cgma - risk questions print

7/27/2019 CGMA - Risk Questions Print

1/14

Risk questions

a CGMA should ask relating

to process innovation

CGMA

tools


2/14

Risk questions a CGMA hld a rlag prc va2

tw wr m prg accg b, AiCPA a CiMA, av rma j vr ab Carr Gba Maagm AccasM (CGMA)ga va a b rcg pr maagm accg.t raa ga rcg m a a cmm maagm

acca w cp a rv rg b prrmac. CGMAga r ar r CPA w ayg maagm accg xprcr aca r w mmbr Carr i Maagm Acca.


3/14


Risk questions A CGMA should AskRelAtinG to PRoCess innoVAtion

Innovation is widely regarded as an important driver o business value. Yet thedrivers are many and can be aected by global events, regional occurrences,industry specic regulations or unique corporate/organisational challenges.

Process innovation is about doing things a better way;

either through developing new processes and deliverymethods or nding radically dierent ways o doingbusiness. This can be as simple as redening a keystep within a manuacturing unction, or as complex

as a complete restructuring o the organisation.

Technology is oten the change trigger, an examplebeing the game-changing eect o e-commerce upon

book and music retail.

There is no doubt that innovation is exciting and has

great potential or increasing competitive advantage but as CGMAs we need to understand both sides othe story. What are the key risks that a new processbrings to your organisation? How can YOU achieve

the greatest eciency benet while at the same timeensuring that you have addressed the related risk

actors? This paper sets out a ramework or CGMAsto work through, identiying the key questions that will

enable your organisation to establish a risk appropriatelevel o innovation.

An organisations tolerance or risk, as dened by

COSO1 is:

...the acceptable level o variation in perormancerelative to the achievement o objectives.

Setting tolerance levels in support o strategic

objectives is:

...a precondition or determining risk response andrelated control activities.

This includes ocusing the objectives in the areas ooperations, external nancial reporting, external non-

nancial reporting, internal reporting and compliance.

How can we encourage the building o value throughinnovation, while managing the associated risk?

Although risk is a subjective area, heavily infuencedby organisational risk appetite and culture, theollowing approach will help CGMAs map risk and

identiy broad risk response areas. A more specicresponse can then be developed using internalknowledge.

Risk category Examples

Operational risks relating to the activities carried outwithin an organisation. May include systems, people,

products and processes.

Business interruption during implementation Human error

Process design ailure

Financial risks can sometimes be outside anorganisations control, but can oten be infuencedby its actions.

Th t o xhg t ttio ooverseas operations

Hvig iit h to t obigtio

Environmental risks arising rom changes in the political,economic, social and nancial environment. Includesstrategic risk.

Game-changing competitor innovation Natural disaster aecting supply chain Poorly inormed senior management decisions

Organisational risks relating to the behaviour oindividuals and groups within the business.

Failure to consider the impact o process changeupon sta

Reputational risks aecting the way in which theorganisation is viewed by its stakeholders.

Unoreseen operational issues leading to losso customers and market share


4/14


The rst step is to identiy the risks that can be

addressed through innovation. One approach to thisis through environmental analysis, which essentiallyasks the question whats going on?, both nowand in the uture. The discussions that have been

occurring within your organisation, whether asaterthoughts rom a meeting, in the boardroom, orormalised as strategic teams, are already dening

whats going on. From this, innovative responsescan be developed.

What industry are we in?*

What has changed in the industry were in?

What has changed within our organisation/

department/etc.?

What are we doing to keep up with the change?Is our approach proactive or reactive?

What are our competitors doing?

How has what weve addressed thus ar impactedoutcomes?

Which new products have we/our competitorsdeveloped or produced within the past year?

What new processes have we/our competitorsimplemented or ceased within the past year?

It is essential that this scanning process is carried outon a regular basis, to monitor or new risks arisingand changes to existing risks.

A guidance paper on risk appetite and tolerance can be ound at

http://www.theirm.org/publications/documents/IRMRiskAppetiteFullweb.pdf

For the latest news and views on risk and

innovation, visit the CGMA risk spotlight:

http://www.cgma.org/Resources/Pages/

risk-and-innovation.aspx

*What industry are we in?

On the ace o it, the answer to this question

may seem obvious. However, long-established

rms have allen victim to bankruptcy as a

direct result o not understanding wider industry

boi. Th hotoghi ti

company Kodak, developed one o the rstdigital cameras in 1975. Amid ears that the

new technology would cannibalise sales o

their core lm products, the camera was never

taken to market. Kodak missed out on an

enormous business development opportunity

through considering themselves to be in the

narrow photographic lm industry, rather than

a wider industry relating to image making and

storytelling.
http://www.theirm.org/publications/documents/IRMRiskAppetiteFullweb.pdfhttp://www.cgma.org/Resources/Pages/risk-and-innovation.aspxhttp://www.cgma.org/Resources/Pages/risk-and-innovation.aspxhttp://www.cgma.org/Resources/Pages/risk-and-innovation.aspxhttp://www.cgma.org/Resources/Pages/risk-and-innovation.aspxhttp://www.theirm.org/publications/documents/IRMRiskAppetiteFullweb.pdf


5/14


The next stage is to understand the potential impact

o the risks related to our new process, and whatis at stake should the risk arise. I the impact issignicant, we need to ask the questions what doesthis mean for us? and what must we do?

What are the eects i implementation succeeds, orails?

How will we react to ailure? What is plan B?

I we succeed, is the change sustainable? I it is ashort-term x, what is the long-term plan?

How would the change impact our current businessmodel, strategies, etc.?

Do we need a NEW process, or can we adapt an

existing one or a similarly robust result?

Is the change best done internally or with a 3rd party?Which is more appropriate in terms o resources?

Can parts o process, etc. be implemented? Or can itbe implemented in phases?

Are the controls intended or this change already inexistence? Can we place reliance on something wealready have?

We also need to consider the resource implicat ions:what will it cost?

What existing resources do we have? (time,people, tools)

What are the costs and benets o managing thenew process?

What is the ultimate cost in time, resources, andmoney? Is this viable?

Can we control the associated risks withoutcompromising quality/strategy/reputation?

Finally, consider organisational tolerance or thisspecic risk, and how success and ailure will bemeasured.

There is more than one way o mapping risk; theCGMA tool How to communicate risks using a heat

map2 details one approach. In this example, wewill map and prioritise the risk using a likelihood/

consequences matrix and the TARA (Transer,Accept, Reduce, Abandon) risk response measures.

MEDIUM RISK: high impact, low probability

Transfer

HIGH RISK: high impact, high probability

Reduce/Abandon

MEDIUM RISK: low impact, high probability

Reduce/Accept

LOW RISK: low impact, low probability

Accept

Risk signicance can be judged by the

tiity o i, ho it i. Th ot

signicant risks are those capable o undermining

the strategy, long-term viability or reputation o

th ogitio. Th y i to itiy ti

i i th otxt o yo bi.

Impact o risk

Probability

ofoccurrence


6/14


tARA r rp mar:

Transfer: Can we transer all or part o the risk

elsewhere? The usual transer o risk is to take outan insurance policy, but risk can also be shared with

other parties, or example by outsourcing or settingup joint ventures.

Accept: Sometimes there is no option but to accept

the risk, particularly i the cost o managing orcontrolling the risk outweighs the benet. However,i a risk has been identied, contingency plans muststill be made. Business continuity plans are a good

example o this.

Reduce: Can we reduce the risk? Examples o risk

reduction techniques include the development ointernal control systems covering all nancial andnon-nancial activities. The COSO rameworkstates that internal controls consist o ve integrated

elements:

1. Control environment: management attitude and

philosophy regarding controls

2. Control procedures and activities: the actual

policies in place

3. Risk assessment: identiying controllable and

uncontrollable risks

4. Inormation: should be timely, accurate,understandable and relevant

5. Monitoring: in order to ensure the system isworking eciently

Remember that the answers to your quest ions maybe ound externally as well as internally. Ask your

ront line sta what customers are saying to them,and check your companys acebook, twitter andother social media accounts. Consider emergingproblem-solving trends such as crowdsourcing to

understand new ideas that may help you. In lookingoutside the organisation, youll be able to betteraddress and reduce your risks.

Abandon: In extreme cases, the only option may

be to leave the area o operations where the riskhas arisen, by closing down or divesting operations.From an innovation angle, this could mean choosingto discontinue development o a particular product,process or service.

The risk response can also be ormulated using amore visual approach, integrating risk questions and

TARA responses with a process map, as below. Thisincremental and iterative approach ensures that allacets o the risk are considered.

RISK PROCESS MAP #1


7/14

Risk PRoCess MAP #1

IdenTIfIed rIsk

Whats going on?

Consider:

Internal environmentext viot

Organisational strategy

OperaTIOnal effecTs

A CGMA should also ask...What does that mean or us?

Consider:

exitig oAvailable resourcesImpact on strategy

d r avgfca mpac?

i rmaagab?

Accept the risk,

but monitor orchanges

Considerabandoning

the risk

n

n

Y

Y

Continue onnext page


8/14

resOurce ImplIcaTIOns

A CGMA should also ask...What will it cost?

Consider:

Development costsOperational costs

Sta costs

pracTIcal cOnsIderaTIOns

A CGMA should also ask...What must we do?

Consider:

Risk toleranceRisk measurement

Risk response options

Cr w rar r rc

r

d c maagg r wg

bf?

Ar crrg a rab g

jy c?

n

n

Y

Y

Consider thebest way to

reduce the risk

Consider:

Strengthening controls

Alternative courseso action

Abandoning risk

Considerreducing costsby transerring

the risk

Implement newprocess, monitoringthe risk environment


9/14


This process map leads to a go/no go decision;

however it is important to recognise that riskmanagement does not stop once a decision has beenmade. Even i a choice has been made to accept therisk, it is essential to scan or new risks and changes

to existing risks and their controls, on a regularbasis.

The ollowing example uses the ctitious case oBadger Ltd. to illustrate how the process map maybe used in practice.

Badger Ltd. are a well established manuacturero widgets, and have historically perormed well

within an extremely competitive market with over20 national competitors producing broadly similarproducts. They are currently the market leader, with

a strong reputation or quality and customer service.

Badgers main competitor, Fox, has recentlyimplemented a new manuacturing technology on

their Widget2 production line, which has enabledthem to make signicant eciency savings and

eliminate waste. As a result Fox have been able toreduce the sales price o the Widget2 (a product alsosupplied by Badger) by 30%.

Badgers senior management team are concernedabout the potential long-term impact o this new

technology upon their market share, and have askedthe management accountant, a CGMA designationholder, to report upon this risk. The managementaccountant uses the process mapping tool to

identiy the key questions the management teammust address, as detailed below. This enables themanagement team to consider all risk areas beore

making their nal decision.

RISK PROCESS MAP #2

Skip Process Map


10/14

Risk PRoCess MAP #2

IdenTIfIed rIsk

Whats going on?

What has changed in the industry were in?Our main competitor is using a new manuacturingtechnology that is more efcient than ours and is

reducing our proft margins substantially.

d r avgfca mpac?

Financial impact:HIGHTimescale: IMMEDIATE

i rmaagab?

WHaT are THeOperaTIOnal effecTs

What does that mean or us?

Which processes must we change in order to compete?What scale o implementation is needed?

What is the cost o implementing and maintaining new technology?

Accept the risk,but monitor or

changes

Considerabandoningthe risk by

discontinuingproduction o

Widget2

n

n

Y

Y

Continue onnext page


11/14

WHaT are THe resOurce ImplIcaTIOns

What will it cost?

What are the development costs?

What are the machine related costs?How long will it take to make the required change?

What are the stang implications?What are the training costs?

What is the cost oNOT managing the risk?

WHaT are THe pracTIcalcOnsIderaTIOns?

What does this mean or us?What must we do?

What is our tolerance o this specic risk?How do we measure this risk?Wht xitig o i ?

Can we transer the risk?Can we reduce the risk?

Cr w rar r rc

r

d c maagg r wg

bf?

Ar cr

rg a rab g jy c?

n

n

Y

Y

Consider thebest way to

reduce the risk

Consider ways to

improve and strengthencontrols

Considerreducing costsby transerring

the risk

Begin detailed

scoping and planningor implementation onew technology


12/14


At the mid-point o the process map, the senior

management team must ocus upon how they mighttranser or reduce the risk. Having consideredall options, the management team eel thatoutsourcing production o the Widget2 is likely to

compromise quality. Attention is thereore switchedto reducing the risk, and it is decided that Badgermust implement similar, or better, manuacturing

processes than Fox to improve eciency, maintaincompetitive advantage and cut costs.

The risk management process does not stop once

a nal decision has been made; Badger mustcontinue to scan or and address risks throughoutthe implementation o the new technology.Common reasons or ailure o a new project revolve

around levels o commitment, co-ordination andcommunication across all stakeholders, and themanagement accountant has a key role to play in

helping the senior management team address theseissues and ensure that the implementation is asuccess.

Thi too h b vo t o wi g o o, whih yo o th

CGMA website. You may also nd the ollowing useul when ocusing upon inormed decision-making

in your organisation.

How to develop non-nancial KPIs

http://www.cgma.org/Resources/Tools/Pages/develop-non-nancial-kpis.aspx

How to turn data into decisions

http://www.cgma.org/Resources/Tools/Pages/turn-data-into-decisions.aspx

How to communicate risks using a heat map

http://www.cgma.org/Resources/Tools/Pages/communicate-risks-using-heatmap.aspx

How to evaluate enterprise risk management maturityhttp://www.cgma.org/Resources/Tools/Pages/evaluate-enterprise-risk-management.aspx
http://www.cgma.org/Resources/Tools/Pages/develop-non-financial-kpis.aspxhttp://www.cgma.org/Resources/Tools/Pages/turn-data-into-decisions.aspxhttp://www.cgma.org/Resources/Tools/Pages/communicate-risks-using-heatmap.aspxhttp://www.cgma.org/Resources/Tools/Pages/evaluate-enterprise-risk-management.aspxhttp://www.cgma.org/Resources/Tools/Pages/evaluate-enterprise-risk-management.aspxhttp://www.cgma.org/Resources/Tools/Pages/communicate-risks-using-heatmap.aspxhttp://www.cgma.org/Resources/Tools/Pages/turn-data-into-decisions.aspxhttp://www.cgma.org/Resources/Tools/Pages/develop-non-financial-kpis.aspx


13/14


Distribution o this material via the internet doesnot constitute consent to the redistribution o it in

any orm. No part o this material may be otherwisereproduced, stored in third party platorms and

databases, or transmitted in any orm or by anyprinted, electronic, mechanical, digital or othermeans without the written permission o the owner

o the copyright as set orth above. For inormationabout the procedure or requesting permission toreuse this content please email [email protected]

The inormation and any opinions expressed in thismaterial do not represent ocial pronouncements

o or on behal o AICPA, CIMA, the CGMAdesignation or the Association o International

Certied Proessional Accountants. This materialis oered with the understanding that it does not

constitute legal, accounting, or other proessionalservices or advice. I legal advice or other expert

assistance is required, the services o a competentproessional should be sought. The inormationcontained herein is provided to assist the reader

in developing a general understanding o the topicsdiscussed but no attempt has been made to coverthe subjects or issues exhaustively. While everyattempt to veriy the timeliness and accuracy o

the inormation herein as o the date o issuancehas been made, no guarantee is or can be given

regarding the applicability o the inormation oundwithin to any given set o acts and circumstances.

2013, Chartered Institute o Management Accountants. All rights reserved.

F

1. Internal Control - Integrated Framework,

COSO, May 2013

2. http://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-

risksusing-heat-map.pdf
mailto:[email protected]://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfhttp://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfhttp://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfhttp://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfhttp://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfhttp://www.cgma.org/Resources/Tools/DownloadableDocuments/communicate-risksusing-heat-map.pdfmailto:[email protected]


14/14

Th aoitio o Ittio cti poio aott, ajoint venture o AICPA and CIMA, established the CGMA designation

Chartered Institute oManagement Accountants26 Chapter StreetLondon SW1P 4NPUnited KingdomT. +44 (0)20 7663 5441

f. +44 (0)20 7663 5442

CIMA has oces in the ollowing locations: Australia, Bangladesh, Botswana, China,Ghana, Hong Kong SAR, India, Ireland, Malaysia, Nigeria, Pakistan, Poland, Russia,Singapore, South Arica, Sri Lanka, UAE, UK, Zambia, Zimbabwe.

American Institute o CPAs1211 Avenue o the AmericasNew York, NY 10036-8775T. +1 2125966200f. +1 2125966213

www.cgma.org

June 2013

cGma, cHarTered GlOBal manaGemenT accOunTanT, th cGma ogo t o th aoitioo Ittio cti poio aott. assOcIaTIOn Of InTernaTIOnal cerTIfIed prOfessIOnalaccOunTanTs th assOcIaTIOn Of InTernaTIOnal cerTIfIed prOfessIOnal accOunTanTs ogo t o th ai Ititt o cti pbi aott. Th t git i th uit sttand in other countries.
http://www.cgma.org/http://www.cgma.org/