Risk management is a key element of any management accounting role. The ability to identify risks before they arise, and then plan a strategy for controlling risks is paramount. The consequences of not doing this could be business failure.

This page looks at defining, identifying and mapping risks. Further aspects can be explored using the following links:

Definitions of risk

A popular way of defining risk is as an unrealised yet potential future loss arising from a present action or inaction. This sees risk as an essentially negative factor.

A definition that may be more specific to businesses would be that risk is the variability in future cash flows. This sees risks as both the opportunities and dangers associated with uncertain future events. Risks can have an adverse ('downside exposure') or favourable impact ('upside potential') on the organisation's objectives.

For example, if you have a variable rate loan then you would benefit from an interest rate drop but suffer if rates increased.

Ideally people want to reduce their downside exposure while staying open to the potential for upside gains. One way of doing this is through the use of financial options but these come at a high cost. Most financial derivatives effectively fix future prices (e.g. interest rates) and so eliminate the downside and the upside potential.

A more workable definition that is often used in standards concerning risk is that

Risk = probability × impact


  • probability = probability of an event occuring
  • impact = the consequences to the firm if the event occurs

For example, a fire at a warehouse could have a major financial impact but how likely is it to occur? Both aspects are important to deciding how to manage the risk.


  • some writers use the term "true risk" for the downside exposure
  • Some writers use the term "uncertainty" where probabilities cannot be quantified and the term "risk" only when they can.

Why incur risk ?

Risk and return

To generate higher returns a business may have to take more risk in order to be competitive. Risk and return are often linked.

  • Conversely, not accepting risk tends to make a business less dynamic, and implies a 'follow the leader' strategy.
  • Incurring risk also implies that the returns from different activities will be higher 'benefit' being the return for accepting risk.
  • Benefits can be financial - decreased costs, or intangible better quality information.
  • In both cases, these will lead to the business being able to gain competitive advantage.

Benefits of taking risks

 Consider the following grid in terms of the risks a business can incur and the benefits from undertaking different activities.

Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage - although where there is low risk there is also only a limited amount of competitive advantage to be obtained. For example, a mobile telephone operator may produce its phones in a wide range of colours. There is little or no risk of the technology failing, but the move may provide limited competitive advantage where customers are attracted to a particular colour of phone.

Some low-risk activities, however, will provide higher competitive advantage - when these can be identified. If these can be identified, then the activity should be undertaken because of the higher reward. For example, the mobile phone operator may find a way of easily amending mobile phones to make them safer regarding the electrical emissions generated. Given that customers are concerned about this element of mobile phone use, there is significant potential to obtain competitive advantage. However, these opportunities are few and far between.

High-risk activities can similarly generate low or high competitive advantage. Activities with low competitive advantage will generally be avoided. There remains the risk that the activity will not work, and that the small amount of competitive advantage that would be generated is not worth that risk.

Other high-risk activities may generate significant amounts of competitive advantage. These activities are worth investigating because of the high returns that can be generated. For example, a new type of mobile phone providing, say, GPS features for use while travelling, may provide significant competitive advantage for the company; the risk of investing in the phone is worthwhile in terms of the benefit that could be achieved.

The point is, therefore, that if a business does not take some risk, it will normally be limited to activities providing little or no competitive advantage, which will limit its ability to grow and provide returns to its shareholders.

Risk identification

The risks businesses face will vary greatly between companies and derive from a number of different sources, including those shown below.

The risks listed below are not exhaustive but illustrate many of the typical risks that affect a business.

Risk types

Market risks.

Risks which derive from the sector in which the business is operating, and from its customers. These risks can apply to:

  • resource (not being able to obtain the required inputs)
  • production (risks in poor manufacturing, etc.)
  • capital markets (not being able to obtain necessary finance)
  • liquidity (the risk of having insufficient cash for the day-to-day running of the business).

Product risk.

The risk that customers will not buy new products (or services) provided by the organisation, or that the sales demand for current products and services will decline unexpectedly.

A new product launched onto the market might fail to achieve the expected volume of sales, or the take-up might be much slower than expected. For example, the demand for 'third generation' (3G) mobile communications services has grown much slower than expected by the mobile telephone service providers, due partly to the sluggish development of suitable mobile phone handsets.

Commodity price risk.

Businesses might be exposed to risks from unexpected increases (or falls) in the price of a key commodity.

Businesses providing commodities, such as oil companies and commodity farmers, are directly affected by price changes. Equally, companies that rely on the use of commodities could be exposed to risks from price changes. For example, airlines are exposed to the risk of increases in fuel prices, particularly when market demand for flights is weak, and so increases in ticket prices for flights are not possible.

Product reputation risk.

Some companies rely heavily on brand image and product reputation, and an adverse event could put its reputation (and so future sales) at risk. Risk to a product's reputation could arise from adverse public attitudes to a product or from negative publicity: this has been evident in Europe with widespread hostility to genetically-modified (GM) foods.

Credit risk.

Credit risk is the possibility of losses due to non-payment, or late payment, by customers. The exposure of a company to credit risks depends on factors such as:

  • the total volume of credit sales
  • the organisation's credit policy
  • credit terms offered (credit limits for individual customers and the time allowed to pay)
  • the credit risk 'quality' of customers: some types of customer are a greater credit risk than others
  • credit vetting and assessment procedures.

Liquidity risk

Liquidity risk relates to the possibility of a company's cash inflows not being sufficient to meet its cash outflows. This may arise from poor credit control or cash management, and may show itself in late payment to suppliers, or even in downgrading of its credit rating.

Currency risk.

Currency risk, or foreign exchange risk,arises from the possibility of movements in foreign exchange rates, and the value of one currency in relation to another.

Interest rate risk.

 Interest rate risk is the risk of unexpected gains or losses arising as a consequence of a rise or fall in interest rates. Exposures to interest rate risk arise from borrowing and investing.

Gearing risk.

Gearing risk for non-bank companies is the risk arising from exposures to high financial gearing and large amounts of borrowing.

Political risk 

Political risk depends to a large extent on the political stability in the countries in which an organisation operates and the attitudes of governments towards protectionism.

A change of government can sometimes result in dramatic changes for businesses. In an extreme case, e.g. an incoming government might nationalise all foreign businesses operating in the country. Even in countries with a stable political system, political change can be significant, e.g. an incoming government might be elected on a platform of higher, or lower taxation.

Legal risk

Legal, or litigation risk arises from the possibility of legal action being taken against an organisation. For many organisations, this risk can be high.

For example, hospitals and hospital workers might be exposed to risks of legal action for negligence. Tobacco companies have been exposed to legal action for compensation from cancer victims. Companies manufacturing or providing food and drink are also aware of litigation risk from customers claiming that a product has damaged their health.

Regulatory risk

Regulatory risk arises from the possibility that regulations will affect the way an organisation has to operate. Regulations might apply to businesses generally (e.g. competition laws and anti-monopoly regulations) or to specific industries.

Compliance risk

Compliance risk is the risk of losses, possibly fines, resulting from non-compliance with laws or regulations. Measures to ensure compliance with rules and regulations should be an integral part of an organisation's internal control system.

Technology risk

Technology risk arises from the possibility that technological change will occur. Like many other categories of risk, technology risk is a two-way risk, and technological change creates both threats and opportunities for organisations.

Economic risk

Economic risk refers to the risks facing organisations from changes in economic conditions, such as economic growth or recession, government spending policy and taxation policy, unemployment levels and international trading conditions.

Environmental risk

Environmental risk faces a business due to the environmental effects of its operations.

These effects may include pollution resulting from business activity, such as oil spillages (and hence the risk of being held liable for such pollution, along with punitive action) or restrictions on the supply of natural resources to the business due to environmental factors (e.g. global warming). The risk may even extend to changes in regulations relating to environmental issues or public opinion on environmental impacts of businesses.

Health and Safety risk.

 Many companies engage in potentially hazardous activities that can give rise to injury or the loss of life of those working in a particular environment such as:

  • an oil rig
  • a factory
  • a farm

Health and safety risks are an inherent part of these industries and so the risk management task cannot be to avoid the risks completely.To reduce the risk to an acceptable level will involve incurring the costs of risk mitigation:

  • Installing protective shielding
  • Issuing safety equipment like hats and protective glasses, etc.

Business probity risk

Business probity risk is related to the governance and ethics of the organisation. It can arise from unethical behaviour by one or more participants in a particular process. It is often discussed in the context of procurement, where issues such as failing to treat information as confidential, lack of trust in business dealings and time spent in resolution of disputes may arise.

Derivatives risk

Derivatives risk refers to the risks due to the use of financial instruments. There is a risk of significant losses (or gains) from trading speculatively in derivatives such as futures or options. The risk can be many times larger than the margins paid to enter these markets.

Entrepreneurial risk

Entrepreneurial risk is the necessary risk associated with any new business venture or opportunity. It is most clearly seen in entrepreneurial business activity, hence its name.

In 'Ansoff' terms, entrepreneurial risk is expressed in terms of the unknowns of the market/customer reception of a new venture or of product uncertainties, for example product design, construction, etc. There is also entrepreneurial risk in uncertainties concerning the competencies and skills of the entrepreneurs themselves.

Strategic and operational risks

Strategic risks:

  • risks arising from the possible consequences of strategic decisions taken by the organisation
  • also arise from the way that an organisation is strategically positioned within its environment
  • should be identified and assessed at senior management and board or director level
  • PESTEL and SWOT techniques can be used to identify these risks.

Operational risks:

  • refer to potential losses that might arise in business operations
  • include risks of fraud or employee malfeasance, poor quality production or lack of inputs for production
  • can be managed by internal control systems.

Sources of information on risk

The management of a company will obtain information about risks, and weaknesses, from a variety of sources including:

  • reports from departmental managers
  • whistleblowers
  • reports on key project and new business areas
  • results of internal audit reviews
  • customer feedback
  • performance monitoring systems (internal and external factors)
  • directors' own observations

Risk mapping

A common qualitative way of assessing the significance of risk is to produce a 'risk map':

  • The map identifies whether a risk will have a significant impact on the organisation and links that into the likelihood of the risk occurring.
  • The approach can provide a framework for prioritising risks in the business.
  • Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.
  • The significance and impact of each risk will vary depending on the organisation:
    • e.g. an increase in the price of oil will be significant for airline company but will have almost no impact on a financial services company offering investment advice over the internet.
  • The severity of a risk can also be discussed in terms of 'hazard'. The higher the hazard or impact of the risk, the more severe it is.
  • Risks can be plotted on a diagram, as shown below:

Sources and impact of risks

Examples of some different risks and possible impacts are:

Illustration of risk mapping

Bogle Freight is a freight-forwarding business. It sends containers of freight from Heathrow to airports around the world. It specialises in consolidating the freight of different shippers into a single container, to obtain the benefit of lower freight charges for large shipments. The prices that Bogle charges its clients cover a share of the airline flight costs and insurance, and provide a margin to cover its running costs and allow for profit.

To make a satisfactory profit, Bogle needs to fill its containers to at least 75%, and at the moment is achieving an average 'fill' of 78%.

International trade and commerce have been growing in the past year, although at a slow rate.

Bogle's management is aware that airline flight costs are likely to rise next year due to higher fuel costs, and because several major airlines that have been suffering large losses will be hoping to increase their prices.

The suggested risk map below uses the information provided, but also considers how the business of an international freight forwarder might be affected by risk factors. You might identify different risks.


(1) High probability, high impact risk. The business will be affected if the average 'fill' for containers falls from its current level of 78%. Profits will be unsatisfactory if the 'fill' is less than 75%, suggesting that there could be a high risk of falling and inadequate profitability due to failure to win enough business.

(2) Low probability, high impact risk. A downturn in international trade will affect the volume of freight and so would reduce Bogle's income. Since international trade has been growing, the likelihood of a downturn would seem to be low.

(3) High probability, low impact risk. It seems inevitable that airlines will charge higher prices, but Bogle can pass on these costs to its own customers, therefore the impact of this risk is low.

(4) Low probability, low impact risk. The collapse of a major airline is possible due to high losses, but is perhaps unlikely. If an airline did go out of business, international freight should not be affected, because businesses would switch to other airlines.

Impact on stakeholders

Any risk a business faces will have an impact on that business and it's various stakeholders. For example

Changes to risk assessments

Because risks change over time and the environments that companies operate within (both internal and external) vary with respect to the degree of change that is faced, risk assessments will need to be updated regularly.

In a dynamic environment these changing risks will lead to the assessment of probability and impact in the risk map constantly altering.

This will lead to a new risk map. For example:

As a result of risks changing, a company must adapt its risk management accordingly.

  • organisations in dynamic environments must invest more in risk management processes to keep abreast of changes
  • organisations in dynamic environments may need to have more rigorous (and costly) risk response strategies in place to be able to adapt to the changes.

Risk quantification

A number of tools can be used to quantify the impact of risks on the organisation, some of which are described below.

Scenario planning: in which different possible views of the future are developed, usually through a process of discussion within the organisation.

Sensitivity analysis: in which the values of different factors which could affect an outcome are changed to assess how sensitive the outcome is to changes in those variables.

Decision trees: often used in the management of projects to demonstrate the uncertainties at each stage and evaluate the expected value for the project based on the likelihood and cash flow of each possible outcome.

Computer simulations: such as the Monte Carlo simulation which uses probability distributions and can be run repeatedly to identify many possible scenarios and outcomes for a project.

Software packages: designed to assist in the risk identification and analysis processes.

Analysis of existing data: concerning the impact of risks in the past.

Created at 8/9/2012 9:46 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 9/27/2013 4:39 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


risk;Risk map;Risk quantification;Risk assessment;Risk types;Risk identification;Control

Recent Discussions

There are no items to show in this view.