BBK3253 | Risk Management

Prepared by Khairul Anuar

Lecture 4: Internal and External Risk; Risk Management & Corporate Governance; Diversifiable & Non-diversifiable Risk

www.notes638.wordpress.com

Upload: vanhuong

Post on 12-Feb-2018


Risk Environment and Context

• The first step in managing risk is to scan all factors contributing to the environment in which risk has to be managed.

• Normally, the factors are divided into two: external and internal factors.


External Factors

• Establishing the external factors involves familiarisation with:

1. Laws and Regulations

• Laws and regulations can affect the capability of an organisation to achieve its objectives and targets. For example, some laws and regulations may prevent the organisation from doing certain things that it normally does. On the other hand, some laws and regulations can benefit the organisation.

2. Economy

• Some countries may have very volatile economies, which can affect the market, while other countries may have a mature economic environment. Other effects such as the economic cycle, inflation and unemployment will have an impact on businesses.


External Factors

3. Corporate Governance Requirements

• In Malaysia, the Securities Commission Malaysia has released the Malaysian Code on Corporate Governance (MCCG); this is to be implemented by companies listed in the Bursa Malaysia to foster a strong culture of corporate governance. All organisations listed under the Bursa Malaysia are required to comply with the MCCG.

4. Government

• Many organisations have relationships with government bodies such as ministries, which they are dependent on in terms of policies, financing and operations.


External Factors

5. Stakeholders’ Expectations

• Most organisations have a number of interdependencies which impact the organisation’s risk management. These interdependencies are called the extended enterprise.

• Some examples of interdependencies include government bodies, partner organisations, customers, contractors, suppliers, employees and others.

• Stakeholders’ expectations may affect the way we normally deal with specific risks. They may be unwilling to accept the risk management actions which appear effective for the organisation.

• It is quite common for organisations to overlook stakeholders’ expectations when managing risks.


Internal Factors

• Once you are familiar with the external factors, you need to assess the internal factors which involves understanding the following:

1. Organisation’s capabilities in terms of resources and knowledge;

2. Internal stakeholders;

3. Objectives and the organization’s strategies to achieve them;

4. Values and cultures;

5. Policies and processes; and

6. Governance structure, business structure, roles and accountabilities.


Corporate Governance in Malaysia

• Risk management is incorporated into the Malaysian Code on Corporate Governance (MCCG).

• MCCG is issued by the Securities Commission Malaysia to strengthen the corporate governance culture among public listed companies.

• The latest issuance in 2012 is focused on strengthening the structure and composition of the Board.


Corporate Governance in Malaysia


Corporate governance:

1. Is an obligation placed on the board of an organisation; and

2. It ensures stakeholders’ confidence in the ability of the organisation to achieve outcomes (revenue, profit, market share, etc.).

• MCCG is compulsory for companies listed under Bursa Malaysia.

• However, other organisations are encouraged to adopt the principles and recommendations of the MCCG 2012. This is to ensure those companies achieve the desired financial target and are sustainable.

Corporate Governance Principles and Recommendation

• The MCCG has identified 8 principles of good corporate governance culture.

• Along with the principles, it has addressed several recommendations to be implemented by the Board of Directors (BOD) and management team of an organisation.

Corporate Governance Principles and Recommendation

Principle 1: Establishing clear roles and responsibilities;

Principle 2: Strengthening composition;

Principle 3: Reinforcing independence;

Principle 4: Fostering commitment;

Principle 5: Upholding integrity in financial reporting;

Principle 6: Recognising and managing risk;

Principle 7: Ensuring timely and high quality disclosure; and

Principle 8: Strengthening the relationship between company and shareholder.

Implementation of Principle 6: Recognising and Managing Risk

• Principle 6 is related to risk management in which it requires the BOD of an organisation to establish a sound framework to manage risk.

“Risk management framework and internal controls system

The board is required to establish a sound framework to determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks.”

• In doing so, the BOD has to ensure that the organisation’s risks are being identified, assessed and monitored actively to safeguard shareholders’ investments and the organisation’s assets.

• The BOD also needs to disclose in the annual report the main features of the organisation’s risk management framework.


Principle 6 : RECOGNISE AND MANAGE RISKS


Recommendation 6.1

The board should establish a sound framework to manage risks.

Commentary

• The board should determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets.

• Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company’s internal controls system.

• Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust.

• The board should disclose in the annual report the main features of the company’s risk management framework and internal controls system.


Principle 6 : RECOGNISE AND MANAGE RISKS

Recommendation 6.2

The board should establish an internal audit function which reports directly to the Audit Committee.

Commentary

The board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the

Evaluation of Compliance

• It is common for the BOD to establish a risk and compliance committee with responsibilities to:

(a) Oversee the risk profile;

(b) Make its annual declaration on risk; and

(c) Approve policies and processes for managing risk.

• The committee has free access to senior management, risk and financial control personnel in carrying out its duties.

Implementation of Principle 6: Recognising and Managing Risk

• Figure 1.5 illustrates the interrelation between corporate governance, risk management and the risk assessment process.

Interrelation between corporate governance, risk management and the risk assessment process

Figure 1: The interrelation between corporate governance, risk management and the risk assessment process. Source: Chapman (2013)

• The Board of Directors (BOD) faces the challenging task of effectively overseeing the organisation’s enterprise-wide risk management to balance the way risks are being managed and to add value to the organisation.

• In principle, risk oversight is the role of the BOD. However, many approaches to risk oversight fail to link risks to strategic business objectives.

• Figure 2 shows an example of an effective risk oversight structure, that of Smiths Group plc.

Effective Risk Oversight


Figure 2: Example of effective risk oversight structure

Source: http://www.smiths.com

Effective Risk Oversight – Smiths Group plc


Managing risk

The diagram summarises how Smiths Plc manages risk:

• The Board has ultimate responsibility for our risk management policies and for ensuring we have an effective system of internal control.

• The executive and operational management assess the risks facing our businesses and respectively create and implement our risk management policies.

• The Audit Committee ensures appropriate oversight of risk management and is supported by our internal audit function, which tests the effectiveness of our controls and identifies areas for improvement.


Pure Risk & Speculative Risk

Pure risk – a condition where there are 2 possible outcomes:

a. A chance of loss, or

b. No loss

• Hence, there is no possibility of a gain.

• Examples – flood, road accident, unemployment, illness and death.

• There is no opportunity for the people who are directly affected to gain from this outcome.

Speculative risk – a situation where there are 3 possible outcomes – a chance of loss, no loss, or a gain.

• Example – an investor who invests in shares of a company faces speculative risk, as there is a chance that he may gain or lose from the investment depending on the future price of the shares.

• Other examples – starting a new business, investing in commodities.

• Insurance companies only insure pure risks, not speculative risks.

• With pure risk, people generally try to minimise the probability of its occurrence.

• With speculative risk, people are more willing to assume the risk because there is a chance of gain.


Systematic & Unsystematic Risk

• Systematic risk arises on account of economy-wide uncertainties and the tendency of individual securities to move together with changes in the market. This part of risk cannot be reduced through diversification. It is also known as market risk.

• It includes such things as changes in GDP, inflation, interest rates, etc.

• Unsystematic risk arises from the unique uncertainties of individual securities. Unsystematic risk can be totally reduced through diversification. It is also known as unique risk and asset-specific risk.

• It includes such things as labor strikes, part shortages, etc.


Diversifiable & Non-diversifiable Risk

Diversifiable risks – risks that involve only a small proportion of people from a relatively large group, and can be reduced by diversification. This type of risk does not involve the whole population or economy.

• Example – investing in only one type of stock is riskier compared to a portfolio of 20 different stocks from various industries.

Non-diversifiable risks – risks that involve a large number of people or the whole economy.

• Example – a stock market crash, inflation, natural disasters such as earthquakes.


Diversification and risk


Insurable & Non-insurable Risk

• Risks that are insurable are pure risks, i.e. those that involve a chance of loss or no loss.

• Non-insurable risks are those that involve speculative risks (when a gain is one of the outcomes) and also non-diversifiable risks (i.e. when the risk involves the whole economy or a large number of people).

• Insurability of a risk depends on whether it is a pure or speculative risk, and whether it is a diversifiable or non-diversifiable risk.


Case Study – UMW Holdings Berhad


(a) First Line of Defence

The first line of defence is provided by senior management. Management Committee members, Heads of Operating Companies and Heads of Corporate Divisions are accountable for all risks and internal controls assumed under their respective areas of responsibility. Senior management is also responsible for creating a risk-awareness culture, which will ensure greater understanding of the importance of risk management and internal control whilst ensuring its principles are embedded in key operational processes and in all projects.

(b) Second Line of Defence

The second line of defence is provided by the Risk Management, Compliance and Integrity functions. These functions are responsible for monitoring the risk management and internal control activities in the Group to ensure effective implementation and compliance with the Group’s policies and guidelines.

Case Study – UMW Holdings Berhad

(c) Third Line of Defence

The third line of defence is provided by the Group Internal Audit Division (“GIAD”). GIAD provides independent assurance of the adequacy and reliability of the risk management processes and system of internal control, and ensures compliance with risk-related regulatory requirements.