2.3 - risk management & management control

learning outcomes

  • understanding the concepts of risk and risk management

  • exploring risk management techniques and disclosure

  • examining the interrelation between risk management and management control

  • developing risk management frameworks

  • critically evaluating risk management

risk & risk management

defining risk & risk management

  • risk - “uncertain future events which could influence the achievement of the organisation’s strategic, operational, and financial objectives” [IFAC, 1999]

  • risk management - “a process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives” [CIMA, 2005]

  • the international risk management standard ISO 31000 [2009] defines risk as “the effect of uncertainty on objectives”, with risk management being the principles, framework and process for managing that uncertainty

purpose: shareholder value & sustainable performance

shareholder value = NPV of current business model + value of future growth options

  • good risk management [RM] protects existing value, exploits opportunities for the future, and increases the probability of achieving long-term sustainability

  • RM is not intended or expected to eliminate risks altogether

  • RM aims to increase stakeholders’ confidence about the company’s awareness of its risks

governance & RM

1990 - 2000: establishing internal control frameworks

  • COSO framework [1992]:

    • COSO introduced a framework for internal control

    • internal control is defined as a process implemented by management, the board, and employees to provide reasonable assurance of achieving objectives

    • it consists of 5 key elements:

      • control environment [organisational culture, ethical values]

      • risk assessment [identifying and managing risks]

      • control activities [policies and procedures to manage risks]

      • information and communication [flow of information for decision-making]

      • monitoring [continuous review and improvement]

2000 - onwards: scandals and regulatory response

  • financial scandals [e.g. Enron 2001]:

    • major corporate fraud cases [such as Enron’s collapse due to accounting fraud] exposed weaknesses in corporate governance and risk management

    • in response, governments implemented stricter regulations

  • key regulations:

    • Sarbanes-Oxley Act [2002]:

      • requires companies to evaluate the effectiveness of their internal controls

      • focuses primarily on financial reporting rather than broader operational risks

    • COSO [2004] - enterprise risk management [ERM] framework

      • expanded internal control to cover overall risk management, not just financial controls

why didn’t this reform prevent future crisis?

  • limitations of internal control regulation:

    • despite stricter regulations, the 2008 financial crisis still happened

    • key issue - evidence of internal control does not equal effectiveness of risk management

  • Lehman brothers case [2008]:

    • Lehman Bros Annual Report [2007] stated their internal controls were “effective” according to COSO criteria

    • however, in 2008 Lehman Brothers went bankrupt, showing that:

      • compliance with internal control regulations does not guarantee financial stability

      • SOX mainly focuses on financial reporting controls, but the banking crisis resulted from broader risk management failures [e.g. excessive leverage, liquidity risk]

the important takeaways of this are:

  • regulatory compliance [e.g. SOX, COSO] helps but does not eliminate financial crises

  • companies can meet formal requirements while still engaging in high-risk practices

  • true risk management requires a holistic approach beyond just compliance with internal control frameworks

the concept of risk & integration with control systems

the concept of risk

risk can be viewed in multiple ways, depending on how it affects an organisation:

  • risk as a threat - negative consequences that could harm an organisation [e.g. reputational damage, financial loss]

  • risk as uncertainty - situations where outcomes are unpredictable, making decision-making more challenging

  • risk as an opportunity - situations where risk-taking can lead to competitive advantages or innovation

types of risks

these risks impact organisations in different ways:

  • reputational risk - damage to a company’s image due to scandals, poor business practices, or unethical behaviour

  • business risk - risks associated with the company’s operational model, including market changes and competition

  • financial risk - risk related to financial instability, liquidity issues, or market downturns

  • environmental risk - risks due to climate change, sustainability concerns, and regulatory environmental compliance

  • international risk - risks linked to global operations, such as political instability, exchange rate fluctuation, and trade restrictions

  • human capital risk - risks related to employee management, talent retention, and workplace culture

risk categorisation [kaplan & mikes, 2011]

Kaplan & Mikes divide risks into 3 levels based on their nature and impact:

  • level 3 - routine operational and compliance risks

    • risks that arise from day to day operations, such as process failures, system breakdowns, or regulatory non-compliance

    • these are often manageable with strong internal controls

  • level 2 - strategic risks

    • risks that threaten a company’s ability to achieve its long term business objectives

    • these risks require proactive management and adaptation

  • level 1 - external, uncontrollable risks

    • risks arising from external events, such as economic downturns, natural disasters, or geopolitical conflicts

    • these are difficult to predict and control, requiring contingency planning

sources of strategic risk [Simons, 2000]

according to Simons [2000], strategic risk occurs when unexpected events disrupt business strategies, making it harder for managers to execute their plans. key types of strategic risks include:

  • operations risk - failures in business processes, production, or supply chain

  • asset impairment risk - decline in the value of assets due to changing market conditions [e.g. technology becoming obsolete, brand devaluation]

  • competitive risk - risk of losing market positions due to competitors introducing better products, services, or business models

how internal pressures can increase strategic risk

internal organisational factors can amplify strategic risks:

  • pressures due to growth

    • rapid expansion can overstretch resources, leading to inefficiencies and operational risks

    • scaling too fast without proper risk controls can lead to financial instability

    • example - a company aggressively expanding into new markets without understanding local regulations may face compliance issues

  • pressures due to culture

    • a toxic or unethical workplace culture can encourage risk-taking behaviour, leading to fraud or reputational damage

    • resistance to change can make companies slow to adapt to new market conditions

    • example - a rigid corporate culture may prevent employees from raising concerns about potential risks [e.g. financial mismanagement at Enron]

  • pressures due to information management

    • poor information flow within an organisation can lead to bad decision-making

    • lack of transparency can hide underlying risks, leading to regulatory and operational failures

    • example - Lehman Bros risk exposure was hidden due to poor risk reporting, contributing to its bankruptcy

the important takeaways:

  • risk can be seen as a threat, uncertainty, or opportunity

  • strategic risk occurs when unexpected events disrupt business plans

  • internal factors, such as growth pressures, corporate culture, and poor information management, can amplify strategic risks

  • strong governance, transparency, and proactive risk management are essential to mitigate strategic risks

explanation of integrated RM and performance management

integration of RMS and PMS

the core idea is that risk and performance are two sides of the same coin and should be integrated. by aligning risk and performance management, organisations can:

  • improve quality of decision making

  • increase stakeholder confidence

  • enhance efficiency by avoiding duplication of efforts

  • improve overall strategic planning

key aspects of integration

  • scope:

    • both RMS & PMS function as control systems

    • shift from technical [operational/tactical] to strategic decision making

    • helps organisations create value through better informed management

  • measurement:

    • performance and risk are measured using qualitative and quantitative techniques

    • integration enables new control mechanisms such as co-developing budgets and Enterprise Risk Management [ERM]

risk and control techniques

RM involves various techniques depending on type of risk:

routine operational & compliance risks

  • internal control systems to ensure compliance and efficiency

  • financial control techniques:

    • decision trees

    • probability distributions

    • cost-volume-profit [CVP] analysis

    • discounted cash flow [DCF]

    • capital asset pricing model [CAPM]

    • hedging techniques

  • asset protection policies [e.g. cybersecurity policies]

  • indicators like value at risk [VaR] and capital at risk [CaR] for financial risk assessment

external, uncontrollable risks

  • scenario planning to anticipate extreme events

  • “tail-risk” meetings to prepare for low-probability, high-impact risks

strategic risks

  • risk reviews during strategy meetings

  • risk mitigation initiatives to reduce exposure

  • use of heat maps and key risk indicator [KRI] scorecards to visualise and manage risks

integrated risk map

the integrated risk map combines risk impact and probability [level of risk] with the level of control in place

key features of the integrated risk map [Arena et al. 2017]:

  • vertical axis - represents level of risk [combinations of impact and probability]

  • horizontal axis - represents level of control [extent of mitigating measures]

  • helps organisations prioritise risks and improve control strategies
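As an added example, not taken from the page or from Arena et al. [2017], the following Python risk register computes both axes of the integrated risk map for each entry, places it in one of the four cells, and orders the register by residual exposure. The register entries, the 1..5 scoring scales, the residual-score formula and the quadrant thresholds are all constructed assumptions for illustration.

```python
"""Integrated risk map over a small risk register.

Vertical axis   = level of risk    (impact x probability, inherent score 1..25)
Horizontal axis = level of control (strength of mitigating measures, 1..5)
The register, the 1..5 scales, the residual formula and the quadrant
thresholds are constructed assumptions for this example, not scales taken
from Arena et al. [2017].
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MAX = 5          # assumed scoring scale: 1 (lowest) .. 5 (highest)
RISK_THRESHOLD = 12    # assumed: impact x probability above this is "high risk"
CONTROL_THRESHOLD = 3  # assumed: control score at or above this is "high control"


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1 negligible .. 5 severe
    probability: int  # 1 rare .. 5 almost certain
    control: int      # 1 no mitigation .. 5 strong, tested controls

    def __post_init__(self) -> None:
        # Reject scores outside the scale rather than silently mis-plotting them.
        for field in ("impact", "probability", "control"):
            value = getattr(self, field)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} outside 1..{SCALE_MAX}")


def level_of_risk(r: Risk) -> int:
    """Vertical axis: inherent risk score before controls are considered."""
    return r.impact * r.probability


def residual_score(r: Risk) -> float:
    """Level of risk discounted by the level of control in place.

    control=1 leaves the full inherent score; control=5 leaves one fifth of it.
    """
    return level_of_risk(r) * (SCALE_MAX + 1 - r.control) / SCALE_MAX


def quadrant(r: Risk) -> str:
    """Place a risk in one of the four cells of the integrated risk map."""
    high_risk = level_of_risk(r) > RISK_THRESHOLD
    high_control = r.control >= CONTROL_THRESHOLD
    if high_risk and not high_control:
        return "act: strengthen controls"
    if high_risk and high_control:
        # Evidence of control is not effectiveness: these need testing, not just reporting.
        return "monitor: test that controls are effective"
    if not high_risk and not high_control:
        return "accept or add low-cost controls"
    return "review: possibly over-controlled"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order by residual exposure, then by inherent level of risk, highest first."""
    return sorted(register, key=lambda r: (residual_score(r), level_of_risk(r)), reverse=True)


def risk_map(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk names by quadrant, each group in priority order."""
    cells: dict[str, list[str]] = {}
    for r in prioritise(register):
        cells.setdefault(quadrant(r), []).append(r.name)
    return cells


# Constructed register: illustrative scores, not real company data.
REGISTER = [
    Risk("wholesale funding dries up", impact=5, probability=3, control=2),
    Risk("ransomware on core systems", impact=5, probability=4, control=4),
    Risk("key supplier failure", impact=3, probability=3, control=2),
    Risk("expense-claim fraud", impact=2, probability=2, control=5),
    Risk("new-market regulatory non-compliance", impact=4, probability=4, control=2),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:38} risk={level_of_risk(r):2} control={r.control} "
              f"residual={residual_score(r):4.1f}  {quadrant(r)}")
```

Running it shows why the two axes are combined rather than read separately: the ransomware entry has the highest inherent level of risk (20) but, once its level of control is taken into account, it drops below the two poorly controlled risks (regulatory non-compliance and wholesale funding), which is where attention and budget should go first. The "monitor" cell is the Lehman lesson from earlier in the notes: a high-risk item sitting behind controls that are merely documented, not tested, is not safe.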

key risk indicators [KRIs] and internal risk disclosure

  • KRIs

    • used to monitor organisational risks and control effectiveness

    • every strategic objective needs KRIs to flag potential issues

    • example - BP’s Deepwater Horizon accident - ineffective risk indicators led to a major disaster

  • parallel RM process

    • KRIs must work alongside KPIs

    • helps in tracking internal and external business drivers

    • encourages companies to improve operational performance while monitoring potential risks

integration - ownership

role of management accountants:

  • play a key role in designing, planning, implementing, executing, and monitoring risk management activities

  • traditional owners of PMS, ensuring financial and non-financial controls

  • responsible for:

    • budget controls

    • capital expenditure evaluations

    • internal audit processes

    • performance measurement systems

disconnected vs. integrated RM configuration

disconnected configuration [less efficient]

  • challenges

    • data duplication - multiple departments collect the same info

    • inefficiency in data collection - no clear link between risk and performance

    • lack of collective decision making arenas - no integration of risk and performance in meetings

  • benefits

    • autonomy for individual departments

    • flexibility in decision making

integrated configuration [more efficient]

  • benefits:

    • better decision making by simulating risks and performance together

    • resource savings through integrated planning

    • improved transparency with a unified set of risk and performance indicators

  • challenges:

    • requires high resource investment to set up and maintain an integrated system

overall, integrating RMS and PMS enables organisations to align risk awareness with strategic planning. while disconnected systems may provide flexibility, integrated risk management leads to better decision making, resource optimisation, and enhanced stakeholder confidence

external risk disclosure

  • risk reports are part of UK annual reports

  • a report should include:

    • a systematic review of the risk forecast

    • a review of the risk strategy and responses to risks

    • a monitoring and feedback loop on action taken and assessments of significant risks

    • early warning indication

  • but the Combined Code gives only limited guidance on the content of such reports

risk management frameworks

RM aims and benefits

  • if not only seen as a compliance function

    • organisations may improve their performance by adopting a holistic approach to RM

    • it reinforces strategic capability

    • it directs management attention

    • it improves communication

conditions for successful RM

  • “not a matter of implementing a single management tool, but a company-wide integrated process”

  • an effective RM framework should involve:

    • risk assessment

    • risk evaluation

    • risk treatment

    • risk reporting

  • need to determine the entity’s:

    • risk culture

    • risk appetite

    • risk tolerance

enterprise risk management

  • it seeks to integrate the management of all risks [kloman, 1992]

  • a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives - COSO, 2004

  • ERM is central in corporate governance

  • beneficial to decision making and control

key elements of definition

  • ERM embodied within the organisational strategy

  • ERM takes an enterprise wide view of risks

  • staff at every level of the organisation are involved in ERM

  • identification of risks which may threaten the achievement of objectives is central to ERM

  • risks are managed within the context of a specified risk appetite

the ERM framework

  • ERM considers activities at all levels of the organisation:

    • enterprise level

    • division or subsidiary

    • business unit procedures

  • but too much emphasis placed on compliance under SOX

  • ERM aids the movement of risk management from a narrow technical focus

    • broader more holistic focus

    • risk no longer framed solely as a compliance led exercise [e.g. unlike SOX]

    • internal control now becomes part of risk management

    • operational risk is considered crucial, not all risks can be measured quantitatively

issues with risk management

risk management failures

in 09/2007, one of the top 5 UK mortgage lenders, which raised about 70% of the money it lent from other banks rather than from depositors, collapsed despite having a formal approach to RM addressing liquidity, operational, credit and market risk. in 2015, the US Environmental Protection Agency announced that Volkswagen had violated the Clean Air Act by installing illegal emissions-control software in its diesel vehicles

issues

  • overconfidence

  • consistency of preferences

  • illusion of control

  • risk of control

  • resistance/managers perception

is RM still relevant? ERM [through COSO] focuses on internal control - does that protect us from excessive risk taking? the answer depends less on the control framework than on the organisation’s risk culture

risk management of nothing

power [2009] suggests that prior problems identified with ERM relate to implementation difficulties but what about design of ERM itself?
