DB -question on Real World Application of Risk Management

Description

Find one recent example of a situation/story/event in the news or on a website (within the past 6 months or so) and briefly describe how it relates to any of the risk management concepts we have studied so far in our course. Be sure to include the link if you opt for the website source.


Please add more sources when answering the question.

Unformatted Attachment Preview

15 Tolerate, treat, transfer and terminate

The 4 Ts of hazard response

Priority significant risks facing an organization are those that have:

• high or very high impact in relation to the benchmark test for significance;
• high or very high likelihood of materializing at or above the benchmark level;
• high or very high scope for cost-effective improvement in control.

Generally speaking, it is only priority significant risks that require attention at the most senior level of the organization. However, it is appropriate that compliance risks also receive boardroom attention. In practice, the board will expect these compliance risks to be properly managed and the board will only receive routine/annual reports describing risk performance, or a special report if a specific issue has arisen. The organization will seek to introduce effective and efficient controls to minimize compliance risks.

The benchmark test for significance should be set at a level that represents a significant impact for the organization. Having identified the priority significant risks, the organization then needs to review the controls in place and decide whether further actions are required. For hazard risks, the range of responses available is often described as the 4Ts.

There is a broad range of terminology available to describe risk response options. In fact, both British Standard BS 31100 and ISO 31000 use the term 'risk treatment' as the more generic description. For example, the British Standard defines risk treatment as the 'process of developing, selecting and implementing controls'. Likewise, ISO 31000 defines risk treatment as 'development and implementation of measures to modify risk'.

The terminology used in the Orange Book has been adopted for this text for the risk response stage of the risk management process. The options for responding to risk can then be identified as the 4Ts. Appendix B contains information on the alternative definitions that are used by different publications.

More information and a brief description of each of the 4Ts is provided in Table 15.1. The 4Ts of hazard risk management can be summarized as:

• tolerate;
• treat;
• transfer;
• terminate.

TABLE 15.1 Description of the 4Ts of hazard response

1 Tolerate (Accept/retain): The exposure may be tolerable without any further action being taken. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.

2 Treat (Control/reduce): By far the greater number of risks will be addressed in this way. The purpose of treatment is that, whilst continuing within the organization with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.

3 Transfer (Insurance/contract): For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.

4 Terminate (Avoid/eliminate): Some risks will only be treatable, or containable to acceptable levels, by terminating the activity. It should be noted that the option of termination of activities may be severely limited in government when compared to the private sector.

Figure 15.1 suggests that there is a dominant response in relation to each of the 4 Ts, according to the position of the risk on a risk matrix. For risks that are low likelihood/low impact, the main response is tolerate. For risks that are high likelihood/low impact, the main response is treat. For risks that are low likelihood/high impact, the main response is transfer, and for risks that are high likelihood/high impact, the main response is terminate.

FIGURE 15.1 Risk matrix and the 4 Ts of hazard management (axes: impact and likelihood; quadrants: tolerate the risk and its likely impact; treat the risk to reduce the likely impact or exposure; transfer the risk to another party; terminate the activity generating the risk)

In order to give some context to the range of risks that is being considered, Table 15.2 provides examples of the range of potentially significant risks associated with the headings of the FIRM risk scorecard. Assessment of each of the risks will enable the organization to place the risk on a risk matrix. The position of the risk on the risk matrix will then indicate the most likely response to that risk. If the risk assessment is undertaken at the current level of risk, the effect of the existing controls will already have been evaluated as part of the risk assessment exercise.

Consider the case of a theatre that needs to respond to the increasing use of agents who require payment at the time of the booking, rather than after the performance. Also, a recent failure of an actor to arrive on the night of the performance caused the theatre considerable financial loss. This has resulted in the theatre reviewing the booking and appearance arrangements for actors and deciding responses that are appropriate in relation to all 4 Ts. The theatre might decide that it has to tolerate the new booking fee arrangements. It has also decided that in order to treat/reduce the risk, it will only deal with established agents in future and terminate existing arrangements with an agency that has proved unreliable in the past. The theatre might also investigate the possibility of buying insurance, so that the theatre can transfer the cost of a performance cancelled because the actor fails to arrive on the night.

TABLE 15.2 Key dependencies and significant risks

(Columns: FIRM risk scorecard; example dependencies; example of a significant risk)

Financial
• Availability of funds: Insufficient funds available from parent company
• Correct allocation of funds: Inadequate profit because of incorrect capital expenditure decisions
• Internal control: Fraud occurs because of inadequate internal controls
• Liabilities under control: Higher than expected liabilities arise in the pension fund

Infrastructure
• People: Failure to achieve/maintain health and safety standards
• Premises: Damage to key location caused by insured peril
• Processes: IT control systems not available because of virus or hacker activity
• Products: Disruption because of failure of supplier

Reputational
• Brand: Product recall causes damage to product image and brand
• Public opinion: Lost sales or revenue because of change in public tastes
• Regulators: Regulator enforcement action causes loss of public confidence
• CSR: Allegations of unethical product-sourcing causes loss of sales

Marketplace
• Regulatory environment: Change in tax regime results in unbudgeted tax demands
• Economic health: Decline in world or national economy reduces consumer spending
• Product development: Changes in technology reduce product appeal and sales
• Competitor behaviour: Competitor substantially reduces prices to win market share

Tolerate risk

Risk tolerance is defined in Guide 73 as the organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. The guide then adds that risk tolerance can be influenced by legal or regulatory (compliance) requirements. The comment about legal or regulatory requirements is very relevant, in that organizations will often have to tolerate a risk because of legal or regulatory requirements, even in circumstances where the organization would otherwise not wish to tolerate that risk. It should be noted that tolerance relates to a specific or individual risk, rather than the more general approach represented by risk appetite. Risk appetite refers to the amount and type of risk that an organization is willing to pursue or retain.

There is a confusion of terminology between when an organization is willing to tolerate a risk and the concept of risk tolerance. The concept of tolerate is normally concerned with the organization being willing to retain or tolerate a risk, even if it is higher than the organization would choose to accept. The other concept is that of risk tolerance. Many organizations use risk tolerance in the engineering sense to represent the range of risk that is broadly acceptable. In Figure 25.1, the central sections of concerned zone and cautious zone draw the boundary around the risk tolerance. As with the engineering use of the word tolerance, these zones define the boundaries within which the organization desires the level of risk to be confined.

An organization may have to tolerate risks that have a current level beyond its comfort zone and its risk appetite. On occasions, an organization may even have to tolerate risks that are beyond its actual risk capacity. However, this situation would not be sustainable and the organization would be vulnerable during this period.

When the hazard risk is considered to be within the risk appetite of the organization, the organization will tolerate that risk. Risk tolerance is shown as the approach that will be adopted in relation to low-likelihood risks with low impact. However, an organization may decide to tolerate risk levels that are high because they are associated with a potentially profitable activity or relate to a core process that is fundamental to the nature of the organization.

It is unusual for a hazard risk to be accepted or tolerated before any risk control measures have been applied. Generally speaking, a risk only becomes tolerable when all cost-effective control measures have been put in place, so that the organization is accepting or tolerating the risk at its current level. Certain control measures may have been applied because the inherent level of the risk may have been unacceptable. Control effort seeks to move the risk to the low-likelihood/low-impact quadrant of the risk matrix, as illustrated in Figure 16.1.

Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced against another. This is a simple description of neutralizing or hedging risks, but on a business level this may represent a fundamentally important strategic decision. For example, an electricity company operating independently in the northern states of the United States may have to accept the impact of variation in temperature on electricity sales. By merging (or setting up a joint venture) with an electricity company in the southern states, the north/south combined operation will be able to smooth the temperature-related variation in electricity sales. The combined operation will then sell more electricity in the northern states during cold weather, when demand in the southern states is low. Conversely, the combined operation will sell more electricity for air-conditioning units in the southern states in the summer, when demand for electricity in the northern states may be lower.

Treat risk

When the level of risk exposure (likelihood) associated with a particular hazard is high but the potential loss (impact) associated with it is low, the organization will wish to treat the risk. Risk treatment will often be undertaken with the risk at the inherent and/or current level, so that when the risk has been treated, the new current level or target level may become tolerable.

Actions to improve the standard of risk control will always be under constant review in an organization. On a personal level, wearing a seat belt when driving a car or fitting an intruder alarm in a house are examples of risk reduction actions. Improvements to standards of risk control in relation to physical (insurable) risks are well known. Fitting sprinklers to buildings, providing enhanced building security arrangements and employee security vetting are all examples of risk improvement actions designed to better manage hazard risks.

When identifying suitable risk treatment options, the organization will need to look at the effect of the treatment on the likelihood of the risk materializing as well as looking at the impact of the risk should it materialize. Cost-effective risk treatments will need to be selected and the effect of different control measures can be shown on a risk matrix, as in Figure 16.1.

There is an issue of terminology associated with treat risk. ISO 31000 considers that 'treat risk' is the main heading under which various options exist, such as:

• avoiding the risk by deciding not to start or continue with the activity;
• taking or increasing the risk in order to pursue an opportunity;
• removing the risk source;
• changing the likelihood or the consequences;
• sharing the risk with another party or parties;
• retaining the risk by informed decision.

Other risk management standards refer to 'risk response' as the main heading and this is the approach taken in this chapter. Using risk response as the main heading then gives rise to the options of tolerate, treat, transfer and terminate.

As with all issues of terminology, it is for the organization to establish its own risk vocabulary, one that is consistent with the external, internal and risk management context. In some cases, terminology will be dictated by the external context. For example, banks and other financial institutions will need to use the terminology of the regulator. On occasions, terminology is dictated by the internal context within the organization. If the terminology that has developed within the organization is inconsistent with the terminology in ISO 31000, it is probably the case that the risk manager would be better advised to use the terminology that already exists within the organization, rather than trying to introduce new terms or new meanings for existing terms.

Transfer risk

When the likelihood of a risk materializing is low but the potential is high, the organization will wish to transfer that risk. Insurance is a well-established mechanism for transferring the financial impact of losses arising from hazard risks and (to a lesser extent) control risks. The issues associated with the use of insurance as a risk transfer mechanism are considered in more detail in Chapter 17.

In some cases, risk transfer is closely related to the desire to eliminate or terminate the risk. However, many risks cannot be transferred to the insurance market, either because of prohibitively high insurance premiums or because the risks under consideration have (traditionally) not been insurable.

Risk transfer can be achieved by conventional insurance and also by contractual agreement. It may also be possible to find a joint-venture partner, or some other means of sharing the risk. Risk hedging or neutralization may therefore be considered to be a risk transfer option, as well as a risk treatment option.

The cost of risk transfer is a component of risk financing. Once again, there is variation in the definitions used. In relation to risk financing, both BS 31100 and ISO 31000 agree that risk financing involves the cost of contingent arrangements for the provision of funds to meet the financial impact of a risk materializing. Such arrangements are usually provided by insurance, and insurance is, therefore, finance that is contingent upon certain insured events taking place.

A difference in the definitions in BS 31100:2008 and ISO 31000:2009 is that ISO 31000 also considers that the cost of risk financing should include the provision of funds to meet the cost of risk treatment. In this text, resourcing of controls is considered to be a separate step in the risk management process. This is another example that illustrates that there is no universally agreed or common language of risk.

There is another issue of terminology with the use of the phrase 'risk transfer'. ISO 31000 recommends that risk sharing should be used in preference to risk transfer. The argument is that a risk can never be fully transferred and whatever the intention of the parties, the risk will always be, to some extent, shared. This is an accurate analysis, but the choice of terminology used within an organization will also be influenced by other factors.

In relation to risk sharing, the insurance industry uses the terminology risk transfer. It may be difficult for the enterprise risk manager to insist on the use of the phrase risk sharing when the insurance manager in the organization prefers to use the terminology of risk transfer because that is the standard terminology used in part of the external context that is the insurance market.

Terminate risk

When a risk is both of high likelihood and high potential impact, the organization will wish to terminate or eliminate the risk. It may be that the risks of trading in a certain part of the world or the environmental risks associated with continuing to use certain chemicals are unacceptable to the organization and/or its stakeholders. In these circumstances, appropriate responses would be elimination of the risk by stopping the process or activity, substituting an alternative activity or outsourcing the activity that is associated with the risk.

An organization may wish to terminate a risk, but it could be the case that the activity that gives rise to it is fundamental to the ongoing operation of the organization. In such circumstances, the organization may not be able to terminate or eliminate the risk entirely and thus will need to implement alternative control measures.

This is a particular issue for public services. There may be certain risks that have high likelihood and high impact, but the organization is unable to terminate the activities giving rise to them. This may be because the activity is a statutory requirement placed on a government agency or public authority. The public service imperative may restrict the ability to cease the activity, so the organization will need to introduce control measures, to the greatest extent that is cost-effective.

It is likely that such control measures will be a combination of risk treatment and risk transfer. As these control measures are applied, the level of risk will move to a level where the organization will be able to tolerate the risk. Because of the variable nature of risks, it may not be possible to get all risks to a level that is within the risk appetite of the organization. The organization may find that it has to tolerate risks beyond its empirical risk appetite in order to continue to undertake a certain activity.

Strategic risk response

The overall approach to the management of control and opportunity risks is similar to the approach adopted for the management of hazard risks. However, there are sufficient differences in the range of options available for these to be presented separately. It is worth remembering that projects normally reflect and implement the tactics that are being employed to implement strategy.

Figure 16.1 illustrates the 4 Ts of hazard risk management and the type of controls that are most likely to be associated with each type of hazard risk response. The types of controls are considered below.

This chapter has been concerned almost exclusively with responding to hazard risks. The 4 Ts represent the options for mitigating hazard risks. Figure 15.2 suggests that there are a range of responses available for the management of opportunity risks. Developing and implementing effective and efficient strategy will require the evaluation of the level of risk associated with each available strategy and the level of reward that the strategy will deliver.

The 4 Es of opportunity management are set out as exist, explore, exploit and exit. There is a close relationship between the 4 Es and the status of the organization, as illustrated in Figure 15.2. A start-up operation will face a higher level of risk and low potential rewards. Entrepreneurial opportunities will be explored at this time. As the organization grows, potential rewards will increase while the level of risk will remain high. The organization will seek to achieve growth, but may feel that growth is too slow or the level of risk remains too high, and if so it will exit from those operations.

FIGURE 15.2 Risk versus reward in strategy (axes: level of risk and potential reward; quadrants: explore entrepreneurial opportunities; expand depending on risk appetite and capacity; exploit opportunity until competitors arrive; exist in mature/declining markets)

After a period of growth, the organization should be achieving a high reward for a reduced risk. This represents the phase where the organization will exploit opportunities until competitors arrive. This is a mature operation. All mature operations are exposed to the possibility of decline, although many organizations choose to exist in a mature, declining market, where risk exposure is low and so are potential rewards.

The application of the 4 Es to the management of strategic, opportunity or speculative risks is consistent with the description of risk and reward

Explanation & Answer

I have attached your...

