BBK3253 Risk Management Prepared by Khairul Anuar

Transcription

1 BBK3253 Risk Management Prepared by Khairul Anuar Lecture 4 Internal and External Risk Risk Management & Corporate Governance Diversifiable & Non-diversifiable Risk 1

2 2

3 3

4 Risk Environment and Context The first step in managing risk is to scan all factors contributing to the environment in which risk has to be managed. Normally, the factors are divided into two: external and internal factors. 4

5 External Factors Establishing the external factors involves familiarisation with: 1. Laws and Regulation Laws and regulation can have an effect on the capability of an organization to achieve the objective and targets. For example, some laws and regulation may prevent the organisation from doing certain things that they normally do. On the other hand, some laws and regulations can benefit the organisation. 2. Economy Some countries may have very volatile economies which can affect the market while some other countries may have a matured economic environment. Other effects like economic cycle, inflation, unemployment will have an impact on businesses 5

6 External Factors 3. Corporate Governance Requirements In Malaysia, the Securities Commission Malaysia has released the Malaysian Code on Corporate Governance (MCCG); this is to be implemented by companies listed in the Bursa Malaysia to foster a strong culture of corporate governance. All organisations listed under the Bursa Malaysia are required to comply with the MCCG. 4. Government Many organisations have relationships with government bodies such as ministries, which they are dependent on in terms of policies, financing and operations. 6

7 (5) Stakeholders Expectations External Factors Most organisations have a number of interdependencies which impact the organization s risk management. These interdependencies are called extended enterprise. Some example of interdependencies include government bodies, partner organisations, customers, contractors, suppliers, employees and others. Stakeholders expectations may affect the way we normally deal with specific risks. They may be unwilling to accept the risk management actions which appear effective for the organisation. It is quite common for organisations to overlook stakeholders expectations when managing risks. 7

8 Internal Factors Once you are familiar with the external factors, you need to assess the internal factors which involves understanding the following: 1. Organisation s capabilities in terms of resources and knowledge; 2. Internal stakeholders; 3. Objectives and the organization s strategies to achieve them; 4. Values and cultures; 5. Policies and processes; and 6. Governance structure, business structure, roles and accountabilities. 8

9 Corporate Governance in Malaysia Risk Management is incorporated into Malaysian Code of Corporate Governance (MCCG). MCCG is issued by the Securities Commission Malaysia to strengthen the corporate governance culture among public listed companies. The latest issuance in 2012 is focused on strengthening the structure and composition of the Board. 9

10 Corporate Governance in Malaysia Corporate governance: 1. Is an obligation placed on the board of an organisation; and 2. It ensures stakeholders confidence in the ability of the organisation to achieve outcomes (revenue, profit, market share, etc.). MCCG is compulsory for companies listed under Bursa Malaysia. However, other organisations are encouraged to adopt the principles and recommendations of the MCCG This is to ensure those companies achieve the desired financial target and are sustainable. 10

11 Corporate Governance Principles and Recommendation The MCCG has identified 8 principles of good corporate governance culture. Along with the principles, it has addressed several recommendations to be implemented by the Board of Directors (BOD) and management team of an organisation. 11

12 Corporate Governance Principles and Recommendation Principle 1: Establishing clear roles and responsibilities; Principle 2: Principle 3: Principle 4: Principle 5: Principle 6: Principle 7: Principle 8: Strengthening composition; Reinforcing independence; Fostering commitment; Upholding integrity in financial reporting; Recognising and managing risk; Ensuring timely and high quality disclosure; and Strengthening the relationship between company and shareholder. 12

13 Implementation of Principle 6: Recognising and Managing Risk Principle 6 is related to risk management in which it requires the BOD of an organisation to establish a sound framework to manage risk. Risk management framework and internal controls system The board is required to establish a sound framework to determine the company s level of risk tolerance and actively identify, assess and monitor key business risks. In doing so, the BOD has to ensure that the organization s risks are being identified, assessed and monitored actively to safe guard shareholder s investments and the organsation s assets. The BOD also needs to disclose in the annual report the main features of the organization s risk management framework. 13

14 Principle 6 : RECOGNISE AND MANAGE RISKS 14

15 Principle 6 : RECOGNISE AND MANAGE RISKS Recommendation 6.1 The board should establish a sound framework to manage risks. Commentary The board should determine the company s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders investments and the company s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company s internal controls system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust. The board should disclose in the annual report the main features of the company s risk management framework and internal controls system. 15

16 Principle 6 : RECOGNISE AND MANAGE RISKS Recommendation 6.2 The board should establish an internal audit function which reports directly to the Audit Committee. Commentary The board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the 16

17 Implementation of Principle 6: Recognising and Managing Risk Evaluation of Compliance It is common that the BOD establish a risk and compliance committee with responsibilities to: (a) Oversees the risk profile; b) Make its annual declaration on risk; and (c) Approve policies and processes for managing risk. The committee has free access to senior management, risk and financial control personnel in carrying out its duties. 17

18 Interrelation between corporate governance, risk management and the risk assessment process Figure 1.5 illustrates the interrelation between corporate governance, risk management and the risk assessment process. 18

19 Interrelation between corporate governance, risk management and the risk assessment process Figure 1: The interrelation between corporate governance, risk management and the risk assessment process Source: Chapman (2013) 19

20 Effective Risk Oversight The Board Of Directors (BODs) faces a challenging task of effectively overseeing the organization s enterprise-wide risk management to balance the way risks is being managed and to add value to the organisation. In principle, risk oversight is the role of the BODs. However, many approaches to risk oversight fail to link risks to strategic business objectives. Figure 2 shows an example of an effective risk oversight structure of Smith Group plc. 20

21 Effective Risk Oversight Smiths Group plc Figure 2: Example of effective risk oversight structure Source: 21

22 Effective Risk Oversight Smiths Group plc Managing risk The diagram summarises how Smiths Plc manage risk The Board has ultimate responsibility for our risk management policies and for ensuring we have an effective system of internal control. The executive and operational management assess the risks facing our businesses and respectively create and implement our risk management policies. The Audit Committee ensures appropriate oversight of risk management and is supported by our internal audit function, which tests the effectiveness of our controls and identifies areas for improvement. Figure: Example of effective risk oversight structure Source: 22

23 Pure Risk & Speculative Risk Pure risk condition where there are 2 possible outcomes: a. A chance of loss, or b. No loss Hence, there is no a possibility of a gain Examples flood, road accident, unemployment, illness and death There is no opportunity for the people who are directly affected to gain from this outcome Speculative risks situation where there are 3 possible outcomes a chance of loss, no loss, or a gain Example investors who invests in shares of a company faces speculative risk as there is a chance that he may gain or lose from the investment depending on future prices of the share Other examples starting a new business, investing in commodities Insurance companies only insure pure risks, but not speculative risk With pure risk, people generally try to minimise the probability of its occurrence With speculative risk, people are more willing to assume the risk because there is a chance of gain 23

24 Systematic & Unsystematic Risk Systematic risk arises on account of the economy-wide uncertainties and the tendency of individual securities to move together with changes in the market. This part of risk cannot be reduced through diversification. It is also known as market risk. Includes such things as changes in GDP, inflation, interest rates, etc.) Unsystematic risk arises from the unique uncertainties of individual securities. It is also called unique risk. Unsystematic risk can be totally reduced through diversification. Also known as unique risk and asset-specific risk Includes such things as labor strikes, part shortages, etc. 24

25 Diversifiable & Non-diversifiable Risk Diversifiable risks risks that involve only a small proportion of people from a relatively large group, and be reduced by diversification. This type of risks does not involve the whole population or economy Example investing only one type of stock is riskier compared to portfolio of 20 different stock of various industries Non-diversifiable risks risks that involve a large number of people of the whole economy Example a stock market crash, inflation, natural disasters such earth quake 25

26 Diversification and risk 26

27 Insurable & Non-insurable Risk Risks that are insurable are pure risks, i.e. that involve a chance of loss of loss Non-insurable risks are those that involve speculative risks (when a gain is a one of the outcomes) and also nondiversifiable risks (i.e. when the risks involves the whole economy or a large number of people Insurability of risks depends on whether it is pure or speculative risk, and Whether it is a diversifiable or non-diversifiable risk 27

28 Case Study UMW Holdings Berhad 28

29 Case Study UMW Holdings Berhad (a) First Line of Defence The first line of defence is provided by senior management. Management Committee members, Heads of Operating Companies and Heads of Corporate Divisions are accountable for all risks and internal controls assumed under their respective areas of responsibility. Senior management is also responsible for creating a risk-awareness culture, which will ensure greater understanding of the importance of risk management and internal control whilst ensuring its principles are embedded in key operational processes and in all projects. (b) Second Line of Defence The second line of defence is provided by the Risk Management, Compliance and Integrity functions. These functions are responsible for monitoring the risk management and internal control activities in the Group to ensure effective implementation and compliance with the Group s policies and guidelines. 29

30 Case Study UMW Holdings Berhad (c) Third Line of Defence The third line of defence is provided by the Group Internal Audit Division ( GIAD ). GIAD provides independent assurance of the adequacy and reliability of the risk management processes and system of internal control, and ensures compliance with risk-related regulatory requirements. 30