BBK3253 Risk Management Prepared by Khairul Anuar

Transcription

1 BBK3253 Risk Management Prepared by Khairul Anuar Lecture 3 Internal and External Risk Risk Management & Corporate Governance Diversifiable & Non-diversifiable Risk Risk Appetite and Risk Tolerance 1

2 Risk Environment and Context The first step in managing risk is to scan all factors contributing to the environment in which risk has to be managed. Normally, the factors are divided into two: external and internal factors. 2

3 External Factors Establishing the external factors involves familiarisation with: 1. Laws and Regulation Laws and regulation can have an effect on the capability of an organization to achieve the objective and targets. For example, some laws and regulation may prevent the organisation from doing certain things that they normally do. On the other hand, some laws and regulations can benefit the organisation. 2. Economy Some countries may have very volatile economies which can affect the market while some other countries may have a matured economic environment. Other effects like economic cycle, inflation, unemployment will have an impact on businesses 3

4 External Factors 3. Corporate Governance Requirements In Malaysia, the Securities Commission Malaysia has released the Malaysian Code on Corporate Governance (MCCG); this is to be implemented by companies listed in the Bursa Malaysia to foster a strong culture of corporate governance. All organisations listed under the Bursa Malaysia are required to comply with the MCCG. 4. Government Many organisations have relationships with government bodies such as ministries, which they are dependent on in terms of policies, financing and operations. 4

5 (5) Stakeholders Expectations External Factors Most organisations have a number of interdependencies which impact the organization s risk management. These interdependencies are called extended enterprise. Some example of interdependencies include government bodies, partner organisations, customers, contractors, suppliers, employees and others. Stakeholders expectations may affect the way we normally deal with specific risks. They may be unwilling to accept the risk management actions which appear effective for the organisation. It is quite common for organisations to overlook stakeholders expectations when managing risks. 5

6 Internal Factors Once you are familiar with the external factors, you need to assess the internal factors which involves understanding the following: 1. Organisation s capabilities in terms of resources and knowledge; 2. Internal stakeholders; 3. Objectives and the organization s strategies to achieve them; 4. Values and cultures; 5. Policies and processes; and 6. Governance structure, business structure, roles and accountabilities. 6

7 Corporate Governance in Malaysia Risk Management is incorporated into Malaysian Code of Corporate Governance (MCCG). MCCG is issued by the Securities Commission Malaysia to strengthen the corporate governance culture among public listed companies. The latest issuance in 2012 is focused on strengthening the structure and composition of the Board. 7

8 Corporate Governance in Malaysia Corporate governance: 1. Is an obligation placed on the board of an organisation; and 2. It ensures stakeholders confidence in the ability of the organisation to achieve outcomes (revenue, profit, market share, etc.). MCCG is compulsory for companies listed under Bursa Malaysia. However, other organisations are encouraged to adopt the principles and recommendations of the MCCG This is to ensure those companies achieve the desired financial target and are sustainable. 8

9 Corporate Governance Principles and Recommendation The MCCG has identified 8 principles of good corporate governance culture. Along with the principles, it has addressed several recommendations to be implemented by the Board of Directors (BOD) and management team of an organisation. 9

10 Corporate Governance Principles and Recommendation Principle 1: Establishing clear roles and responsibilities; Principle 2: Principle 3: Principle 4: Principle 5: Principle 6: Principle 7: Principle 8: Strengthening composition; Reinforcing independence; Fostering commitment; Upholding integrity in financial reporting; Recognising and managing risk; Ensuring timely and high quality disclosure; and Strengthening the relationship between company and shareholder. 10

11 Implementation of Principle 6: Recognising and Managing Risk Principle 6 is related to risk management in which it requires the BOD of an organisation to establish a sound framework to manage risk. Risk management framework and internal controls system The board is required to establish a sound framework to determine the company s level of risk tolerance and actively identify, assess and monitor key business risks. In doing so, the BOD has to ensure that the organization s risks are being identified, assessed and monitored actively to safe guard shareholder s investments and the organsation s assets. The BOD also needs to disclose in the annual report the main features of the organization s risk management framework. 11

12 Principle 6 : RECOGNISE AND MANAGE RISKS 12

13 Principle 6 : RECOGNISE AND MANAGE RISKS Recommendation 6.1 The board should establish a sound framework to manage risks. Commentary The board should determine the company s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders investments and the company s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company s internal controls system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust. The board should disclose in the annual report the main features of the company s risk management framework and internal controls system. 13

14 Principle 6 : RECOGNISE AND MANAGE RISKS Recommendation 6.2 The board should establish an internal audit function which reports directly to the Audit Committee. Commentary The board should establish an internal audit function and identify a head of internal audit who reports directly to the Audit Committee. The head of internal audit should have the relevant qualifications and be responsible for providing assurance to the 14

15 Implementation of Principle 6: Recognising and Managing Risk Evaluation of Compliance It is common that the BOD establish a risk and compliance committee with responsibilities to: (a) Oversees the risk profile; b) Make its annual declaration on risk; and (c) Approve policies and processes for managing risk. The committee has free access to senior management, risk and financial control personnel in carrying out its duties. 15

16 Interrelation between corporate governance, risk management and the risk assessment process Figure 1.5 illustrates the interrelation between corporate governance, risk management and the risk assessment process. 16

17 Interrelation between corporate governance, risk management and the risk assessment process Figure 1: The interrelation between corporate governance, risk management and the risk assessment process Source: Chapman (2013) 17

18 Effective Risk Oversight The Board Of Directors (BODs) faces a challenging task of effectively overseeing the organization s enterprise-wide risk management to balance the way risks is being managed and to add value to the organisation. In principle, risk oversight is the role of the BODs. However, many approaches to risk oversight fail to link risks to strategic business objectives. Figure 2 shows an example of an effective risk oversight structure of Smith Group plc. 18

19 Effective Risk Oversight Smiths Group plc Figure 2: Example of effective risk oversight structure Source: 19

20 Effective Risk Oversight Smiths Group plc Managing risk The diagram summarises how Smiths Plc manage risk The Board has ultimate responsibility for our risk management policies and for ensuring we have an effective system of internal control. The executive and operational management assess the risks facing our businesses and respectively create and implement our risk management policies. The Audit Committee ensures appropriate oversight of risk management and is supported by our internal audit function, which tests the effectiveness of our controls and identifies areas for improvement. Figure: Example of effective risk oversight structure Source: 20

21 Pure Risk & Speculative Risk Pure risk condition where there are 2 possible outcomes: a. A chance of loss, or b. No loss Hence, there is no a possibility of a gain Examples flood, road accident, unemployment, illness and death There is no opportunity for the people who are directly affected to gain from this outcome Speculative risks situation where there are 3 possible outcomes a chance of loss, no loss, or a gain Example investors who invests in shares of a company faces speculative risk as there is a chance that he may gain or lose from the investment depending on future prices of the share Other examples starting a new business, investing in commodities Insurance companies only insure pure risks, but not speculative risk With pure risk, people generally try to minimise the probability of its occurrence With speculative risk, people are more willing to assume the risk because there is a chance of gain 21

22 Systematic & Unsystematic Risk Systematic risk arises on account of the economy-wide uncertainties and the tendency of individual securities to move together with changes in the market. This part of risk cannot be reduced through diversification. It is also known as market risk. Includes such things as changes in GDP, inflation, interest rates, etc.) Unsystematic risk arises from the unique uncertainties of individual securities. It is also called unique risk. Unsystematic risk can be totally reduced through diversification. Also known as unique risk and asset-specific risk Includes such things as labor strikes, part shortages, etc. 22

23 Diversifiable & Non-diversifiable Risk Diversifiable risks risks that involve only a small proportion of people from a relatively large group, and be reduced by diversification. This type of risks does not involve the whole population or economy Example investing only one type of stock is riskier compared to portfolio of 20 different stock of various industries Non-diversifiable risks risks that involve a large number of people of the whole economy Example a stock market crash, inflation, natural disasters such earth quake 23

24 Diversification and risk 24

25 Insurable & Non-insurable Risk Risks that are insurable are pure risks, i.e. that involve a chance of loss of loss Non-insurable risks are those that involve speculative risks (when a gain is a one of the outcomes) and also nondiversifiable risks (i.e. when the risks involves the whole economy or a large number of people Insurability of risks depends on whether it is pure or speculative risk, and Whether it is a diversifiable or non-diversifiable risk 25

26 Risk Appetite Risk appetite, is the amount and type of risk that an organisation is willing to pursue or retain. In other words, it is the total impact of risk an organisation is prepared to accept in the pursuit of its strategic objectives. (Defined by MS ISO Guide 73) Factors such as external environment, people, business systems and policies can all influence an organization s risk appetite. Put simply, this means that the amount of impact from risk that an organisation is prepared to accept will vary from organisation to organisation. Developing risk appetite is not a one off process. It has to be communicated to those involved in decision making. There should be a process of monitoring and updating risk appetite in responding to external and internal changes. Thus, developing risk appetite is a continuous process. 26

27 Risk Appetite Figure below shows the steps involved in developing a risk appetite. 27

28 Risk Appetite Determining RA of an Organisation In determining risk appetite, normally organisations establish a risk matrix. This risk matrix is developed after a long deliberation at the Board and senior management level taking into account stakeholder s interest, business systems and policies as well as the external environment. Figure 5.2 displays an example of a risk matrix. The risk matrix is based on the likelihood and consequences criteria. The likelihood and consequence criteria contribute to the level of risks where the risk appetite is developed. The Board and senior management will decide the appropriate risk appetite for the organisation. For example in Figure 5.2, a company may decide that any risk that falls under the L and M boxes are acceptable, while those labelled under as S and H are unacceptable. 28

29 Risk Assessment Figure 5.2: An example of a company s typical risk matrix L I K E L I H O O D Almost Certain 4 Likely 3 Unlikely 2 Rare 1 M4 S8 S12 H16 M3 S6 S9 S12 L2 M4 S6 S8 L1 L2 M3 M4 Negligible 1 Minor 2 Major 3 Critical 4 CONSEQUENCES

30 Risk Appetite Determining RA of an Organisation Risk appetite may differ depending on its scope of application, whether to the overall organisation, a specific category of risk, process or project. The criteria of appetite, whether low or high also varies with the type of business, activity or project. Example: A consulting firm which depends heavily on their consultants in delivering their service will have a low appetite on the consultant turnover rate. This is because a high turnover rate will have a great impact on their business. A real estate agency could adopt a higher appetite on employee turnover rate, but a low appetite on interest rate fluctuations and financing risk. Higher appetite or larger appetite range contribute to a lower impact in achieving business objectives because the greater range provides more allowance or buffers for the organisation to strategise their plan. The agency is able to accept risks as a result of high turnover, most probably, because there are plenty of real estate agents. Therefore, the impact towards achieving business objective is low or insignificant. 30

31 Risk Appetite Determining RA of an Organisation Lower appetite does not provide much room for the organisation to respond and, thus, it contributes to greater impact on business objectives. Example: slight fluctuation of interest rate will impact the organisation tremendously because the real estate market is influenced by its price and demand. The higher price will obviously reduce the demand for real estate ultimately achieving the organisation s business objective. Figure 5.3 shows the relationship between appetite and impact to business objectives. 31

32 Risk Tolerance MS ISO Guide 73: 2010 defines risk tolerance as an organisation s or Stakeholder s readiness to bear the risk after risk treatment in order to achieve its objectives. It is a measure of an organisation s capacity to handle risk. Consider the example illustrated in Figure

33 Risk Tolerance Figure 5.5 shows that after considering their financial forecasting, the company s risk appetite is between 2000 to 5000 customers per month. However, they can still tolerate at the upper limit up to 6000 customers. If they accept more than this limit, they will be facing other emerging risks that could affect their profitability. On the other hand, at the lower limit, they can tolerate customer count up to If they go lower than this, the business will not be breaking even and they will be operating in a loss. 33

34 Risk Tolerance To facilitate your understanding, look at the examples of the difference between risk appetite and risk tolerance for 3 different types of business shown in the table below. 34

35 Case Study UMW Holdings Berhad 35

36 Case Study UMW Holdings Berhad (a) First Line of Defence The first line of defence is provided by senior management. Management Committee members, Heads of Operating Companies and Heads of Corporate Divisions are accountable for all risks and internal controls assumed under their respective areas of responsibility. Senior management is also responsible for creating a risk-awareness culture, which will ensure greater understanding of the importance of risk management and internal control whilst ensuring its principles are embedded in key operational processes and in all projects. (b) Second Line of Defence The second line of defence is provided by the Risk Management, Compliance and Integrity functions. These functions are responsible for monitoring the risk management and internal control activities in the Group to ensure effective implementation and compliance with the Group s policies and guidelines. 36

37 Case Study UMW Holdings Berhad (c) Third Line of Defence The third line of defence is provided by the Group Internal Audit Division ( GIAD ). GIAD provides independent assurance of the adequacy and reliability of the risk management processes and system of internal control, and ensures compliance with risk-related regulatory requirements. 37