Chapter 10: Risk and the risk management process

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • define and explain risk in the context of corporate governance
  • explain the dynamic nature of risk assessment
  • explain the importance and nature of management responses to changing risk assessments
  • define and compare (distinguish between) strategic and operational risks
  • define and explain the sources and impacts of common business risks
  • describe and evaluate the nature and importance of business and financial risks
  • recognise and analyse the sector- or industry-specific nature of many business risks
  • identify, and assess the impact upon, the stakeholders involved in business risk
  • explain and analyse the concepts of assessing the severity and probability of risk events
  • describe and evaluate a framework for board level consideration of risk
  • explain and assess the ALARP (as low as reasonably practicable) principle in risk assessment and how this relates to severity and probability
  • evaluate the difficulties of risk perception including the concepts of objective and subjective risk perception
  • explain and evaluate the concepts of related and covariant risk factors
  • explain and assess the necessity of incurring risk as part of competitively managing a business organisation.

1 Risk and corporate governance

  • The issue of corporate governance and how to manage risk has become an important area of concern across the world.
  • As was seen in an earlier chapter, reviews such as the UK Turnbull Committee have identified risk management as key to effective internal control.
  • In turn, following good corporate governance procedures (including having sound internal control systems) will decrease the impact of many risks on an organisation.
  • Risk analysis is best carried out in the context of the OECD principles of good corporate governance.
  • An overriding risk is that an organisation fails to meet the appropriate corporate governance regulations.

OECD principles of good corporate governance

2 Necessity of risk and risk management

A risk can be defined as an unrealised future loss arising from a present action or inaction.

  • Risks are the opportunities and dangers associated with uncertain future events.
  • Risks can have an adverse ('downside exposure') or favourable impact ('upside potential') on the organisation's objectives.

Why incur risk?

  • To generate higher returns a business may have to take more risk in order to be competitive.
  • Conversely, not accepting risk tends to make a business less dynamic, and implies a 'follow the leader' strategy.
  • Incurring risk also implies that the returns from different activities will be higher – 'benefit' being the return for accepting risk.
  • Benefits can be financial – decreased costs, or intangible – better quality information.
  • In both cases, these will lead to the business being able to gain competitive advantage.

Benefits of taking risks

Consider the following grid in terms of the risks a business can incur and the benefits from undertaking different activities.

Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage – although where there is low risk there is also only a limited amount of competitive advantage to be obtained. For example, a mobile telephone operator may produce its phones in a wide range of colours. There is little or no risk of the technology failing, but the move may provide limited competitive advantage where customers are attracted to a particular colour of phone.

Some low-risk activities, however, will provide higher competitive advantage – when these can be identified. If these can be identified, then the activity should be undertaken because of the higher reward. For example, the mobile phone operator may find a way of easily amending mobile phones to make them safer regarding the electrical emissions generated. Given that customers are concerned about this element of mobile phone use, there is significant potential to obtain competitive advantage. However, these opportunities are few and far between.

High-risk activities can similarly generate low or high competitive advantage. Activities with low competitive advantage will generally be avoided. There remains the risk that the activity will not work, and that the small amount of competitive advantage that would be generated is not worth that risk.

Other high-risk activities may generate significant amounts of competitive advantage. These activities are worth investigating because of the high returns that can be generated. For example, a new type of mobile phone providing, say, GPS features for use while travelling, may provide significant competitive advantage for the company; the risk of investing in the phone is worthwhile in terms of the benefit that could be achieved.

The point is, therefore, that if a business does not take some risk, it will normally be limited to activities providing little or no competitive advantage, which will limit its ability to grow and provide returns to its shareholders.

The As Low As Reasonably Practicable (ALARP) principle

As we cannot eliminate risk altogether, the ALARP principle simply states that residual risk should be as low as reasonably practicable, taking into consideration the costly nature of risk reduction.

  • The ALARP principle expresses a point at which the cost of additional risk reduction would be grossly disproportionate to the benefits achieved.
  • The ALARP principle is usually applied to safety-critical, high-integrity systems where health and safety risks cannot be eliminated, e.g. oil rigs.
  • An extreme example to clarify the point:
    • A company spending a million pounds to prevent a member of staff suffering from a bruised knee is obviously grossly disproportionate, whereas a company spending a million pounds to prevent a major explosion capable of killing 150 people is obviously proportionate.

Further information on the ALARP principle.

The concept of "reasonably practicable" lies at the heart of the British health and safety system.

It is a key part of the general duties of the Health and Safety at Work Act 1974 and many sets of health and safety regulations that we and Local Authorities enforce.

The ALARP principle is also defined as below and encapsulated in the Health and Safety Executive's (HSE) '5 steps to risk assessment' guidelines:

"'Reasonably practicable' is a narrower term than 'physically possible'… a computation must be made by the owner in which the quantum of risk is placed on one scale and the sacrifice involved in the measures necessary for averting the risk (whether in money, time or trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them – the risk being insignificant in relation to the sacrifice – the defendants discharge the onus on them."

Why manage risk?

Management needs to manage and monitor risk on an ongoing basis for a number of reasons:

  • To identify new risks that may affect the company so an appropriate risk management strategy can be determined.
  • To identify changes to existing or known risks so amendments to the risk management strategy can be made. For example, where there is an increased likelihood of occurrence of a known risk, strategy may be amended from ignoring the risk to possibly insuring against it.
  • To ensure that the best use is made of opportunities.

Managing the upside of risk

Historically, the focus of risk management has been on preventing loss. However, recently, organisations are viewing risk management in a different way, so that:

  • risks are seen as opportunities to be seized (as discussed above)
  • organisations are accepting some uncertainty in order to benefit from higher rewards associated with higher risk
  • risk management is being used to identify risks associated with new opportunities to increase the probability of positive outcomes and to maximise returns
  • effective risk management is being seen as a way of enhancing shareholder value by improving performance.

3 Risk management

  • Risk management is therefore the process of reducing the possibility of adverse consequences either by reducing the likelihood of an event or its impact, or taking advantage of the upside risk.
  • Management are responsible for establishing a risk management system in an organisation.
  • The process of establishing a risk management system is summarised in the following diagram:

Risk management process

The process of risk management

Enterprise Risk Management (ERM)

  • Risk management has transformed from a 'department focused' approach to a holistic, co-ordinated and integrated process which manages risk throughout the organisation.
  • Drivers for this transformation include globalisation, the increased complexity of doing business, regulatory compliance/corporate governance developments, and greater accountability for the board and senior management to increase shareholder value.
  • These drivers mean that an organisation and its board must have a thorough understanding of the key risks affecting the organisation and what is being done to manage them. ERM offers a framework to provide this understanding.

Enterprise risk management

Enterprise Risk Management (ERM) can be defined as the:

'process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.'

Enterprise Risk Management – Integrated Framework, the Committee of Sponsoring Organisations, COSO, 2004

Principles of ERM

The key principles of ERM include:

  • consideration of risk management in the context of business strategy
  • risk management is everyone's responsibility, with the tone set from the top
  • the creation of a risk aware culture
  • a comprehensive and holistic approach to risk management
  • consideration of a broad range of risks (strategic, financial, operational and compliance)
  • a focused risk management strategy, led by the board (embedding risk within an organisation's culture – see more in chapter 12).

The COSO ERM framework reflects the relationships between:

  • The four objectives of a business (strategic, operations, reporting and compliance) which reflect the responsibility of different executives across the entity and address different needs.
  • The four organisational levels (subsidiary, business unit, division and entity) which emphasise the importance of managing risks across the enterprise as a whole.
  • The eight components that must function effectively for risk management to be successful.

COSO ERM framework matrix

The COSO ERM framework is represented as a three-dimensional matrix in the form of a cube which reflects the relationships between objectives, components and different organisational levels.

Components of the ERM framework

The eight components are closely aligned to the risk management process addressed above, and also reflect elements from the COSO view of an effective internal control system (discussed in chapter 8):

  • Internal environment: This is the tone of the organisation, including the risk management philosophy and risk appetite (see more in the next chapter).
  • Objective setting: Objectives should be aligned with the organisation's mission and need to be consistent with the organisation's defined risk appetite.
  • Event identification: These are internal and external events (both positive and negative) which impact upon the achievement of an entity's objectives and must be identified.
  • Risk assessment: Risks are analysed to consider their likelihood and impact as a basis for determining how they should be managed.
  • Risk response: Management selects risk response(s) to avoid, accept, reduce or share risk. The intention is to develop a set of actions to align risks with the entity's risk tolerances and risk appetite.
  • Control activities: Policies and procedures help ensure the risk responses are effectively carried out.
  • Information and communication: The relevant information is identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities.
  • Monitoring: The entire ERM process is monitored and modifications made as necessary.

Benefits of effective ERM include:

  • enhanced decision-making by integrating risks
  • the resultant improvement in investor confidence, and hence shareholder value
  • focus of management attention on the most significant risks
  • a common language of risk management which is understood throughout the organisation
  • reduced cost of finance through effective management of risk.

Test your understanding 1 - Holistic approach to risk

A national chain of fast food retailers has suffered a large increase in counterfeit $20 and $50 bank notes being received in its stores from customers in the capital city's region. This has led to a significant impact on profitability in this region that has threatened its ability to meet financial targets.

The finance team decided to manage this financial risk by imposing a series of new profit protection controls that were implemented immediately by all stores across the country. These measures were:

  • All bank notes to be tested for authenticity by a counterfeit note detector pen.
  • All $20 bank notes to be tested for authenticity using a UV (ultra-violet) light detector as well as the detector pen.
  • $50 notes will no longer be accepted by any stores.
  • Any counterfeit notes taken by an individual working on a till would be recovered by the business from that person's next wage payment.
  • Any suspected counterfeit notes will be confiscated by the store supervisor and handed over to the police. The customer will be issued with a receipt and advised that they must contact the police directly to take the matter further.
  • Any store employees who do not follow these procedures will face disciplinary action which may include dismissal from the company.


Evaluate the impact of these procedures on the business. Your answer should consider the impact on the customers, employees and the company.

4 Risk identification: Strategic and operational risks

Strategic risks:

  • risks arising from the possible consequences of strategic decisions taken by the organisation
  • also arise from the way that an organisation is strategically positioned within its environment
  • should be identified and assessed at senior management and board or director level
  • PESTEL and SWOT techniques can be used to identify these risks (more will be seen on these in Paper P3).

Operational risks:

  • refer to potential losses that might arise in business operations
  • include risks of fraud or employee malfeasance, poor quality production or lack of inputs for production
  • can be managed by internal control systems.

Strategic and operational risks

Strategic risks:

  • are risks arising from the possible consequences of strategic decisions taken by the organisation. For example, one company might pursue a strategy of growth by acquisitions, whilst another might seek slower, organic growth. Growth by acquisition is likely to be much more high-risk than organic growth, although the potential returns might also be much higher
  • strategic risks will also arise from the way that an organisation is strategically positioned within its environment. A company may decide to expand into higher or lower risk areas perhaps by manufacturing new products or simply enhancing older products
  • strategic risks should be identified and assessed at senior management and board or director level.

Operational risks:

  • refer to potential losses that might arise in business operations
  • can be defined broadly as 'the risk of losses resulting from inadequate or failed internal processes, people and systems, or external events' (Basel Committee on Banking Supervision)
  • include risks of fraud or employee malfeasance as well as risks from production (such as poor quality) or lack of production (not having inputs available at the correct time)
  • can be managed by internal control systems.

Test your understanding 2

Identify examples of strategic and operational risks which might face a telecommunications company.

5 Risk identification: Business risks

Business risk refers to the classic risks of the world of business, such as uncertainty about demand for products (product risk).

The P1 Examiner, David Campbell, explains: "Business risks are strategic risks that threaten the health and survival of the whole business."

The risks businesses face will vary greatly between companies and derive from a number of different sources, including those shown below.

In the exam you may be required to identify risks, or types of risk, facing a business. The risks listed below are not exhaustive but illustrate many of the typical risks that affect a business.

  • Market risks. Risks which derive from the sector in which the business is operating, and from its customers.
  • Product risk. The risk that customers will not buy new products (or services) provided by the organisation, or that the sales demand for current products and services will decline unexpectedly.
  • Commodity price risk. Businesses might be exposed to risks from unexpected increases (or falls) in the price of a key commodity.
  • Product reputation risk. Some companies rely heavily on brand image and product reputation, and an adverse event could put its reputation (and so future sales) at risk.
  • Credit risk. Credit risk is the possibility of losses due to non-payment, or late payment, by customers.
  • Currency risk. Currency risk, or foreign exchange risk, arises from the possibility of movements in foreign exchange rates, and the value of one currency in relation to another.
  • Interest rate risk. Interest rate risk is the risk of unexpected gains or losses arising as a consequence of a rise or fall in interest rates.
  • Political risk. Political risk depends to a large extent on the political stability in the countries in which an organisation operates and the attitudes of governments towards protectionism.
  • Legal, or litigation risk arises from the possibility of legal action being taken against an organisation.
  • Regulatory risk arises from the possibility that regulations will affect the way an organisation has to operate.
  • Compliance risk is the risk of losses, possibly fines, resulting from non-compliance with laws or regulations.
  • Technology risk arises from the possibility that technological change will occur.
  • Economic risk refers to the risks facing organisations from changes in economic conditions, such as economic growth or recession, government spending policy and taxation policy, unemployment levels and international trading conditions.
  • Environmental risk faces a business due to the environmental effects of its operations, such as pollution resulting from business activity or restrictions on the supply of natural resources to the business due to environmental factors.
  • Health and safety risks. Many companies engage in potentially hazardous activities, such as coal mining, that can give rise to injury or the loss of life.
  • Business probity risk is related to the governance and ethics of the organisation.
  • Derivatives risk refers to the risks due to the use of financial instruments.
  • Entrepreneurial risk. This is the necessary risk associated with any new business venture or opportunity.
  • Financial risk. This is a major cause of business risk, and can be further defined as:
    • Gearing risk. Gearing risk for non-bank companies is the risk arising from exposures to high financial gearing and large amounts of borrowing.
    • Liquidity risk relates to the possibility of a company's cash inflows not being sufficient to meet its cash outflows.

Business risks

Market risks. Risks which derive from the sector in which the business is operating, and from its customers. These risks can apply to:

  • resource (not being able to obtain the required inputs)
  • production (risks in poor manufacturing, etc.)
  • capital markets (not being able to obtain necessary finance)
  • liquidity (the risk of having insufficient cash for the day-to-day running of the business).

Product risk. The risk that customers will not buy new products (or services) provided by the organisation, or that the sales demand for current products and services will decline unexpectedly. A new product launched onto the market might fail to achieve the expected volume of sales, or the take-up might be much slower than expected. For example, the demand for 'third generation' (3G) mobile communications services has grown much slower than expected by the mobile telephone service providers, due partly to the sluggish development of suitable mobile phone handsets.

Commodity price risk. Businesses might be exposed to risks from unexpected increases (or falls) in the price of a key commodity. Businesses providing commodities, such as oil companies and commodity farmers, are directly affected by price changes. Equally, companies that rely on the use of commodities could be exposed to risks from price changes. For example, airlines are exposed to the risk of increases in fuel prices, particularly when market demand for flights is weak, and so increases in ticket prices for flights are not possible.

Product reputation risk. Some companies rely heavily on brand image and product reputation, and an adverse event could put its reputation (and so future sales) at risk. Risk to a product's reputation could arise from adverse public attitudes to a product or from negative publicity: this has been evident in Europe with widespread hostility to genetically-modified (GM) foods.

Credit risk. Credit risk is the possibility of losses due to non-payment, or late payment, by customers. The exposure of a company to credit risks depends on factors such as:

  • the total volume of credit sales
  • the organisation's credit policy
  • credit terms offered (credit limits for individual customers and the time allowed to pay)
  • the credit risk 'quality' of customers: some types of customer are a greater credit risk than others
  • credit vetting and assessment procedures.

Liquidity risk relates to the possibility of a company's cash inflows not being sufficient to meet its cash outflows. This may arise from poor credit control or cash management, and may show itself in late payment to suppliers, or even in downgrading of its credit rating.

Currency risk. Currency risk, or foreign exchange risk, arises from the possibility of movements in foreign exchange rates, and the value of one currency in relation to another.

Interest rate risk. Interest rate risk is the risk of unexpected gains or losses arising as a consequence of a rise or fall in interest rates. Exposures to interest rate risk arise from borrowing and investing.

Gearing risk. Gearing risk for non-bank companies is the risk arising from exposures to high financial gearing and large amounts of borrowing.

Political risk depends to a large extent on the political stability in the countries in which an organisation operates and the attitudes of governments towards protectionism. A change of government can sometimes result in dramatic changes for businesses. In an extreme case, e.g. an incoming government might nationalise all foreign businesses operating in the country. Even in countries with a stable political system, political change can be significant, e.g. an incoming government might be elected on a platform of higher, or lower taxation.

Legal, or litigation risk arises from the possibility of legal action being taken against an organisation. For many organisations, this risk can be high. For example, hospitals and hospital workers might be exposed to risks of legal action for negligence. Tobacco companies have been exposed to legal action for compensation from cancer victims. Companies manufacturing or providing food and drink are also aware of litigation risk from customers claiming that a product has damaged their health.

Regulatory risk arises from the possibility that regulations will affect the way an organisation has to operate. Regulations might apply to businesses generally (e.g. competition laws and anti-monopoly regulations) or to specific industries.

Compliance risk is the risk of losses, possibly fines, resulting from non-compliance with laws or regulations. Measures to ensure compliance with rules and regulations should be an integral part of an organisation's internal control system.

Technology risk arises from the possibility that technological change will occur. Like many other categories of risk, technology risk is a two-way risk, and technological change creates both threats and opportunities for organisations.

Economic risk refers to the risks facing organisations from changes in economic conditions, such as economic growth or recession, government spending policy and taxation policy, unemployment levels and international trading conditions.

Environmental risk faces a business due to the environmental effects of its operations. These effects may include pollution resulting from business activity, such as oil spillages (and hence the risk of being held liable for such pollution, along with punitive action) or restrictions on the supply of natural resources to the business due to environmental factors (e.g. global warming). The risk may even extend to changes in regulations relating to environmental issues or public opinion on environmental impacts of businesses.

Health and Safety risk. Many companies engage in potentially hazardous activities that can give rise to injury or the loss of life of those working in a particular environment such as:

  • an oil rig
  • a factory
  • a farm

Health and safety risks are an inherent part of these industries and so the risk management task cannot be to avoid the risks completely. To reduce the risk to an acceptable level will involve incurring the costs of risk mitigation:

  • Installing protective shielding
  • Issuing safety equipment like hats and protective glasses etc.

Business probity risk is related to the governance and ethics of the organisation. It can arise from unethical behaviour by one or more participants in a particular process. It is often discussed in the context of procurement, where issues such as failing to treat information as confidential, lack of trust in business dealings and time spent in resolution of disputes may arise.

Derivatives risk refers to the risks due to the use of financial instruments. There is a risk of significant losses (or gains) from trading speculatively in derivatives such as futures or options. The risk can be many times larger than the margins paid to enter these markets.

Entrepreneurial risk is the necessary risk associated with any new business venture or opportunity. It is most clearly seen in entrepreneurial business activity, hence its name. In 'Ansoff' terms, entrepreneurial risk is expressed in terms of the unknowns of the market/customer reception of a new venture or of product uncertainties, for example product design, construction, etc. There is also entrepreneurial risk in uncertainties concerning the competences and skills of the entrepreneurs themselves.

The list of risks given above is fairly comprehensive.

The diagram below shows those risks mentioned in the ACCA study guide. Definitions of these risks may be required in the exam.

Sources and impacts of business risks

Examples of some different risks and possible impacts:

Use of risk categories

To make the risk management process understandable and manageable, it is recommended that organisations use no more than 20-30 risk categories for identifying their risks. Risk categories should not overlap.

Two examples of risk categorisation by major companies are given here.

Snecma, the avionics group, identifies its risks under five different headings:

  • Financial.
  • Human.
  • Image (corporate reputation, product reputation).
  • Customers and partners.
  • Technical and production.

The commercial banking and insurance group, Lloyds TSB, uses 11 risk categories:

  • Strategic
  • Credit
  • Market
  • Insurance indemnity
  • Operational
  • Governance
  • People and organisation
  • Products and services
  • Customer treatment
  • Financial soundness
  • Legal, regulatory and change management.

The bank does not have a separate risk category for reputation risks, because it considers that its reputation can be affected by all the other categories of risk.

Test your understanding 3

The ZXC company manufactures aircraft. The company is based in Europe and currently produces a range of four different aircraft. ZXC's aircraft are reliable with low maintenance costs, giving ZXC a good reputation, both to airlines who purchase from ZXC and to airlines' customers who fly in the aircraft.

ZXC is currently developing the 'next generation' of passenger aircraft, with the selling name of the ZXLiner. New developments in ZXLiner include the following.

  • Two decks along the entire aircraft (not just part as in the Boeing 747 series) enabling faster loading and unloading of passengers from both decks at the same time. However, this will mean that airport gates must be improved to facilitate dual loading at considerable expense.
  • 20% decrease in fuel requirements and falls in noise and pollution levels.
  • Use of new alloys to decrease maintenance costs, increase safety and specifically the use of Zitnim (a new lightweight conducting alloy) rather than standard wiring to enable the 'fly-by-wire' features of the aircraft. Zitnim only has one supplier worldwide.

Many component suppliers are based in Europe although ZXC does obtain about 25% of the sub-contracted components from companies in the USA. ZXC also maintains a significant R&D department working on the ZXLiner and other new products such as alternative environmentally friendly fuel for aircraft.

Although the ZXLiner is yet to fly or be granted airworthiness certificates, ZXC does have orders for 25 aircraft from the HTS company. However, on current testing schedules the ZXLiner will be delivered late.

ZXC currently has about €4 billion of loans from various banks and last year made a loss of €2.3 billion. ZXC's chief executive has also just resigned taking a leaving bonus of around two years' salary.


Identify and explain the sources of business risk that could affect ZXC.

For each of those risks evaluate the impact of the risk on ZXC and, where necessary, discuss how that risk can be mitigated by ZXC.

6 Risk identification: Categories and risk relationships

Generic or Specific

Business risks can be either generic, that is the risk affects all businesses, or specific to individual business sectors.

  • Examples of generic risks include changes in the interest rate, non-compliance with company law, or poor use of derivative instruments.
  • Generic risks can also affect different businesses in different ways: a company with substantial borrowing will be affected more by an increase in interest rates than a company with little or no borrowings.
  • Similarly, a company manufacturing computers will be more at risk from the possibility of changes in legislation affecting VDUs than a company providing legal services.

The concept of related risk factors

To understand risk there is a need to appreciate that certain risks are related to each other.

This relationship can be either positively or negatively correlated.

Take the recent oil spill in the Gulf of Mexico: this has clearly had a huge environmental impact but has also severely affected BP's reputation. This relationship would be described as a positive correlation. As one risk increases, so does the other.

A negative correlation would see the risks moving in opposite directions. For example, as BP spends more money trying to limit the environmental damage caused, and therefore reduces the environmental risk, the company is depleting its cash reserves substantially and increasing its financial risk.

Examples of sector specific risks

To state the obvious, sector-specific risks vary depending on the industry sector. Good sources of identifying these risks are the business pages of quality newspapers. Reading these pages a few times a week will keep you up to date with events in the business world and the reasons for them.

Here are four sectors and a summary of the risks affecting each (some comments being drawn from newspaper reports to show how knowledge does help here):

The overall point is that the risk profile is different for each sector – even though the risk areas can remain the same (reputation risk has been used for each of the areas above).

Current 'real-life' events will show how risks facing businesses are constantly evolving. The credit crunch impact on the banking sector is a prime example of this.

Test your understanding 4

Identify FIVE examples of sector-specific risks that might affect a university.

7 The impact on stakeholders

Business risks initially affect the company subject to those risks. However, there will be a 'knock-on' effect of those risks on stakeholders:

  • The amount of the effect will depend on how close the stakeholder is to the company.
  • In many situations, the actual impact is to affect the company again; the stakeholders will mitigate the risk by distancing themselves from the company.
  • Impact on stakeholders is likely to be more severe where they actually cause the business risk in the first place.

Impact on stakeholders

A summary of different stakeholders and the impact of business risks on them is provided below:

8 Assessing risks

A common qualitative way of assessing the significance of risk is to produce a 'risk map':

  • The map identifies whether a risk will have a significant impact on the organisation and links that into the likelihood of the risk occurring.
  • The approach can provide a framework for prioritising risks in the business.
  • Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.
  • The significance and impact of each risk will vary depending on the organisation:
    • e.g. an increase in the price of oil will be significant for an airline company but will have almost no impact on a financial services company offering investment advice over the internet.
  • The severity of a risk can also be discussed in terms of 'hazard'. The higher the hazard or impact of the risk, the more severe it is.
  • Risks can be plotted on a diagram, as shown.

This diagram will be revisited in the next chapter when we consider risk management strategies.

Illustration of risk mapping

Bogle Freight is a freight-forwarding business. It sends containers of freight from Heathrow to airports around the world. It specialises in consolidating the freight of different shippers into a single container, to obtain the benefit of lower freight charges for large shipments. The prices that Bogle charges its clients cover a share of the airline flight costs and insurance, and provide a margin to cover its running costs and allow for profit.

To make a satisfactory profit, Bogle needs to fill its containers to at least 75%, and at the moment is achieving an average 'fill' of 78%.

International trade and commerce have been growing in the past year, although at a slow rate.

Bogle's management is aware that airline flight costs are likely to rise next year due to higher fuel costs, and because several major airlines that have been suffering large losses will be hoping to increase their prices.


Prepare a 2 × 2 risk map, with one risk identified in each quadrant of the map. Explain your reasons for assessing the probability and impact of the risk as high or low in each case.


The suggested solution below uses the information provided, but also considers how the business of an international freight forwarder might be affected by risk factors. Your solution might identify different risks.


(1) High probability, high impact risk. The business will be affected if the average 'fill' for containers falls from its current level of 78%. Profits will be unsatisfactory if the 'fill' is less than 75%, suggesting that there could be a high risk of falling and inadequate profitability due to failure to win enough business.

(2) Low probability, high impact risk. A downturn in international trade will affect the volume of freight and so would reduce Bogle's income. Since international trade has been growing, the likelihood of a downturn would seem to be low.

(3) High probability, low impact risk. It seems inevitable that airlines will charge higher prices, but Bogle can pass on these costs to its own customers, therefore the impact of this risk is low.

(4) Low probability, low impact risk. The collapse of a major airline is possible due to high losses, but is perhaps unlikely. If an airline did go out of business, international freight should not be affected, because businesses would switch to other airlines.

Test your understanding 5

Suggest a risk that could be included in each quadrant of a risk map for an accountancy tuition company.

Dynamic nature of risk assessment

  • Risks change over time.
  • The environments that companies operate within (both internal and external) vary with respect to the degree of change that is faced.
  • In a dynamic environment these changing risks will lead to the assessment of probability and impact in the risk map constantly altering.

Examples of changing risk assessments

As the assessments of probability or impact of a risk change so does the position of a risk on a risk map.  

Taking the following two risks to an oil company as examples:

Risk X: This is the risk of a major leak at one of the offshore oil platforms operated by this company. It has been classified as high impact, due to the fact that it would require a substantial expenditure to repair and rectify the environmental damage, and as high likelihood based on the complexity of the deep-sea oil drilling operations and the large number of platforms operated. At this stage the risk would be shown at X1 in the risk map below.

There is a subsequent change in the regulations of this industry placing restrictions on the establishment of new deep-sea oil platforms. The company will therefore have fewer platforms in operation (several are due to close soon, and new ones cannot be opened) and hence the probability of such a leak occurring is now reduced. The risk has therefore moved to position X2 on the risk map.

Risk Y: This is the risk of the company being unable to recruit permanent members of staff to work on the offshore platforms. The risk is classified as low impact, since contract staff can be utilised instead of permanent employees, but high probability due to the company offering below market-average salaries – shown at position Y1.

An internal policy decision is made to improve the salary package for offshore operatives, which has the effect of moving this risk to position Y2 – low impact and now low probability.

In the situations of both risks X and Y the strategies implemented to mitigate these risks will need to be amended following the revised risk assessments.

As a result of risks changing, a company must adapt its risk management accordingly.

  • organisations in dynamic environments must invest more in risk management processes to keep abreast of changes
  • organisations in dynamic environments may need to have more rigorous (and costly) risk response strategies in place to be able to adapt to the changes.

9 Risk perception

A further complication to risk assessment is the quality of information available upon which to assess the risks.

Subjective risk perception has obvious limitations, including:

  • it may affect the suitability of selected risk mitigation techniques
  • it may impact resource decisions.

Examples of objective and subjective risk assessment

Tools and techniques for quantifying risks

A number of tools can be used to quantify the impact of risks on the organisation, some of which are described below. These will have been covered in your earlier studies, in papers F5 and F9.

  • Scenario planning: in which different possible views of the future are developed, usually through a process of discussion within the organisation.
  • Sensitivity analysis: in which the values of different factors which could affect an outcome are changed to assess how sensitive the outcome is to changes in those variables.
  • Decision trees: often used in the management of projects to demonstrate the uncertainties at each stage and evaluate the expected value for the project based on the likelihood and cash flow of each possible outcome.
  • Computer simulations: such as the Monte Carlo simulation which uses probability distributions and can be run repeatedly to identify many possible scenarios and outcomes for a project.
  • Software packages: designed to assist in the risk identification and analysis processes.
  • Analysis of existing data: concerning the impact of risks in the past.

Illustration 1 – Northern Rock and risk management

The share price of Northern Rock plummeted by over 90% during the credit crunch crisis of 2007/2008. In the end it became the first UK bank to experience a run by its customers since 1866. State nationalisation followed shortly afterwards.

The reasons relate to the lack of risk management in its lending policy and its almost total reliance on other bank lending to fund its growth. In addition, the bank used investment products so complex that its own staff didn't fully understand them, which meant that it was unable to adequately evaluate its own risk exposure or that of its customers.

In line with all major banks Northern Rock spends millions of dollars employing qualified individuals to assess its risks through risk management software, and yet despite all of this its shareholders were faced with receiving 5 pence per share in compensation after nationalisation (against a share price at the time of the company's flotation in 2000 of around £5.00).

10 Chapter summary

Test your understanding answers

Test your understanding 1 - Holistic approach to risk

By imposing changes without considering the impact on other business departments the disadvantages of the new procedures are likely to outweigh the advantages gained.


  • It is likely that the number of counterfeit bank notes taken by the stores throughout the country will decrease. This should increase the profitability of each transaction.
  • The finance team is likely to hit any KPIs relating to counterfeit notes being taken in the company stores.
  • Goodwill is likely to be generated between the police and the company.
  • A positive impact on customer goodwill may be achieved as customers like the way the company is taking a stand against crime.


  • The speed of service to customers is likely to be adversely affected. The increased time to serve each customer is likely to reduce a core KPI for a 'fast food' business.
  • Goodwill with customers is likely to be adversely affected due to the reduction in speed of service.
  • Company employees who work at the till are more likely to be put in difficult confrontational situations with customers if they follow the company policy to confiscate possible counterfeit notes.
  • In addition the employees are likely to be significantly demotivated as any breach of the new procedures may be subject to disciplinary action, up to, and including dismissal from the company.
  • The Human Resources team may face a significantly increased workload due to employees not applying the procedures and/or facing subsequent disciplinary action.
  • The operations of the stores may be adversely affected since staff facing disciplinary action are likely to be suspended from duty increasing the risk of staff shortages.
  • Recruitment, in a business sector that has a traditionally high staff turnover rate, may be negatively impacted as potential new staff may join competitors that don't have such rigid procedures in place.

Test your understanding 2

Strategic risks

  • Failure of strategic partner.
  • Competitors make more technological advances.
  • Major corporate customer decides to discontinue contract.
  • Competitor launches a price war for Broadband supply.

Operational risks

  • Poor service quality.
  • Service outages.
  • Network fraud.
  • Inaccurate billing.
  • Unauthorised system changes.

Test your understanding 3

Product/market risk

This is the risk that customers will not buy new products (or services) provided by the organisation, or that the sales demand for current products and services will decline unexpectedly.

For ZXC, there is the risk that demand for the new aircraft will be less than expected, either due to customers purchasing the rival airplane or because airports will not be adapted to take the new ZXLiner.

Commodity price risk

Businesses might be exposed to risks from unexpected increases (or falls) in the price of a key commodity.

Part of the control systems of the ZXLiner rely on the availability of the new lightweight conducting alloy Zitnim. As there is only one supplier of this alloy, then there is the danger of the monopolist increasing the price or even denying supply. Increase in price would increase the overall cost of the (already expensive) ZXLiner, while denial of supply would further delay delivery of the aircraft. ZXC needs to maintain good relations with their key suppliers to mitigate this risk.

Product reputation risk

Some companies rely heavily on brand image and product reputation, and an adverse event could put its reputation (and so future sales) at risk.

While the reputation of ZXC appears good at present, reputation will suffer if the ZXLiner is delayed significantly or it does not perform well in test flights (which have still to be arranged). Airline customers, and also their customers (travellers) are unlikely to feel comfortable flying in an aircraft that is inherently unstable. ZXC must continue to invest in R&D and good quality control systems to mitigate the effects of this risk.

Credit risk

Credit risk is the possibility of losses due to non-payment by debtors or the company not being able to pay its creditors, which will adversely affect the company's credit rating.

Given that the ZXLiner has not been sold at present, there are no debtors.

However, ZXC is heavily dependent on bank finance at present – any denial of funds will adversely affect ZXC's ability to continue to trade. Credit risk is therefore significant at present.

Currency risk

Currency risk, or foreign exchange risk, arises from the possibility of movements in foreign exchange rates, and the value of one currency in relation to another.

ZXC is currently based in Europe although it obtains a significant number of parts from the USA. If the €/$ exchange rate became worse, then the cost of imported goods for ZXC (and all other companies) would increase. At present, the relatively weak US$ is in ZXC's favour and so this risk is currently negligible.

Interest rate risk

Interest rate risk is the risk of unexpected gains or losses arising as a consequence of a rise or fall in interest rates. Exposures to interest rate risk arise from borrowing and investing.

As ZXC do have significant bank loans, then the company is very exposed to this risk. As interest rates are expected to rise in the future then ZXC would be advised to consider methods of hedging against this risk.

Gearing risk

Gearing risk for non-bank companies is the risk arising from exposures to high financial gearing and large amounts of borrowing.

Again, ZXC has significant amounts of bank loans. This increases the amount of interest that must be repaid each year. In the short term ZXC cannot affect this risk as the bank loans are a necessary part of its operations.

Political risk

Political risk depends to a large extent on the political stability in the countries in which an organisation operates, the political institutions within that country and the government's attitude towards protectionism.

As ZXC operates in a politically stable country this risk is negligible.

Legal risk or litigation risk

The risk arises from the possibility of legal action being taken against an organisation.

At present this risk does not appear to be a threat for ZXC. However, if the ZXLiner is delayed any further there is a risk of breach of contract for late delivery to the HTS company. There is little ZXC can do to guard against this risk, apart from keeping HTS apprised of the delays involved with the ZXLiner.

Regulatory risk

This is the possibility that regulations will affect the way an organisation has to operate.

In terms of aircraft, regulation generally affects noise and pollution levels. As the ZXLiner is designed to have lower noise and pollution levels than existing aircraft then this risk does not appear to be a threat to ZXC.

Technology risk

Technology risk arises from the possibility that technological change will occur or that new technology will not work.

Given that ZXC is effectively producing a new product (the ZXLiner) that has not actually been tested yet, there is some technology risk. At worst, the ZXLiner may not fly at all or not obtain the necessary flying certificates. ZXC appear to be guarding against this risk by not decreasing its investment in product development.

Economic risk

This risk refers to the risks facing organisations from changes in economic conditions, such as economic growth or recession, government spending policy and taxation policy, unemployment levels and international trading conditions.

Demand for air travel is forecast to increase for the foreseeable future, so in that sense there is a demand for aircraft which ZXC will benefit from. The risk of product failure is more significant than economic risk.

Environmental risk

This risk arises from changes to the environment over which an organisation has no direct control, such as global warming, to those for which the organisation might be responsible, such as oil spillages and other pollution.

ZXC is subject to this risk – and there is significant debate concerning the impact of air travel on global warming. At the extreme, there is a threat that air travel could be banned, or made very expensive by international taxation agreements, although this appears unlikely at present. ZXC need to continue to monitor this risk, and continue research into alternative fuels etc. in an attempt to mitigate the risk.

Business probity

This is the risk that a company does not follow rules of good corporate governance or show appropriate ethical awareness.

In ZXC, the departure of the chief executive with a bonus of more than two years' salary appears to act against business probity – why should the chief executive obtain a bonus when ZXC is making a loss and workers may be made redundant? However, the impact of this risk on ZXC is unclear. It is unlikely to affect sales as customers are more interested in the ZXLiner than the departure of the chief executive. There is more of an association risk in terms of business probity not being followed in other areas such as perceived cost cutting in research and development affecting the quality of the product. Again, ZXC are guarding against this risk.

However, the board of ZXC should ensure that the remuneration committee review directors' service contracts to ensure risk in this area does not occur in the future.

Test your understanding 4

  • An inability to attract good-quality staff as academic salaries fall below those in business.
  • Major private university is established which is attractive to typical applicants to this university.
  • Research income threatened by poor financial position of donors to major projects.
  • Admissions policy of university is portrayed by media as discriminatory.
  • Government policy for funding further education is diverted in favour of other types of institution.

Test your understanding 5
