Chapter 11: Controlling risk

Chapter learning objectives

Upon completion of this chapter you will be able to:

  • explain and evaluate the role and purpose of risk committees in effective corporate governance
  • define and describe management responsibilities in risk management
  • explain risk appetite and how this affects risk policy
  • describe the process of, and the importance of, externally reporting on internal control and risk
  • explain the sources, and assess the importance of, accurate information for risk management
  • explain and assess the role of a risk manager in identifying and monitoring risk
  • explain and evaluate the role of the risk committee in identifying and monitoring risk
  • describe and assess the role of internal or external risk auditing in monitoring risk
  • explain the importance of risk awareness at all levels in an organisation
  • describe and analyse the concept of embedding risk in an organisation's systems and procedures
  • describe and evaluate the concept of embedding risk in an organisation's culture and values
  • explain and analyse the concepts of spreading and diversifying risk and when this would be appropriate
  • identify and assess how business organisations use policies and techniques to mitigate various types of business and financial risks
  • explain, and assess the importance of, risk transference, avoidance, reduction and acceptance
  • explain and evaluate the different attitudes to risk and how these can affect strategy
  • explain and assess attitudes towards risk and the ways in which risk varies in relation to the size, structure and development of an organisation.

1 The role of the board

The board of an organisation plays an important role in risk management.

  • It considers risk at the strategic level and defines the organisation's appetite and approach to risk.
  • The board is responsible for driving the risk management process and ensuring that managers responsible for implementing risk management have adequate resources.
  • The board is responsible for ensuring that risk management supports the strategic objectives of the organisation.
  • The board will determine the level of risk which the organisation can accept in order to meet its strategic objectives.
  • The board ensures that the risk management strategy is communicated to the rest of the organisation and integrated with all the other activities.
  • The board reviews risks and identifies and monitors progress of the risk management plans.
  • The board will determine which risks will be accepted because they cannot be managed, or because it is not cost-effective to manage them, i.e. residual risk.
  • The board will generally delegate these activities to a risk committee, as discussed later in this chapter.

A framework for board consideration of risk is shown below.

Board consideration of risk

  • The business strategy explains what products and services an organisation will sell in which particular markets.
  • The risk appetite identifies the amount of risk the board/organisation is willing to accept to fulfil the business strategy.
  • For some business strategies, there will be a higher risk appetite (e.g. entry into a new market) and for others a lower appetite (e.g. ensuring ongoing product quality).
  • The approach to risk is then summarised in the risk strategy. The strategy shows how risk will be managed within the business by reducing the likelihood of occurrence or minimising the impact, e.g. by taking out insurance or by diversification.
  • Residual risk is risk that cannot be managed, or which it is not cost-effective to manage.

Risk appetite

Risk appetite is a measure of the general attitude to accepting risk.

It can be determined by:

  • risk capacity - the amount of risk that the organisation can bear, and
  • risk attitude - the overall character of the board, in terms of the board being risk averse or risk seeking.

How risk appetite affects risk policy

Risk appetite has an important influence on the risk strategies an organisation has in place.

Risk averse organisation

For example, a charity or public sector organisation will be characteristically risk averse - the organisation would seek to avoid risky situations.

  • Therefore the risk management system the organisation develops may be less sophisticated and less costly.

Risk seeking organisation

Conversely, an organisation actively seeking additional risk, financial derivative traders for example, should:

  • see risk management as of strategic importance
  • invest in a comprehensive risk management system.

Risk appetite factors

The factors, or business strategies, which could affect the risk appetite of the board of a company include:

Risk attitude and organisational factors

Risk attitude can be seen on a continuum from risk averse to risk seeking.

  • There is no easy correlation between the risk attitude of an organisation and its size, structure and development.
  • In general terms:
    • a small, young company may have a higher risk attitude as it takes risks in order to get its product into the market.
    • a larger, older company may appear to be more risk averse as it seeks to protect its current market position.

Risk attitude factors

The overall point here is that general trends can be established. However, there is no definitive link between size, structure and development and the level of risk within an organisation.

2 Risk committee

  • Though corporate governance codes do not specifically require a risk committee to be established, many companies will set up a separate risk committee or establish the audit committee as a 'risk and audit committee'.
  • The risk committee is sometimes referred to as a risk management committee.
  • Where no risk committee is formed, the audit committee will usually perform similar duties.

Composition of risk committee

The committee will include both executive and non-executive directors, with the majority being NEDs.

Executive directors are involved as they are responsible for the day-to-day operations and therefore have a more detailed understanding of the associated risks.

Roles of the risk committee

In broad terms, the risk (management) committee within an organisation has the following main aims:

  • Raising risk awareness and ensuring appropriate risk management within the organisation.
  • Establishing policies for risk management.
  • Ensuring that adequate and efficient processes are in place to identify, report and monitor risks.
  • Updating the company's risk profile, reporting to the board and making recommendations on the risk appetite of the company.

Supporting these objectives of the risk (management) committee, there are many secondary objectives. These objectives may also be contained in the terms of reference of the risk (management) committee.

  • Advising the board on the risk profile and appetite of the company and as part of this process overseeing the risk assurance process within the company.
  • Acting on behalf of the board, to ensure that appropriate mechanisms are in place with respect to risk identification, risk assessment, risk assurance and overall risk management.
  • Continual review of the company's risk management policy including making recommendations for amendment of that policy to the board.
  • Ensuring that there is appropriate communication of risks, policies and controls within the company to employees at all management levels.
  • Ensuring that there are adequate training arrangements in place so management at all levels are aware of their responsibilities for risk management.
  • Where necessary, obtaining appropriate external advice to ensure that risk management processes are up to date and appropriate to the circumstances of the company.
  • Ensuring that best practices in risk management are used by the company, including obtaining and implementing external advice where necessary.

Responsibilities of the risk committee

Detailed tasks of the risk committee are to:

  • Assess risk management procedures (for the identification, measurement and control of key risk exposures) in accordance with changes in the operating environment.
  • Emphasise and demonstrate the benefits of a risk-based approach to internal control.
  • If appropriate, consider risk audit reports on key business areas to assess the level of business risk exposure.
  • Assess risks of any new ventures and other strategic initiatives.
  • If appropriate, review credit risk, interest rate risk, liquidity risk and operational risk exposures with regard to full board risk appetite.
  • Consider whether public disclosure of information regarding internal control and risk management policies and key risk exposures is in accordance with the statutory requirement and financial reporting standards.
  • Make recommendations to the full board on all significant matters relating to risk strategy and policies.

Some of these tasks may be directed toward the audit committee, especially the areas of internal control where there already is an internal audit function.

3 Role of the risk manager

  • The risk manager is a member of the risk management committee, reporting directly to that committee and the board.
  • The role focuses primarily on implementation of risk management policies.
  • The manager is supported and monitored by the risk management committee.
  • The role is more operational than strategic.
  • Policy is set by the board and the risk management committee and implemented by the risk manager.

Risk manager activities

Typical activities carried out by a risk manager include:

  • Provision of overall leadership for risk management team.
  • Identification and evaluation of the risks affecting an organisation from that organisation's business, operations and policies.
  • Implementation of risk mitigation strategies including appropriate internal controls to manage identified risks.
  • Seeking opportunities to improve risk management methodologies and practices within the organisation.
  • Monitoring the status of risk mitigation strategies and internal audits, and ensuring that all recommendations are acted upon.
  • Developing, implementing and managing risk management programmes and initiatives including establishment of risk management awareness programmes within the organisation.
  • Maintaining good working relationships with the board and the risk management committee.
  • Ensuring compliance with any laws and regulations affecting the business.
  • Implementing a set of risk indicators and reports, including losses, incidents, key risk exposures and early warning indicators.
  • Liaising with insurance companies, particularly with regards to claims, conditions and cover available.
  • Depending on specific laws of the jurisdiction in which the organisation is based, working with the external auditors to provide assurance and assistance in their work in appraising risks and controls within the organisation.
  • Again, depending on the jurisdiction, producing reports on risk management, including any statutory reports (e.g. Sarbanes-Oxley (SOX) reports in the US).

4 Risk awareness

As previously discussed, one of the roles of the risk committee is to raise risk awareness within the organisation.

In general terms, a lack of risk awareness means that an organisation has an inappropriate risk management strategy.

  • Risks affecting the organisation may not have been identified meaning there will be a lack of control over that risk.
  • Risks may occur and the control over that risk is not active due to lack of monitoring and awareness.
  • Continued monitoring within the organisation is therefore required to ensure that risk management strategies are updated as necessary.

Levels of risk awareness

Sources of information on risk

The risk committee will obtain information about risks, and weaknesses in controls, from a variety of sources including:

  • reports from departmental managers
  • whistleblowers
  • reports on key project and new business areas
  • results of internal audit reviews (possibly from the audit committee)
  • customer feedback
  • performance monitoring systems (internal and external factors)
  • directors' own observations. 

5 Embedding risk

  • The aim of embedding risk management is to ensure that it is 'part of the way we do business' (to misquote Handy).
  • It can be considered at two levels:
    • embedding risk in systems
    • embedding risk in culture.

Embedding risk in systems

  • Embedding risk in systems applies to the concept of ensuring that risk management is included within the control systems of an organisation.
  • In this context, a control system helps ensure that other systems (e.g. the accounting system) are working correctly.
  • Risk management is not seen as a separate system.
  • In many jurisdictions, this is a statutory requirement (e.g. US) while in others it is a code of best practice (e.g. UK).
  • To be successful, embedding risk management needs approval and support from the board.

The process of embedding risk management within an organisation's systems and procedures can be outlined as follows:

(1) Identify the controls that are already operating within the organisation.

(2) Monitor those controls to ensure that they work.

(3) Improve and refine the controls as required.

(4) Document evidence of monitoring and control operation (using performance metrics or independent assessment such as internal or external audit).

Success of embedding risk in systems

Embedding risk management is unlikely to be successful within an organisation unless it is:

  • supported by the board and communicated to all managers and employees within the organisation
  • supported by experts in risk management
  • incorporated into the whole organisation, i.e. not part of a separate department seen as 'responsible' for risk
  • linked to strategic and operational objectives supported by existing processes such as strategy reviews, planning and budgeting, e.g. again not seen as an entirely separate process
  • supported by existing committees, e.g. audit committee and board meetings rather than simply the remit of one 'risk management' committee
  • given sufficient time by management to provide reports to the board.

Embedding risk in culture

  • As noted above, risk management needs to be embedded into policies and procedures in an organisation.
  • However, the policy may still fail unless all workers in a company (board to employees) accept the need for risk management.
  • Embedding risk into culture and values therefore implies that risk management is 'normal' for the organisation.

Methods of embedding risk management in the culture and values of an organisation include:

  • aligning individual goals with those of the organisation
  • including risk management responsibilities within job descriptions
  • establishing reward systems which recognise that risks have to be taken in practice (e.g. not having a 'blame' culture)
  • establishing metrics and performance indicators that can monitor risks and provide an early warning if it is seen that risks will actually occur and affect the organisation
  • informing all staff in an organisation of the need for risk management, and publishing success stories to show how embedding risk management in the culture has benefited both organisation and staff.

Success of embedding risk in culture

Various cultural factors which affect the extent to which risk management can be embedded into the culture and values of an organisation include:

  • whether the culture is open or closed, i.e. open to new ideas, procedures and change
  • the overall commitment to risk management policies at all levels in the organisation
  • the attitude to internal controls, i.e. whether they are seen as causing constraints within the organisation or as providing benefits in terms of lowering risk
  • governance, i.e. the need to include risk management in the organisation to meet the needs and expectations of external stakeholders
  • whether risk management is a normal part of the organisation's culture, i.e. whether it is taken for granted or not.

6 Risk management: TARA (or SARA)

  • The risk management process was described in the previous chapter. We will now move on to the third step of the process: risk planning and formulating the risk management strategies.
  • Strategies for managing risks can be explained as TARA (or SARA): Transference (or Sharing), Avoidance, Reduction or Acceptance.

Risk management using TARA

Transference. In some circumstances, risk can be transferred wholly or in part to a third party, so that if an adverse event occurs, the third party suffers all or most of the loss. A common example of risk transfer is insurance. Businesses arrange a wide range of insurance policies for protection against possible losses. This strategy is also sometimes referred to as sharing.

Risk sharing. An organisation might transfer its exposures to strategic risk by sharing the risk with a joint venture partner or franchisees.

Avoidance. An organisation might choose to avoid a risk altogether. However, since risks are unavoidable in business ventures, they can be avoided only by not investing (or withdrawing from the business area completely). The same applies to not-for-profit organisations: risk is unavoidable in the activities they undertake.

Reduction/mitigation. A third strategy is to reduce the risk, either by limiting exposure in a particular area or attempting to decrease the adverse effects should that risk actually crystallise.

Other examples of risk reduction:

Risk minimisation. This is where controls are implemented that may not prevent the risk occurring but will reduce its impact if it were to arise.

Risk pooling. When risks are pooled, the risks from many different transactions or items are pooled together. Each individual transaction or item has its potential upside and its downside. For example, each transaction might make a loss or a profit. By treating them all as part of the same pool, the risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually.

An example of risk reduction through pooling is evident in the investment strategies of investors in equities and bonds. An investment in shares of one company could be very risky, but by pooling shares of many different companies into a single portfolio, risks can be reduced (and the risk of the portfolio as a whole can be limited to the unavoidable risks of investing in the stock market).

Reducing financial risk - hedging techniques

Risks in a situation are hedged by establishing an opposite position, so that if the situation results in a loss, the position created as a hedge will provide an offsetting gain. Hedging is used often to manage exposures to financial risks, frequently using derivatives such as futures, swaps and options.

With hedging, however, it often happens that if the situation for which the hedge has been created shows a gain, there will be an offsetting loss on the hedge position.

In other words, with hedging, the hedge neutralises or reduces the risk, but:

  • restricts or prevents the possibility of gains from the 'upside risk'
  • as well as restricting or preventing losses from the downside risk.

Neutralising price risk with a forward contract

In some situations, it is possible to neutralise or eliminate the risk from an unfavourable movement in a price by fixing the price in advance.

For example, in negotiating a long-term contract with a contractor, the customer might try to negotiate a fixed price contract, to eliminate price risk (uncertainty about what the eventual price will be and the risk that it might be much higher than expected). The contractor, on the other hand, will try to negotiate reasonable price increases in the contract. The end result could be a contract with a fixed price as a basis but with agreed price variation clauses.

Fixed price contracts for future transactions are commonly used for the purchase or sale of one currency in exchange for another (forward exchange contracts).

Acceptance. The final strategy is to simply accept that the risk may occur and decide to deal with the consequences in that particular situation. The strategy is normally appropriate where the adverse effect is minimal. For example, there is nearly always a risk of rain; unless the business activity cannot take place when it rains, the risk of rain occurring is not normally insured against.

Risk mapping and risk management strategies

Risk maps can provide a useful framework to determine an appropriate risk management strategy.

Test your understanding 1

The TGB Company runs sporting events such as tennis tournaments and downhill skiing events in various countries. The company has been fairly successful in the past in running events that attract a significant number of customers, and in the last 10 years TGB has always made a profit.

The board of TGB are now considering a number of sporting events for the next financial year.

  • A repeat of this year's successful two-week long outdoor tennis tournament at a time of year when there is a 10% probability of rain on any given day. If it rains, customers are allowed access to the tournament on the following day. However, if there is rain on two consecutive days, tickets for those days are declared void and cannot be used.
  • A new proposal to hold curling championships in 25 different countries in one year. (Curling is a sport played on ice where football-sized stones are slid across the ice with the aim of stopping them as close as possible to a target on the ice.) Organisation of the championships will mean TGB either has to hire additional staff or run fewer sporting events in other sports. Demand for the curling championships is high in colder countries, but unclear in warmer countries where the sport has never been played.
  • A new proposal to hold motor bike racing on the streets of a major European city. The city would effectively be closed to other traffic for a week with races taking place on normal public roads. There is a probability of 95% that at least one rider will be killed during the week and an 85% probability of serious injury to more than 10 spectators in the event of a crash. TGB's insurers have indicated that they would not be prepared to insure this event. However, TGB's financial accountant indicates that the event would be highly profitable.
  • A repeat of a successful skiing championship in the Alps. The championship has been run for the last 25 years and is always well attended. However, analysts indicate that due to global warming there is a remote possibility that the Alps will not receive sufficient snow and the championship will not be able to go ahead. The board consider this risk to be so remote that it is not worth worrying about.


(a) Using the risk management model of TARA, explain the elements of the model and discuss how the TGB Company should manage risks for each of its proposed sporting events.

(b) Compare and contrast the roles of the risk manager and the risk committee.

7 Further risk management strategies

Risk avoidance and retention

  • Risk avoidance: the risk strategy by which the organisation literally avoids a risk by not undertaking the activity that gives rise to the risk in the first place.
  • Risk retention: risk strategy by which an organisation retains that particular risk within the organisation.
    • This is a similar concept to risk acceptance.

Avoidance and retention strategies

  • Risk avoidance and risk retention strategies relate in part to the risk appetite of the organisation, and then the potential likelihood of each risk, and the impact/consequence of that risk as discussed in the last chapter.
  • A risk avoidance strategy is likely to be followed where an organisation has a low risk appetite. The strategy will involve avoiding those activities that will incur risk, e.g. activities that have a higher probability of failure where alternative risk strategies such as transference cannot be used:
    • a new project with a very low likelihood of success will not be started.
    • an organisation may amend its portfolio of companies (where the organisation is a holding company) if it considers one particular area to be too risky.
  • A risk retention strategy will be followed where the risk is deemed to be minimal or where other risk strategies such as transference are simply too expensive:
    • an organisation may 'self-insure' against minor damage to its vehicles because taking out comprehensive insurance to cover all damage would be too expensive
    • the organisation may decide not to insure against significant movements in interest rates as this risk is minimal but smaller movements in interest rates will be insured against.

Diversifying/spreading risk

  • Risk can be reduced by diversifying into operations in different areas, such as into Industry X and Industry Y, or into Country P and Country Q.
  • Poor performance in one area will be offset by good performance in another area, so diversification will reduce total risk.
  • Diversification is based on the idea of 'spreading the risk'; the total risk should be reduced as the portfolio of diversified businesses gets larger.
  • Diversification works best where returns from different businesses are negatively correlated (i.e. move in different ways). It will, however, still work as long as the correlation is less than +1.0.
  • Example of poor diversification – swimming costumes and ice cream – both reliant on sunny weather for sales.
  • Spreading risk relates to portfolio management as an investor or company spreads product and market risks.
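The claim that diversification reduces total risk whenever the correlation is below +1.0 can be checked with the two-asset portfolio variance formula. This derivation is added here as an illustration and is not part of the original chapter; it assumes two businesses A and B with return standard deviations $\sigma_A$ and $\sigma_B$, correlation $\rho$, and portfolio weights $w$ and $1-w$.

$$\sigma_P^2 = w^2\sigma_A^2 + (1-w)^2\sigma_B^2 + 2w(1-w)\,\rho\,\sigma_A\sigma_B$$

When $\rho = +1$ the right-hand side is a perfect square, so

$$\sigma_P = w\sigma_A + (1-w)\sigma_B,$$

i.e. portfolio risk is simply the weighted average of the individual risks and nothing is gained. For any $\rho < 1$ the cross term is smaller, giving $\sigma_P < w\sigma_A + (1-w)\sigma_B$, and the reduction grows as $\rho$ falls. With constructed figures $\sigma_A = \sigma_B = 20\%$ and $w = 0.5$:

$$\rho = +1:\ \sigma_P = \sqrt{0.01 + 0.01 + 0.02} = 20\%, \qquad
\rho = 0:\ \sigma_P = \sqrt{0.01 + 0.01} \approx 14.1\%, \qquad
\rho = -1:\ \sigma_P = \sqrt{0.01 + 0.01 - 0.02} = 0.$$

The swimming costumes and ice cream example above sits near $\rho = +1$, which is why it spreads almost no risk.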


Risk can be diversified in terms of market/product management.

  • Market/product management attempts to spread risk according to the portfolio of companies held within a group based more on links within the supply chain.

Spreading risk by portfolio management

Within an organisation, risk can be spread by expanding the portfolio of companies held. The portfolio can be expanded by integration – linking with other companies in the supply chain, or diversification into other areas.

This is development beyond the present product and market, but still within the broad confines of the 'industry'.

  • Backward integration refers to development concerned with the inputs into the organisation, e.g. raw materials, machinery and labour.
  • Forward integration refers to development into activities that are concerned with the organisation's outputs such as distribution, transport, servicing and repairs.
  • Horizontal integration refers to development into activities that compete with, or directly complement, an organisation's present activities. An example of this is a travel agent selling other related products such as travel insurance and currency exchange services.

Unrelated diversification

This is development beyond the present industry into products and/or markets that may bear no clear relationship to their present portfolio. Where appropriate an organisation may want to enter into a completely different market to spread its risk.

Problems with diversification:

  • If diversification reduces risk, why are there relatively few conglomerate industrial and commercial groups with a broad spread of business in their portfolio?
  • Many businesses compete by specialising, and they compete successfully in those areas where they excel.
  • Therefore, it is difficult for companies to excel in a wide range of diversified businesses. There is a possible risk that by diversifying too much, an organisation might become much more difficult to manage. Risks could therefore increase with diversification, due to loss of efficiency and problems of management.
  • Many organisations diversify their operations, both in order to grow and to reduce risks, but they do so into related areas, such as similar industries (e.g. banking and insurance, film and television production, and so on) or the same industry but in different parts of the world.
  • Relatively little advantage accrues to the shareholders from diversification. There is nothing to prevent investors from diversifying for themselves by holding a portfolio of stocks and shares from different industries and in different parts of the world.

Test your understanding 2

Briefly consider whether it is always a good business strategy for a listed company to diversify to reduce risk.

Risk strategy and Ansoff's matrix

The strategy of an organisation will be affected by risk in the following ways.

  • If the risk capacity has been reached, then the organisation will tend to seek low-risk activities. However, if the risk capacity is high then risky projects may be undertaken.
  • Overall, the organisation's strategy is likely to have a portfolio of projects, some incurring more risk than others, so that the overall risk appetite is met from that portfolio. A high-risk appetite will indicate that the organisation will normally seek a lower number of higher-risk/return activities. However, a low-risk appetite indicates that a higher number of low-risk/lower-return activities will be preferred.
  • Finally, a risk strategy of primarily self-insurance may limit the organisation's strategy regarding undertaking risky projects. Self-insurance implies risk minimisation as an overall strategy.
  • Similarly, a risk strategy of risk transference may imply an overall strategy that incorporates a higher level of risk. However, risk will then be limited by the amount of insurance premiums. Where premiums become too high, the risk strategy determines that, overall, the organisation will seek less risky projects.

Ansoff's product/market matrix provides a summary of strategic options for an organisation when looking to expand. The matrix is shown below.

In summary, the matrix illustrates that an organisation can expand using existing or new products into existing or new markets. The level of risk associated with each strategy is:

Option 1 – low risk as the product and the market are known – the risk here is attempting to sell a product in the marketplace when demand is falling (e.g. video players).

Option 2 – higher risk – although the market is known there is a risk that customers will not like the enhanced or new product (e.g. a mobile telephone that can double as an MP3 player).

Option 3 – again higher risk – the product is known but the marketplace is not. The main risks relate to poor sales strategy or poor market research indicating that customers want the product when they do not (e.g. Asda retreating from Germany).

Option 4 – highest risk option – both the market and the product are new, combining the risks from Options 2 and 3. While the risk is highest here, so are potential returns if the new product can be successfully sold in the new market.

Test your understanding 3

Azure Ltd was incorporated in Sepiana on 1 April 20X4. In May, thecompany exercised an exclusive right granted by the government of Pewtato provide twice weekly direct flights between Lyme, the capital ofPewta, and Darke, the capital of Sepiana.

The introduction of this service has been well advertised as'efficient and timely' in national newspapers. The journey time betweenSepiana and Pewta is expected to be significantly reduced, soencouraging tourism and business development opportunities in Sepiana.

Azure operates a refurbished 35-year-old aircraft which is leasedfrom an international airline and registered with the Pewtan AviationAdministration (the PAA). The PAA requires that engines be overhauledevery two years. Engine overhauls are expected to put the aircraft outof commission for several weeks.

The aircraft is configured to carry 15 First Class, 50 BusinessClass and 76 Economy Class passengers. The aircraft has a generous holdcapacity for Sepiana's numerous horticultural growers (e.g. of cocoa,tea and fruit) and general cargo.

The six-hour journey offers an in-flight movie, a meal, hot and cold drinks and tax-free shopping. All meals are prepared in Lyme under a contract with an airport catering company. Passengers are invited to complete a 'satisfaction' questionnaire which is included with the in-flight entertainment and shopping guide. Responses received show that passengers are generally least satisfied with the quality of the food – especially on the Darke to Lyme flight.

Azure employs ten full-time cabin crew attendants who are trained in air-stewardship including passenger safety in the event of accident and illness. Flight personnel (the captain and co-pilots) are provided under a contract with the international airline from which the aircraft is leased. At the end of each flight the captain completes a timesheet detailing the crew and actual flight time.

Ticket sales are made by Azure and travel agents in Sepiana and Pewta. On a number of occasions Economy seating has been over-booked. Customers who have been affected by this have been accommodated in Business Class as there is much less demand for this, and even less for First Class. Ticket prices for each class depend on many factors, for example, whether the tickets are refundable/non-refundable, exchangeable/non-exchangeable, single or return, mid-week or weekend, and the time of booking.

Azure's insurance cover includes passenger liability, freight/baggage and compensation insurance. Premiums for passenger liability insurance are determined on the basis of passenger miles flown.


Identify and explain the risks facing Azure Ltd. Describe how these risks could be managed and maintained at an acceptable level by Azure Ltd. [No specific risk management model is required.]

8 Risk auditing

  • Risk audit is a systematic way of understanding the risks that an organisation faces.
  • Unlike financial auditing, risk audit is not a mandatory requirement for all organisations but, in some highly regulated industries, a form of ongoing risk assessment and audit is compulsory in most governance jurisdictions.
  • Some organisations employ internal specialists to carry out risk auditing, others utilise external consultants to perform the work.

Refer to the Examiner's article published in Student Accountant in March 2009, "Risk and Environmental Auditing".

Internal or external risk auditors?

The case for Internal Audit:

  • The actual management of risk is a responsibility of management and is therefore an internal function. Thus many companies prefer to keep their assessment 'in-house'.
  • Internal audit teams have the advantage of familiarity with the organisation's culture, systems, procedures and policies. Given their familiarity with the nature of the business and how things are supposed to work, internal audit should be able to perform a highly specific and focussed risk assessment. It can be argued that an external team would take a long time to develop the same understanding and could never, in practice, maintain the same knowledge of a company's nuances, as it evolves, as an internal team would.
  • Internal teams are flexible in terms of the way they are deployed. As they are controlled by management they can be directed to perform a variety of engagements that can be changed at a moment's notice. All engagements with external teams are subject to the restrictions of engagement letters, availability of resources and the fees they charge.
  • Internal audit should produce work that is written and structured according to the expectations and norms of the organisation, which is therefore relevant for the intended use. External teams could be criticised for pitching their reports at too high a technical level for the intended audience or perhaps in an area the audience was not specifically concerned with.

The case for External Audit:

  • External teams should comply with IFAC's (and ACCA's) code of ethics. They should therefore be more objective than an internal team, who will suffer from over-familiarity with the company. It is likely that external auditors will have no link to anybody inside the organisation being audited and so there will be fewer prior friendships and personal relationships to consider.
  • The fact that these threats are avoided or reduced will create a higher degree of confidence for investors and, where applicable, regulators.
  • Any external auditor brings a fresh pair of eyes to the task, identifying issues that internal auditors may have overlooked because of familiarity. When internal employees audit a system or department, they may be so familiar with the organisation's routines, procedures, culture, and norms that a key risk might be overlooked or wrongly assessed.
  • Best practice and current developments can be introduced if external consultants are aware of these. Given that consultants typically promote themselves on the currency of their skills, it is often more likely that their knowledge will be more up to date than that of internal staff, whose skills may be geared specifically to their organisation's needs and expectations.

Purpose of risk auditing

  • Risk auditing assists the overall risk monitoring activity (last step in the risk management process) by providing an independent view of risks and controls in an organisation.
  • As with any audit situation, a fresh pair of eyes may identify errors or omissions in the original risk monitoring process.
  • In many situations, audit work is obligatory (e.g. SOX requirements).
  • Following review, internal and external audit can make recommendations to amend the risk management system or controls as necessary.

Stages of a risk audit

Process of a risk audit

The process of internal and external audit in monitoring risks will include:

(1) Identifying the risks that exist within an organisation.

(2) Assessing those risks in terms of likelihood of occurrence and impact on the organisation should the risk actually occur.

(3) Reviewing the controls that are in place to prevent and/or detect the risk and assessing if they are appropriate.

(4) Informing the board (or risk management committee where one exists) about risks which are outside acceptable levels or where controls over specific risks are ineffective.

9 Process of external reporting of internal controls and risk

External reporting of internal control and risk relates to reporting to parties outside the company.

  • The provision of information regarding internal controls is important to safeguard shareholders' interests and companies' assets.
  • Reporting may be voluntary or required by statute (e.g. specified in the US by section 404 of Sarbanes-Oxley).
  • In the extreme, third parties will be required to report where the company is either unaware of reporting situations or declines to report voluntarily.
  • Some reporting systems are geared towards internal reporting (e.g. audit committees) but external reporting may also be required.
  • The 'process' of reporting implies some form of decision making prior to an external report being made.
  • The process will normally imply compliance with the relevant statutory or ethical guidance appropriate to the entity and the person making the external report.

SOX reporting

In the US system, external reporting is regular and follows a set pattern. Sarbanes-Oxley reporting applies to companies listed on a US stock exchange such as the NASDAQ or NYSE.

Reporting is split between the directors and the auditors as shown below:

See chapter 10 section 5 for further detail of SOX section 404, which has proved to be a significant burden on smaller companies.

UK external reporting

In the UK, the reporting system is based on the concept of comply (with the corporate governance regulations) or explain (the non-compliance). While regulations apply to listed companies, corporate governance is still a code, rather than statutory, so it is more difficult to enforce.

Reporting sources will focus on different elements of risk management, as discussed below:

10 Chapter summary

Test your understanding answers

Test your understanding 1

(a) TARA model

The TARA model of risk management assists decision makers in choosing the appropriate risk management option for different events and circumstances. There are four options, as explained below.

Transference

In this option, risk is transferred wholly or in part to a third party, so that if an adverse event occurs, the third party suffers all or most of the loss. A common example of risk transfer is insurance. All businesses arrange a wide range of insurance policies for protection against possible losses.

There is a risk that part or all of the outdoor tennis tournament is rained off (a 10% probability of rain suggests on average that one day's play each year will be lost because of rain). While TGB can accept the risk of 1 day being lost to rain and hopefully build contingencies into their time budgets for this, the risk of losing any more days must be guarded against. TGB are likely to take out insurance against this possibility. Insurance will be for loss of profit and possibly to repay customers for their tickets where more than two days' consecutive play is lost.

Avoidance

Another strategy for an organisation is to avoid a risk altogether. However, since many risks are unavoidable in business ventures, they can be avoided only by not investing (or withdrawing from the business area completely).

In terms of business probity, running a sporting event where it is almost certain that deaths and injury will occur does not appear to be acceptable. TGB may incur adverse publicity as a result of any accidents, partly because the board knew these were likely to occur. Even if the event were held, TGB will not be able to obtain insurance. Any claims for negligence, for example, would directly impact on TGB. Even though the event appears profitable, the best course of action appears to be not to run the event.

Reduction

Another option is to reduce the risk, either by limiting exposure in a particular area or attempting to decrease the adverse effects should that risk actually occur.

For the curling championships, the best option for TGB appears to be to limit the risk in this area. Holding the championships in all 25 countries appears risky as demand is not known, and will involve TGB in additional costs. One option, therefore, is to hold the championships only in the colder countries this year where demand is higher.

Depending on the success this year, the feasibility of extending the championships in the following year can be assessed.

Acceptance

Finally, an organisation can simply accept that the risk may occur and decide to deal with the consequences in that particular situation. The strategy is appropriate normally where the adverse effect is minimal.

The skiing championships are threatened by global warming; however, the board considers the threat to be remote. While the loss of the championships could presumably be insured against, the premium is unclear and the likelihood of lack of snow, at least at present, is remote. The board's decision to do nothing is therefore correct. However, the situation should be monitored in the future and the need for insurance reviewed again as necessary.

(b) Risk manager and risk committee


The risk manager is a member of the risk committee. The manager reports to that committee as well as the board of directors. The risk committee will normally include board members as well as senior management. Where there is no risk committee then the audit committee will normally take on this role.

Risk awareness

The risk committee is responsible for raising risk awareness in a company and ensuring that there is appropriate risk management.

The risk manager is responsible for implementing any policies of risk awareness as well as reporting deficiencies in risk management to the board.

Monitoring risks

The risk committee will ensure that there are adequate and efficient processes in place in the company to identify, report and monitor risks. In this sense, the committee will be identifying risks and ensuring that the risks are dealt with effectively.

The risk manager will also be identifying risks and reporting those to the risk committee. The monitoring undertaken by the manager will be at a lower level than that of the committee. The manager is likely to be liaising with internal auditors to monitor the detailed implementation and review of risk mitigation strategies and internal audits of those strategies.

Company risk profile

The risk committee will be responsible for updating the company's risk profile as well as reporting to the board and making recommendations regarding the risk appetite of the company.

The risk manager will be advising the committee on the risk profile and risk appetite.


The risk committee has a strategic role in a company. They monitor the whole risk management process and make recommendations to the risk manager.

The risk manager implements the recommendations from the risk committee. In this sense the role is more operational than strategic as the manager is responsible for the detailed internal controls necessary to manage identified risks.

Risk management policy

The company's overall risk management policy is set by the board with the assistance of the risk committee.

The risk manager is then responsible for implementing that policy.

Best practice in risk management

The risk committee will ensure that the best practices in risk management are followed within the company. This means that changes to risk management strategies will be recommended where necessary.

The risk manager will provide reports to the committee on risk management practices obtained from detailed research. The manager will also monitor the external environment for new legislation and again inform the committee of this, where necessary recommending any necessary action.

Test your understanding 2

Arguments for and against diversification.

For diversification:
  • Reduces risks and enables company to give more predictable return to investors.
  • Attracts investors who want low-risk investments.

Against diversification:
  • Management may not understand all the businesses that the company operates in – increases the risk.
  • It is not necessary to diversify for investors – they can diversify themselves by investing in a number of different companies. A listed company is likely to have many institutional shareholders who will generally be fully diversified in their own investments.
  • New business areas can attract risks, e.g. going into a new country may increase the risk of not understanding a company culture.

Test your understanding 3

Risk: Rights to operate

All terms and conditions of the rights to operate, which provide assurance that Azure is a going concern for the time being, must be met. For example, twice-weekly flights may be a 'guaranteed' minimum.

Terms and conditions attached to the rights may threaten Azure's operational existence if, for example, there are any circumstances under which the rights could be withdrawn, for example if the standard of service falls below a minimum specified level.


  • Accept at the present level (as one that has to be borne) but, bear in mind (e.g. when making strategic decisions) the impact that management's actions could have on any renewal of the rights.
  • Relevant terms and conditions should be communicated to all staff so they are clear about the importance of their areas of responsibility.

Risk: Competition

Although at the moment there appears to be none (as the rights are exclusive), any competition in the future could reduce profitability (e.g. if the rights were to become non-exclusive or an indirect service between Sepiana and Lyme should be established).


  • Monitor the progress of applications for flights to destinations which could provide transit to Lyme.
  • Reduce the risk by increasing the reliability and reputation of Azure's service, improving comfort, etc (e.g. by increasing leg room and air-conditioned lounges).

Risk: Age of aircraft

The age of the aircraft (35 years) is likely to have a bearing on fuel consumption and other costs (e.g. repairs and maintenance).


  • Azure should manage its cash flows and borrowing capability (e.g. bank loan facility) to carry out ongoing operating repairs as and when needed.

Risk: Engine overhaul

If the lease is a finance lease it is likely that Azure will have to bear the costs of the overhaul – which may have a detrimental effect on cash flows.

The service would need to be suspended while the engine is being overhauled unless an alternative is planned for.


  • As above, Azure should budget its financial resources to meet the costs of the overhaul, the timing of which can be planned for.
  • The lease agreement with the airline should provide that an equivalent aircraft be available.

Risk: Leased asset

Azure operates with just one leased asset which may be withdrawn from service:

  • in the interests of passenger safety (e.g. in the event of mechanical failure);
  • for major overhaul;
  • if Azure defaults on the lease payments.


  • Azure should enter into a contractual arrangement (e.g. may be included within the terms of an operating lease) for a replacement aircraft in the event that the aircraft be grounded.
  • Azure should carry adequate insurance cover for remedying and/or providing compensation to customers for significant disruptions to the scheduled service.

Risk: Fuel prices

Increases in fuel prices (a major operational cost) will reduce profitability.


  • Fuel surcharges should be included in the flights' price structure so that significant increases can be passed on to the customers.
  • Hedging against the effect of energy price (and exchange rate) risks through forward contracts.

Risk: Weather

Weather conditions may delay or cancel flights. Actual and potential customers may choose not to plan trips if the flight schedule is so unreliable that they expect to face disruptions and uncertain journey times.


  • Manage the impact of the risk/modify the business activity. For example, as any form of travel may be hazardous if weather conditions are so bad as to disrupt the flight schedule, there should be air-conditioned facilities in which travellers can relax before their journey.

Risk: Horticultural cargo

Certain produce may be prohibited from import (e.g. due to the risk of spread of disease). Azure may face fines for carrying banned produce.

Growers may seek to hold Azure liable for:

  • produce which perishes (e.g. if successive flights are cancelled);
  • impounded goods.


  • Contracts with growers should clearly state items of produce that cannot be carried.
  • Azure's operational controls should include verification checks on produce carried.
  • Azure should have adequate insurance cover against claims for damaged/lost cargo.

Risk: Economy

With significantly less demand for Business Class than for Economy (which gets over-booked) and even less for First Class, the service is operating at well below capacity (Economy is only 54% of seating capacity).

Azure may not be recouping fixed operating costs in the long run, making the service uneconomical.


  • Keep demand for the classes of tickets under review and respond to the excess of supply over demand for Economy seating (and demand shortfall for First and Business Class seats). For example:
    • charge higher prices for economy on peak flights;
    • offer larger discounts for advance bookings on First and Business Class seats;
    • introduce a loyalty scheme for frequent users which offers 'preferred customer' seat upgrades.

Risk: Service levels

Azure's schedule is described as 'efficient and timely'. If the level of service delivered does not meet expectations it is unlikely that a regular customer base will be established.


  • Azure should benchmark the timeliness of its service, against a comparable airline service operating under similar weather conditions.

Risk: On-board services

Passengers are expressing dissatisfaction with meals provided, especially on the 'return' flight from Darke. The food prepared in Lyme may be stale or contaminated by the time it is served.

Passengers may be deterred from using this flight if they are subject to the risk of illness.


Azure should consider:

  • changing caterer in Lyme;
  • a contract with a caterer in Darke;
  • expert advice (e.g. of a chef) on preserving the quality of meals for long-haul flights.

Risk: Passenger safety

Penalties for non-compliance with safety regulations (e.g. maintenance checks on life jackets, etc) may be incurred if inspection logs are not kept.

Azure may face lawsuits for personal injury or illness (e.g. deep vein thrombosis, 'DVT').


  • Staff training should be on-going with regular safety drill procedures (e.g. in evacuation procedures and the use of life-rafts).
  • Safety procedures must be demonstrated before take-off on every flight and passengers referred to safety information, including how to reduce the risk of DVT, provided with each seat.

Risk: Air stewards/Cabin crew safety

Azure will have difficulty recruiting and maintaining the services of appropriately qualified cabin crew if it does not have sufficient regard for their health and safety.


Flight personnel rotas should ensure, for example, that:

  • pilots take 'ground leave' between flights;
  • there is adequate 'cover' when crew are sick or taking leave.

Risk: Emergency

A serious accident (e.g. fire), collision or breakdown may threaten operations in both the short and longer-term.


Accept at the present level, but taking all practicable safety checks now implemented in the airline industry to ensure that Azure is not exposed to preventable risks. For example:

  • x-ray screening of checked-in baggage;
  • security screening of cabin baggage and passengers, etc.

Risk: Flight personnel

Azure may not be able to service the flight in the event of non-supply of flight personnel by the international airline (e.g. due to strike action).


  • The agreement with the airline should indemnify Azure for all costs and losses incurred if flights are cancelled due to non-availability of flight personnel.

Risk: Flight tickets

Tickets are sold by more than one party (Azure and travel agents) and at more than one location. Also, pricing is complex, with a range of tariffs depending on many factors. This increases the risk that:

  • revenue may be lost if passengers are under-charged or ticket sales unrecorded; and
  • flights may be over-booked, with consequent loss of customer goodwill.

The configuration of the aircraft does not currently meet the current demand profile of passengers and, under the terms of an operating lease, may not be changeable.


  • Strict controls must be exercised over:
    • unused tickets;
    • ticket pricing;
    • real-time reservations; and
    • ticket refund and exchange transactions.
  • Commence negotiations with the international airline for an amendment to the current lease terms allowing flexibility in the seating arrangements.

Tutorial note: Candidates are not expected to have specific knowledge of the airline industry. However, marks will be awarded for relevant comments, for example, concerning quotas for landing/take-off slots and IATA's levy. The preceding answer is not exhaustive. For example, that the aircraft is flying for only 24 hours a week is a risk as this is a low capacity at which to operate for the recovery of overheads.

Created at 5/24/2012 12:35 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 5/25/2012 12:54 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
