Risk Management Summary

The document provides a summary of risk management concepts from issues of the monthly journal "The Chartered Accountant Student". It defines risk management as applying techniques to identify, measure, assess, quantify, monitor and mitigate risks in an organization. Risk management is a continuous process of identifying inherent risks, monitoring them, and taking steps to treat and mitigate risks. It then summarizes key concepts around the introduction to risk, including definitions of risk from various standards and classifications of risk types. It outlines the difference between risks and uncertainties, and how risks can be classified as strategic, operational, financial, and knowledge-related.

Uploaded by

Gautham Reddy

Referencer for Quick Revision
Final Course Paper-6A: Risk Management
A compendium of subject-wise capsules published in the monthly journal “The Chartered Accountant Student”

Board of Studies (Academic)
ICAI

INDEX
Edition of Students’ Journal | Topics
March 2020 | Introduction to Risk
March 2020 | Source and Evaluation of Risks
March 2020 | Risk Management
Risk Management
RISK MANAGEMENT: A CAPSULE FOR QUICK REVISION
The subject “Risk Management” involves applying the knowledge and techniques of Risk Management to identify, measure, assess, quantify, monitor and mitigate risks in an organization. Risk Management is thus a continuous process of identifying the risk inherent in an organization, monitoring it and taking steps to treat and mitigate it, wherever required. In this regard, an attempt has been made to convey the concepts of Risk Management to the students in a lucid and simple manner in the form of capsules.

CHAPTER 1: INTRODUCTION TO RISK

Chapter Overview
• The Concept of Risk
• Risk and Uncertainty
• Classification of Risks
• Dynamic Nature of Risks
• Types of Risks

Introduction

Risk derives from the early Italian word “risco” which means danger or “risicare,” which means “to dare” or French word “risqué”. Risk is a choice rather than a fate. The actions companies dare to take are central to our definition of risk. Risk and reward are two sides of the same coin. Risk leaders choose their risks well. They look at external and internal risks in broad context. They integrate decisions with corporate strategy, and strike a healthy balance between risk management as an opportunity and a protection shield.

ICAI Guide on Risk Based Internal Auditing

Meaning of Risks - In a larger sense, risks are those uncertainties of outcome, whether an opportunity or threat, arising out of actions and events. While looking at them narrowly, risks are those uncertainties which impede the achievement of the objective.

Business Risk - Business risks impede the achievement of the organisation's goals and objectives.

SA 315 of ICAI defines the term Significant risk in the context of auditing as – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration.

ICAI’s Standard of Internal Audit - Enterprise Risk Management defines Risk as an event which can prevent, hinder, and fail to further or otherwise obstruct the enterprise in achieving its objectives. A business risk is the threat that an event or action will adversely affect an enterprise’s ability to maximize stakeholder value and to achieve its business objectives.

SA 315 of ICAI defines Business Risk as a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Occupational Health & Safety Advisory Services (OHSAS)

Occupational Health & Safety Advisory Services (OHSAS) defines risk as the combination of the probability of a hazard resulting in an adverse event, and the severity of the event.

Illustrative Corporate Risks

Corporate Functions | Risk Areas
Human Resources | Poor morale & talent retention
Sales & Marketing | Poor Customer loyalty & retention
Operations | Inability to Digitize/ automate processes
Treasury | Low return on investments
Information Technology | Hacking and unauthorized access
New Product development | Product failure
Treasury | Mismatch in cash flows
Finance & Accounts | Unreliable financial statements

Classification of Business Risk

Business Risk:
• Internal
• External
• Controllable
• Uncontrollable

Business Risks: Internal and External

Internal risks arise from events taking place within the business enterprise. Such risks arise during the ordinary course of a business. These risks can be forecasted and the probability of their occurrence can be determined. Hence, they can be controlled by the management significantly.

External risks arise due to events occurring outside the business organisation. Such events are generally beyond the control of the management. Hence, determining the likelihood of the resulting risks cannot be done with accuracy.

Business Risks: Controllable and Non-controllable

Controllable risks arise from the events taking place within the business enterprise. Such risks arise during the ordinary course of business. These risks can be forecasted and the probability of their occurrence can be determined.

Uncontrollable risks however, are those that would have a detrimental financial impact but cannot be controlled. Some uncontrollable risks that are common to many businesses include recessionary economy, new competitor locating nearby, and new technology.
The Chartered Accountant Student March 2020 07
ICAI’s Standard of Internal Audit

Risk may be broadly classified into Strategic, Operational, Financial and Knowledge.

Strategic Risks: They are associated with the primary long-term purpose, objectives and direction of the business.

Operational Risks: They are associated with the on-going, day-to-day operations of the enterprise.

Financial Risks: They are related specifically to the processes, techniques and instruments utilised to manage the finances of the enterprise, as well as those processes involved in sustaining effective financial relationships with customers and third parties.

Knowledge Risks: They are associated with the management and protection of knowledge and information within the enterprise.

Open Group Standard

The Open Group suggests classifying risks with respect to effect and frequency in accordance with scales used within the organization. There are no hard and fast rules with respect to measuring effect and frequency.

Effect could be assessed using the following criteria as an example:
• Catastrophic infers critical financial loss that could result in bankruptcy of the organization.
• Critical infers serious financial loss in more than one line of business leading to a loss in productivity and no return on investment.
• Marginal infers a minor financial loss in a line of business and a reduced return on investment.
• Negligible infers a minimal impact on a line of business' ability to deliver services and/or products.

Frequency could be indicated as follows:
• Frequent: Likely to occur very often and/or continuously.
• Likely: Occurs several times over the course of a transformation cycle.
• Occasional: Occurs sporadically.
• Seldom: Remotely possible and would probably occur not more than once in the course of a transformation cycle.
• Unlikely: Will probably not occur during the course of a transformation cycle.

Potential scheme to assess corporate impact could be as follows:
• Extremely High Risk (E): The transformation effort will most likely fail with severe consequences.
• High Risk (H): Significant failure of parts of the transformation effort resulting in certain goals not being achieved.
• Moderate Risk (M): Noticeable failure of parts of the transformation effort threatening the success of certain goals.
• Low Risk (L): Certain goals will not be wholly successful.

The ICAI Guide on Risk Based Internal Audit

All risks have two attributes, viz.
• Likelihood of risk occurrence.
• Risk consequence.

Measurement of the likelihood of risk is normally against five levels on a scale of 5, viz.
• Remote (score 1).
• Unlikely (score 2).
• Possible (score 3).
• Likely (score 4).
• Almost certain (score 5).

Risk consequences can also be measured against five levels on a scale of 5, viz.
• Insignificant (score 1).
• Minor (score 2).
• Moderate (score 3).
• Major (score 4).
• Catastrophic (score 5).

Difference between Risk & Uncertainty

Uncertainty | Risk
The lack of complete certainty, that is, the existence of more than one possibility. The “true” outcome/state/result/value is not known. | A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.
Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. | Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses.
Example: "There is a 60% chance this market will double in five years". | Example: "There is a 40% chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs".

Complexity, Volatility, Ambiguity and Uncertainty

Complexity
Characteristics: The situation has many interconnected parts and variables. Some information is available or can be predicted, but the volume or nature of it can be overwhelming to process.
Example: You are doing business in many countries, all with unique regulatory environments, tariffs, and cultural values.
Approach: Restructure, bring on or develop specialists, and build up resources adequate to address the complexity.

Volatility
Characteristics: The challenge is unexpected or unstable and may be of unknown duration, but it’s not necessarily hard to understand; knowledge about it is often available.
Example: Prices fluctuate after a natural disaster takes a supplier off-line.
Approach: Build in slack and devote resources to preparedness; for instance, stockpile inventory or overbuy talent. These steps are typically expensive; your investment should match the risk.

Ambiguity
Characteristics: Causal relationships are completely unclear. No precedents exist; you face “unknown unknowns.”
Example: You decide to move into immature or emerging markets or to launch products outside your core competencies.
Approach: Experiment. Understanding cause and effect requires generating hypotheses and testing them. Design your experiments so that lessons learned can be broadly applied.

Uncertainty
Characteristics: Despite a lack of other information, the event’s basic cause and effect are known. Change is possible but not a given.
Example: A competitor’s pending product launch muddies the future of the business and the market.
Approach: Invest in information: collect, interpret, and share it. This works best in conjunction with structural changes, such as adding information analysis networks that can reduce on-going uncertainty.

Categorization of Risks

Pure Risks are associated with uncertainties which may cause loss. In a pure risk situation, a loss occurs or no loss occurs – there is no possibility for gain. These uncertainties may be due to perils such as fire, floods, etc. or may arise from human action such as theft, accident etc.

Control risks are associated with unknown and unexpected events. They are sometimes referred to as uncertainty risks and they can be extremely difficult to quantify. Control risks are often associated with project management.

Speculative Risks have three possible outcomes: loss, no loss or gain. Examples of such risks include the decision to invest in some shares etc. The statistical techniques used in insurance cannot be applied to speculative risks. Further, these risks are deliberately taken with the hope of gain.

Internal and External factors of Risks

Internal Factors
Controllable:
• Stability and financial position of the entity
• Labour strikes
• Machine failure
• Staff morale
Uncontrollable:
• Accidents
• Attrition of people
• Technological change
• Frauds

External Factors
Controllable:
• Compliance with regulatory changes
Uncontrollable:
• Economic conditions
• Floods
• Earthquake
• Market/environment

Type of Risks - Illustrative
• Financial risk - These risks are associated with the financial assets, structure and transactions of the particular industry.
• Credit risk - The risk of loss arising from outright default due to the inability or unwillingness of the customer or counterparty to meet their commitments. Credit risk is the probability of loss from a credit transaction. It is also called default risk.
• Liquidity risk - It arises whenever the bank is unable to generate cash to meet its liability payment obligations or increase in assets, or fails to manage the unplanned decreases or changes in the funding sources.
• Market risk - The risk of losses caused by adverse changes in the market variables such as interest rate, Foreign Exchange rate, equity price and commodity price.
• Operational Risk - The risk associated with the operations of an organization. It is the risk of loss resulting from failure of people employed in the organization, internal process, systems or external factors acting upon it to the detriment of the organization.
• Strategic Risk - The current and prospective impact on earnings, capital, reputation or good standing of an organization arising from its poor business decisions, improper implementation of decisions or lack of response to industry, economic or technological changes. Failure of strategies will adversely impact the business objectives and attainment of the goals.
• Compliance Risk – It includes material financial loss or loss of reputation which may occur as a result of an entity's failure to comply with the laws, including regulations, rules, related self-regulatory organization standards and code of conduct applicable to its business activities.
• Regulatory Risk - Regulatory Risk arises due to changes made in policies and procedures by the regulators viz, RBI, Central and State Governments, SEBI, IRDA, etc.
• Reputation risk – Adverse publicity regarding an entity’s practices will lead to a loss of revenue or litigation. Any event which affects the name or brand image of the entity is Reputation Risk.
• Legal risk - Arises from the uncertainty due to legal actions or uncertainty in the application, interpretation of contracts, laws or regulations. Legal risk is the risk arising from failure to comply with statutory or legal requirements.
• Management risk – It means the risks associated with ineffective, destructive or underperforming management, which hurts shareholders and the company or fund being managed.
• Foreign exchange risk – Risk of loss that the entity may suffer on account of adverse fluctuations in the exchange rate movements in currencies.
• Interest rate risk – Risk where changes in the market interest rates might adversely affect the Net interest Income earnings. It is the threat that interest paid may be more than the interest collected resulting in financial loss.
• Staffing risk – Risk of not employing the right person for the right job. Poorly drafted job descriptions, inadequate background verifications and inexperienced personnel contribute to staffing risk.
• Technology risk – Risk of not keeping pace with the fast changing technologies for business operations. Usage of out-dated technologies could impact the business operations adversely thereby resulting in loss of reputation, market share, customers, etc.
• Business continuity risk – Risk arising from inability to restore operations immediately in the event of an incident / disaster.
• Information (data security) risk – Risk of unauthorized access to data. Poor access controls both at the network level and application level give rise to this risk.
• Country risk – Helps to address the issues of identifying, measuring, monitoring and controlling country exposure risks.
• Fraud risk – Risk of control failures, management override and deliberate acts of omission and commission that lead to financial losses.
• Price risk - Probability of loss occurring from adverse movement in the market price of an asset.
• Process risk – Inability of the management to meet its process related objectives on account of failed activities in a business process. It is a risk of loss resulting from failure of internal processes, people and systems or from external events.
• Security Risk - A person or situation which poses a possible threat to the security of something. Also, security arrangements risk means risk which arises from vulnerability of security systems.
• Governance risk - Refers to ineffective, unethical management of a company by its executives and managerial levels.
• Safety risks - These are the most common and will be present in most workplaces at one time or the other. They include unsafe conditions that can cause injury, illness and death.

CHAPTER 2: SOURCE AND EVALUATION OF RISKS

Chapter Overview
• Identification and Sources of Risks
• Quantification of Risk and various methodologies
• Impact of Business Risk
• Role of Risk Manager and Risk Committee in identifying Risk
• Identify and assess the impact upon the stakeholder involved in Business Risk

Identification and Sources of Risk

Risk Identification

Meaning – It is the action or process of identifying some potential internal or external event, or threat or vulnerability or a fact that could cause damage to the entity or prevent it from achieving its objectives.

Inclusion - It includes documenting the potential risks in the form of a risk questionnaire or risk register and communicating the risks to the executive management.

Effectiveness - Risk identification is effective when the risk management team understands the business, industry or sector in which the business operates and the key management objectives or key performance indicators. Further, the risk management team should undertake a Strength, Weakness, Opportunity and Threat assessment exercise so as to document the factors that could give rise to potential risks in future.

Participants in the Risk Identification Process
• Business managers
• Project team
• Risk management team
• Subject matter experts
• Customers
• End users
• Other project managers, stakeholders, and
• Outside experts

Business Functions Assessment from Risk Perspective

Generally, business functions can be assessed from a risk perspective as follows:

Strategic – These include business model risk factors in terms of product demand factors, availability of supply chain inputs at competitive rates, innovation, competition, financial stability and capital access, etc.

Operational – These include process execution and day-to-day issues that the entity is exposed to.

Financial – These concern the effective management and control of the finances of the organization and the effects of external factors such as availability of credit, working capital, foreign exchange rates, interest rate movement and other market exposures.

Knowledge management – Factors contributing to knowledge risks include the unauthorised use or abuse of intellectual property/competitive technology. Internal factors may include loss of key staff.

Compliance management – To manage compliances effectively, entities undertake a detailed compliance risk assessment exercise wherein each applicable law is mapped for specific compliance obligation and the mitigating compliance action plan against it is documented.

Quantification of Risk and Various Methodologies

Risk assessment: The determination of quantitative or qualitative estimate of risk consequence related to a scenario or situation and an identified threat or hazard.

Risk Measurement: Once risks have been identified, they are assessed and measured in order to determine their probability of occurrence, costs, opportunity, social and eventual impact on the entity’s profitability and capital.

Risk quantification: The process of evaluating and defining the cost and benefits associated with the risk consequences.

Qualitative Risk Assessment

Risk Probability and Impact assessment generally finds answers to the following questions –
• What is the probability that a risk will occur?
• What will it cost the business if it does happen?
• The Probability and Impact Matrix indicates which risks need to be managed.

Risk Impact Matrix

(Rows: Impact, from high to low. Columns: Likelihood (probability), from low to high.)

Grid I: High impact & low probability; may be reviewed every quarter
Grid II: High impact & medium probability; needs quarterly review with real time monitoring
Grid III: High impact & high probability; needs quarterly review with online monitoring
Grid IV: Medium impact & low probability; may be reviewed every six months
Grid V: Medium impact & medium probability; may be reviewed every six months
Grid VI: Medium impact & high probability; may be reviewed every quarter
Grid VII: Low impact & low probability; may be reviewed annually
Grid VIII: Low impact & medium probability; may be reviewed annually
Grid IX: Low impact & high probability; may be reviewed every six months

Tools and Techniques for Risk Quantification

Judgment and intuition
In many situations, the management and auditors have to use their judgment and intuition for risk assessment.

The Delphi approach
A method for structuring a group communication process so that the process is effective in allowing a group of individuals as a whole to deal with a complex problem.

Scoring
First the risks in the business, system and their respective exposures are listed, and weights assigned; then the product of the risk weight with the exposure weight of every characteristic is computed. The sum of these weighted scores gives us the risk and exposure score of the system. System risk is then ranked according to the scores obtained.

Quantitative techniques
These techniques involve the calculation of an annual loss exposure value based on the probability of the event and the exposure in terms of estimated costs.

Qualitative techniques
These techniques are the most widely used approaches to risk analysis. Probability data is not required and only estimated potential loss is used.

Expected monetary value
It is the product of two numbers: risk event probability (an estimate of the probability that a given risk event will occur) and risk event value (an estimate of the gain or loss that will be incurred if the risk event does occur).

Simulation
Simulation ties together sensitivities and probability distributions.

Decision Tree
It is a diagram that depicts key interactions among decisions and associated chance events as they are understood by the decision maker.

Expert Judgement
It can often be applied in lieu of or in addition to the mathematical techniques described above.

Frequency of Loss
It measures the number of times losses occur during a particular period of time.

Scenario Analysis
It is an extension of Sensitivity Analysis, where only one variable at a time is analyzed. Here, we could see the combined effects of changes in more than one variable.

Risk Identification and Assessment Approaches

Some of the important techniques of risk identification are detailed hereunder:

Analysis of processes
Under this technique, material or significant business processes are flow charted.

Brainstorming
Under brainstorming a group of employees put forward their ideas or sensation of risk.

Questionnaires & Interviews
Focused on detecting the concerns of staff with respect to the risks or threats that they perceive in their operating environment.

Checklists
These are information aids to reduce the likelihood of failures from potential hazards, risks or controls that have been developed usually from past experience, either as a result of a previous risk assessment or as a result of past failures or incidents or history or industry learning.

“What-if” Technique (WIFT)
This is a structured, team exercise, where the expert facilitator utilizes a set of “indicators” or “hints” to stimulate participants to identify risks.

Fault Tree Analysis (FTA)
This method is similar to a form of creative thinking called reverse brainstorming. This technique is used for identifying and analyzing factors that can contribute to a specified undesired event (called the “top event”).

Bow Tie Analysis
Bow tie analysis is a diagrammatic way of describing, linking and analyzing the pathways of a risk from causes to effects/consequences.

Direct Observations
This relatively simple technique is used daily in the workplace by staff who may observe risky situations and hazards regularly.

Incident Analysis
Recording incidents (that have already happened) in a register, conducting root cause analysis and periodically running some trend analysis reports to analyze incidents, which can potentially enable identification of new risks.

Surveys
It is similar to structured interviews but involves a larger number of people. It can be used to collect a broad set of ideas, thoughts and opinions across a range of areas covering risks and control effectiveness.

Workshops
Meeting of group of employees in a comfortable atmosphere, in order to identify the risks and assess their possible impact on the company.

Comparison with other organizations
The technique used for comparing one’s own organization with the competitors.

Stakeholder analysis
It includes the process of identifying individuals or groups who have a vested interest in the objectives. It also involves engaging them to better understand the objective and its associated uncertainties.

Working groups
Compact working groups can be formed that could be cross functional, to surface detailed information about the risks i.e. source, causes, consequences, stakeholder impacted, existing controls.

Corporate knowledge
History of risks provides insight into future threats or opportunities through:
• Experiential knowledge
• Documented knowledge
• Lessons learned

Risk Treatment Options

Sr. No | Risk action | Description
1 | Avoid | Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
2 | Reduce/Manage | Action is taken to reduce the risk likelihood or impact, or both. This, typically, involves any of the myriad of everyday business decisions. This involves addressing the root cause of the risk factor.
3 | Transfer/Share | Reducing the risk likelihood or impact by transferring or, otherwise, sharing a portion of the risk. Common techniques include purchasing insurance cover, outsourcing activities, engaging in hedging transactions.
4 | Accept | No action is taken to affect the risk likelihood or impact. This is mainly in cases where the risk implications are lower than the Company’s risk appetite levels.

Impact of Business Risk

Sr. No | Impact Areas | Nature of Impact
1 | Strategy and business objectives | Delays, change management, failure to achieve objectives
2 | Financial | Direct or indirect financial loss
3 | Customer | Loyalty, relationship, payment terms, attrition
4 | Employee | Morale, engagement, attrition
5 | Vendor/supplier | Loyalty, relationship, payment terms, attrition
6 | Compliance | Delays, penalties, offences, defaults, imprisonment
7 | Reputation/Brand equity | Loss of confidence, public exposures, litigation, etc.

Classification of Risks on the basis of impacts

Risks can be classified on the basis of their impacts into following rating buckets:
• Severe
• Major
• Moderate
• Minor
• Insignificant

Analyzing the Level of Risk

To analyze risks, we need to work out the likelihood of its happening (frequency or probability) and the consequences it would have (the impact) of the risks that are identified.

A risk analysis can be presented in the form of a matrix as follows:

Likelihood scale

Level | Likelihood | Description
4 | Very likely | Happens more than once a year in the industry
3 | Likely | Happens about once a year in the industry
2 | Unlikely | Happens every 10 years or more in the industry
1 | Very unlikely | Has only happened once in the industry

Consequences scale

Level | Consequence | Description
4 | Severe | Financial losses greater than ₹5 Crores
3 | High | Financial losses between ₹1 to 5 Crores
2 | Moderate | Financial losses between ₹10 Lacs to 1 Crore
1 | Low | Financial losses less than ₹10 Lacs

Once the level of risks is completed, we then need to create a risk rating table by multiplying Likelihood Scale with the Consequences Scale to evaluate the risk for making a decision about its severity and ways to manage it.

Risk rating table

Risk rating | Description | Risk Management Action
12-16 | Severe | Needs immediate corrective action
8-12 | High | Needs corrective action within 1 week
4-8 | Moderate | Needs corrective action within 1 month
1-4 | Low | Does not currently require corrective action

Identify and Assess the Impact upon the Stakeholders Involved in Business Risk

S. No. | Stakeholders | Nature of Impact
1 | Owners, Boards & Management | Failure to achieve objectives, Delays, Change management, disruption, financial losses, etc.
2 | Society | Loss of confidence, health hazards, direct or indirect financial losses, disruption in life style, etc.
3 | Consumer | Health, financial losses, loss of confidence, etc.
4 | Employee | Life, health, morale, engagement, attrition
5 | Vendor/supplier | Loyalty, relationship, payment terms, attrition
6 | Government, Regulators | Revenue loss, delays in project implementations, loss of public confidence, etc.
7 | Investors | Loss of confidence, lower returns, litigation, financial losses, etc.

Principles For Effective Implementation of Risk Management Recommended By OECD

Risk managers were often separated from management and not regarded as an essential part of implementing the company’s strategy. Most important of all, boards were in a number of cases ignorant of the risk facing the company.

The aim is to ensure that risks are understood, managed and, when appropriate, communicated.

Effective implementation of risk management requires an enterprise-wide approach rather than treating each business unit individually.

The board should also review and provide guidance about the alignment of corporate strategy with risk-appetite and the internal risk management structure.

To assist the board in its work, it should also be considered good practice that risk management and control functions be independent of profit centers and the “chief risk officer” or equivalent should report directly to the board of directors along the lines.

The process of risk management and the results of risk assessments should be appropriately disclosed.

Corporate governance standard setters should be encouraged to include or improve references to risk management in order to raise awareness and improve implementation.

CHAPTER 3: RISK MANAGEMENT

Chapter Overview
• Concept of Risk Management
• Objective and Process of Risk Management
• Risks
• Risk Management Techniques
• Importance of Risk Management

Concept of Risk Management

Source | Views
Warren Buffet | Risk comes from not knowing what you are doing.
Theodore Roosevelt | Risk management is about people and processes and not about models and technology.
The Risk Management Standard, The Institute of Risk Management | Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
Thomas S. Coleman, Practical Guide Risk Management, CFA Institute | Risk management is the art of using lessons from the past to mitigate misfortune and exploit future opportunities—in other words, the art of avoiding the stupid mistakes of yesterday while recognizing that nature can always create new ways for things to go wrong.

Risk Attitude, Appetite, and Tolerance

Risk Attitude – It depends upon one’s temperament such as whether a particular individual or an organization is risk-averse, risk-neutral, or risk-seeking.

Risk tolerance – Means how much risk an organization can tolerate or is willing to withstand.

Risk appetite – The risk taking capacity; it looks at how much risk one is willing to take.

Risks Appetite – Principles and Approach
• Risk appetite can be complex
• Risk appetite needs to be measurable
• Risk appetite is not a single, fixed concept
• Risk appetite should be developed in the context of an organization’s risk management capability, which is a function of risk capacity and risk management maturity
• Risk appetite must be integrated with the control culture of the organization

Objectives of risk management
• Risk Identification
• Risk Assessment
• Risk Mitigation

Step by Step Process of Risk Management

Steps | Action | Principles
Step 1: Identify the Risk | Uncovering, recognizing and describing risks that might affect your project or its outcomes. | Risk identification – What can go wrong?
Step 2: Analyze the risk. | Determining the likelihood and consequence of each risk. | Risk analysis – How will it affect us?
Step 3: Evaluate or Rank the Risk. | Evaluating or ranking the risk by determining the risk magnitude, which is the combination of likelihood and consequence. | Risk control – What should we do?
Step 4: Treat the Risk. | Minimizing the probability of the negative risks as well as enhancing the opportunities by creating risk mitigation strategies, preventive plans and contingency plans. | Risk treatment – If something does happen, how will you pay for it?
Step 5: Monitor and Review the risk. | Reviewing the Risk Register and using it to monitor, track and update risks. | Risk Monitoring – How can we continuously look at foresight and hindsight?

Risk Management Techniques

Tolerate: The exposure may be tolerable without any further action being taken.

Transfer: For some risks, the best response may be to transfer them. This might be done by conventional insurance or by paying a third party to take the risk.

Terminate: Some risks can only be treated, or contained to acceptable levels, by terminating the activity itself.

Treat: By far, a large number of risks are addressed in this way. The purpose of treatment is to continue with the activity giving rise to the risk while action (internal control) is taken to contain the risk to an acceptable level.
