
SESSION 12 IDENTIFYING RISK

OVERVIEW
Objective
To consider the various risks faced by business entities.



Overview diagram: RISK
RISK AND CORPORATE GOVERNANCE: Overview; Definitions – Risk; Turnbull and the Combined Code; Potential benefits; Beyond Turnbull
RISK CATEGORIES
GENERAL CATEGORIES: Strategic risk; Operational risk; Generic risk; Sector specific risk
COMMON BUSINESS RISKS and COUNTRY RISKS: Market risk; Credit risk; Liquidity risk; Technological risk; Legal and regulatory risk; Health and safety risk; Environmental risk; Reputation risk; Business probity risk; Derivative risk; Additional risks; Examples

1 RISK AND CORPORATE GOVERNANCE
1.1 Overview
Businesses have always faced risk and hence the need to manage such risks. Kit
Sadgrove (The Complete Guide to Business Risk Management) identifies three risk
management ages:
1.1.1 First age
Non-entrepreneurial types of risk (e.g. security, fire, theft, fraud, pollution) usually
covered by insurance. The focus was internal, reactive and with an uncoordinated risk
management strategy.
1.1.2 Second age
As above, except that, within the 1970s and 80s, organisations started to use more
preventative and proactive solutions (e.g. use of quality assurance procedures).
Legislation (e.g. on health and safety), the emergence of stakeholder theory and a
green agenda raising concerns over the environmental impact of businesses also
enhanced the need for greater interaction and pro-activity.
The first Chief Risk Officer (at GE Capital) was only appointed in 1993.
1.1.3 Third age
Entrepreneurial types of risk (e.g. innovation, investment, diversification, new and
emerging markets, business environments) that cannot be covered by insurance:
getting decisions wrong may cost a lot of money, but getting them right significantly
enhances shareholder wealth.
The focus is both internal and market orientated with a systematic approach to the risk
management strategy (e.g. Turnbull, COSO).
Initiated in 1995 with the publishing of the first risk management standard. This was
followed by other standards (e.g. Turnbull Report, Institute of Risk Management Risk
Management Standard, COSO Enterprise Risk Management – Integrated Framework) and
greater disclosure requirements within financial statements (e.g. IAS 1, IFRS 7) and
other reports (e.g. corporate social responsibility (CSR) and the Global Reporting
Initiative (GRI)).
Commentary

Perhaps a fourth age is beginning as risk management has firmly moved from being
largely associated with insurance, compliance and loss avoidance to being fully a
board-level activity, embedded throughout the organisation and a core part of its culture.
Once-exotic risks (e.g. human capital, reputation, supply chain, business resilience
and climate change) are now mainstream. In addition, risk management is no longer
being seen as a means to minimise loss but as a way to leverage broader benefits (e.g.
enhancing reputation and gaining a competitive advantage).

1.2 Definitions – Risk

Risk is any event which may affect an organisation's ability to survive and
compete in its market as well as to maintain its financial strength, positive
public image and the overall quality of its people and services.
It is the threat that an event or action will adversely affect an organisation's
ability to meet its business objectives and execute its strategies successfully.
(The Economist)
Risk is the possibility that an event will occur and adversely affect the
achievement of objectives. (COSO)
Risk is the combination of the probability of an event and its consequences.
(Institute of Risk Management)
Business risk is the risk that the business will not be able to do the business


Definitions – Risk management

The process whereby organisations methodically address the risks attaching
to their activities with the goal of achieving sustained benefit within each
activity and across the portfolio of all activities. (Institute of Risk Management)
A process, effected by the entity's board of directors, management and other
personnel, applied in strategy setting and across the enterprise. It is designed
to identify potential events that may affect the entity, and manage risk to be
within the entity's risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives. (COSO)


1.3 Turnbull and the Combined Code
The UK Combined Code, not only being the first code on corporate governance, was
also the first to set a strong link between internal control and risk management. As
already noted in other sessions, under the Combined Code:
The board's role is to provide entrepreneurial leadership of the company within a
framework of prudent and effective controls which enables risk to be assessed and
managed.
NEDs should satisfy themselves that financial controls and systems of risk
management are robust and defensible.
The board's review of the effectiveness of the internal controls should cover ... and
risk management systems.
The Audit Committee should review the company's risk management systems
unless expressly addressed by a separate board risk committee composed of
independent directors, or by the board itself.
When assessing governance disclosures, institutional shareholders should bear in
mind the size and complexity of the company and the nature of the risks and
challenges it faces.
Under the Listing Rules of the London Stock Exchange, a description of the main
features of a company's internal control and risk management systems must be
made in the financial statements.
The Turnbull Report was issued in September 1999 (and updated in October 2005) to
assist boardrooms with the Code's requirements on internal control and risk
management.
Turnbull basically recommended that companies should identify, evaluate and manage
all their risks (e.g. environmental, reputation and business propriety risks), not just
the narrowly financial ones.
Specific guidance under Turnbull relating to risks includes:
The regular reporting from management to the board on internal controls (required
under the Code) should provide a balanced assessment of the significant risks and
the effectiveness of the system of internal control in managing those risks.
When reviewing the reports, the board should:
consider what the significant risks are and assess how they have been identified,
evaluated and managed;
assess the effectiveness of the related system of internal control in managing
the significant risks.
Consideration of the scope, quality and effectiveness with which risks are identified
and managed.
Questions to be considered by the board when assessing the effectiveness of the
entity's risk and control processes (see earlier session).
Example 1

Suggest THREE questions that an entity's board should consider when
carrying out an annual review of risk assessment.


Commentary

At the time Turnbull was issued (1999) very few companies systematically carried out
non-conventional risk analysis. After Turnbull the impact, for example, on the role of
internal audit was substantial. The IIA noted that whilst many companies were
initially complacent about Turnbull, within six months of its issue the vast
majority had begun to change their processes to ensure risk management would
become an embedded organisation-wide activity with the necessary assurance being
required from internal audit. Many of the organisations stated that such changes were
considered to make sound business sense and would contribute to shareholder prosperity.

1.4 Potential benefits

POTENTIAL BENEFITS
Improved market share, greater profitability and reduced earnings volatility
Important source of competitive advantage
Better overall corporate reputation and image
Better relations with regulators and rating agencies
Greater internal focus on doing the right things right, at the right time
Better strategic decision making through improved data collection and analysis
Fewer sudden shocks, unwelcome surprises and less time fire fighting
Stronger reputation with stakeholders and standing with those providing oversight
Enhanced shareholder value
Lower cost of capital, improved investor relations and opportunities

Illustration 1 - Cases

Swiss bank
In 2002, a major private Swiss bank established an asset management and investment
business. They also established an independent risk management function. Because
the trust of investors was vital to the continued success of the asset management
business (the trust built up over many years could easily be lost through one bad
decision), the risk management process was used as a key selling point in presentations
made to institutional investors. Thus the function was not only used internally, but
also as a key competitive advantage to keep business, take business away from rivals
and to generate new business.
Dock strike
In September 2002 there was a severe dockworkers' strike on the west coast of the USA.
29 ports were impacted for a total of 10 days. Several major retailers (including
Wal-Mart, see next case) had foreseen this event (because of the deteriorating relationships
over several months between the port workers and managers) and had increased their
imports of vital inventory prior to September. Many other retailers did not recognise
this risk and did nothing; their vital goods remained ship bound during the strike and
were not delivered until several weeks after the strike ended due to the time taken to
clear the backlog of containers.





Wal-Mart
In August 2005, the Gulf coast of the USA was struck by a severe hurricane, Katrina.
New Orleans, in particular, was heavily hit.
From the moment the hurricane had formed over the Bahamas, the risk management and
procurement systems of Wal-Mart Stores (the largest US corporation by revenue), using
information from the US National Hurricane Center, the National Weather Service and
their own database, had identified the basic foodstuffs, goods and equipment that
would be needed should the hurricane come ashore. As it became clear where the
hurricane was most likely to come ashore, Wal-Mart moved the necessary supplies and
materials into the relevant stores, in preparation to meet the expected demand.
In the event, because of the catastrophe caused by the hurricane and the failure of New
Orleans' levee system (and the subsequent flooding of the city), Wal-Mart gave away
most of the foodstuffs and essential supplies. They also established supply routes
bringing more necessary aid into the stricken areas.
While state and federal officials came under harsh criticism for their handling of the
storm's aftermath, Wal-Mart was held up as a model for logistical efficiency, risk
management and nimble disaster planning, which allowed it to quickly deliver the
necessary food, water, fuel and other essential goods to thousands of people impacted
by the hurricane.


1.5 Beyond Turnbull
The Turnbull Report was a significant turning point for how entities considered and
managed risk. The report made it perfectly clear that risk management:
was not a one-off exercise, but was "for life", evolving as the business changed, its
environment changed and risks changed (especially as the unknown risks became
known and were replaced by further unknown risks);
was not about eliminating all risk, as maximising shareholder and stakeholder
wealth involves taking risks, but such risks will have been assessed, monitored
and controlled;
was about identifying trends and future events, thus being first to take a competitive
advantage (an "opportunity risk") to create value or take first advantage of limited,
decreasing resources.
Along with Turnbull, the significant increase in stakeholder interests since the 1990s has
resulted in greater pressures being placed on entities not only to manage risks, but also
to disclose the risks they face and how those risks are being managed.
Commentary

Interestingly, the huge increase of risk disclosure made public by entities has not just
been through regulatory, GAAP or listing requirements but also through the
mechanism of the market place (e.g. CSR and GRI).


2 RISK CATEGORIES
There are many risks (potentially hundreds) faced by different entities.
There are several ways in which they may be categorised. For example:
General categories;
Common business risks; and
Country risks.
Commentary

The risks and categories discussed in the sections which follow are based on the
requirements of the syllabus. In the exam, a general question may be asked, for
example, on the strategic risks faced by a specific entity or you may be asked to identify
risks based on a scenario.


3 GENERAL CATEGORIES
3.1 Strategic risk
Definition – strategy

The direction and scope of an organisation over the long-term with the aim
of fulfilling stakeholder expectations. (Johnson, Scholes and Whittington)


Strategic (sometimes called enterprise) risk is the risk that an entity is unable to
achieve one or more of its strategic objectives. This may be due to poor selection of
strategic options, poor management and execution or negative impact of strategic risks.
The risks to an entity's strategy are the threats or opportunities that materially affect the
ability of an entity to survive. They arise from the need for directors to make
fundamental decisions concerning the organisation's objectives and relate to, for
example, the environment, stakeholders, changes in the economy, new products,
emerging markets, competitors, life-cycles, emerging technology, refinancing.
A top-down approach is essential, rather than an (operational) bottom-up approach.
As strategy concerns the future, strategic threats and opportunities:
often come from unexpected quarters (surveys of CEOs and boards indicate at least
35% of all strategic threats); risk management systems are therefore required that
can rapidly make sense of risk situations and enable fast and effective responses to
mitigate threats and capitalise on opportunities.
are often low frequency, but high impact; they will never have occurred before,
thus would not be predicted or identified by traditional risk management systems
that rely on historical data.
are often very complex, arising out of ambiguous and non-routine situations (the
very nature of strategic decision making) with organisation-wide rather than
operation specific implications; risk management must identify when managers
are dealing with something they do not understand well and do not do often.
In order to recognise the development of these types of risk quickly, and respond to
them, it is essential for boards to understand how the entity integrates with, and reacts
to, the external environment. Building up an understanding of all environmental
factors that will impact an entity is an essential first step to enabling recognition of a
developing problem.
Example 2

Suggest FIVE strategic risks that could be expected to have an impact on
businesses over the next twelve months.


3.2 Operational risk
Definition

The risk of loss resulting from inadequate or failed internal processes, people
and systems, or from external events. (Basel II)


Commentary

Operational risks also cover financial and compliance.
Turnbull suggested the following as being typical examples of:
3.2.1 Operational risks
Business processes not aligned to strategic goals
Change initiative failure
Loss of entrepreneurial spirit
Stock outs of raw materials
Skills shortage
Physical disasters (e.g. fire, earthquake)
Failure to create/exploit intangible assets
Loss of physical assets
Lack of business continuity
Poor brands
Breach of confidentiality
Quality problems
Lack of orders
Failure of major project
Loss of key contracts
Inability to use internet
Failure of outsource provider to deliver
Industrial action (own, supplier or customer)
Failure of information technology
Low employee motivation or efficiency
Inability to implement change
Inefficient/ineffective processing of documents
Succession problems
Loss of key people
Inability to reduce cost base
Tough contract obligations
Over-reliance on key suppliers or customers
Failure of new products or services
Poor service levels
Unsatisfied customers
Poor brand management
Product liability
Inefficient/ineffective management process
Exploitation of third world employees
Business probity issues
Reputational issues
Missed business opportunities

3.2.2 Financial risks
Liquidity risk
Market risk
Going concern problems
Overtrading
Credit risk
Interest risk
Currency risk
High cost of capital
Treasury risk
Misuse of financial resources
Fraud risks
Misstatement within financial statements
Breakdown of accounting system
Unrecorded liabilities
Unreliable accounting records
Hacking of IT/IS
Decisions based on incomplete or faulty information
Too much data, insufficient analysis

3.2.3 Compliance risks
Breach of listing rules
Breach of financial regulations
Breach of legal requirements
Litigation risk
Breach of competition laws
Tax problems and penalties
Breach of other laws or regulations
Health and safety risks
Environmental problems

3.2.4 Business (strategic) risks
Wrong business strategy
Competitive pressure on price and/or market
General/regional economic problems
Technology obsolescence
Too slow to innovate
Substitute products
Adverse government policy
Industry sector in decline
Take-over target/bad acquisition
Inability to obtain further capital
3.3 Generic risk
Risks that are pervasive to all businesses (e.g. interest rates, breaches of company law).
They can impact businesses in different ways (e.g. interest rates will have a far greater
impact on highly geared businesses).
3.4 Sector specific risk
Specific risks that only impact particular business sectors (e.g. regulation risk may be
considered as a generic risk, but different businesses are subject to different regulatory
authorities). For example:
company law applies to all businesses (generic risk);
listing regulations that only apply to companies that are listed (specific sector);
Financial Services Regulations would only apply to those companies (listed or
otherwise) providing financial services (e.g. banks);
charity regulations would only apply to those organisations registered as charities,
some of which may also be companies subject to company law.
4 COMMON BUSINESS RISKS
4.1 Market risk
Market risk (sometimes referred to as systematic risk) is the exposure to the uncertain
market value of an asset, liability, investment portfolio or a derivative contract linked to
the asset (liability) held.
It is the risk that the value of an investment (or liability) will decrease (increase) due to
moves in market factors.
Typical market factors include:
Changes in equity value (equity risk)
Interest rate changes (interest rate risk)
Foreign exchange changes (currency risk)
Changes in commodity prices (commodity risk)
Other price risks that would cause the market price to change
Commentary

IFRS 7 Financial Instruments: Disclosures defines market risk as the risk that the
fair value or future cash flows of a financial instrument will fluctuate because of
changes in market prices. Remember that the simple receivable is a financial
instrument as are foreign currency deposits, investments in another entity (e.g. equity
or fixed interest debt), foreign currency hedges and forward contracts for commodities.
So virtually all companies will be exposed to market risk.

4.2 Credit risk
The risk that one party to a financial instrument (e.g. trade receivable, loan) will cause a
financial loss for the other party by failing to discharge an obligation (e.g. they fail to
settle the debt).
The factors to be taken into account include:
the total volume of credit sales
the organisation's credit policy and credit terms offered (credit limits and time
allowed to pay)
quality of customers (some types of customer are a greater credit risk than others)
credit vetting, assessment and debt collection procedures
Illustration 2

The sub-prime mortgage market (developed on the back of the USA housing bubble
2000-2008) was based around banks and mortgage brokers in the USA selling
mortgages to known credit risks (sub-prime NINJA: No Income, No Job, (and) no
Assets).
As they were then able to resell these mortgages on through the mortgage bond
market, the banks' credit risks were considered to be limited (someone else's
problem) and should default occur, the debt would easily be covered by the rising
value of the property held as collateral. By 2005, 20% of US mortgages were of this
type.
However, most of these mortgages were ARM (adjustable rate mortgages) that held
reset clauses so that after 2 to 5 years, the low interest rate would reset to market
rates (often double the initial rate). As the reset clauses activated, most mortgagors
defaulted. Initially, this had little impact on house prices but as more reset clauses
activated, more repossessed houses came onto the market and house prices started to
collapse. Within two years (2007 and 2008) the average annual change in house
prices fell from +10% to -10%.
Banks who had not resold sub-prime mortgages into the mortgage bond market
suffered huge bad debts, whilst some of those that had were required to repay under
the terms of the bond.
In addition, the banks and other financial institutions involved in the mortgage bond
market had developed and sold on to other financial institutions new financial
instruments (Collateralized Debt Obligations, CDOs) in which the sub-prime debt
had been "sliced and diced" with prime debt in order to obtain a high credit rating
(i.e. it was not possible to identify and remove the sub-prime element from the whole
financial instrument).
As the defaults on sub-prime mortgages increased, the value of the sub-prime
mortgages, and of the financial instruments containing or derived from sub-prime
mortgages, collapsed, leading to the "credit crunch" when banks had to write off
$billions from their statements of financial position, attempted to raise additional
finance to shore up their financial position and (along with other lenders) tightened
up their lending requirements. The inter-bank lending market froze as banks lost
faith in the money-market system and refused to continue to lend to each other,
preferring to hold onto money rather than lend it in fear that it may not be repaid.


The lack of credit caused consumers not to spend, major development projects to
halt, companies to cease expansion (with many unable to roll over existing credit
lines or debt) and contract. As faith has been lost in the banking and consumer
systems, many companies have been faced with significant declines in market
capitalisation, restructuring and increased going concern risks.


4.3 Liquidity risk
Firstly, the risk that an entity will encounter difficulty in meeting obligations associated
with financial liabilities (i.e. difficulty in repaying debt).
Secondly, the risk that an entity will not be able to raise cash either from its shareholders
or other third parties (e.g. banks).
Thirdly, the risk of a premature or forced sale of assets, at a market loss, to raise
necessary liquidity.
An entity is said to have liquidity if it can easily meet its needs for cash either because it
has cash on hand or can otherwise raise or borrow cash.
Obviously, the concept of liquidity for an entity revolves around cash. The liquidity of
an entity depends on:
the short-term need for cash;
cash on hand;
available lines of credit;
the liquidity of the entity's assets;
the entity's reputation in the marketplace: how willing will counterparties be to
trade with or lend to the entity and how willing are existing or potential
shareholders to invest in the entity?
4.4 Technological risk
The risk that an entity does not realise (or recognise) the potential of technology
(including change and emerging technology) to maintain or gain competitive
advantage.
Such technology may be:
back room (e.g. management and executive information systems, decision support
systems, CAD); or
front room (e.g. operational systems, production systems, procurement systems,
supply chain systems, customer management systems).
Like many other categories of risk, technology risk is a two-way risk, and technological
change creates both threats and opportunities for organisations.
Neumann (taking Porter's competitive advantage strategies) developed a five-point
competitive strategy for information systems and technology:
Cost leadership (using technology to reduce costs, production and administration,
below those of competitors)
Differentiation (unique products, improved quality, improved effectiveness of
service, developing niche markets, increased efficiency of business processes)
Innovation (new ways of doing business, extending product life through added
value, business model evolution)
Growth (new markets, quicker responses to market indicators, web based selling)
Strategic alliance (with customers, suppliers, competitors, other companies through
integration of systems, shared systems, joint ventures, mergers)
All of the above raise specific strategic and operational risks and opportunities.
Challenges facing entities (that will give rise to risks) include:
Achieving alignment of IT with companies' business objectives. The business
strategy must drive the technology strategy. A strong business case must be made
for the technology with a positive cost/benefit.
Dealing with increasingly complex technology environments. In order to be able to
measure risk, management must understand the risk. It is not uncommon for
management to believe they understand the technology and its impact, when in fact
they do not. Thus risks are not identified until they occur, often too late to be able
to react to them.
Protecting against a plethora of new threats and vulnerabilities. These include data
loss, data corruption, hacking, viruses and loss of reputation.
Increased regulatory compliance obligations. Initially data protection, but now
including cross-border tax issues and monitoring of website content.
Out of control IT projects. Basically projects that should never have been started:
poorly planned, implemented and managed, invariably involving overspend. The
greatest damage is done when the completed project fails to meet the original
objectives.
Achieving visibility of IT spend (ensuring management are fully aware of the
budget and actual spend) and the value it returns to the business (this may be
difficult to quantify when the expected benefits are qualitative).
Further specific risks relating to technology include:
Physical damage (e.g. fire, flood, weather, natural disaster, terrorist attack,
accidental damage, deliberate damage);
Theft (physical or of data);
Data corruption;
Poor training in the use of the technology;
Unauthorised access to systems;
Systems development and programming;
Internet damage (e.g. viruses, hacking, denial of service attacks).
4.5 Legal and regulatory risk
The risk of breaching applicable laws and regulations, sometimes referred to as
compliance risk (i.e. the risk of not complying with laws and regulations).
Such laws may be general (e.g. health and safety, company law, financial statements) or
they may be specific (e.g. financial service regulations, listing regulations).
A survey by the Times in December 2007 identified the top ten legal risks as being:
Competition law (e.g. cartels);
Data protection (e.g. illegal use, unlawful access);
Copyright infringement;
Product recall (e.g. food safety, products fit for use, use of illegal materials);
Health and safety;
Financial statements;
Taxation;
Financial Services Authority (FSA);
Money laundering;
Extradition (particularly where operations are conducted within the USA).
Whilst the breaching of some laws and regulations may result in an (immaterial) fine,
other breaches may see the withdrawal of an operating licence, closure of the business
or substantial fines, bad publicity and criminal procedures (usually meaning jail terms)
for managers and directors.
Commentary

The sheer number and intensity of the laws and regulations governing companies is
often stated by directors as being their worst nightmare. Many surveys conclude
that far too much time is taken up by the CEO and the board in keeping up to date and
dealing with what is considered an unnecessary bureaucratic intrusion into company
affairs. However, to ignore them is not an option.


4.6 Health and safety risk
Health is not merely the absence of disease or infirmity, but a state of complete physical,
mental and social well-being and the avoidance of unintentional injury or death. (World
Health Organisation - WHO).
Safety, in the WHO report, is interpreted to refer directly to the means of avoiding
unintentional injury or death, and is considered to be an aspect of health promotion.
Health and safety risk can thus be considered as the risk of unintentional harm (actual
or potential) to employees or other individuals (e.g. visitors, customers, local
population) caused by the entity.
A hazard is anything that may cause harm, such as chemicals, electricity, working from
ladders, an open drawer etc.
The risk is the chance, high or low, that somebody could be harmed by these and other
hazards, together with an indication of how serious the harm could be.
Commentary

In many occupations there is always the risk of serious injury and death (e.g. mining,
fire-fighting, deep sea diving). Health and safety procedures therefore need to be in
place to reduce this risk to an acceptable level to the employee.


Initially employer (and employee) responsibilities for health and safety in the workplace
were laid down within health and safety laws and regulations. With the increasing
importance of CSR, many employers consider health and safety to be a moral issue and
provide a working environment that exceeds the minimum requirements of the current
laws and regulations in order to achieve an appropriate work-life balance for their
employees.
It is critical for organisations, their managers and workforce to observe health and
safety legislation (and assess the risks of breaches) for the following reasons:
In many jurisdictions health and safety is covered by legislation, thus breaches will
be subject to criminal proceedings, fines and in extreme cases, closure of the
business (e.g. loss of licence to operate).
Accidents and illness can be costly in monetary and reputation terms to the
employer through lost production, absence of key employees, lower morale within
the workforce, legal fees if involved in a court case, bad publicity.
Under civil law, it may be possible for the employee (or visitors to the organisation)
to sue for compensation if they are injured.
Organisations have a moral obligation to protect others (including not only their
workforce but customers, visitors and the local community).
Insurance cover is usually required by organisations. A poor health and safety
record may invalidate any insurance cover, without which the organisation would
not be allowed to operate.

Example 3

Suggest TEN risks to the health and safety of employees working within an
office environment.



4.7 Environmental risk
Environmental risk is the risk of damage that an entity's activities can cause to the
environment, and the harm to people or the loss of quality of life that can result from
such environmental degradation.
It is the actual or potential threat of adverse effects on living organisms and the
environment by effluents, emissions, wastes, resource depletion, etc, arising out of an
entity's activities (e.g. global warming, river pollution, ground water pollution).
Whilst all entities will face environmental risk, the agriculture, chemical, transportation,
logging and nuclear power industries are examples of industries with a high
environmental risk.
Illustration 3

Gas wars
The January 2009 gas wars involving the EU, Ukraine and Russia increased
the environmental risk of a number of companies as they were unable to use
gas (a relatively clean fuel) as their normal power source. Some EU countries
restarted old technology nuclear power plants and others allowed their
industries to use heavy fuel oil, resulting in smog warnings in cities.
Biofuels
Biofuels are generated through the cropping of plants such as soya beans,
maize, wheat and sugar cane to use as a source of energy, e.g. transport fuel.
Initially hailed as a "green" solution to the depletion of unsustainable fossil
fuels and increasing global warming, biofuels are now being considered as a
major environmental risk regarding deforestation (as forests are cleared to enable more
crops to be grown) and as a major factor in the food shortages (and significant
increases in food prices) in the first decade of the 2000s, as millions of acres of land
were switched from food production to fuel production.


Whilst many countries have specific legislation dealing with the environmental impact
of entities, a key driver of environmental risk has been the sustainability reporting
guidelines of the GRI, which, for the environment, include disclosure, monitoring,
management and risks related to, for example:
Materials
Energy
Water
Emissions, effluents and waste
Transport
4.8 Reputation risk
Reputation risk is the risk that negative publicity regarding an institution's business, its
procedures, policies, practices, actions, ethics and the actions of its stakeholders (e.g.
directors, managers, employees, regulators, customers and suppliers) will lead to a loss
of shareholder value, competitive advantage, business revenue or lead to regulatory
action or litigation.
An entity's or individual's reputation will decline when experience of the entity or
individual falls short of expectation. This does, however, raise three key questions:
- Whose experience? Customers, investors, regulators, employees, the general public?
- What experience? Each stakeholder will have their own claims on, and perceptions
  of, the entity and thus their own set of experiences that could lead to reputational
  damage.
- Which expectations and how were they formed? The expectation of a stakeholder
  may be unrealistic. The factors related to expectations may be outside of the
  control of the entity. Expectations may be based on incorrect assumptions or
  standards.
Thus it is easy to see why reputation risk is often referred to as the "risk of risks" or
"the mother of all risks" (a reputation that has taken twenty years to develop can, in
the "CNN world", be lost within 20 seconds) and why it can be very difficult to
manage.
Commentary

Should it be treated as a single element or considered to be embedded within many other
risks (e.g. product risk, brand risk, procurement risk, HR risk, operational risk etc)?


In addition, many elements of an entity's reputation may be outside of its control, e.g.
actions of its customers and suppliers. However, the way the entity reacts to such
matters will often determine its reputation.
Example 4

Give FOUR examples of corporate behaviour that may lead to a reputational
risk.


4.9 Business probity risk
Probity is the strict adherence to a code of ethics based on undeviating honesty,
especially in commercial (monetary) matters and beyond legal requirements. Thus
business probity risk is the risk that business transactions and actions may not be
ethical, lawful, prudent, effective and transparent.
Basic probity risk relates to the offering and accepting of bribes, with the defence, oil, public
works/construction and banking/finance (e.g. money laundering) industries ranking
highest for the incidence of bribery being considered a normal business practice.
Within an individual company, the greatest probity risk may be considered as arising
during the awarding of supply and service contracts.
Other probity issues include:
- the actions of specific directors (e.g. the CEO) in not providing all necessary
  information to the board or audit committee;
- providing misleading information (e.g. through reports, websites, briefings) to the
  market, shareholders, regulators and other stakeholders;
- being "economical with the truth", e.g. not providing the full picture (usually bad
  news) or just drip feeding the information to those who have a right to know;
- attempting to hide bad news on the basis that the problem will go away.
4.10 Derivative risk
Derivative risk is the risk that derivatives will cause substantial financial damage to an
entity (or not behave as expected).
Derivatives are financial instruments that require no initial net investment and will be
settled at a future date. Their value is derived in response to a change in something else
(the "underlying"), e.g. interest rates, another financial instrument price, commodity price,
foreign exchange rate, index of prices or rates, credit rating or credit index.
Initially developed as a tool to manage and reduce risk, they hedge the risk of owning
things that are subject to unexpected price fluctuations, e.g. foreign currencies, bushels
of wheat, oil, stocks and government bonds. There are two main types: futures, or
contracts for future delivery at a specified price, and options that give one party the
opportunity to buy from or sell to the other side at a prearranged price.
Because, simplistically, derivatives are bets taken on the movement of the underlying,
many financial institutions started to trade in derivatives on the basis of wanting to
make substantial profits through either winning the bet or making commissions on
placing the bet on behalf of clients.
Commentary

The job of a derivatives trader has been likened to that of "a bookie once removed" (i.e.
taking bets on people making bets). As with all bets, somebody wins and somebody loses.
By their very nature, derivatives encourage higher degrees of speculation so that
derivatives traders behave like a bookie once removed. The potential rewards are such
that a technique designed to reduce risk is all too often treated as a gambler's tool.



Illustration 4

"We view them as time bombs both for the parties that deal in them and the
economic system ... In our view ... derivatives are financial weapons of mass
destruction, carrying dangers that, while now latent, are potentially lethal."
Warren Buffett (2002)
1994: Procter & Gamble Co losses of $157 million on interest rate
speculation.
1994: Metallgesellschaft collapses through losing $1.5 billion on oil futures.
1995: Barings Bank goes bust, $1.4 billion.
1998: Long Term Credit Management bailout at a cost of $3.5 billion.
2001: Enron goes bankrupt. The 7th largest company in the US and the
world's largest energy trader made extensive use of energy and credit
derivatives but becomes the biggest firm to go bankrupt in American
history after systematically attempting to conceal huge losses.
2002: Allied Irish Bank (AIB) losses of $750 million.
2004: National Australia Bank (NBA) losses of A$180 million.
2004: China Aviation loses $550m in speculative trade.
2006: the US-based hedge fund, Amaranth Advisors, loses $6 billion
trading in natural gas futures.
2008: Société Générale loses €4.9 billion in unauthorised futures trading.
2007 (ongoing): Toxic Assets, the Credit Crunch and a "derivatives
Chernobyl". $500 trillion total derivatives market exposure (Bear Stearns,
Lehman Brothers, UBS, and Citigroup to name but a few) as substantial
attempted unwinding of positions freezes the derivatives market, leaving
both parties and the middleman banks with substantial losses.


Commentary

Note that many of the entities in the above illustration are not financial institutions.
Many such entities started to use derivatives to try and generate profits rather than as
cost managers. Dealing in derivatives was not their formal business. Many paid the
price when their inexperience turned against them.


5 COUNTRY RISKS
5.1 Additional risks
Many of the risks discussed above can be compounded by the fact that an entity
operates overseas or has suppliers and/or customers based overseas. For example,
different:
legal systems;
tax systems;
financial reporting requirements;
health and safety regulations;
employment laws;
regulatory frameworks;
ethical, moral and environmental expectations.
Each of these elements presents additional risks, in the framework of country risks, to
the entity.
5.2 Examples
Bribery may be a common way of conducting business (to obtain contracts) in one
country, but would be a high probity risk in the home country and thus of particular
concern when dealing with overseas customers who would expect to be bribed.
Use of child labour may be acceptable in the country of a supplier, but would not be
acceptable in the operating environment of the buyer's country and could therefore be a
high reputational risk.
FOCUS
You should now be able to:

- define and explain risk in the context of corporate governance;
- define and compare (distinguish between) strategic and operational risks;
- define and explain the sources and impacts of common business risks:
  - market
  - credit
  - liquidity
  - technological
  - legal
  - health, safety and environmental
  - reputation
  - business probity
  - derivatives
- recognise and analyse the sector or industry specific nature of many business risks.
EXAMPLE SOLUTIONS
Solution 1 Risk assessment questions
- Does the company have clear objectives and have they been communicated so as to
  provide effective direction to employees on risk assessment and control issues?
- Are the significant internal and external operational, financial, compliance and other
  risks identified and assessed on an ongoing basis?
- Is there a clear understanding by management and others within the company of what
  risks are acceptable to the board?
Solution 2 Strategic risks
- The credit crunch (tighter credit, lack of credit, inability to refinance, recall of credit)
- Regulation and compliance (unknown regulatory reaction to, for example, sub-prime
  and Bowdon)
- Deepening recession (lack of customers, going concern)
- Radical greening (environmental and sustainability challenges, additional disclosure
  and regulation, e.g. carbon emissions)
- Non-traditional market entrants (emerging markets)
- Cost cutting (cost containment internally and from suppliers)
- Managing talent (keeping talent in time of recession, misaligned compensation
  packages)
- Executing alliances and transactions (recession provides opportunities, but could
  easily result in missed opportunities and bad mergers)
- Business model redundancy (long-established business models may no longer be
  appropriate)
- Reputation
Commentary

The suggested risks are from an Ernst & Young 2009 survey on business risks. Other
surveys could easily suggest similar or different risks.


Solution 3 Health and safety risks
Blocked fire exits or insufficient exits
Fire protection systems not operating correctly (or none at all)
Poor ventilation
Low light in working areas, corridors and stairs
Sharp edges on equipment and furniture
Frayed electric wires, overloaded plugs, electrical equipment exposed to water
Trailing wires, cables and leads
Poorly designed seating not supporting the back
Top-heavy filing cabinets
Worn or torn carpets
Liquid on floors
Untrained equipment operators
Lack of training in basic health and safety procedures
No first aid facilities

Solution 4 Reputation risk
- Employing child labour in under-developed/third world countries or operating
  "sweatshops" in which employees (usually immigrant labour who are often illegal
  immigrants) work long hours in poor conditions for low pay.
- Causing environmental damage and pollution.
- Public suspicions about the damage to health from using the company's products or
  from materials used within products.
- Investing heavily in countries with unpopular, racial or tyrannical governments.
- Involvement in business scandals such as mis-selling financial products or products
  known to be unsafe.
