1

RISK MANAGEMENT I: BF 2201

TOPIC 1: INTRODUCTION TO RISK IN BUSINESS MANAGEMENT
1. Introduction
One of the reasons the study of risk management is fascinating is that the nature of risk has
changed and continues to change over time, making old remedies outdated and requiring
constant reinvention. In the last 20 years, there are three broad trends that have emerged in
the shifting landscape of risk.

• Risk is global: As businesses, economies and markets have become global, so has risk. To
illustrate the interconnectedness of markets and the possible “contagion” effects of risk,
consider a small but telling example. On February 27, 2007, investors in the United States woke
up to the news that stocks in Shanghai had lost 9% of their value overnight. In response, not
only did the Dow drop more than 400 points (about 4.3%), but so did almost every other
market in the world.

• Risk cuts across businesses: In contrast to earlier times, when risks tended to be sector
focused, what happens in one sector increasingly has spillover effects on others. In early
2007, for instance, the laxity with which credit had been offered to customers with poor
credit histories opened up that entire market, called the sub- prime loan market to a
potential shakeout. Analysts following Yahoo, the internet search company, worried
that its revenues and earnings would be hurt because so much of the advertising on
web sites comes from lenders in the sub-prime market.

• The Emergence of Financial Market Risk: As firms have flocked to financial markets to raise
both debt and equity and become increasingly sophisticated in their use of the
derivatives markets, they have also made themselves more vulnerable volatility in these
markets. A firm with healthy operations can be put on the defensive because of
unanticipated turbulence in financial markets. Across the worlds, firms are finding that
risk can and often does come from financial rather than product markets. As risks
become more international, spread across sectors and encompass both financial and
product markets, it should be no surprise that firms are finder fewer and fewer safe
havens. As little as 20 years ago, there were still firms that operated in relatively secure
habitats, protected by governments or geography against competition. They could
predict their revenues and earnings with a fair degree of certainty and could make their

1
 2

other decisions on how much to borrow or pay in dividends accordingly. In the United
States, there were large sections of the economy that were insulated from risk; the
regulated phone and power companies may not have had stellar growth but they did
have solid earnings. In Europe, protection from foreign competition allowed domestic
companies in each country to preserve market share and profits even in the face of
more efficient competitors overseas. There is one final point to be made about the
ubiquity of risk. In the last decade especially, it can be argued that the balance of power
between businesses and consumers has shifted decisively in the consumer’s favor.
Armed with better information and more choices, consumers are getting better terms
and, in the process, lowering profits and increasing risk for businesses.

Choices to be made when confronted with Risk!

Individuals and businesses have only three choices when it comes to dealing with risk.

• The first is to denial: do not acknowledge that risk exists and hope it goes away. In this
idealized world, actions and consequences are logical and there are no unpleasant
surprises.
• The second is fear, take the opposite tack and allow the existence of risk to determine
every aspect of behavior. Cowering behind the protection of insurance and risk hedges,
you hope to be spared of its worst manifestations. Neither of these approaches puts you
in any position to take advantage of risk.
• But there is a third choice: accept the existence of risk, be realistic about both its odds
and consequences, and map out the best way to deal with it. This, in our view, is the
pathway to making risk an ally rather than an adversary.

Take Note: Your biggest risks will come from places that you least expect them to come from
and in forms that you least expected them to take. The essence of good risk management is to
be able to roll with the punches, when confronted with the unexpected.

Definition
The notion of “risk” and its ramifications permeate decision-making processes in each
individual’s life and business outcomes and of society itself. Indeed, risk, and how it is managed,

2
 3

are critical aspects of decision making at all levels. We must evaluate profit opportunities in
business and in personal terms in terms of the countervailing risks they engender. We must
evaluate solutions to problems (global, political, financial, and individual) on a risk-cost, cost-
benefit basis rather than on an absolute basis. Because of risk’s all-pervasive presence in our
daily lives, you might be surprised that the word “risk” is hard to pin down. For example, what
does a businessperson mean when he or she says, “This project should be rejected since it is
too risky”? Does it mean that the amount of loss is too high or that the expected value of the
loss is high? Is the expected profit on the project too small to justify the consequent risk
exposure and the potential losses that might ensue? The reality is that the term “risk” (as used
in the English language) is ambiguous in this regard. One might use any of the previous
interpretations. Thus, professionals try to use different words to delineate each of these
different interpretations.
Risk considers a measure for the frequency/probability of events and a measure for the
consequences. There are different definitions of risk in the literature. Some examples are:
– “Risk is the combination of probability and the extent of consequences” (Ale 2002)
– Risk is the “effect of uncertainty on objectives” (ISO 2009).
– Risk refers to uncertainty or the variability of returns associated with a given asset
(Mudida & Ngene, 2010).
Most definitions do not ask for a special relation between probability and consequences on the
one hand and risk on the other hand. The classical definition of risk has the strong requirement
of proportionality (Dörr and Häring 2006, 2008;Mayrhofer 2010):
“Risk should be proportional to the probability of occurrence as well as to the extent of
damage.” Blaise Pascal (1623–1662)
Formalized this reads as follows:
Classical definition of risk: Risk is proportional to a measure for the probability P of an event
(frequency, likelihood) and the consequences C of an event (impact, effect on objectives):
R = PC
Classification of Risk
Risks can be classified by their different attributes, who they affects and whether they have
positive or negative outcomes. Examples for classifications are:
– Local versus non-localized risks,
– Risks per event, in case of an event (conditional risks), per time interval, or per life cycle,
– Risks on demand versus continuous risks,

3
 4

– Individual versus collective (group) risks,

– Voluntary versus involuntary risks,
– Perceived or subjective risks versus objective risks,
– Risks based on (semi-)quantitative estimates versus quantitative risk computations,
– Statistical historic risks versus risks based on models,
– Source of risk: man-made, technical, natural, natural-technical,
– Objects, persons or body parts at risk: risk for machinery, personnel, third party, health, lung,
etc. affected by the risk, e.g. natural risks, technical risks, risks for the health, and social risks
(Proske 2004).
Examples of risks which match these classifications are:
– Local individual annual risk of injury due to terroristic explosions,
– Total average fatal collective annual risk of a given scenario,
– Collective total risk expressed using a frequency-number curve (F-N-curve); frequency of one
or more injuries per year, frequency of ten or more injuries per year due to an explosive storage
site.
Types of Risks

1. Pure versus Speculative Risks

Pure Risk: Features some chance of loss and no chance of gain (e.g., fire risk, flood risk, etc.)
Speculative Risk: Feature a chance to either gain or lose (including investment risk, reputational
risk, strategic risk, etc.).
2. Diversifiable/Idiosyncratic and Non- diversifiable/Systemic Risks
Diversifiable Risk: Are those that can have their adverse consequences mitigated simply by
having a well-diversified portfolio of risk exposures. For example, having some factories located
in no earthquake areas or hotels placed in numerous locations in the United States diversifies
the risk. If one property is damaged, the others are not subject to the same geographical
phenomenon causing the risks. A large number of relatively homogeneous independent
exposure units pooled together in a portfolio can make the average, or per exposure, unit loss
much more predictable, and since these exposure units are independent of each other, the per-
unit consequences of the risk can then be significantly reduced, sometimes to the point of
being ignorable

4
 5

Non-diversifiable Risks: Systemic risks that are shared by all, on the other hand, such as global
warming, or movements of the entire economy such as that precipitated by the credit crisis of
fall 2008, are considered no diversifiable. Every asset or exposure in the portfolio is affected.
The negative effect does not go away by having more elements in the consequences can be
mitigated simply by having a well-diversified portfolio of risk exposures. Risks viewed as being
amenable to having their financial consequences reduced or eliminated by holding a well-
diversified portfolio.
Fig. 1: Examples of Pure versus Speculative Risk Exposures

Pure Risk-Loss or No Loss Only Speculative Risk-Possible Gains or Losses

 Physical damage risk to property e.g.  Market risks: interest rate risk, foreign
caused by fire, flood, weather exchange risk, stock market risk
damage  Reputation risk
 Liability risk exposure e.g. products
liability, premise liability, employment
practice liability  Brand risk
 Innovational or technical
obsolescence risk  Credit risk-at the individual enterprise
 Operational risk: mistakes in process level
or procedure that cause losses  Product success risk
 Mortality and morbidity risk at the
individual level  Public relation risk
 Intellectual property violation risks
 Environmental risks: water, air,  Population changes
hazardous chemical and other
pollution, depletion of resources,  Market for the product risk
irreversible destruction of food chains
 Natural disaster damage: floods,
earthquakes, windstorms  Regulatory change risk
 Man-made destructive risks; nuclear
risks, wars, unemployment,
population changes, political risks  Political risk
 Mortality and morbidity risk at the
societal and global level as in
pandemics, social security program
exposure, nationalized health care
systems  Accounting risk
 Longevity risk at the societal level
 Genetic testing and genetic
engineering risk
 Investment risk
 Research and development risk

5
 6

Fundamental Risk: Risk that affect society in general or broad groups of people, and are beyond
the control of any one individual, e.g. pollution.
Particular Risk: Risk over which an individual may have some measure of control, e.g. risk
attached to smoking.
Risk and Uncertainty
We all have a personal intuition about what we mean by the term “risk.” We all use and
interpret the word daily. We have all felt the excitement, anticipation, or anxiety of facing a
new and uncertain event (the “tingling” aspect of risk taking). Thus, actually giving a single
unambiguous definition of what we mean by the notion of “risk” proves to be somewhat
difficult. The word “risk” is used in many different contexts. Further, the word takes many
different interpretations in these varied contexts. In all cases, however, the notion of risk is
inextricably linked to the notion of uncertainty. We provide here a simple definition of
uncertainty:
Uncertainty is having two potential outcomes for an event or situation; and you do not know
the possible and/or the chances of each outcome occurring. It may arise due to lack of
information about input/output relationships or the environment within which the business
operates. Certainty refers to knowing something will happen or won’t happen. We may
experience no doubt in certain situations. No perfect predictability arises in uncertain
situations. Uncertainty causes the emotional (or physical) anxiety or excitement felt in uncertain
volatile situations. Gambling and participation in extreme sports provide examples. Uncertainty
causes us to take precautions. We simply need to avoid certain business activities or
involvements that we consider too risky. For example, uncertainty causes mortgage issuers to
demand property purchase insurance. The person or corporation occupying the mortgage-
funded property must purchase insurance on real estate if we intend to lend them money. If we
knew, without a doubt, that something bad was about to occur, we would call it
apprehension or dread. It wouldn’t be risk because it would be predictable.
Risk will be forever, inextricably linked to uncertainty. As we all know, certainty is elusive.
Uncertainty and risk are pervasive. While we typically associate “risk” with unpleasant or
negative events, in reality some risky situations can result in positive outcomes. Take, for
example, venture capital investing or entrepreneurial endeavors. Uncertainty about which of
several possible outcomes will occur circumscribes the meaning of risk. Uncertainty lies behind
the definition of risk.
While we link the concept of risk with the notion of uncertainty, risk isn’t synonymous with
uncertainty. A person experiencing the flu is not necessarily the same as the virus causing the
flu. Risk isn’t the same as the underlying prerequisite of uncertainty. Risk (intuitively and
formally) has to do with consequences (both positive and negative); it involves having more
than two possible outcomes (uncertainty). The consequences can be behavioral, psychological,
or financial, to name a few. Uncertainty also creates opportunities for gain and the potential for

6
 7

loss. Nevertheless, if no possibility of a negative outcome arises at all, even remotely, then we
usually do not refer to the situation as having risk (only uncertainty).
Risk and Return
Risk: Refers to the variability of returns associated with a given asset. A K.100, 000 government
bond that guarantees it holders K500 interest after 30 days has no risk since there is no
variability associated with the return (it’s a government bond). On the other hand, an
investment in a firm’s ordinary shares which over the same 30 days may earn between K0 and
K500 is very risky because of the high variability of its return. The more certain the returns from
an asset, the less variability and consequently the less risk associated with the asset. No
investment will be undertaken unless the expected rate of return is high enough to compensate
the investor for the perceived risk of the investment.
Return: Any cash payments received due to ownership plus a change in market price divided by
the beginning price. For example, one might buy a share for K100 that would pay K6 in cash to
you and be worth K108 one year later. The return in this case would be (K6 + K8)/K100= 14%.
Thus return arises from two sources: income plus any price appreciation (or loss in price). Risk-
averse businesses may be willing to tolerate a higher level of risk provided they receive a higher
level of return.
Businesses should be concerned with reducing risk where possible and necessary, but not
eliminating all risks, whilst managers try to maximize the returns that are possible given the
levels of risk. Most risks must be managed to some extent, and some should be eliminated as
being outside the scope of the remit of the management of a business.
Risk and Corporate Governance
Some of the grey areas in corporate governance include shareholder’s concern, which is profit
maximization and director’s remuneration. On shareholder’s concern, although profit
maximization is the desire of any shareholder, the relationship between the attainment of
profit/returns and the level of risk is a matter of concern. Should directors pursue profit no
matter what level of risk is underneath?
On director’s remuneration, a link or lack of it, between remuneration and risks involved
becomes an area of concern. If the aspect of risk is ignored in remuneration and instead risk is
only thought about in line with turnover or profits achieved, then directors could decide that
the company should bear risk levels that are higher than shareholders deem desirable.
Therefore it is important that directors find other ways of paying sufficient attention to risk but
at the same time avoiding bearing excessive risk. Directors’ are therefore required by best
corporate governance practices to:
a. Establish appropriate control mechanisms for dealing with the risks the organization
faces.
b. Monitor risks themselves by regular review and a wider annual review.

7
 8

c. Disclose their risk management processes in the accounts.

Risk is threat and opportunity

Risk is the combination of both danger and opportunity. Market volatility can ruin you or make
you wealthy. Changing customer tastes can lay your entire market to waste or allow you to
dominate a market. Business failures and large losses come from exposures to large risks but so
do large profits and lasting successes.

The trouble with risk management is that people see one side or the other of risk and respond
accordingly. Those who see the bad side of risk, i.e. the danger side, either argue that it should
be avoided or push for protection (through hedging and insurance) against it. On the other side
are those who see risk as upside and argue for more risk taking, not less. Not surprisingly, their
very different perspectives on risk will lead these groups to be on opposite sides of almost
every debate, with the other side tarred as either “stuck in the mud” or “imprudent”.

Risk is a combination of potential upside with significant downside and requires a more
nuanced approach. If we accept the proposition that we cannot have one (upside) without the
other (downside), we can become more realistic about how we approach and deal with risk. We
can also move towards a consensus on which risks we should seek out, because the upside
exceeds the downside, and which risks are imprudent, not because we do not like to take risk
but because the downside exceeds the upside.

Take Note: Risk is a mix of upside and downside. Good risk management is not about seeking
out or avoiding risk, but about maintaining the right balance between the two.

Can Risk be measured?

There is a widespread belief even among risk managers that some risks are too qualitative to be
assessed. This notion that some risks cannot be evaluated, either because the likelihood of
occurrence is very small or the consequences too unpredictable can be dangerous, since these
are exactly the types of risks that have the potential to create damage. The debate should be
about what tools to use to assess risk rather than whether they can be assessed. At the risk of
sounding dogmatic, all risks can and should be assessed, though the ease and method of
assessment can vary across risks.

TOPIC 2: BUSINESS RISKS

The Nature of Business Risk

8
 9

Broadly defined, Business risk management is concerned with possible reductions in business
value from any source. Business value to shareholders, as reflected in the value of the firm’s
common stock, depends fundamentally on the expected size, timing, and risk (variability)
associated with the firm’s future net cash flows (cash inflows less cash out flows). Unexpected
changes in expected future net cash flows are a major source of fluctuations in business value.
In particular, unexpected reductions in cash inflows or increases in cash outflows can
significantly reduce business value. The major business risks that give rise to variation in cash
flows and business value are price risk, credit risk and pure risk.
a. Price Risk: Refers to uncertainty over the magnitude of cash flows due to possible
changes in output and input prices. Output price risk refers to the risk of changes in the
prices that a firm can demand for its goods and services. Input price risk refers to the
risk of changes in the prices that a firm must pay for labor, materials, power and other
inputs to its production process. Analysis of price risk associated with the sale and
production of existing and future products and services plays a central role in strategic
financial management. Three specific types of price risk are commodity price risk,
exchange rate risk and interest rate risk.
b. Credit Risk: The risk that firms customers and the parties to which it has lent money will
delay or fail to make promised payments. Most firms face some credit risk for account
receivables. The exposure to credit risk is particularly large for financial institutions, such
as commercial banks, that routinely make loans that are subject to risk of default by the
borrower. When firms borrow money, they in turn expose lenders to credit risk (i.e. the
risk that the firm will default on its promised payments). As a consequence, borrowing
exposes the firm’s owners to the risk that the firm will be unable to pay its dents and
thus be forced into bankruptcy, and the firm generally will have to pay more to borrow
money as credit risk increases.
c. Pure Risk: The risk management function in the medium-to large corporations (and the
term risk management) has traditionally focused on the management of what is known
as pure risk. The major types of pure risk that affect businesses include:
(i) The risk of reduction in value of business assets due to physical damage, theft,
and expropriation, i.e. seizure of assets by foreign governments.
(ii) The risk of legal liability for damages for harm to customers, suppliers,
shareholders and other parties.
(iii) The risk associated with paying benefits to injured workers under workers’
compensation laws and the risk of legal liability for injuries or other harms to
employees that are not governed by workers’ compensation laws.
(iv) The risk of death, illness, and disability to employees (and sometimes family
members) for which businesses have agreed to make payments under employee
benefits plan, including obligations to employees under pension and other
retirement savings plans.

9
 10

I. Strategic Risks

These are risks that relate to the fundamental and key decisions that the directors take about
the future of the organization. Strategic risk is the potential volatility of profits caused by the
nature and type of the business operations. The strategic plan any business and organization
adopts may include concentration of resources, mergers, acquisitions and exit strategies. These
will have major impacts on costs, prices, products and sales. This may have an impact on how
resources are allocated to achieve the goal set in the strategy. Businesses/organizations need to
guard against these risks to ensure that business processes and operations are not aligned to
strategic goals.

For a strategy of an organization to work, relations with stakeholders are very important due to
consequences of non-cooperation. Stakeholders include investors, suppliers, employees and
customers. Investors are always concerned with financial returns, accuracy and timeliness of
information and quality leadership. If they choose, for one reason or another, not to contribute
new funds, that may affect the strategy of the organization.

Other factors that affect strategy and consequently contribute to the occurrence of strategic
risk include the type of industry/market, state of the economy, competitors, stage in the
product’s life cycle, inputs, level of operating gearing (proportion of fixed costs in total costs),
R/D capacity, ability to innovate and technology.

II. Operational Risk

The first definition is the broadest. It defines operational risk as any financial risk other than
market and credit risk. This definition is perhaps too broad, as it also includes business risk,
which the firm must assume to create shareholder value. This includes poor strategic decision
making, such as entering a line of business where margins are too thin. Such risks are not
directly controllable by risk managers. Also, a definition in the negative makes it difficult to
identify and measure all risks. This opens up the possibility of double counting or gaps in
coverage. As a result, this definition is usually viewed as too broad.

At the other extreme is the second definition, which is the narrowest. It defines operational risk
as risk arising from operations. This includes back office problems, failures in transaction
processing and in systems, and technology failures in transac- tion processing and in systems,
and technology breakdowns. This definition, however, just focuses on operations, which is a
subset of operational risk, and does not include other significant risks such as internal fraud,
improper sales practices, or model risk. As a result, this definition is usually viewed as too
narrow.

The third definition is intermediate and seems to be gaining industry acceptance. It defines
operational risk as the risk of loss resulting from inadequate or failed internal processes, people

10
 11

and systems, or from external events

This excludes business risk but includes external events such as external fraud, security
breaches, regulatory effects, or natural disasters, physical damage risk, data/systems integrity
risk, fraud risk as well as Internet risk.

Fig. :Internal Risks

People Processes Systems

Employee collusion/fraud Accounting error Data quality

Employee error Capacity risk Programming errors

Employee misdeed Contract risk Security breach

Employers liability Misselling/suitability Strategic risks

(platforms/suppliers)
Employment law Product complexity
System capacity
Health & safety Project risk
System compatibility
Industrial action Reporting error
System delivery
Lack of knowledge/skills Settlement/payment error
System failure
Loss of key personnel Transaction error
System suitability
Valuation error

Fig.: External Risks

External Physical
Legal Fire
Money laundering Natural disaster
Outsourcing Physical security
Political Terrorist
Regulatory Theft

11
 12

Supplier risk
Tax

III. Financial Risk

These are risks faced by different players in the financial market like financial services providers,
insurance companies, security/investment firms, mutual/hedge funds, depository institutions
and financial intermediaries. Some of the risks include:
Market Risk: Risk incurred in the trading of assets and liabilities due to changes in interest rate,
exchange rates and other asset prices.
Interest Rate Risk: Risk incurred when the maturities of assets and liabilities are mismatched.
Credit Risk: The risk that the promised cash flows from loans and securities held by debtors
may not be paid in full. This can be in two forms; firm-specific credit risk in which case the risk
of default of the borrowing firm associated with the specific types of project risk taken by that
firm, and systematic credit risk which is the risk of default associated with general economy
wide or macro conditions affecting all borrowers.
Liquidity Risk: The risk that a sudden surge in liability withdrawals may leave a financial player
in a position of having to liquidate assets in a very short period of time and at low prices. This
happens when a financial player like a financial intermediary’s liability holder, like depositors or
insurance policy holders, demand immediate cash for the financial claims they hold with
another player, or when holders of credit lines suddenly exercise their right to borrow.
Currency Risk: This is evident in international trade where foreign exchange is involved. It is the
risk that exchange rate changes can affect the value of one’s assets and liabilities denominated
in foreign currencies. Due to inflation (fluctuation of an economy’s currency), one’s assets and
liabilities may either gain value or lose value. There are three types of currency risk:
(i) Transaction Risk: Risk arising from exchange rate movements between the time of
entering into an international trade transaction and the time of cash settlement. It
also arises due to transaction risk exposure. Transaction exposure involves the
exchange loss or gain on existing foreign currency-denominated transactions. This
comes about when the trade agreement does not specify whether payment is on
spot rate or forward rate. For example, Air Malawi Ltd enters into an agreement
with Airbus Industries to buy planes amounting to USD 1,000 million. The price is
fixed in USD. Air Malawi will receive the planes immediately, but will make payment
of the total value of USD 1,000 million after six months. The current spot exchange
rate is K6.60/USD. At the current exchange rate, the value of the contract is: USD
1,000 million times 6.60= K6, 600 Million. The exchange rate can change in the six
months. Suppose at the end of six months the exchange rate is K 6.95/USD. Air

12
 13

Malawi will have to spend K 6,950 Million. The problem arises due to the fact one
cannot predict what the exchange rate would be.
(ii) Translation Risk: The changes in balance sheet values of foreign assets and liabilities
arising from retranslation at different prevailing exchange rates at the end of each
year. Arises from translation exposure, which is the exchange gain or loss occurring
from the difference in the exchange rates at the beginning and the end of the
accounting period. For example, a Malawian company with subsidiaries in RSA and
many other countries in SADC. The financial statements of its subsidiaries will be
stated in the local currencies in which they operate. When the company
consolidates financial statements of its subsidiaries with its financial statements, it
will have to translate local currencies to the home currency. The exchange rate at
the end of the accounting period may differ from the rate in the beginning of the
accounting period. It is an accounting gain or loss, and it may not be related to
economic gain or loss. A company is exposed to translation risk loss if it uses current
exchange rate to translate its assets and liabilities.
(iii) Economic Risk: The effect of exchange rate movements on the international
competitiveness of the organization, e.g. in terms of relative prices of
imports/exports, the cost of foreign labor. Arises from economic exposure, which is
the change in the value of the firm caused by the unexpected changes in the
exchange rate. It is also known as operating exposure or the long-term cash flow
exposure. Therefore, exchange risk may be defined as the variability of the firm’s
value resulting from the unanticipated exchange rate changes. If the exchange rates
between countries doing trade change, then the values of the cash flows in each
country will change, affecting the operating profitability.
NB: Of these three, transaction risk has the greatest immediate impact on day to day cash flows
of an organization, and there are many ways of reducing or eliminating this risk, for example by
the use of hedging techniques.
Financial Records and Reporting Risk: Financial records risk can also be said to include
misstatement risks. This relates to published financial information. Arises from breakdown in
the accounting systems, unrecorded liabilities and unreliable accounting records.
IV. Legal and Political Risk
This comes about due to exposure to different legal as well as political systems especially when
international trade is involved. Different countries enact different legal framework different
from another country. A firm willing to do business in such a country with a different legal
framework would be required to adapt to that country’s legal system. Breaches of these
legislation, regulations or codes of conduct can have very serious consequences for
organizations. Risks include financial or other penalties including untimely closedown, having to
spend money and resources in fighting litigation and loss of reputation. Similarly, some political
systems in different countries may impose increased taxes and this may weaken profitability.

13
 14

Political risk is the risk that political action will affect the position and value of an organization.
It is connected with country risk, which is risk associated with undertaking transactions with, or
holding assets in a particular country.
v. Technological risk:
Include (a) physical damage risks (fire, water, damage to buildings, lighting, electrical storms,
political terrorism), (b) data and systems integrity risk (human error, technical error). These
risks may be particularly significant because of the nature of computer operations. The
processing capabilities of a computer are extensive, and enormous quantities of data are
processed without human intervention, and so without humans necessarily knowing what is
going on; (c) fraud risk arising from computer fraud that usually involves the theft of funds by
dishonest use of a computer system. Include input fraud (e.g. entering non-existent employee
on the salary file), processing fraud (where a programmer or someone who has broken into the
system may alter a program), output fraud (documents being stolen or tampered with and
control totals being altered); (d) internet risk, (corruptions like viruses, hackers, downloading of
inaccurate information or imperfect or virus-ridden software, interceptions or the breaking
down of the communications link itself).
vi. Reputation Risk
Loss of reputation caused as a result of the adverse consequences of another risk; due to poor
customer service as well as failure to innovate. The loss of reputation will be usually perceived
by external stakeholders, and may have serious consequences, depending on the strength of
the organization’s relationship with them.
vii. International Business Risk
Challenges include social, political, business as well as repatriation of money.
viii. Trading Risk:
Both domestic as well as international traders will face trading risks. They include physical risk,
trade risk (risk of customer refusing to accept the goods on delivery or cancellation of the order
in transit), liquidity risk (inability to finance organizations’ trading activities), probity risk
(dishonesty/unethical behavior by one or more participants in a particular process).

TOPIC 3: RISK ASSESMENT

Risk exists because of the inability of the decision maker to make perfect forecasts. Forecasts
cannot be made with perfection or certainty since the future events on which they depend are
uncertain. An investment is not risky if we can specify a unique sequence of cash flows for it.
But the whole trouble is that cash flows cannot be forecast accurately, and alternative
sequences of cash flows can occur depending on the future events. Thus, risk arises in

14
 15

investment evaluation because we cannot anticipate the occurrence of the possible future
events with certainty and, consequently, cannot make any correct prediction about the cash
flow sequence. Uncertainty of future economic conditions, which leads to the inability to
predict consistent sequence of cash flows, gives rise to risk.
Forecasting of future economic conditions is influenced by a number of events. Three broad
categories of events include:
(a) General Economic Conditions: Includes events that influence the general level of
business activity. The level of business activity might be affected by such events as
internal and external economic and political situations, monetary and fiscal policies, and
social conditions.
(b) Industry Factors: This category of events may affect all companies in an industry. For
example, innovations in the telecommunication industry can affect companies in such
industry.
(c) Company Factors: This category of events may affect only the company. The change in
management, strike in the company, a natural disaster such as flood or fire may directly
affect a particular company.
Keys to good risk assessment.
The first is better quality and more timely information about the risks as they evolve, so that
the element of surprise is reduced. It can be argued that we are better off than we were in
earlier generations. There is more information available to decision makers, with a larger
portion of it being provided in real time. The tools available have also become more accessible
and sophisticated, with technology lending a helping hand. The advances in risk assessment
should not lead to false complacency or to the conclusion that risk management has become
easier as a consequence for three reasons.
(I) The risks being assessed are also becoming more global and complex and it is an interesting
question as to whether the improvements in information and assessment are keeping up with
the evolution of risk.
(II) The risk management is still a relative game. In other words, it is not just how well a
business or investor assesses risk that matters, but how well it does it relative to the
competition. The democratization of information and tools has leveled the playing field and
made it possible for small firms to take on much larger and more resource-rich competitors.
(iii) As both the data and the tools become more plentiful, picking the right tool to assess a risk
(and it can be different for different risks) has become a more critical component of success at
risk management.
NB: To pick the right tool to assess risk, you have to understand what the tools share in
common, what they do differently and how to use the output from each tool.

15
 16

Good risk measurement/assessment should lead to better decisions. Superior information and
the best tools for risk assessment add up to little, if they do not lead to better decisions when
faced with risk. In many businesses, those who assess risk are not necessarily those who make
decisions (often based on those risk assessments) and this separation can lead to trouble. In
particular, risk assessment tools are often not tailored to the needs of decision makers and are
often misread or misused as a consequence.
Risk Management and Risk Analysis
Risk Analysis: The determination of risks in a given context.
Risk Management: Consists of risk analysis and the handling (mitigation) of risks, including
changing the context.
Risk Analysis Framework
Identification, assessment, profiling /mapping, quantification and consolidation
I. Risk Identification
No one can manage a risk without first being aware that it exists. Some knowledge of perils,
what items they can affect and how, is helpful to improve awareness of whether familiar risks
(potential sources and causes of loss) are present, and the extent to which they could harm a
particular organization. Risk managers should also keep an eye open for unfamiliar risks that
may be present. Actively identifying the risks before they materialize makes it easier to think of
methods that can be used to manage them.
Is the first step in the risk management process. It is the identification of loss exposures. It is a
continuous process, so that new risks and changes affecting existing risks may be identified
quickly and dealt with appropriately, before they can cause unacceptable losses. Some of the
considerations in identifying risk include:
(a) Comprehensive checklists of common business exposures that can be obtained from risk
management consultants and other sources.
(b) Analysis of the firm’s financial statements
(c) Discussions with line managers throughout the firm
(d) Surveys of employees
(e) Discussions with insurance agents and risk management consultants.
Regardless of the specific methods used, risk identification requires an overall understanding of
the business and the specific economic, legal, and regulatory factors that affect the business.
Some of the business loss exposures include property loss exposure (book value, market value,
firm-specific value, replacement cost new), liability losses (legal: settlements, judgments, legal
costs, lawsuits-reputation at stake), loss of human resources (injuries, disabilities, death,
retirement, turnover due to contractual commitments and compulsory benefits), and loss from
external economic forces (changes in prices of inputs and outputs, changes in exchange rate).

16
 17

Other considerations when identifying risk include:

 The risks should be specific to the market sectors in which the business operates
 The risks should be specific to the company’s circumstances at a given time
 It will be important to know how change is affecting the company’s risk profile
 It is important to consider problems that the company or it competitors have
experienced recently
 Business probity issues should be considered, e.g. those relating to fraud where the
 ‘mqcompany might be especially vulnerable.
Risk Conditions
Means of identifying conditions leading to risk (potential sources of loss) include:

(i) Physical inspection: which will show up risks such as poor housekeeping, e.g. rubbish left
on floors, for people to slip on and to sustain fires
(ii) Enquiries: from which the frequency and extent of product quality controls and checks
on new employees’ references, for example, can be ascertained
(iii) Checking a copy of every letter and memo issued in the organization for early
indications of major changes and new products
(iv) Brainstorming with representatives of different departments
(v) Checklists ensuring risk areas are not missed
(vi) Benchmarking against other sections within the organization or external experiences
Event Identification
Event analysis includes identification of:
(a) External events such as economic changes, political developments or technological
advances, changes in prices of inputs and outputs, changes in exchange rates
(b) Internal events such as equipment problems, human error or difficulties with products
(c) Leading event indicators. By monitoring data correlated to events, organizations identify
the existence of conditions that could give rise to an event, for examples customers who
have balances outstanding beyond a certain length of time being very likely to default
on those balances
(d) Trends and root causes.
(e) Escalation triggers, certain events happening or levels being reached that require
immediate action
(f) Event interdependencies, identifying how one event can trigger another and how events
can occur concurrently

17
 18

2. Risk Assessment
It is not always simple to forecast the financial effect of a possible disaster, as it is not until after
a loss that all the hazards-the extra expenses (resulting exposure to higher costs due to higher
operating costs), inconveniences and loss of time can be recognized. Even then, it can be
difficult to identify all of them.
Property and Liability Loss Exposures
The table below gives some of the practical questions asked when assessing business property
and liability loss exposures:

Type of Loss Property Losses (Internal) Liability Losses (External)

(Questions to ask) (Questions to ask)
Direct Losses 1. What types of 1. What parties might be
property are subject harmed by the firm
to damage or (customers, suppliers
disappearance? etc)?
2. What factors (perils) 2. How might these parties
can lead to loss? be harmed?
3. What is the value of 3. What is the potential
property exposed to magnitude of damages?
loss? 4. What is the potential
4. Will the property be magnitude of defense
replaced if it is lost? costs?

1. Will revenues
Indirect Losses 1. Will the firm have to decline in
raise external funds to response to
replace uninsured possible
property? damage to the
2. Assuming firm’s
replacement, will the reputation? (a)
firm suspend or cut What is the
back operations potential
following a direct magnitude of
loss? this loss? (b)
3. If the firm suspends or What actions
cuts back its might reduce
operations: (a) What the resulting
is the potential indirect losses
duration and how and at what
much normal profit cost?
could be lost (b) What 2. Will products
operating expenses and services

18
 19

would continue likely be

despite the abandoned or
suspension or products
slowdown (c) Will recalled in the
revenue losses event of large
continue after normal uninsured
levels of production losses?
are resumed, and if 3. Will the firm
so, what actions might have to raise
reduce these losses additional
and at what cost? capital in the
4. If the firm continues event that cash
operating at pre-loss flows decline?
levels: (a) what 4. Could large
facilities or resources uninsured
will be needed? (b) losses push the
What will be the firm into
additional cost from financial
using alternative distress?
facilities or resources?

Property Loss Exposures: In addition to identifying what property is exposed to loss and the
potential causes of loss, the firm must consider how property should be valued for the purpose
of making risk management decisions. Several valuation methods are used:
(i) Book Value: The purchase price minus accounting depreciation; is the method
commonly used for financial reporting purposes. However, since book value does
not necessarily correspond to economic value, it is generally not relevant for risk
management purposes (except for the tax reasons).
(ii) Market Value: Is the value that the next highest valued user would pay for the
property
(iii) Firm-specific Value: Is the value of the property to the current owner. If the
property does not provide firm specific benefits, the firm specific value will equal
market value. Otherwise, firm-specific value will exceed market value.
(iv) Replacement cost new: Is the cost of replacing the damaged property with new
property. Due to economic depreciation and improvements in quality, replacement
cost new often will exceed the market value of the property.
Indirect Losses: Can also arise from damage to property that will be repaired or replaced.
For example, if a fire shuts down a plant for four months, the firm not only incurs the cost of
replacing the damaged property, it also loses the profits from not being able to produce. In
addition, some operating expenses might continue despite the shut down (e.g. salaries for

19
 20

certain managers and employees and advertising expenses). These exposures are known as
business income exposures or business interruption exposures, and they are frequently
insured with business interruption insurance.
Liability Losses
Firms face potential legal liability losses as a result of relationships with many parties,
including suppliers, customers, employees, shareholders, and members of the public. The
settlements, judgments, and legal costs associated with liability suits can impose substantial
losses on firms. Lawsuits also may harm firms by damaging their reputation, and they may
require expenditures to minimize the costs of this damage. For example, in the case of
liability to customers for injuries arising out of the firm’s products, the firm might incur
product recall expenses and higher marketing costs to rehabilitate a product.
3. Risk Profiling /Prioritization
This stage involves using the result of a risk assessment to group risks into risk families.
Once identified, risks must be prioritized. This can be done initially by examining the ‘gross
risks’ associated with an event or situation. A gross risk is the probability of an event or
situation occurring coupled with an estimate of its impact (before taking into account of the
application of control measures). The potential impact should be assessed not merely in direct
financial terms, but more broadly by reference to the potential effect on the realization of
corporate objectives.
Some companies use two-by-two diagrams to divide risks as follows:
IMPACT OF RISK

High Impact High Impact

Low likelihood High likelihood

B A
Low impact Low impact

Low likelihood High likelihood

D C

20
 21

Likelihood of risk occurring

Box A shows risks requiring immediate action

Box B, those for which a contingency plan is needed
Box C, those for which action should be considered
Box D, those of lesser concern but nevertheless requiring periodic review
Risk Mapping/Profiling can help organizations:
 Determine a company-wide risk appetite in a framework that can be applied across all
operations
 Catalog their critical risks and ensure they are mitigated and managed
 Develop a dynamic financial model of the company that incorporates all the major risks
affecting earnings
4.Risk Quantification
Risks that require more analysis can be quantified, where possible results or losses and
probabilities are calculated and distributions or confidence limits added on. From this exercise
the organization can ascertain key figures like:
 Average or expected result or loss
 Frequency of losses
 Chances of losses
 Largest predictable loss
to which the organization could be exposed by a particular risk. The risk manager must also be
able to estimate the effects of each possible cause of loss, as some of the effects that he needs
to consider may not be insured against. The likely frequency of losses from any particular cause
can be predicted with some degree of confidence, from studying available records. This
confidence margin can be improved by including the likely effects of changed circumstances in
the calculation, once they are identified and quantified. Risk managers must therefore be aware
of the possibility of the increase of an existing risk, or the introduction of a new risk, affecting
the probability and/or possible frequency of losses from another cause. Ultimately, the risk
manager will need to know the frequency or magnitude of losses that could place the
organization in serious difficulties.

Statistical Techniques for Risk Analysis

If we wish to understand and use the concepts of risk, we need to be able to measure these

21
 22

concepts’ outcomes. Psychological and economic research shows that emotions such as fear,
dread, ambiguity avoidance, and feelings of emotional loss represent valid risks. Such feelings
are thus relevant to decision making under uncertainty. Our focus here, however, will draw
more on financial metrics rather than emotional or psychological measures of risk perception.
We thus discuss measurable and quantifiable outcomes and how we can measure risk and using
numerical methods.

A “metric” in this context is a system of related measures that helps us quantify characteristics
or qualities. Any individual or enterprise needs to be able to quantify risk before they can
decide whether or not a particular risk is critical enough to commit resources to manage. If
such resources have been committed, then we need measurements to see whether the risk
management process or procedure has reduced risk. And all forms of enterprises, for financial
profit or for social profit, must strive to reduce risk. Without risk metrics, enterprises cannot tell
whether or not they have reached risk management objectives. Enterprises including
businesses hold risk management to be as important as any other objective, including
profitability. Without risk metrics to measure success, failure, or incremental improvement, we
cannot judge progress in the control of risk.

Indeed, if they cannot measure risk, enterprises are stuck in the ancient world of being helpless
to act in the face of uncertainty. Risk metrics allow us to measure risk, giving us an ability to
control risk and simultaneously exploit opportunities as they arise. No one profits from
establishing the existence of an uncertain state of nature. Instead, managers must measure and
assess their enterprise’s degree of vulnerability (risk) and sensitivity to the various potential
states of nature.

Statistical techniques are analytical tools for handling risky investments. These techniques,
drawing from the fields of mathematics, logic, economics and psychology, enable the decision
maker to make decisions under risk or uncertainty.

i. Probability: Is a measure of someone’s opinion about the likelihood that an event

will occur. Probability is used in Capital Budgeting. The probability of an event is the
chance that the event will occur. If an event is certain to occur, we say that it has a
probability of one of occurring. If an event is certain not to occur, we say that its
probability of occurring is zero. Thus, probability of all events to occur lies between
zero and one. If all possible events or outcomes are listed and a probability is
assigned to each event, the list is called probability distribution, and it identifies all
the possible outcomes for the random variable and the probability of the outcomes.
Probabilities can be assigned to possible outcomes from an investment. If for
example, you buy a bond you expect to receive interest on the bond in addition to a

22
 23

return of the original investment. The possible outcomes for this investment are that
the issuer will make the required payments or that the issuer will default on the
payments. The higher the probability of default, the riskier the bond, and a higher
risk is also associated with a higher required rate of return.

Example 1:

We approximate the probability distribution for the Kwacha amount of damages to Mr

Ndekha’s cars during the coming year. Our approximation will assume only five possible levels of
damages: K0, K500, K1, 000, K5, 000 and K10, 000. The table below lists the probabilities of each
of these outcomes:

Possible Outcomes for Amount of Damages Probability /Chance /Expectation (x)

(p)

K0 0.50

K500 0.30

K1, 000 0.10

K5, 000 0.06

K10, 000 0.04

NOTE: The sum of the probabilities/chances equals 1; this must always be the case.

The most likely outcome for Mr. Ndekha is zero damages, and the least likely outcome is that
damages equal K10, 000.

Probability distribution can be summarized in terms of two variables:

(a) Expected Rate of Return: If we multiply each possible outcome by its probability of
occurrence and then sum up these products, we will arrive at a weighted average of
outcomes. The weights are the probabilities and the weighted average is the expected
rate of return. Like in the example of Mr. Ndekha’s car: Expected Value (X)= 0(0.50) +
500(0.30) + 1,000(0.10) + 5,000(0.06) + 10, 000(0.04)
Thus if some variable x has its values specified with associated probabilities p , then :
Expected Value of x=∑ px
In other words, an expected value (expectation) is obtained by multiplying each original
value by its probability and adding the results.

23
 24

This is equal to K950. This is weighted average of outcomes or expected rate of return.

Example 2:

A stock market analyst makes wrong decisions with probability 0.2 and he has just advised you
to buy some stock. If you previously believed that the stock in question had 70% chances of
success, what must this percentage be revised to in the light of the analyst’s advice given the
following table:

Analyst’s Advice

Buy Not Buy Total (%)

Result Success 56 14 70

Failure 6 24 30

Total 62 38 100

Note: If A and B are two events of a probability, the Pr(A/B)= Pr(A).Pr(B/A)/Pr(B)

We require Pr(Stock success/Analyst says buy)= 56/62= 0.903 or 90.3%

Or using the other formula;

Put S=Success, F=Failure, B=Buy and N=Not buy.

We are given that Pr(s)= 70 or 0.7

Therefore Pr(F)= 1-0.7=0.3

But also Pr(analyst makes wrong decision)=Pr(B/F)= 0.2,

And , Pr(analyst makes right decision)= Pr(B/S)=1-0.2= 0.8

THEREFORE: Pr(S/B)= (0.7) (0.8)/ (0.7)(0.8) +(0.7) (0.8)

=0.56/0.56+0.56= 0.903 OR 90.3

24
 25

5. Risk consolidation, risk review and portfolio management

Risk that has been analyzed and quantified at the divisional or subsidiary level needs to be
aggregated to the corporate level and grouped into categories. This aggregation will be
required as part of the overall review of risk that the board needs to undertake. There must
be systems in place in any organization to:
 Identify changes in risks as soon as they occur
 Enable management to monitor risks regularly
 Enable managers to carry out a wider annual review covering the way the
organization deals with risk.
The process of risk categorization also enables the risks categorized together to be managed by
the use of common control systems.

6. Impact of Risk on Stakeholders

A company’s stakeholders normally include shareholders, employees, suppliers, customers,
regulators etc. There are several reasons that the extra risk carried by company A creates
indirect costs that reduce its value relative to Company B. For example, bankruptcy and
distress costs (expectation of increased losses of a company may lead to the fall of the
company’s share price), raising funds; costs & difficulties (expectation of increased losses can
also lead to difficulties for a company to raise funds, or may lead to the company raising funds
at a high price). Many managers, academics and policy makers argue that companies should not
focus on maximizing the worth of their shareholders, but should also be concerned with the
welfare of stakeholders. Those of this view are of the opinion that companies can maximize the
wealth of their shareholders by building valuable relationships with various stakeholders.The
Turnbull Guidance

In a paper titled “The Boardroom Imperative on Internal Control,” by Anthony Carey and Nigel
Turnbull, the following highlights are noted:

 Risk management should be an integral part of every business and not just an
exercise in meeting regulatory requirements
 Evaluating and controlling risks effectively will ensure that opportunities are not
lost, competitive advantage is enhanced, and less management time is spent
firefighting
 The likely reduction in surprises and the increased ability to meet objectives will
strengthen shareholder confidence in the corporate business process
 The Turnbull report, prepared by a working party of the Institute of Chartered
Accountants and Wales and endorsed by the Stock Exchange, seeks to reflect

25
 26

best business practice by adopting a risk-based approach to designing, operating,

and maintaining a sound system of internal control.
 The guidance it offers comes in the form of a framework rather than a rulebook,
and is planned so that each company can tailor the way it is applied to its specific
circumstances
 The report stresses that control should be embedded in the culture and
processes of the business. It is better therefore to build appropriate mechanisms
into existing management information systems than to develop entirely separate
risk reporting models
 All employees have some responsibility for internal control. Collectively, they
should have the necessary knowledge, skills, information, and authority to
operate and monitor the internal control systems
 Communication between different levels of the organization and across
departments plays a pivotal role in a successful risk management system


a. Stakeholders’ Attitude to Risk

Stakeholder’s response to risk: the risk that organizations will take actions or events will
occur that will generate a response from stakeholders that has an adverse effect on the
business. To assess the importance of stakeholder response to risk, the organization needs
to determine how much leverage its stakeholders have over it.

b. Shareholders

They can affect the market price of shares by selling them or they have the power to
remove management. It would appear that the key issue for management to determine is
whether shareholders:

 Prefer a steady income from dividends (in which case they will be alert to the
threats to the profits)
 Are more concerned with long-term capital gains
c. Risk Tolerances of Shareholders

Some shareholders will, for the chances of higher level of income, be prepared to bear greater
risks that their investments will not achieve that level of income. It is therefore important for

26
 27

management to maintain individual links with individual shareholders to understand their

preference with regard to the risk profile of their investment.

d. Debt providers and creditors

Debt providers are most concerned about threats to the amount the organization owes and
can take various actions with potentially serious consequences such as denial of credit,
higher interest charges or ultimately putting the company on liquidation. When an
organization is seeking credit or loan finance, it will obviously consider what action creditors
will take if it does default. However, it also needs to consider the ways in which debt
finance providers can limit the risks of default by for example requiring companies to meet
certain financial criteria, provide security in the form of assets that can’t be sold without
the creditor’s agreement or personal guarantees from creditors. These mechanisms may
have a significant impact on the development of an organization’s strategy. There may be a
conflict between strategies that are suitable from the viewpoint of the businesses’ long-
term strategic objectives, but are unacceptable to existing providers of finance or are not
feasible because finance suppliers will not make finance available for them, or will do so on
terms that are unduly restrictive.

e. Employees

These will be concerned about threats to their job prospects (money, promotion, benefits
and satisfaction) and ultimately threats to the jobs themselves. They will also be concerned
about threats to their personal well-being, particularly health and safety issues. The
significance of risk will be determined with the variety of actions employees can take.
Possible actions include pursuit of their own goals rather than shareholder’s interests,
industrial action, refusal to relocate or resignation.

Risks of adverse reactions from employees will have to be managed in a variety of ways:

 Risk Avoidance: legislation requires that some risks, principally threats to person
should be avoided
 Risk Reduction: limiting employee discontent by good pay, conditions etc.
 Risk Transfer: e.g. taking out insurance against key employees leaving
 Risk Acceptance: accepting that some employees will be unhappy but believing the
company will not suffer a significant loss if they leave
f. Customers and Suppliers

Suppliers will be concerned about the risk of making unprofitable sales while customers will
be concerned with threats to their getting the goods or services that they expect, or not

27
 28

getting the value from the goods or services that they expect.

Building long-term relationships with customer-suppliers is important because it has an

impact on their attitudes. A desire to build relationships implies involvement of the staff
who are responsible for building such relationships in the risk management process

TOPIC 4: CONTROLLING RISK

Introduction
Because risk management policy goes hand in hand with the strategic plan of organizations,
how organizations deal with risk will not only be determined by events and the information
available about the events, but also management perceptions or willingness to take risk.
These factors will also influence risk culture, the values and practices that influence how an
organization deals with risk in its day-to-day operations.
General Attitudes towards Risk

Different people have different attitudes toward the risk- return tradeoff. People are risk averse
when they shy away from risks and prefer to have as much security and certainty as is
reasonably affordable in order to lower their discomfort level. They would be willing to pay
extra to have the security of knowing that unpleasant risks would be removed from their lives.
Economists and risk management professionals consider most people to be risk averse. So, why
do people invest in the stock market where they confront the possibility of losing everything?
Perhaps they are also seeking the highest value possible for their pensions and savings and
believe that losses may not be pervasive.

A risk seeker, on the other hand, is not simply the person who hopes to maximize the value of
retirement investments by investing the stock market. Much like a gambler, a risk seeker is
someone who will enter into an endeavor (such as blackjack card games or slot machine
gambling) as long as a positive long run return on the money is possible, however unlikely.

Finally, an entity is said to be risk neutral when its risk preference lies in between these two
extremes. Risk neutral individuals will not pay extra to have the risk transferred to someone
else, nor will they pay to engage in a risky endeavor. To them, money is money. They don’t pay
for insurance, nor will they gamble. Economists consider most widely held or publicly traded
corporations as making decisions in a risk-neutral manner since their shareholders have the
ability to diversify away risk—to take actions that seemingly are not related or have opposite
effects, or to invest in many possible unrelated products or entities such that the impact of any

28
 29

one event decreases the overall risk. Risks that the corporation might choose to transfer remain
for diversification.

I. Risk Attitudes
(a) Personal Views/Personality and Risk Perception: One of the important sets of
influences to risk perception is one’s own innate disposition. Personality comprises a
largely inborn set of dispositions, feelings, biases and characteristics that tend to be
manifested in preferences, sensitivities, habits and reactions. An important element of
personality that relates to risk is sensation seeking. This aspect comprises four elements
of thrill; adventure seeking, experience seeking, lack of inhibition, and susceptibility to
boredom. Research studies have linked sensation seeking with a number of risk
behaviors such as making risky financial decisions, taking large gambling bets,
participation in dangerous sports, socially risky behavior and reckless driving. In such
surveys, managers acknowledge the emotional satisfaction from successful risk-taking,
although this is unlikely to be the most important influence on appetite. Individuals vary
in their attitudes to risk and this is likely to be transferred to their roles in organizations.
(b) Response to Shareholder Demand: Shareholders demand a level of return that is
consistent with taking a certain level of risk. Managers will respond to these
expectations by viewing risk-taking as a key part of decision-making.
(c) Organizational Influences: May be influenced by significant losses in the past, changes
in regulation and best practice, or even changing views of the benefits risk
management can bring. The size, structure and stage of development of the
organization also influence attitude to risk:
i. Large organizations are likely to require more formal systems and will
have to take account of varying risk appetites and incidence among its
operations. However a large organization will also be able to justify
employing risk specialists, either generally or in specific areas of high risk
such as treasury.
ii. The risk management systems employed will be dependent on the
organization’s management control systems that will depend on the
formality of structure, the autonomy given to local operations and the
degree of centralization deemed desirable
iii. Attitudes to risk will change as the organization develops and its risk
profile changes; e.g. attitude to financial risk and gearing will change as
different sources of finance become necessary to fund larger
developments.
(d) National Influences: National culture influences attitudes towards risk and uncertainty.
Surveys suggest that attitudes to risk vary nationally according to how much people are

29
 30

shielded from the consequences of adverse events.

(e) Cultural Influences: FOUR points according to Adams:
i. Fatalists: See themselves as having no control over their own lives and hence risk
management is pointless; nothing they can do can make any difference to a
situation
ii. Hierarchists: Exist largely in a bureaucratic organization with formal structures
and procedures. They are likely to emphasize risk reduction through formal risk
management procedures including research to establish the facts, increased
regulation, and an emphasis on risk reduction, avoidance and discouraging risk-
taking behavior.
iii. Individualists: Seek to control their environment rather than let their
environment control them. They will often be found in small single-person
dominated organizations with less formal structures, and hence risk
management too will be informal, if indeed it is considered at all.
iv. Egalitarians: Are loyal to groups but have little respect for procedures. They are
often found in charities and public sector, non-profit making activities. Their
preference will be for sharing of risks as widely as possible, or transfer of risks to
those best able to bear them

(f) Entrepreneurial Risk: Risk that is integral to the pursuit of business opportunities. Risk is
bound up with entrepreneurship. Two types of uncertainty affect entrepreneurial
attitudes; (i) Uncertainty regarding market demand (ii) Uncertainty regarding their own
entrepreneurial ability.
Entrepreneurs tend to be risk-averse as far as demand uncertainty is concerned.
However, they are overconfident with respect to ability uncertainty. Some argue that
this reflects a distinguishing feature of entrepreneurs, their level of confidence in being
able to handle unforeseen events.

II. Risk Management Systems

What is a management system?

It is a framework of structures and procedures that ensure the organization can carry out
the tasks required to achieve its objectives. In some areas, it is also known as a Framework.

It seeks to identify the major risks, and manage them systematically, avoiding the
occurrence of surprises.

30
 31

Elements of a Risk Management System

TASK EFFECT

Understand your risks Discover what risks the organization is prey

to, and measure their likely impact

Set a risk policy Decide on the business’ attitude to risk

Decide how to deal with them: write This ensures that there is an agreed method
procedures to manage risks for managing the company’s risks

Assign roles and responsibilities Determine who will take responsibility for
managing risks

Train staff; communicate effectively Make sure that people are engaged in
managing risk

Keep records This allows you to see when or if important

areas are moving outside that area of safety

Conduct regular internal audits Audits ensure that every risk is regularly
checked

Regularly review audit findings This makes sure that management examines
the audit findings, and takes corrective
action

Institute a contingency plan The plan aims to guide the business through
a period of crisis

Engage external assessors The system should be examined by

independent outsiders, who are free from
internal politics or culture

To be effective, a risk management system must detail all the company’s major risks, ranging
from environmental to governance.

a. Nature of Enterprise Risk Management: Enterprise Risk Management is a process,

effected by an entity’s board of directors, management and other personnel, applied in
strategy and across the enterprise, designed to identify potential events that may affect

31
 32

the entity and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives. The definition can be
dissected as follows:
(i) It is a Process: It is a means to an end, that should ideally be intertwined with
existing operations and exist for fundamental business reasons
(ii) It is operated by people at every level of the organization and is not just
paperwork. It provides a mechanism helping people to understand risk, their
responsibilities and levels of authority
(iii) It is applied in strategy setting, with management considering the risks in
alternative strategies
(iv) It is applied across the enterprise. This means it takes into account activities at
all levels of the organization from enterprise-level activities such as strategic
planning and resource allocation, to business unit activities and business
processes. It includes taking an entity level portfolio view with risk. Each unit
manager assesses the risk for his/her unit. Senior management ultimately
considers these unit risks and also interrelated risks. Ultimately they will
assess whether the overall risk portfolio is consistent with organization’s risk
appetite
(v) It is designed to identify events potentially affecting the entity and manage risk
within its risk appetite, the amount of risk it is prepared to accept in pursuit of
value. The risk appetite should be aligned with the desired return from a
strategy
(vi) It provides reasonable assurance to an entity’s management and board.
Assurance can at best be reasonable since risk relates to the uncertain future
(vii) It is geared to the achievement of objectives in a number of categories,
including supporting the organization’s mission, making effective and
efficient use of the organization’s resources, ensuring reporting is reliable,
and complying with applicable laws and regulations

Because these characteristics are broadly defined, they can be applied across
different types of organizations, industries and sectors. Whatever the
organization, the framework focuses on achievement of objectives.

An approach based on objectives contrasts with a procedural approach based on

rules, codes or procedures. A procedural approach aims to eliminate or control
risk by requiring conformity with the rules. However, a procedural approach
cannot eliminate the possibility of risks arising because of poor management
decisions, human error, fraud or unforeseen circumstances arising.

32
 33

b. Framework of COSO Risk Management: The framework consists eight interrelated

components.
Component Explanation

1.Internal or control environment This covers the tone of an organization,

and sets the basis for how risk is viewed
and addressed by an organization’s
people, including risk management
philosophy and risk appetite, integrity and
ethical values, and the environment in
which they operate.

2. Objective Setting Objectives for the entity should be in place

and the chosen objectives should support
and align with the entity’s mission and be
consistent with its risk appetite.

3. Event Identification Both internal and external events which

affect the achievement of an entity’s
objectives must be identified,
distinguishing between risks and
opportunities.

4. Risk Assessment Risks are analyzed, considering likelihood

and impact, as a basis for determining how
they should be managed.

5. Risk Response Management selects risk responses such

as avoidance, reduction, transfer, or
acceptance, which are used to develop a
set of actions to align risks with the entity’s
risk tolerance and risk appetite.

6. Control activities or procedures Policies and procedures are established

and implemented to help ensure the risk
responses are effectively carried out.

7. Information and communication Relevant information is identified,

33
 34

captured and communicated in a form and

timeframe that enable people to carry out
their responsibilities. Effective
communication should be broad-flowing
up, down and across the entity. There
should also be effective communication
with third parties such as shareholders and
regulators.

8. Monitoring Risk management processes are

monitored and modifications are made if
necessary.

COSO: Committee of Sponsoring Organizations of the Treadway Commission

Different commentators have developed guidance on enterprise risk management in

different ways. Ernst and Young identified six components of risk management:
 Risk strategy
 Risk management processes
 Appropriate culture and capability
 Risk management functions
 Enabling technologies
 Governance
c. Benefits of Risk Management System
i. It is better to tackle risk in an integrated and systematic way rather than work on
individual elements. Working on individual problems means that you may overlook
some risks, and fail to control others
ii. A RMS may also be a good defense in law. If you can show that the company had a
system in place for managing risk, and that it was therefore taking reasonable steps to
control/prevent a crisis, the judge is likely to look more favorably on the business in the
aftermath of a crisis
iii. It reduces the company’s exposure to risk
iv. Leads to greater profits
v. Helps ensure a better use of resources
vi. Makes organizations alert to changes in the market and society
vii. Makes financial distress less likely
viii. Can reduce the company’s tax burden or liability

34
 35

d. Challenges that emerge when implementing a RMS

a) Systems could be awkward/cumbersome and bureaucratic/routine

b) If a system is imposed simply to please a major customer

c) Becoming a routine and inflexible and eventually failing to anticipate new dangers

NB: A good RMS must allow and encourage “blue sky” thinking (not restricting yourself to the
limitations of your present condition. It must avoid being mechanistic and being overly focused
on the company’s internal processes.

e. Risk Management Strategies

Introduction: It is important to note that individuals or organizations cannot reduce their risk
unless they control a large enough number of exposure units. Obviously most organizations
cannot meet this condition. The question therefore arises; “what alternatives are there for
handling risk?” The ways of handling risk may be grouped as follows:
(a) Assuming the risk-risk retention: Risk assumption or risk retention is perhaps the most
widely used of all ways to handle risk. It can be planned or unplanned. Planned risk retention,
also called self-insurance, is conscious and deliberate assumption of recognized risk. The
organization decides to pay losses out of currently available funds. In some cases, a reserve or
“rainy day” fund may be established to cover expected losses. It must be noted that
establishing a reserve fund is not equal to insuring against losses. If a person/organization saves
K100, 000 in the bank to pay for a possible occurrence of an electric fault, this organization has
no way of knowing whether or not this fund is adequate. A single occurrence of an electric fault
could easily exhaust the savings, and a second occurrence may take place before the savings
could be restored. Thus, the risk of loss of savings due to electrical fault has not actually been
reduced. However, a properly drawn insurance plan in which the risk of loss is effectively
transferred to another will take care of an indefinite/numerous number of electrical faults.
(b) Combination of objects/property subject to Risk: Into a large enough group to enable
accurate prediction of loss. This includes insurance mechanism and diversification. The method
of combination is the system of handling risk that usually involves the use of large numbers.
This is possible because it is a widely agreeable truth that when sufficiently large numbers are
grouped together, the actual loss experience over a period of time will closely approximate the
probable loss experience. To the extent that this is true, risk has been greatly reduced or even
eliminated for all concerned. Commercial insurance companies utilize the combination method
as the basis of their insuring operations. These companies simply persuade a large number of
organizations, to pool their individual risks in a large group, and reduce or eliminate their risks
(predictability of losses arising from the law large numbers). This can be compared to an

35
 36

alliance of a group of nations to ward off an attack. The uncertainty of loss from one
unprofitable line of business is reduced by the presence of other lines of business.
(c) Transferring or shifting risk to some other individuals: In this method, one organization
pays another to assume a risk that the transferor desires to escape. The risk bearer agrees to
assume the risk for a price. The risk of loss is often the same to the transferee as it was to the
transferor. The risk bearer or transferee, however, may have superior knowledge concerning
the probability of loss, and thus may be in a better financial position to assume the risk than the
transferor. Nevertheless, the risk still exists. Examples include insurance, lease, and rent.
(d) Utilizing loss-control activities: Although loss control or prevention is not insurance, it does
however, usually reduce the degree of risk. Even though the probable losses are reduced, risk
may yet be present since there is still the possibility that there may be substantial deviations
from the underlying probability.
(e) Avoidance of risk: This involves the avoidance of the possibility of loss in the first place, thus
avoiding risk. It’s a method widely used by those with a high aversion toward risk. Thus, a
person/organization may not enter a certain business at all, and avoid the risk of losing capital
in that business. A person may avoid the use of airplanes, and thus avoid the risk of dying in a
plane crash. An insurance company may avoid underwriting a certain line of insurance, and thus
avoid the risk of loss in that line.
(f) Insurance against risk: Large companies should set up their own captive insurance
companies. This keeps the cash in the business and provides insurance at reasonable rates,
thereby saving the profit margin that would have gone to an outside insurance company. The
risk is retained inside the company, but the business pay sufficient money into the captive to
pay out in the event of claims.
(g) Monitor the Risks: Measure the risks, have an early warning system, keep documentation,
audit the risks and setting a risk management budget.
(h) Contingency Planning: Despite the greatest precautions, things can go wrong
(i) Opt for diversified portfolios
(j) Communication of risk: Risk communication is the process by which the results of risk
assessment and risk management are communicated to decision makers and stakeholders.
Adequate communication is essential in explaining official policies to stakeholders who always
perceive that they are exposed to the risks.
Risk Management Methods
These methods, although not mutually exclusive, can be broadly classified as:
a. Loss Control: These are actions that reduce the expected cost of losses by reducing the
frequency of losses and/or the severity/size of losses that occur. It is also known as risk

36
 37

control. Actions that primarily affect the frequency of losses are commonly called loss
prevention methods e.g. routine inspection of an aircraft for mechanical problems, while
actions that primarily influence the severity of losses that do occur are often called loss
reduction methods. Viewed from another perspective, there are two general
approaches to Loss Control; (1) Reducing the level of risky activity. Exposure to losses
can be completely eliminated by reducing the level of activity to zero, that is, by not
engaging the activity at all. This strategy is called Risk Avoidance. (2) Increasing
precautions against loss for activities that are undertaken.
b. Loss Financing: This is a method used to obtain funds to pay for or offset losses that
have occurred. Sometimes called risk financing. There are four broad methods of
financing losses; retention, insurance, hedging and contractual risk transfers.

TOPIC 5: PROJECT RISK MANAGEMENT

Projects take different forms: road construction to database, introduction of new
products, corporate acquisition, drug research etc.
Projects have much in common: Big investments, complex mix of peoples and
assets, uncertain outcome and a high risk of failure.
Many businesses are wholly project-based, whether management consultant or film
studios. So their entire existence is routinely at risk. And failed projects have a
devastating effect on corporate success.
Whatever format they take, projects routinely overrun on cost and time, and don’t
work as they should. In many cases, the project is shelved. E.g Peoples Shops.
The thing that commonly applies to many major projects is the cost. An expansion
drive of shops in various localities may cost millions of Kwachas. This level of
investment makes even the largest and most profitable firms nervous.
Risk Management Process in Project Risk
To minimize risk in projects, companies can adopt some steps as follows:
Planning for Risk
1. Obtain adequate information
2. Examine all the options
3. Carry out a risk assessment
4. Allocate experienced staff
5. Create a project plan
Risk Control

6. Invest one step at a time

7. Build in flexibility

37
 38

8. Review progress regularly, review external information

9. Spread the risk
1. Obtain Adequate Information

Do proper market research findings that include technical data and information on similar
projects undertaken by other firms. This might not always be possible because data can be
commercial secret.

A decision often has to be made about building a factory, depot, and shopping mall because the
current one is operating at maximum capacity or because management wants to invest in a
new opportunity.

Information about costs and timing is vital at all stages of a project.

2. Examine all Options

Consider all available options before choosing to adopt a particular project. Instead of building
new shopping mall, you may have to buy already existing ones. Or instead of launching a new
product nationally, you opt for a regional launch.

3. Carry out a Risk Assessment

Risk assessment should examine the project’s sensitivity to various factors like a rise in raw
materials’ costs or a downturn in demand. Companies often fail to identify threats to their
projects. As a result, they are ill equipped to fight back if these threats appear on the horizon.
Assessment enables companies to avoid surprises.

Assessment can be in the form of brainstorming or involve experts from different disciplines.

4. Allocate Experienced Staff

Appoint a manager who has previously carried out a similar project. If consultants are used,
they should have worked on similar activities in the past.

5. Create a Project Plan

Plan must contain all the necessary costs, milestones to be achieved and other data needed.
Use of project management software and a database that allows different members to input
and review the information can be useful and helpful.

6. Invest One Step at a Time

38
 39

Avoid committing the company to the entire costs of investment. For example, a project can go
through steps like market research, engineering design, site preparation, order equipment,
installation and commissioning of equipment. At any of these stages, a decision can be made to
either go ahead or not. So commitment of all funds at once might lead to loss of capital for
other investments.

7. Build in Flexibility

That the project’s product can be diverse. Then, if the market forecasts are incorrect, the
project won’t become a white elephant.

While increasing flexibility can increase costs, the company may decide that the reduction in
risk will be worth it.

1. Review Progress Regularly

Continually assess whether the need that prompted the adoption of the project remain true.
This allows the company to either alter the project or halt it.

Management must review the ‘business case’- the reason behind the project; to see whether it
is still valid. Management must also compare the milestones thus achieved against set targets,
and identify where problems may be occurring.

2. Spread the Risk

The cost of the project can be shared with other partners. Although this reduces the company’s
profit, it also means that the potential losses will be equally reduced. Moreover, the other
partners may have skills or assets that the company does not possess, whether in political
contacts, experience of similar projects or marketing skills.

Another way of spreading the cost is to lease the equipment. This helps to delay payment and
minimizes the effect on cash flow.

SCOPE OF EXAM

1. Roles of a Risk Manager

2. Know business as well as financial risks
3. Speculative as well as pure risks
4. Risk assessment-probability (calculation and why is it better than psychological
methods)
5. Some steps in project risk management

39
 40

6. Risk management framework

40