Chapter5 Risk attitudes and internal environment ACCA P1
Key terms about risk Risk appetite: the nature and strength of risks that an organization is prepared to bear. Risk-averse and risk-seeking(two extremes) Risk appetite and internal environment Risk attitude: the directors’ views on the level of risk that they consider desirable. Risk capacity: the nature and strength of risks that an organization is able to bear.
Risk appetite-influencing factors Personal views(leader of an organization) Shareholder’s demand(return) Organizational influences Size of the organization Structure Attitudes to risk National culture
Risk and stakeholders Shareholders: their preference on steady dividends(short-term), or long-term capital gains. Debt providers and creditors: return the money on time Employees: their job prospects, job and well-being Customers and suppliers: long-term relationship Wider community
Internal control environment The overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity. The internal environment encompasses the management style and corporate culture and values shared by all employees. It provides the background against which the various other controls are operated. An effective control environment can make a big contribution to the quality of financial reporting. Risk awareness is very critical.
Risk awareness The ability of an individual to recognize and measure the risk associated with something. (June, 2014, 2(a)) Risk awareness should be embedded within an organization’s processes, environment, culture, structure and systems. Risk awareness should be taken for granted at all levels of the organization, and should be the foundation of all control systems. Elements of a consistent embedded approach identified by Ernst and Young.
Dec, 2009, 4 (a) Describe what ‘embedding’ risk means with reference to Saltoc company. (6 marks)
Dec, 2009, 4 Embedding risk Good IC start with a full risk assessment and this control should be introduced and amended to respond to changes in the risk profile as appropriate on an ongoing basis. To have risk awareness and risk systems embedded implies a number of things. It means that RM is included within the control systems of an organization. (对IC非常重要) When embedded, risk is interconnected with other systems so that risks must be taken into account before other ICs will work effectively.(与其他系统相关) In an embedded risk system, risk is not seen as a separate part of IC but is ‘woven in’ to other ICs and is a part of the organization’s culture. This is a part of the taken-for- grantedness of embedded risk systems when woven into culture.(是企业文化的一部分)
Dec, 2009, 4 Finally, the management of risk is ‘normal’ behavior at all levels. Behavior concerned with risk management is never seen as ‘odd’ or ‘interfering’ bit as much a part of the normal business activity as trading and adding shareholder value.(已经成为企业的日常行为)
Dec, 2010, 4 (b) Define ‘risk embeddedness’ and explain the methods by which risk awareness and management can be embedded in organizations.
Culture and risk culture Culture is the pattern of basic assumptions that a given group has invented, discovered, or developed, in learning to cope with its problems of external adaptation and internal integration, and that have worked well enough to be considered valid, to be taught to new members as the correct way to perceive, think and feel in relation to these problems. Risk culture: cope with risks
Risk culture- about strategy Defenders(防御型) - Liking low risks, secure markets, and tried and trusted solutions. - Doing things right Prospectors(探索型) - Focus on results, prospecting risks - Doing the right things Analyzers(分析型) - Balancing risk and profits, following change
Types of culture-Deal and Kennedy Criteria: the risks employees need to take & and how quickly the employees get feedback Process culture (程序型) - Low risk and little or no feedback - Bureaucratic but producing consistent results Work hard, play hard culture(努力工作,尽情享乐型) - Few risks with rapid feedback - Typically in large organization
Types of culture-Deal and Kennedy Bet your company culture (赌一把型) - High risk and slow feedback - involving development or exploration projects Tough-guy macho culture(硬汉型) - High risks and quick feedback - A very stressful culture like fast-moving financial activities
Changing the risk culture The strength of the control environment and the commitment of top management. Embedding risk awareness and effective communication Necessary training and involving in the RM process. Performance appraisal and measurement Changing the existing risk attitudes Communication and dialogue, job satisfaction, learning experiences, key personnel, infrastructure.
Risk management responsibility Everyone in the company has responsibilities of risk management. The board: determining RM strategy, monitoring risk, setting policies on IC, seeking assurance for the effectiveness, communicating with employees. The chief executive: considering risk and control environment, promoting good culture, monitoring other senior management. Risk committee
RM responsibility-risk committee It is a separate board committee, and sometimes the audit committee shoulder its responsibility. Differences between RC and AC It can be staffed by Eds Having a wider remit Taking the lead in promoting awareness and driving changes in practice Can carry out special investigations. It deals with significant financial market risk.
RM responsibility-risk committee Approving the organization’s RM strategy and policy. Reviewing reports on key risks Monitoring over exposure to risks Assessing the effectiveness of the RM systems Providing early warning to the board Reviewing the company’s statement on IC, in conjunction with the audit committee. Dec, 2008, 2, (a) Describe the typical roles of a risk management committee. (6 marks)
Risk management responsibility Internal and external audit- chapter 8 Line managers: identifying and evaluating risk, designing and operating an appropriate system of IC, having a awareness of the risks, communicating RM policies to staff, carrying out detailed RM functions. Staff: following RM procedures
Special RM personnel- risk manager Providing the overall leadership, vision and direction of ERM. Establishing an integrated RM framework. Promoting an ERM competence throughout the entity. Developing RM policies. Establishing a common RM language. Implementing a set of risk indicators and reports. Dealing with insurance companies. Allocating economic capital to business activities based on risks. Reporting to the CEO on progress and recommending action as needed. Jun, 2009, 4, (a) Describe the roles of a risk manager
Special RM personnel- RM department Setting policy and strategy for RM Primary champion of RM at a strategic and operational level Building a risk aware culture within the organization Establishing internal risk policy and structures Designing and reviewing processes for RM Coordinating the various functional activities Developing risk response processes Preparing reports on risks for the board and stakeholders
Objective and objective setting Types of objectives Mission-general, visionary, unwritten, and open-ended Corporate objectives-entity level, explicit, quantifiable and capable of being achieved Subsidiary objectives-lower level The objective-setting could be supported by environmental analysis: simplicity/complexity & stability/dynamism Levels of strategy: corporate, business, operational Well-defined objectives and strategies are important to ERM. Risk appetite and risk tolerance should be considered.