unit
• risk management culture (Y2.3.4) – the value adding activities & the main principles for managing risks

Risk management strategy
Risk management strategy – approach to, planning and activities implemented by an organisation to manage risk

5 Steps
Risk management strategy process (Y2.3.1)
• Collate data – collate data regarding business strategy & objectives, understand risk management requirements, including resources, & mitigation tools. Draw risk profile.
• Evaluate data – draw a risk profile, indicating the likelihood of occurrence & impact
• Risk appetite (Y2.3.2) – determine the business tolerance for potential loss due to risk
• Formulate risk management objectives (e.g. cost v benefit, time frame, CSFs & KPIs) – determine the short, medium & long term objectives for managing risks. Formulate short term objectives. Action plans
• Monitoring and reporting – continuous monitoring of the execution of the risk management action plan. Continuous identification & evaluation of risk exposure, and the adequacy of controls.

Risk management strategy (Y2.3.1)

Risk management process

Risk management process – steps, actions and procedures during which specific
risks to the organisation are identified and addressed
Risk management process = structured activities providing management assurance that all risks are being managed

5 Steps
Risk management process (Y2.3.2)
• Risk identification (Y2.3.2) – define and understand the nature of the risk that is faced. Commitment to risk management. Acknowledging risk exposure (please note that Young chapter 4 specifically deals with operational risk identification. This chapter can assist to gain perspective for discussion type questions on risk identification)
• Risk evaluation / assessment (Y2.3.2 & Y5.3.1) – assessment & measurement of the identified risk exposures. Quantification of exposure, its potential & severity
• Implementing appropriate controls (Y2.3.2; Y6.2 & Y6.4) – application of techniques to reduce the probability of loss.
• Risk financing – financially providing for the consequences of risk, e.g. insurance or risk-based pricing
• Risk monitoring – ensuring the effectiveness of the risk management system & techniques applied. May use on-going system testing or auditing.

Risk management process
Generic responses to risk – Key risk mitigating decisions (Y6.2)

Figure 6.2 – TARA fw (impact, minor to major / low to high, against likelihood, unlikely to almost certain / low to high):
• Transfer (major impact, unlikely) – transfer risk to 3rd party, e.g. insurance policy
• Avoid (major impact, almost certain) – avoid business decisions that could result in unacceptable losses
• Accept (minor impact, unlikely) – accept consequence of risk event
• Reduce (minor impact, almost certain) – develop and implement control measures to prevent or minimise losses

Caution on generic responses / apply to scenario


Risk management structures

Risk management structures – an organisation’s structures to govern its risk management framework, including an assignment of roles and responsibilities (Y2.3.3)
• senior management
• risk management (specialists)
• business/operational management
• risk compliance and monitoring functions

Risk management is the responsibility of all levels of management. These levels can be split into 3 main levels (Y2.3.3):
• top management – Board of directors should ensure that appropriate corporate governance frameworks are established & operating, and that a risk management committee exists,
• risk management group – responsible for setting policies & strategies & for monitoring,
• business management – responsible for risk management within the various units. Creating a culture of risk awareness.

Risk management structures (Y2.3.3)

Risk management culture
Risk management culture – the corporate or organisational shared values in respect of
managing risks (Y2.3.5)

Risk management culture must be established throughout the organisation to ensure the
active involvement of all employees.
Risk management culture

In addition to the above shared values, additional features of a successful risk culture may include (Y2.3.5):

• Adequate risk management skills & knowledge,
• Transparent & timely risk information available at the required management levels,
• A commitment to ethical principles by all employees,
• A consistent attitude from top management regarding risk taking & risk avoidance,
• Clear accountability & ownership of risks & risk areas,
• Effective risk reporting & constantly learning from experience,
• Appropriate risk taking behaviour.

Risk management

• Risk Identification & Evaluation (Y4.2 + Y4.4)
• Risk Mitigating Controls (Y6.2 + Y6.4)


Process for Risk Identification (Y4.2)
Risk identification – Identification of various vulnerabilities created by
employees, internal processes and systems, and external events (Y4.2)

The Upside & Downside of Risk (Y4.2.1)

= Continuous process

Figure 4.2 (Young)


Risk Identification Procedures (Y4.4)

Figure 4.3 (Young)


Risk Mitigating controls (Y6.2)
Entails the activity that is aimed at prevention of losses, the minimisation of the
consequences of losses that may arise from any risks facing an organisation, and
the handling of an adverse event in advance or as it occurs.

Preventive controls – to prevent a loss event from occurring, e.g. segregation of duties to avoid fraud & errors by employees

Detective controls – ensures that a loss event is identified as soon as it occurs, in order to control the effect on the organisation, to avoid re-occurrence, e.g. Quality Assurance (Think of IT controls)

Contingency controls – to ensure the sustainability of the organisation or business area once a risk event has occurred, e.g. a back-up site for an IT system

Risk Mitigating controls (Y6.2)

reduce

Figure 6.2 (Young)


Pillars of Risk control (Y6.4)

Figure 6.4 (Young)


Any questions ??
Source: https://unsplash.com/photos/nN5L5GXKFz8
