specimen paper - the chartered insurance institute · make full use of the specimen paper you can...

P67SP

SPECIMEN PAPER

P67 – Fundamentals of risk management

This Specimen Paper is intended as a guide to candidates preparing for an examination in Risk management. It provides candidates with an insight into the different style of questions in the question paper and indicates the depth and breadth of answer sought by examiners. It also indicates the structure of the full question paper which will be presented to candidates when they sit the examination in October 2014.

The answers presented in the question paper provide an outline of the key points which candidates could beneficially cover in responding to the questions. They are not intended as a definitive answer to each of the questions: in many instances the examiners can allow scope for well reasoned, alternative views to gain good marks.

Careful preparation is a major factor in achieving examination success. Giving attention to these specimen questions should therefore help candidates to feel more confident that they are prepared for the forthcoming examination, and can demonstrate their knowledge to its full extent.

Upload: truongdang

Post on 28-Aug-2018



CONTENTS

Important guidance for candidates

Specimen paper

Examples of answers


IMPORTANT GUIDANCE FOR CANDIDATES

Introduction

The purpose of this Specimen Paper is to help you to understand how examiners seek to assess the knowledge and skill of candidates. You can then demonstrate to the examiners that you meet the required levels of knowledge and skill to merit a pass in this unit. During your preparation for the examination it should be your aim not only to ensure that you are technically able to answer the questions but also that you can do justice to your abilities under examination conditions.

Before the examination

Make sure you have a copy of the current Diploma in Insurance Information for Candidates

Details of administrative arrangements and the regulations which form the basis of your examination entry are to be found in the current Diploma in Insurance Information for Candidates brochure, which is essential reading for all candidates. It is available online at www.cii.co.uk or from Customer Service.

Study the syllabus carefully

It is important to study the syllabus, which is available online at www.cii.co.uk or from Customer Service. The questions in the question paper are based directly on the syllabus, so it is vital that you are familiar with it.

Read widely

Your knowledge should be wider than the scope of one book. While books specifically produced to support your studies will provide coverage of the syllabus areas, you should be prepared to read around the subject. A reading list can be found at the end of the syllabus.

Make full use of the Specimen Paper

You can use Specimen Papers as ‘mock’ question papers, attempting them under examination conditions as far as possible, and then comparing your answers to the examples of good ones.

Understand the nature of assessment

Each Specimen Paper contains a full question paper and examples of good answers. The examples of good answers show the type of responses the examiners are looking for, and which would achieve high marks. However, you should note that there are alternative answers to some question parts which would also gain high marks. For the sake of clarity and brevity not all of these alternative answers are shown.

Know the structure of the examination

Familiarise yourself with the structure of the question paper and the time allowed to complete it. This information can be found on the question paper included within each Specimen Paper.


In the examination

Do justice to yourself in the examination

Assuming you have prepared adequately, you will only do justice to yourself in the examination if you follow two common sense rules:

1. Spend your time in accordance with the allocation of marks as indicated on the question paper. If you do not complete the whole question paper, your chances of passing may be reduced considerably. Do not spend excessive time on any one question. If you have used up the time allocation for that question, leave some space, go on to the next question, and only return to the incomplete question after you have completed the rest of the question paper. The maximum marks allocated to each question and any constituent parts are given on the question paper; the number of marks allocated is the best indication of how much time you should spend answering it.

2. Take care to answer the precise question set. You will see that the examples of good answers provided in this Specimen Paper are quite focused and precise; alternative answers would only be acceptable if they still answer the question. However brilliantly you write on a particular topic, if it does not provide a satisfactory answer to the precise question as set, you will not score the marks allocated. Many candidates leave the examination room confident that they have written ‘good’ answers, only to be mystified when they receive a disappointing result. Often, the explanation for this lies in a failure to think carefully about what the examiner requires, before putting pen to paper.

Order of tackling questions

Tackle the questions in whatever order you feel most comfortable with. Generally, it is better to leave any questions which you feel less confident in answering until you have attempted those with which you are more familiar, but remember not to spend excessive time on your ‘good’ questions.

Handwriting

Provided your handwriting is legible, you will not lose marks if it is untidy. We recommend that you do not write in block capitals, because you will be slowed down so much by doing so and, paradoxically, block capitals can become more difficult to read than joined-up writing when done quickly.

Answer format

Unless the question requires you to produce an answer in a particular format, such as a letter or a report, you should use ‘bullet points’ or short paragraphs, since this allows you to communicate your thoughts in the most effective way in the shortest time. The good answers give an indication of which style is acceptable for the different types of question.

Calculators

If you bring a calculator into the examination room, it must be a silent, battery or solar powered, non-programmable calculator. The use of electronic equipment capable of being programmed to hold alphabetical or numerical data and/or formulae is prohibited. You may use a financial or scientific calculator, provided it meets these requirements.

It is important that you show all the steps of any calculation in your answer. The examination is testing your ability to carry out all the appropriate steps in calculating a value. A proficient mathematician is someone who follows the correct method, i.e. carries out the appropriate steps. The majority of the available marks will be allocated for demonstrating the correct method of calculation.

After the examination

All Diplomas in Insurance examiners, one of whom will mark your answer book, are either active practitioners in the insurance industry or are experts on the subject. They have been specially trained to mark question papers using a detailed marking scheme. The marking of each examiner is closely monitored by a Senior Examiner during the marking period and sampling of marked answer books is carried out.


After all the answer books have been marked, a moderation meeting is held, at which all available statistical information is considered, together with the views of the Senior Examiner for that unit and other assessment experts. At the meeting, a pass mark is set to ensure that the standard of knowledge and skills required to gain a pass in the examination is comparable with that of previous question papers.


P67

THE CHARTERED INSURANCE INSTITUTE

DIPLOMA

SPECIMEN PAPER

UNIT P67 Fundamentals of risk management

© The Chartered Insurance Institute 2014


THE CHARTERED INSURANCE INSTITUTE

P67 – Fundamentals of risk management

Instructions to candidates

Read the instructions below before answering any questions

Three hours are allowed for this paper which carries a total of 200 marks, as follows:

Part I: 14 compulsory questions, 140 marks

Part II: 2 questions selected from 3, 60 marks

You should answer all questions in Part I and two out of the three questions in Part II.

You are advised to spend no more than two hours on Part I.

Read carefully all questions and information provided before starting to answer. Your answer will be marked strictly in accordance with the question set.

The number of marks allocated to each question part is given next to the question and you should spend your time in accordance with that allocation.

You may find it helpful in some places to make rough notes in the answer booklet. If you do this, you should cross through these notes before you hand in the booklet.

It is important to show each step in any calculation, even if you have used a calculator.

If you bring a calculator into the examination room, it must be a silent, battery or solar-powered non-programmable calculator. The use of electronic equipment capable of being programmed to hold alphabetic or numerical data and/or formulae is prohibited. You may use a financial or scientific calculator, provided it meets these requirements.

Answer each question on a new page. If a question has more than one part, leave six lines blank after each part.


PART I

Answer ALL questions in Part I

Note form is acceptable where this conveys all the necessary information

1. (a) Identify three essential elements of a coherent management and procedural framework for risk management to be effective in an organisation.

(3 marks)

(b) Identify and briefly explain the governance and financial reporting regulations imposed in the US in 2002.

(3 marks)

2. Identify eight of the issues associated with risk perception as identified by Slovic. (8 marks)

3. (a) Explain in detail:

(i) Speculative risks. (4 marks)

(ii) Pure risks. (2 marks)

(b) Identify and explain briefly two other types of risk excluding reputational, legal and regulatory risk.

(6 marks)

4. Identify ten potential benefits of risk management to an organisation. (10 marks)

5. (a) Define stakeholders in relation to risk. (1 mark)

(b) Identify three types of stakeholder and explain the types of risk that might arise from their interests.

(9 marks)

6. (a) Define off balance sheet assets. (1 mark)

(b) Identify four off balance sheet assets and explain briefly why they must be protected.

(8 marks)

7. (a) Identify six emerging risks that organisations now face. (6 marks)

(b) Explain how new risks can emerge in the course of major projects. (6 marks)


8. Explain the five key steps of the risk management process that must take place. (10 marks)

9. (a) Define Enterprise Risk Management (ERM) and explain briefly its role. (3 marks)

(b) Identify the five main benefits to an organisation of implementing a successful ERM framework.

(5 marks)

(c) Explain briefly the two key elements of a successful ERM system. (4 marks)

10. (a) Identify, for organisations large enough to have a central risk management team, the five likely areas of responsibility you would expect the risk management experts to have.

(5 marks)

(b) Explain what you would expect to be included in a risk architecture document issued by an organisation’s Board of Directors.

(7 marks)

11. (a) State, according to the Institute of Internal Auditors (IIA) the purpose of the internal audit.

(2 marks)

(b) Identify three roles that will be included in an audit and three that will not be included.

(6 marks)

12. Identify and explain briefly six key sources of internal information. (15 marks)

13. (a) State, according to HM Treasury, the definition of risk appetite. (2 marks)

(b) Identify what must be considered when an organisation sets its risk appetite. (2 marks)

(c) Outline what an organisation’s risk appetite policy must allow for. (2 marks)

14. Explain, when measuring risk impact, five of the damage criteria used to compare and prioritise risk.

(10 marks)


PART II

Answer TWO of the following THREE questions

Each question is worth 30 marks

15. As part of its process of risk management, an organisation has identified a risk which is unacceptable.

(a) Explain the three high level options available to the organisation for controlling the risk.

(15 marks)

(b) Explain how the organisation could prepare for an unexpected significant loss incident which could threaten the survival of the organisation.

(5 marks)

(c) Explain how and why the risk management process should be monitored and reviewed.

(10 marks)

16. (a) Identify and explain the four broad classes of risk control available to organisations that can be deployed to treat risks.

(20 marks)

(b) Explain the purpose of and benefits of risk registers and what they might contain. (10 marks)

17. (a) Discuss, following a risk incident, the four financial cost categories with reference to the appropriate International Standard.

(20 marks)

(b) Explain the purpose and process of business continuity management (BCM) in relation to a manufacturing or product processing business.

(10 marks)


Example answers for Part I (Compulsory questions)

1. (a) The framework must be: organisation-wide, an integral part of the organisation and its culture; and organised to allow for both audit and continuous change.

(b) In the USA stringent governance and financial reporting regulations were imposed by the Sarbanes-Oxley Act 2002 covering all companies listed on the New York Stock Exchange. Corporate governance requirements specifically emphasised risk management controls and recommended risk management standards to be followed. These developments were echoed in the UK with particular attention paid to the role, responsibilities and actions of directors, chief executives and senior management of organisations, who were to be held accountable for their long-term decisions.

2.


3. (a) (i) Speculative risk is where someone deliberately chooses to place money or other resources at risk in the hope of obtaining a positive outcome.

The objective of an organisation using capital (money) in this way would be to make a profit or secure another long-term objective. As part of this decision, an organisation should consider what gain could be made and balance this with the ‘downside’ risk of things not turning out as predicted. Examples could include decisions whether to invest in a new product, the timing of such an investment or perhaps whether to enter a new market or a new country.

If you make a strategic decision that affects the long-term future of an organisation you are taking a speculative risk. You could be committing substantial financial or other resources in support of your reading of future events. The effects of a wrong decision may be devastating. In financial organisations, speculative risk could involve betting large sums of money on their assessments of future market or currency variations.

(ii) Pure risk is a category of risk in which loss is the only possible outcome: there is no beneficial result.

Pure risk is related to events that are beyond the risk taker’s control and, therefore, a person cannot consciously take on pure risk. This is opposite to speculative risk.

(b) Two from:

Strategic risk: closely related to speculative risks are strategic decisions or risks, which are usually associated with the long-term objectives of an organisation. As such they invariably relate to decisions the organisation makes about its direction, product mix and target markets.

Organisations may well see strategic risks as incorporating failings around the sale of inappropriate products or services, lack of long-term planning, failure of strategic partnerships or alliances (including outsourcing) and the implementation of inappropriate mergers and acquisitions.

Operational risk: is generally defined as risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Operations of an organisation can encompass a wide array of risks, examples of which may include:

the management of fraud (both internal and external);

damage to physical assets;

business disruption;

system failure;

employment practices;

workplace safety;

outsourcing;

supplier disruption; and

customer service issues.

System failures would include IT failure, process breakdown and potential damage caused by, say, a fire, terrorist or arson attack, events that may need continuity or related recovery plans.


Market risk: (also sometimes referred to as systematic risk) is concerned with the risk of losses in trading positions arising from movements in market prices.

Equity, interest rate, currency and commodity price movement and changes fall within this area, leading to careful monitoring of stock, interbank lending rates (such as LIBOR) or foreign monetary exchange rates. Other areas of potential concern arise through changes in world market prices of essential commodities such as corn or crude oil.

Largely driven by economic factors, market risks can be heavily influenced by events such as natural disasters, recessions, political turmoil or terrorist attacks. Market risk can include equity risk (relating to organisation-wide investments), property price risk (relating to changes in value of aggregate holdings of property owned by an organisation) and solvency risk, the risk of going bankrupt.

Liquidity management, investment returns, mix and concentration of various assets and liabilities are also likely to be of significant concern to all risk professionals looking to manage market risks, and the closely associated financial risks of an organisation.

Credit risk: is risk that a counterparty will suffer real or perceived deterioration in financial strength, or be unable to pay amounts in full when due.

Factors that influence credit risk can include the type of business or industry sector, customer profiles, and the geographical, economic, political or social standing of the counterparty.

Credit risk is associated with credit worthiness of those with whom an organisation does business. An organisation will review as many sources of public information as it can access and also consider approaching appropriate credit rating agencies in order to try and determine the financial strength of those it deals with. Credit risk can affect suppliers, business partners, agents and customers.

Liquidity risk: is the risk of running out of cash when it is needed to meet financial obligations (e.g. the payment of valid insurance claims).

Liquidity is fundamental in any organisation. If an organisation cannot pay its debts as they fall due and no one is prepared to supply additional cash to the company, either as capital or in the form of loans or overdrafts, then almost certainly the company will fail, no matter how technically ‘profitable’ it may be.

Liquid funds can be cash or liquid assets. Asset liquidity is the ease with which an asset can be turned into cash should the investor need it. Real estate, for example, is relatively illiquid; if a property owner needs to convert their investment into cash, the selling process can be prolonged and the outcome uncertain. Shares in public companies on the other hand are relatively liquid as they can be sold quickly and easily, although at current market price. In the middle are bonds and securities, with fixed redemption dates normally between one and twenty years from the date of purchase, depending on their type.

Business risk: is the probability of loss inherent in an organisation’s operations and environment, such as competition and adverse economic conditions that may impair its ability to provide returns on investment.

Likely to be captured under this broad heading are risks arising from changes in competitive environment and increase in market share of competitors. In addition, there may be consideration of changes that may affect the industry within which the organisation operates. Examples would be risks to its overall stability, consolidations, regulation or maybe changes in consumer or supplier expectations.


Insurance risk: associated with any one insurance contract is twofold; uncertainty that an insured event will occur, and uncertainty of the amount of any resulting claim.

For example, with life related products, which are long-term contracts with individual policyholders provided by an appropriate insurer, there are inherent risks relating to mortality, morbidity or expenses variances.

Similarly, with general insurance products, which are short-term contracts with individual policyholders such as domestic motor or home insurance, there are financial risks for an insurer in estimating reserves, with associated uncertainty of financial liability for potential future claims.

4. Ten from:

Compliance with legislation and regulation.

Improved corporate governance (top management control).

Understanding (and therefore avoiding or reducing) operational risk.

Understanding risks associated with opportunities (and therefore better choices).

Improvements in both internal and external risk reports and communications (increase in stakeholder satisfaction and possible decrease in cost of borrowing).

Avoidance of disasters.

Reduction in frequency of incidents.

Reduced cost of incidents.

Reduced insurance costs.

Increased likelihood of meeting organisation objectives.

Preservation of reputation.

Improved health and safety.

Quicker recovery from emergencies.


5. (a) A stakeholder is defined as any individual, group or organisation that can affect, be affected by, or perceive itself to be affected by, a risk.

(b) Employees:

Creating the right working environment is a primary aim of many organisations, particularly those that need to foster creative talent. Anything that might make employees dissatisfied must be viewed as a risk that threatens efficient operation and achievement of objectives. Organisations may depend very heavily on key management or specialist staff and many take out insurance to mitigate the effects of key people leaving or suffering ill health.

The behaviour of employees will not always be aligned with organisation objectives. Risks of fraud and general negligence must be considered and precautions taken against wilful damage being caused by disgruntled staff.

Suppliers:

Organisations and their suppliers are interdependent. Good quality, on-time deliveries are required from the supplier and dependable payments from the organisation. Each must have confidence that the other party will perform.

Exactly where the risk lies in respect of perceived defaults will depend on the wording of the legal agreement between the two. Organisations must not assume that risk is automatically subcontracted with a task.

Customers and other recipients of service:

Most business customers will move to other organisations if they lose confidence in either delivery or quality. Sales teams will find it increasingly difficult to find new customers. Non-commercial organisations, such as public service organisations or charities, will face difficult relationships with their service recipients should confidence be lost.

Failure to deliver contracted services on time with sufficient quality can lead to litigation for damages or restitution. An organisation also retains legal responsibilities in addition to those specifically mentioned in a supply contract.

Distributors:

Distributors are in effect wholesale customers. All the comments about customers therefore apply.

Some distributors depend on few or even one source of supply (e.g. a distributor of new motor vehicles). Failure of that one source of supply could damage that distributor in many different ways. It can even cause the distributor to fail altogether if an adequate replacement supplier is not found soon enough.

Regulators:

There are various regulators which, in many different ways, will take a continuing interest in an organisation. Failure to satisfy the statutory and other requirements of these regulators can result in them imposing substantial fines, restricting business or closing down a business altogether. Adverse regulator comment will invariably damage reputation.

The media:

The media has many forms including local and national newspapers, television and radio, popular and professional magazines and, increasingly, the internet.

We can view the media as wholesale distributors of the reputation of an organisation and its officials. If a publication is negative about an organisation much damage can be done. This is so whether the story reflects the truth, only part of the truth, or even is factually incorrect.


Private investors:

Private, monetary investors can range from family, partners, employees, associated companies and other investors in an organisation. Often they can be more exposed to devastating loss than stock market investors who have more opportunity to spread their investments, and therefore risk, across different companies and markets.

There are also ‘investors’ who have a non-monetary stake in the organisation. They stake their professional and personal reputations alongside that of the organisation. They too can suffer loss alongside any damage to the organisation itself. They can find it a very long and difficult process to rebuild this type of asset.

Banking industry:

Banking and investor finance companies will maintain an interest in the fortunes of those organisations to which they have provided money. If that money is perceived to be at greater risk due to an unexpected downturn in the strength of an organisation, the cost of borrowing can increase significantly.

If financiers believe there is sufficient cause for concern, they may demand that assets that are security for loans be sold immediately and loans repaid. The lender can have that power under the terms of the loan or mortgage agreement. Primarily the decision when to sell mortgaged assets will be based on the interests of the financier and not necessarily the longer-term interests of the organisation and its other stakeholders.

Quoted shareholders:

Quoted shareholders come to an organisation through stock markets in various forms. Usually the investor has many choices beyond the subject organisation and can switch funds rapidly. In addition, stock market sentiment has many other influences beyond the success of an individual quoted organisation and thus its behaviour becomes a risk in itself.

Falling stock values can increase the cost of borrowing capital. If lenders perceive that the relationship between total borrowings and the net value of the company is narrowing they can demand higher interest rates and security.

Single points of influence can affect shares widely. These influences include credit rating agencies, such as Standard & Poor’s and investment analysts employed by larger brokers and merchant banks.

Business partners:

Organisations and individuals often share objectives and responsibilities. This sharing is mostly defined by contract defining what those objectives and responsibilities are. Often there is a sharing of brand values and reputation, and situations are created where each depends on the other to meet its own responsibilities and needs. Failure of one can be destructive to the other; hence there are important stakeholdings in the quality and delivery of the other organisation or organisations. Franchises and jointly owned organisations are common examples of interdependent business partners.

The environment:

Increasingly there is public and statutory interest in the quality of the environment. You will know this is a very wide subject not only covering pollution of the physical environment, but everything from renewable sources of material, waste disposal, energy and water conservation, waveband utilisation and fair trade issues. Organisations violating environmental legislation risk heavy penalties and fines.

Rules apply to restrict proliferation of dangerous articles and substances, to protect children, and to discourage potentially addictive activities like smoking, drinking and gambling. Specific regulations govern imports and exports and general movement of goods likely to be of use to terrorist activities. Organisations may need to consider their vulnerability to fraud, money laundering and insider dealing as well as corporate manslaughter and other potentially criminal acts.

Others:

Individual organisations may have their own different stakeholder pressures. One example would be a political organisation with its own dependencies to protect. Another example of responsibilities to others can be to industry pressure groups, or alternatively, industry associations.

Competitors too are a form of stakeholders. If an organisation is weakened by an unexpected event there may be a whole range of competitors who will see the incident as an opportunity for themselves.

6. (a) Off balance sheet assets are valuable items that are not always included in balance sheet figures.

(b) Four examples are:

Intellectual assets are assets that are information rather than hard material things. This not only includes information that is documented but the information and knowledge that lies accumulated within a trained and experienced workforce and is crucial to the product or service delivery. Intellectual assets embrace such things as licences, enabling software, patents, contracts, relationships with workforces and others, audit trails, research outputs, credit ratings, recipes and current work.

The reputation of, and confidence in, the organisation. Even a non-profit-making organisation can have an equally important dependency on the value of its ‘brand’ or reputation to maintain good and efficient working relationships with its service users.

The network of critical suppliers, the relationships and the contracts. Without suppliers the business would not be able to function.

The distribution system and its relationships and contracts. The risk here relates to sales, the lifeblood of organisations.

7. (a) Six examples of emerging risks:

New health risks, such as AIDS, MRSA and BSE/mad cow disease.

Increased risk and changing methods of terrorism.

Technology risks, such as e-commerce and identity theft.

Developments in genetic engineering and stem cell research.

Effects of high density electromagnetic fields, solar flares and global warming.

Environmental damage.

(b) Many new risks can emerge in the course of major projects.

Examples of major projects include:

Building a nuclear facility.

Designing and commissioning a new hospital complex.

Developing a new pharmaceutical product.

Installing a new deep sea oil drilling platform.

Developing a supersonic airliner.

Planning a manned space mission to Mars.

People engaged in major projects look for new and emerging risks as part of their risk management process and engage with others in similar situations through various professional bodies and seminars.

Risk professionals need both knowledge and imagination to identify emerging risks. Anything that encourages discussion of risk must increase the chances of identifying possible new risks that may occur, and comparison across disciplines might help broaden trends of thought. Away from major projects, risk professionals could use similar brainstorming and recording techniques within their own organisation if this can be arranged. Other useful current information can be found in professional magazines and news articles and through internet websites.

8. The five key steps in the risk management process are:

• Establish the context. Obviously it is necessary to start with a clear understanding of the objectives, structure and culture of an organisation before proceeding to identify risks. This process results in the development of a risk management philosophy on which all future risk management decisions will depend. In large organisations this philosophy will be defined and reflected in a formal risk policy document issued for the guidance of staff.

• Identify risks. Understand what threats there are. What might make it more difficult to achieve stated objectives, or indeed prevent achieving them altogether?

• Analyse risks. Understand the potential within those threats for damage to the organisation and its stakeholders. Assess likely frequency of risk damage from each of those threats:

  - Could it happen?

  - How bad would the loss or damage be?

  - How often could it happen?

• Evaluate risks. Decide what risk levels – both single and cumulative – are acceptable; and thereby identify those risks that are at a level or frequency that are unacceptable to the organisation.

• Treat risks. Steps must be taken to control or limit the impact of those risks deemed unacceptable. One or more of the following actions may be appropriate.

  - reduce likelihood and/or frequency;

  - reduce impact, whether it is human, operational or financial;

  - transfer the risk to another organisation;

  - prepare for the incident by continuity planning.

9. (a) The structure an organisation sets up to control risk management across the whole of their organisation is known as enterprise risk management (ERM). As well as being a framework to control risk management activities, ERM systems allow all the risks involved in an organisation to be looked at together and from different perspectives. This is known as a holistic approach.

(b) The benefits of a successful Enterprise Risk Management Framework to an organisation are:

better informed strategic decisions;

successful management of change and higher operational efficiency;

organisations can expect more accurate financial reporting;

reduced borrowing costs; and

improved competitive advantage.

(c) The two key elements of a successful Enterprise Risk Management System are:

A workable framework clarifying functional responsibilities and interactions, and the systems for internal communication, reporting and control.

A set of terms of reference for key staff applicable to the organisation. This clarifies individual functional responsibilities and individual requirements for communication, reporting and control.

10. (a) The five likely areas of responsibility I would expect the risk management experts to have are:

Training.

Provision of procedural advice.

Coordinate and report on risk management performance.

Maintain central files and registers.

Maintain standards in line with best industry practice.

(b) I would expect the following to be included in a risk architecture document issued by an organisation’s board of directors:

specify the board member or subcommittee responsible for risk management;

state in general terms how risk is perceived; and

specify the roles and responsibilities of any senior risk professionals or departments.

It should also define a general framework for identifying, evaluating and reporting risks, specify an authority to approve risk management related aspects of procedures, clarify the role of risk committees and lay down guidelines for auditing and assurance. It should be made clear that the board expects regular assurance that approved procedures are being followed and expected benefits are being obtained.

The risk management architecture document should be reviewed at least every one to two years to reflect major changes in an organisation or its environment.

11. (a) According to the Institute of Internal Auditors (IIA) the aim of internal audit is to evaluate and contribute to improvement of governance, risk management and control process using a systematic and disciplined approach.

(b) Three functions that will be included in an audit are:

Assurance that key risks are adequately reported and managed.

Assurance that risks are correctly evaluated.

Assurance that risk management processes are effective.

Three functions that will not be included in an audit are:

Accountability for risk management.

Changing risk management processes.

Setting risk management appetites.

12. People:

Risk managers should know the risk they are expected to manage and other personnel are expected to focus on risk as part of their wider responsibilities. These people will be a useful source of information. Others that may have management of risk considered to be a part of their role can include:

Design engineers.

Facilities managers.

Project managers.

Legal officer.

Product development manager.

Company secretary.

Meetings:

Organisations have formal meetings to coordinate their activities. Some meetings will be at fixed periods with a similar agenda each time, while others will be ad hoc to discuss a particular matter needing resolution. The outcome of formal meetings will normally be recorded in a document known as minutes, even if the document is just a record of decisions taken or actions required. Properly written minutes will allow people absent from the meeting to learn about key decisions or activities that were made. Some meetings will be of more concern to the risk department than others, and it may be necessary to have a representative present to access detail. For others, reading the minutes should enable judgements to be made if anything is worth following up. As most important decisions are taken or ratified at formal meetings, they are a vital source of regular information about ongoing activities. The risk department will of course organise meetings specifically to discuss matters affecting risk and disseminate minutes for more general information.

Committees:

A nominated group of people holding meetings for a particular reason is known as a committee. The risk department should be involved in all committees that discuss risk.

A board risk subcommittee will be authorised to fulfil board responsibilities regarding risk.

Larger companies may also have an equivalent audit subcommittee. The purpose of an audit subcommittee is to stand back from the organisation’s functional executives and take a view on the behaviour of its managers and the effectiveness of business controls.

Some regulatory authority requirements and guidelines encourage an audit committee to be in place. As this committee is discussing strategic risk controls, the risk department should be present or, at the very least, be required to report on risk exposures to that committee. Cooperation and a good relationship can bring benefits to both parties.

Documents:

Examples of useful documents may include the following:

Proposal papers.

Auditors’ report.

Insurance documents.

Procedures manuals.

Historical risk reports.

Databases:

We have separated databases from the general heading of documents because databases imply continuously updated information sources, whereas documents are essentially snapshot reports associated with a specific date. Many organisations keep records in database form simply to make use of search facilities and for ease of record retrieval. A common example would be a health and safety incident log. Loss and near miss databases are other examples, especially in financial service organisations.

Observation:

Our list of internal information sources would not be complete without mention of personal observation. Trained risk professionals recognise risks and hazards as they go about their daily business. Other people will have noticed the same problems and pitfalls but perhaps not appreciated their full risk significance. A good risk professional will reflect on their observations and make notes prompting further investigation.

13. (a) According to HM Treasury, risk appetite is defined as the amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.

(b) Risk appetite must consider all types of risk, in terms of both threat and opportunity.

(c) As well as setting limits on the amount of ‘downside’ risk an organisation is prepared to accept, the appetite policy must allow for controlled risk taking where anticipated long-term gains outweigh potential short-term losses.

14. When measuring risk impact, five of the damage criteria used to compare and prioritise risk are:

Health damage, injury or loss of life

In Western society we take the view that no unreasonable risk to human beings is justified and UK legislation imposes duty of care responsibilities on organisations. This is backed up by detailed and extensive health and safety requirements and regulations. Risk is not confined by an insurance policy, and any activity or lack of activity that results in personal health or injury damage can be very expensive if subsequent litigation occurs.

Asset loss

Most asset losses can be measured in monetary values and a risk department will be concerned, as are insurers, with concepts of indemnity. The issue is not just insurance specific, as a risk team will be looking to determine what monies are needed to return the organisation back to the position it enjoyed before the risk incident.

Assets recorded and summarised on the balance sheet will have readily accessible accounting values that can be used. Other assets will require conversation with relevant departments to assess the financial effect of resulting loss of business if those assets are devalued.

Time and resources

There are some risks where lost time is the most critical element of damage. Failure to meet delivery schedules can cause penalty clauses to be invoked, clients to move elsewhere and loss of reputation.

Another critical issue can be loss of resources or tying up resources on damage limitation, crisis management or communication issues. The cost here is not just the cost of resources used, but also the cost of lost business opportunities that could have been exploited had those resources been available.

Business survival

Any risk that threatens the survival of an organisation needs high priority attention even if the probability of it materialising is remote. For these risks a single incidence is unacceptable unless adequate defences are in place.

Some survival risks may be high monetary value incidences of common risks, such as physical damage, fraud or misuse of funds, but others may not be measurable in financial terms. All business is based on confidence and loss of confidence can have severe consequences. Examples of issues that could affect confidence are damage to the credibility of a brand, concern with regulatory approvals and licences, security of intellectual assets, and mistrust of strategic direction. An organisation must retain the confidence of all its stakeholders with their different, sometimes overlapping and conflicting, types of interest.

Aggregate loss

It is not just the cost of a single incident that needs quantifying, but also total costs that may be incurred by multiple incidents of the same type over a period of time. Losses must be aggregated when a risk results in simultaneous multiple incidents of damage. Crime losses, fires, deaths, weather damage, contract default and many other losses can happen more than once in any specified time period. The financial reporting year of the organisation may be a useful reporting period, or the period may extend over the shorter or longer timescale of a particular project.

Example answers for PART II questions.

15. (a) Organisations have a number of choices available when setting out to control an unacceptable risk. They can retain the risk, reduce the risk down to acceptable levels or transfer the risk to insurers or other parties. They can also prepare continuity plans that will enable them to manage themselves through an incident in a way that will avoid unacceptable levels of damage.

Retaining the risk:

An organisation may consider that if a particular risk incident occurs, ‘worst case scenario’ damage would not be sufficient to divert the organisation from its objectives and responsibilities. In addition this would not adversely affect stakeholders’ expectations to an unacceptable level. If this is so, a decision could be made to accept the consequences if a risk incident were to occur.

In large organisations, a group office may formally advise smaller units and subsidiaries that losses that would be disproportionate to the size of the unit can be carried cost effectively by group office. This allows the strength of group office to be used as a cost-effective risk measure for the division. Care needs to be taken, however, not to over expose minority shareholders in such a subsidiary.

When accepting exposures we also need to remember that an incident, say a hurricane, can happen more than once in any accounting period.

Reducing the risk:

Prior to a loss occurring, an organisation has plenty of opportunity to reduce the chance of a risk incident happening.

Physical controls can include fire protection, health and safety measures, security controls, duplication offsite of computer data etc. Organisations may choose to move parts of the organisation away from the rest and thus create two or more independent risks. This can avoid a single point of failure concentration of risk that would be a much more destructive exposure.

Non-physical controls can include effective staff recruitment and other procedures that remove an unacceptable concentration of people risks. Some large organisations will have a limit to the number of board members or key managers travelling in one form of transport. Investors may demand to see succession planning in an organisation where they see an unacceptable dependency on one senior executive. Manufacturers can decide that they would never source key ingredients from a single supplier or country.

Throughout all these measures, employee awareness and training are vital risk tools. As time passes without incident so risk awareness decreases and also the probability of risk is downgraded. People may discount risks entirely if past management has been effective and discontinue ongoing precautions. A public health issue illustrates this point. Do we continue with vaccination programmes once a disease has been eliminated?

Transferring the risk:

Insurance is often the first thought when transferring the risk of financial loss. It is a valuable tool in transferring to another organisation those exposures that cannot safely be managed internally. There are, however, other ways of transferring risk.

An organisation may create and fund a different legal entity, such as a captive insurance company to carry its risks. Financial instruments such as derivatives can also be used.

Lawyers will use contract wordings to move the consequences of a risk incident from one contracting party to another. The directors, however, must still be sensitive to the fact that the failure of that counterparty may still leave unacceptable exposures at their own door.

Furthermore, some risks, such as the safety of their own employees, cannot be transferred.

Business strategies can be used to prevent exposing an organisation to any one loss that is considered to be unacceptable. The policy may be, for example, to ensure that all borrowings can be made only in the same currency as its corresponding assets. Thus a currency movement will affect borrowings and assets equally with no net loss to the organisation.

(b) Continuity plans can be drawn up that will enable organisations to manage themselves through an incident in a way that will avoid unacceptable levels of damage.

Continuity planning is a process where an organisation anticipates an incident and prepares a plan to manage the consequences so that the incident does not threaten the survival of the organisation.

This can be simple but very effective, e.g. backing up computer data frequently and storing the back-up tapes off-site. Continuity planning can also be sophisticated and expensive. It can include contracts for stand-by machinery and computers, standby suppliers, detailed recovery plans and exercises for staff involved.

Continuity plans can prepare for a whole range of incidents, such as computer failure, product recalls, kidnap, terrorism, fire, weather damage, major fraud, aggressive media attention. They set out to requisition urgently needed resources, ensure effective control of the management of the incident, organise recovery, and ensure that crucial and urgent functions and credibility are maintained throughout. Continuity plans will also set out procedures to collect costs and other data necessary for any insurance recovery claim.

(c) Monitoring and reviewing:

All organisations must adopt some form of quality control. In large organisations, particularly those in regulated business sectors, this may be an elaborate structure of audit arrangements, reporting directly to the board on a regular basis. In small organisations the owner/manager may personally assess the quality of work being done and product being supplied. Manufacturing organisations invariably adopt quality procedures, from regular goods inspections, through to quality circles and continuous improvement initiatives.

Like any other established procedures, risk management procedures can be audited to see if they are being followed and if they are achieving required objectives. Both procedures and achievements can be tested against those of similar organisations and against established standards to see if they can be improved. We will come back to this process of benchmarking later on in the study text.

Where an organisation has dedicated risk professionals, they too will be interested in quality control to assess risks involved in failing to meet either contractual or statutory requirements in products and services supplied. There will inevitably be some overlap of interest as risk professionals seek to manage quality risk, a task that may have been allocated to others. Whether quality monitoring and control is allocated to specialist functional groups or embedded in the responsibilities of operational managers, ultimate responsibility lies with the directors of an organisation, who have to satisfy other stakeholders.

Organisations must establish effective internal controls to satisfy stakeholders of their ability to properly manage risk. We will see later on that in some cases controls will be mandatory requirements of regulators, or required by law to demonstrate the existence of adequate corporate governance. Compliance with international standard ISO 31000 would be regarded as a suitable benchmark against which risk control systems could be measured.

16. (a) The four broad classes of risk controls are explained below:

Preventive – Most controls implemented in organisations are preventive controls, which are designed to reduce the possibility of undesirable outcomes. A common example is separation of duties. To prevent irregularities in purchasing departments, for example, the person responsible for placing orders for required goods and services should not be the one who authorises the payment of invoices. Similarly, a checkout operator is not the person who checks till contents at the end of each day.

Another preventive control is to limit specified actions only to authorised personnel. For example, only suitably qualified and trained people would be permitted to sign off designs, authorise price quotations or perform certain operations. Unwanted publicity can be prevented by allowing media to access only trained press officers.

At a higher level, preventive controls could be strategic decisions to avoid certain types of activity. Examples would be a government deciding not to include nuclear power in its national energy policy or a property insurer excluding risks from floods.

Corrective – Corrective controls are designed to correct undesirable outcomes which have already occurred. They are a means of recovery against loss or damage. An example would be contract terms that allow a supplier to recover goods that have not yet been paid for from a customer whose business is in receivership or administration. Continuity planning is another corrective control. Organisations plan for business continuity and recovery after events which they could not prevent.

Insurance is a form of corrective control as it facilitates financial recovery when an insured risk materialises. Insurance transfers the consequences of risk to the insurer. Risks and/or consequences can be transferred to other organisations by contract, for example when operations are outsourced. Whether such measures are corrective or preventive will depend on precise wording of the contract and its interpretation under governing law.

Directive – Directive controls are instructions or regulations designed to ensure that a particular outcome is achieved. They are important when people’s behaviour can avoid an undesirable event. Directive controls are commonly associated with health, safety and security. Examples are requirements to wear protective clothing while performing dangerous duties, or that staff are trained to certain skill levels before being allowed to work unsupervised.

Checklists, worksheets and test schedules are directive controls. They are designed to ensure all critical aspects of a task have been properly addressed and completed. Such instructions are particularly important in assembly, maintenance, testing and repairs of components of systems where utmost reliability is essential. The aviation industry, for example, relies on correct and thorough engine testing and maintenance to keep its aircraft flying. Other examples would include nuclear power and oil and gas exploration.

Detective – Detective controls are designed to identify unwanted occurrences that have already happened and are, therefore, only appropriate when it is possible to accept the loss or damage incurred. Stock or other asset checks are examples of detective controls. They detect theft or similar anomalies. Reconciliation is another technique. Reconciling authorised payments with bank statements will detect unauthorised transactions.

Audits, inspections and similar quality controls are detective. They look for causes of defects in products and procedures, with a view to introducing changes in the future. Accident investigations and ‘black box’ analyses following aviation disasters are other detective examples.

(b) Risk registers can fulfil a dual role, both facilitating practical management of risk and helping to instil or consolidate risk management culture into day-to-day operations. The latter objective is achieved by embedding the risk register in a controlled environment that enables operational managers throughout an organisation to safely access risk information, update specified data fields, and participate in decision making regarding appropriate responses.

Design of a risk register must allow useful information to be produced. Design must take into account what internal and external reporting is required, and in what form. What information will help management make critical decisions and influence strategic plans? What links are required to other facilities? How much access should be allowed?

Information must be stored in a form that is easy to extend and change. As its risk register matures, an organisation will discover more uses for the information and will add further analysis or detail to the categories.

A risk register contains various information which an organisation needs to manage risks. Essential data such as risk description, probability and impact assessment is supplemented by information about existing risk controls, ranking, priorities and risk ownership. The register could also allow for recommendations for new or improved risk controls, action plans for their implementation and plans for updating and review.

17. (a) Following a risk incident, the four categories of financial cost are:

Monetary:

Initial monetary cost of an incident is often clearly defined for an organisation. As well as the cost of replacing any assets that have been lost, it will include awards made against them by courts, litigation costs and any regulatory fines. Total monetary cost, however, is more complicated than this.

Large, unexpected outgoings can damage cash flows that are needed to keep an organisation functioning. An organisation may have substantial assets, but it is not always possible to realise those assets quickly to fund losses. Typical examples would be assets invested heavily in machinery and property.

Raising cash quickly is always a difficult exercise as assets may have to be sold at less than full value or lenders may be reluctant to provide finance at reasonable rates of interest. Even if money is available immediately to replace plant or equipment, it could take months or years for them to be constructed, delivered and brought on stream.

Assessing replacement costs is not in itself always straightforward. Having suffered a substantial loss, the board of an organisation will want to assess the situation to see if a replacement facility is the best way forward. Often they will use the opportunity to construct something better or more flexible than the one that was lost. In any case, direct replacement may not be possible as building methods, planning controls and access to materials may have changed.

Steps that may need to be taken, even before building work starts, say after a major fire at key premises belonging to an organisation working on oil extraction, could include:

• appointing architects and quantity surveyors to make suggestions and draw plans;

• checking and applying for new planning permissions where necessary;

• preparing specifications for builders and equipment suppliers;

• considering and negotiating tenders;

• ordering replacement machinery well in advance; and

• retraining staff where necessary or replacing with new skills.

During this time the organisation will be facing a shortfall in income if sales have slowed or stopped. Finally, there will be continuing fixed costs to pay. These include such things as the cost of wages, rent and even some new costs, such as redundancy payments to some employees. In addition, following a major incident, there may be additional injury costs to pay.

Timing:

We have seen that delays in completing rebuilding work or replacing assets are an important factor in the total cost of damage. The longer it takes to re-establish normal working, the longer receipts will be delayed, with consequent increases in borrowings and interest payments. Share values may also fall.

Some costs of damage may not need to be financed immediately. A common type of such a cost arises from liability claims. Often, a prosecuting personal injury solicitor will be reluctant to settle until the full long-term extent of an injury is known, so there may be a period of time before the full cash award is needed. However, interim payments, where required, still need to be funded quickly.

When accounting for future unspecified payment liabilities, organisations will take legal advice as to the likely amount to be paid and the possibility that interim payments may be made, and then work backwards towards the current ‘present day value’ cost. The current cost will need to assess:


• inflation on the claim itself;

• whether interim interest may be awarded by the court on the amount paid; and conversely

• any values gained from funds held awaiting payment.

Insurers use actuaries for such calculations.

There can be other timing issues. In assessing potential costs of possible incidents, risk professionals have to consider that there may be more than one similar incident in a given accounting period, as we touched on in chapter 5. Would this be significant enough to affect share price? If an organisation is planning to raise capital from the stock market or is already vulnerable to takeover, this could be a major issue.

Administration:

A significant incident can divert valuable management time away from the ongoing needs of a business. Similarly, a large number of individual incidents use up resources. An insurer, for example, would not just finance insured losses. They may also administer the claims portfolio, negotiate with claimants, manage claims costs down and retain financial and statistical control. Such incidents may also distract managers away from more productive business issues. For example, overseeing the need to collect, document and verify evidence for large and complex claims will be a major management task.

An organisation choosing to retain risks internally may need to create an infrastructure that can handle what may be a large number of individual incidents and their aftermath. However, it is unlikely that an internal department will have the skills to contain costs as effectively as an outsourced claims handling operation, whether as an insurer or even a specialist claims management company.

Opportunity:

Loss events may detract from an organisation’s ability to achieve its business and financial plans. This is known as an opportunity cost as the organisation is unable to pursue opportunities which would have generated profits.

Opportunity costs arise when an organisation can no longer produce goods and services due to machine downtime or location damage, or is prevented from pursuing new products or market opportunities through lack of resources. Such costs can be compounded if competitors, detecting a weakness, take the opportunity to target customers or the distribution base.

Other problems can arise that prevent resources being used as originally intended. An incident and its location may be adjudged a crime scene by police, who will demand quarantine of that area until they have completed their investigations. This can take days, weeks, or in the case of a serious incident, months. An organisation can be denied access to its own premises and property in this way until police are satisfied that a crime has or has not been committed. To compound the annoyance, media, politicians, local authorities and lobby groups may react to the organisation’s difficulties.

In addition, there is a range of statutory agencies that have the power to impose an investigation on an organisation. In the UK these include the Environment Agency, Health and Safety Commission, HMRC and others. There are equivalents in many other countries, all of whom can hugely distract from an organisation’s ability to restore its usual activities.

(b) Organisations have to recognise that some events cannot be either totally avoided or insured, so they need to plan what they are going to do if a major incident occurs. This process is known as business continuity management (BCM). The objective is to keep a system operational despite losses occurring and to restore it as quickly as possible to its original state. Plans and procedures are put in place to limit the extent of damage, financial or otherwise, a significant event may cause.

The manufacturing organisation will be looking to ensure that critical dependencies are protected or duplicated and available in time to avoid organisational damage. They will be looking to achieve fast and visible control of any incident and its aftermath. Security and safety will need to be reinstated where appropriate, and retention of key financial and operational controls will be fundamental. An organisation will also be striving to protect its brand value and ensure its immediate responsibilities are met.

Each major incident has unique circumstances that determine its eventual outcome. However, whatever their cause or effect, major incidents are always followed by the same pattern of activities. First there is immediate emergency action, then temporary measures to continue some operations, finally a permanent solution to restore previous facilities or improve them.

In May 2012 the International Organization for Standardization (ISO) published ISO 22301 (Societal security – Business continuity management system – Requirements) which is the new international standard for business continuity management and builds on the provisions provided by the BSI (British Standards Institution) standard BS 25999. ISO 22301 covers the whole process of setting up and maintaining systems to deal with potential disruptions. The standard is split into ten main clauses. The new standard supersedes BS 25999 and puts a much greater emphasis on monitoring performance and aligning business continuity management. It is a guide both to BCM planning processes and management of an overall programme through training, exercises and reviews to ensure BCM plans stay current and up-to-date.

ISO 22301 establishes a comprehensive six step process cycle:

The objective is to set a standard for organisations that need to be confident they are capable of dealing with emergency situations and recognise they must be able to justify this confidence to their stakeholders.