7/30/2019 Business Risk Management Policy
RISK AND ITS MANAGEMENT
The term risk, in simple words, means the difference between the expected return and the realized return of a business, an investment, etc. Risk is always attached to a business or an investment where there is a chance of high return for the principal party.
High Risk, High Return
Low Risk, Low Return
Businesses and individuals face a variety of risk or uncertainty during decision making, e.g. a person who wants to invest his two million rupees can deposit it in National Savings to earn a fixed monthly income, and also has the option to invest in foreign exchange, like dollars, to earn more money. In the latter case there is a chance of more profit as well as a chance of loss. Losses can also be categorized into direct losses vs. indirect losses.
Direct losses are those losses which cannot be minimized or are unavoidable, e.g. due to a failure of electricity a company will bear direct loss in the form of direct labor cost, wasted motions and production of product. Indirect losses, on the other hand, are those losses which can be minimized or are avoidable. For a business concern indirect losses are extremely important. The major types of indirect losses arising from risks faced by business concerns are:
1. Loss of normal profit: the major example is a sudden decrease in earnings available for common stockholders.
2. Extra operating expenses, also borne by the organization, in the shape of repairs and maintenance and expenses of using other alternatives, e.g. generator oil or diesel expenses etc.
3. Higher cost of funds and foregone investment.
4. Bankruptcy costs: the best example, in my point of view, is legal cases against the company and expenses in the form of lawyers' fees and legal proceeding fees etc.
Risks facing Business & individuals
Business risks are those risks faced by a business organization day to day. These risks are short term and long term and require effective planning and decision making to survive in the market. Major types of business risks are:
Price risk: Relates to prices, i.e. input price and output price, that directly affect the cash flows of the business. Price risk is a long-term risk of the business concern.
Input price risk: Price risk that directly relates to raw material, labour and factory overhead, e.g. a manufacturing concern faces day-to-day variations in input price risk, due to which organizations face price competition to survive in the market.
Output price risk: Output price risk directly relates to the selling price that an organization demands for its goods and services, like:
Commodity price risk: includes coal, copper, electricity, oil & gas that are inputs for some firms and outputs for others.
Exchange price risk: changes in price risk due to the factor of foreign exchange rates.
Interest rate risk: another factor of change in output price risk is changes in bank interest rates, due to which the cost of borrowing funds increases, which affects the cash inflows and outflows of the business.
Credit risk: Credit risk relates to the credit policy of organizations for their customers and suppliers, e.g. most business firms face some credit risk in the shape of bad debts on accounts receivable, which directly reduce the business's cash inflows as well as its working capital.
Pure risk: Pure risk directly relates to business management and affects business activity in some cases, e.g.:
Damage of assets: e.g. risk related to physical damage, theft etc.
Worker injury: e.g. risk related to injury and disability of workers that results in compensation.
Employee benefit: e.g. those obligations that fall on the organization on death, illness and disability of employees.
Legal liability: e.g. risk associated with the organization due to non-compliance with the country's laws and regulations.
Personal risk: Risks associated with individuals and families are personal risks. Major personal risks are:
Earning risk: e.g. potential fluctuation in the family's earnings due to disability, aging, unemployment and death of income earners.
Medical risk: e.g. risk that relates to the health or life of an individual in case of critical diseases like AIDS.
Physical assets and liability: e.g. risk faced by families in case of loss of, or liability suits for non-payment of, physical assets that they own, like home, automobiles, jewellery etc.
Financial assets: e.g. risk associated with individuals in the form of gain or loss on financial assets like shareholdings, investments/bonds etc.
RISK MANAGEMENT
The risk management process consists of identification, evaluation and measurement, implementation, and monitoring of management process performance. This management process is a general framework and is applicable to business as well as individual risks.
METHODS OF MANAGEMENT
Loss control: Loss control consists of two general approaches, i.e. reducing the level of risky activities, e.g. making business agreements legally binding, or shifting attention from a risky product to a less risky product line.
Loss financing: Management of potential business risks through e.g. insurance, hedging and other contractual agreements for risk transfer, like involvement of the banking sector.
Internal risk reduction: Management of business risk associated with internal processes, e.g. diversifying activities, like the job specialization concept of putting the right person in the right job, and investment in information to obtain superior forecasts of expected losses, e.g. MIS or a planning and budgeting forecasting department are the best examples of investment in information.
UNDERSTANDING THE COST OF RISK
The cost risk of a business reflects the upcoming losses faced by the organization during the fiscal year because of fluctuation of cost, e.g. a per-unit cost increase will reduce the earnings of the business.
COMPONENTS OF COST RISK
The cost of risk has five main components:
Expected cost of losses: includes both direct and indirect losses. In direct losses we consider e.g. repairing or replacing damaged assets and the cost of paying workers' compensation claims to injured workers. In indirect losses we consider e.g. the reduction in net profits due to the consequences of direct losses.
Cost of loss control: includes those costs that an organization bears to reduce the frequency and severity of accidents, e.g. the cost of testing a product for safety prior to its introduction/marketing.
Cost of loss financing: reflects the cost borne on loss financing, e.g. an insurance premium is the best example of the cost of loss financing.
Cost of internal risk management methods: the cost that an organization incurs to reduce business uncertainty internally, e.g. the fee/charges of a risk manager appointed by management for a particular business project to reduce uncertainty.
Cost of residual uncertainty: the combination of loss control cost, loss financing cost and internal risk reduction cost is collectively called the cost of residual uncertainty.
RISK FRAMEWORK
Obvious risks are no real threat, given a reasonably alert management; however, it is unintended consequences that challenge our common sense and experience.
The risk framework is composed of three major domains of business risks.
Ownership risks: the risks associated with acquiring, maintaining and disposing of assets, considering a number of risk groups, i.e. external threats, e.g. competitors, govt. regulations, product markets etc.; custodial risks, e.g. obsolescence, theft from store etc.; and other hazards/disasters, accidental losses and opportunity cost.
Process risk: the risk associated with putting assets to work to achieve objectives, considering these groups of risks: hazard/accidental loss, errors/omissions, frauds etc.
Behavioral risks: the risks associated with acquiring, maintaining and disposing of human assets, considering risks such as productivity loss, dysfunctional workplace and opportunity cost etc.
MANAGING RISK
There are a variety of ways to manage organizational risk, which include:
Diversity: the best example of diversity is job specialization, or putting the right person in the right job.
Transfer: through different business or transaction insurances we are able to transfer loss to another party.
Control: through proper internal control we can also control the business risk of the organization internally.
Avoid: through an avoidance policy we shift our product line from a risky product to a less risky product line.
Share: in a share policy we share our loss with another party to reduce risks.
CHAPTER 2
BUSINESS RISK ANALYSIS
Business risk analysis is an effective, efficient tool for decision making that also considers the consequences of alternatives. Today all business decisions are considered after risk analysis, because every business decision has a short-term as well as a long-term impact on the life of the business. Business risk analysis includes risk assessment, e.g. identifying and measuring business risks, and risk management, e.g. how to minimize business risks or how to manage or tackle them.
Risk Assessment: Business risk assessment includes quantitative and qualitative evaluation of exposures arising due to some risky business activity. In risk assessment we consider these groups of elements.
1. Risk identification: In risk identification we identify and classify business risks and, most importantly, their characteristics, e.g. external risk includes competitor risk, govt. policy for the industry etc., and internal risk includes the strategy of the business regarding business risks etc.
2. Risk measurement & evaluation: we consider what types of losses are faced by the organization, in the form of direct losses and indirect losses, and try to forecast the possible consequences.
3. Risk prioritization: in risk prioritization we prioritize the business risks in direct and indirect loss form and find how the risks are related to each other, e.g. a failure of electricity cuts product production, which is a direct impact, and how to tackle this issue must be top priority in order to stop further indirect losses.
Risk Management
There are a variety of ways to manage organizational risk, which include:
Diversity: The best example of diversity is job specialization, or putting the right person in the right job.
Share: In a share policy we share our loss with another party to reduce risks, e.g. a business insurance policy is the best example of sharing risk.
Transfer: Through different business or transaction insurances we are able to transfer loss to another party.
Control: Through proper internal control we can also control the business risk of the organization internally, e.g. organization hierarchy/organization structure.
STRATEGIC RISK
Strategic risk is defined as the risk associated with future business plans and strategies, including e.g. plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.
To mitigate strategic risk, management should have a strategic planning process that addresses its business goals and objectives. Because businesses often rely on third-party service providers, the strategic plan should also include a comprehensive vendor management program.
Different units in the organization put assets to work through the management process and internal control system, with unit objectives linked to the organization's overall goals. Risk, in the form of uncertain changes in the environment, can affect the assets and/or the management process. The effects of risks also depend in part on the nature of the assets and the types of management processes and controls. Management can tackle these business risks through its strategic risk policy, or by monitoring the organization through internal control or an auditor.
Risk Terms: Risk is an expression of the probability that an event or action may adversely affect the organization. Risk may involve positive or negative consequences, although most positive consequences are known as opportunities and most negative consequences are called threats or risks. Consequences are tangible outcomes/results. The consequences of risk can vary in severity depending on a number of factors, e.g. the assets at risk, the type of threat, the duration of the consequences and the effectiveness of the controls in place etc. The risk of a particular business activity may be high, medium or low, which in fact reflects the probability of occurrence, which may be great, average or remote.
Risk and Opportunity: Opportunity = What is possible? Opportunity is the positive view of a particular business transaction/activity, whereas risk is the possibility of suffering harm or loss; danger; a factor, thing, element, or course involving uncertain danger; a hazard; or the danger or probability of loss to an insurer etc.
CHAPTER 3
THE ROLE OF INTERNAL CONTROL
Business controls are the processes that mitigate business risk; in simple words, controls are a set of processes or procedures to achieve our business goals and objectives, prevent risky consequences and alert management to take corrective actions. Internal controls are categorized into negative controls and positive controls. Negative controls create obstacles that slow the business process from reaching its objectives, e.g. unnecessary verification of business transactions by multiple authorities, such as govt. controls in Pakistan, whereas positive controls assist in achieving the business goals, e.g. the appointment of internal auditors assists stakeholders by showing a true and fair view of the business's financial statements.
Models of internal control
Committee of Sponsoring Organization (COSO)
Criteria of Control Committee (COCO)
Committee of Sponsoring Organization (COSO): COSO was the first general model of internal control to be accepted by a wide professional audience. COSO published its internal control framework in 1992. COSO is based on the principle of universal applicability: the internal control process should be the same from bottom to top level, e.g. the job specialization concept, the policy of putting the right person in the right job, is used in professional organizations today from bottom to top level management to increase efficiency and effectiveness and to reduce wasted motions.
The COSO report describes internal control as a process, effected by an entity's board of directors, management and other personnel, which is designed to provide reasonable assurance regarding the achievement of objectives in one or more categories, e.g. effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations, to the company's stakeholders regarding safeguarding assets from loss or unauthorized use.
According to the COSO report, internal control has five components, i.e. monitoring, information and communication, control activities, risk assessment, e.g. SWOT analysis of the business, and control environment, e.g. discipline and structure, management's philosophy, competence of the entity's people etc.
COSO Sequence:
Establish Objectives
Assess Risk
Determine Control Required
Explanation of Establish Objectives
According to the COSO approach, effective and efficient control requires establishing the business objectives, because the main objective of internal control is to ensure that established objectives are achieved.
Explanation of Assess Risk
Assess risk is the second step in the COSO sequence. Assessing risk consists of identification, measurement and prioritization of risky events.
Explanation of Determine Control Required
Determine control required is the third step of the COSO sequence, to mitigate the risks identified and to reach the required goals.
Criteria of Control Committee (COCO)
The COCO model of internal control was developed by The Canadian Institute of Chartered Accountants. COCO focuses on four important parts, i.e.:
Do we have the right objectives? e.g. company's vision, mission statements.
Do we have appropriate control activities? e.g. SMART goals of the business etc.
Do we have capability, commitment and the right environment in place? e.g. job specialization/putting the right person in the right job, shared ethical values, an atmosphere of mutual trust etc.
Do we monitor, learn and adapt? e.g. 360° performance evaluation system etc.
Cadbury and Other National Models
The Cadbury commission in the UK focused its effort on defining internal financial control; nevertheless, it developed a control model that is very close to the general model used by COSO. The Cadbury model includes safeguarding assets as part of effective and efficient operations, unlike the original version of COSO. The main points covered by the Cadbury model:
Monitoring and corrective action
Control Activities
Identification of risks, Control Priorities, and objectives as defined in COSO as well as in the COCO model.
CHAPTER 4
THE BUSINESS RISK ASSESSMENT
Business risk assessment includes quantitative and qualitative evaluation of exposures arising due to some risky business activity. In risk assessment we assess the risk at three levels:
Strategic Level
Project/Program/Process Level
Operational Level
Strategic Risk Assessment
Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization's internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.
Here are the seven steps for conducting a Strategic Risk Assessment:
1. Achieve a deep understanding of the strategy of the organization,
2. Gather views and data on strategic risks,
3. Prepare a preliminary Strategic Risk Profile,
4. Validate and finalize the Strategic Risk Profile,
5. Develop a Strategic Risk Management Action Plan,
6. Communicate the Strategic Risk Profile and Strategic Risk Management Action Plan, and
7. Implement the Strategic Risk Management Action Plan.
These steps define a basic, high-level process and allow for a significant amount of tailoring and customization in their execution to reflect the maturity and capabilities of the organization.
PROJECT RISK ASSESSMENT
The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project events in a proactive manner. The result will be that you minimize the impact of project threats and seize the opportunities that occur. This allows you to deliver your project on time, on budget and with quality results.
The 10 golden rules to apply risk management successfully in your project
Make Risk Management Part of Your Project
Identify Risks Early in Your Project
Communicate About Risks
Consider Both Threats and Opportunities
Prioritise Risks
Analyse Risks
Plan and Implement Risk Responses
Register Project Risks
Track Risks and Associated Tasks
OPERATIONAL RISK MANAGEMENT:
An operational risk is, as the name suggests, a risk arising from the execution of a company's business functions. It is a very broad concept which focuses on the risks arising from the people, systems and processes through which a company operates. It also includes other categories such as fraud risks, legal risks, and physical or environmental risks. One of the best methods is a risk assessment done by a specialist in workplace risks.
Health risk: including exposure to toxins, radiation and infectious organisms.
Safety risks: including exposure to equipment, machinery and work processes.
Environmental/physical risk: including exposure to climate and terrain etc.