CMA P2 Risk Management PDF

Title CMA P2 Risk Management
Course Risk Management
Institution Swansea University
Pages 29
File Size 922.9 KB
File Type PDF


Section D – Risk Management

Risk management, including enterprise risk management (ERM, a subset of risk management), makes up 10% of the CMA exam. The topic of Risk Management begins with a discussion of traditional risk management, then discusses enterprise risk management, and finally moves into a discussion of the enterprise risk management framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management: Integrating with Strategy and Performance (2017).

Introduction to Risk Management

Risk is defined in a number of different but related ways. Enterprise Risk Management: Frameworks, Elements and Integration (SMA:ERMF), published by the Institute of Management Accountants (IMA) as part of their Statements on Management Accounting series, defines risk as follows:

“A risk is any event or action that can keep an organization from achieving its objectives.” [15]

The preceding definition frames risk in negative terms; that is, risks are events that might cause harm to a business.

“Risk” is not the same as “uncertainty.” Something that is uncertain is not known or is not definite. Therefore, “uncertainty” in the context of an event that may occur means it is not known whether the event will occur. Furthermore, the event may be a positive event or a negative event. Uncertainty has a neutral connotation, and uncertainty may lead to positive or negative outcomes.

SMA:ERMF defines enterprise risk management as:

“A structured and disciplined approach: It aligns strategy, processes, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. . . It is a truly holistic, integrated, forward-looking, and process-oriented approach to managing all key business risks and opportunities—not just financial ones—with the intent of maximizing shareholder value as a whole.” [16]

Furthermore, the Casualty Actuarial Society (CAS) defines enterprise risk management as “the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risk from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.” [17]

Benefits of Risk Management

Risk management is an essential activity for every organization. Although proper risk management cannot completely eliminate the chance of a negative event, it can reduce the probability of negative events and furthermore it can help reduce the amount of loss resulting from a negative event. Different organizations and industries will experience different benefits from effective risk management. However, some of the common benefits include:

• Increasing shareholder value through minimizing losses and maximizing opportunities.
• Fewer disruptions to operations.
• Better utilization of resources.
• Fewer shocks and unwelcome surprises.
• Employees, other stakeholders, and relevant governing and regulatory bodies are more confident in the organization.
• More effective strategic planning.
• Better cost control.
• Timelier assessment of and grasp of new opportunities.
• Better and more complete contingency planning.
• Improved ability to meet objectives and take advantage of opportunities.

[15] Paul L. Walker, Ph.D., CPA and William G. Shenkir, Ph.D., CPA, Enterprise Risk Management: Frameworks, Elements, and Integration, Statement on Management Accounting (Montvale, NJ: Institute of Management Accountants, May 2018) p. 31.

[16] Ibid., p. 5, quoting J. W. DeLoach, Enterprise-wide Risk Management: Strategies for Linking Risk and Opportunity, Financial Times (London, England, 2000), p. 4.

[17] Casualty Actuarial Society Committee on ERM, Overview of Enterprise Risk Management, 2003.

© 2018 HOCK international, LLC. For personal use by original purchaser only. Resale prohibited.

Types of Risk

Risk can be classified in various ways and some classifications can overlap. Commonly-used classifications of risk are:

1) Strategic risks are entity-level risks that affect the whole organization. Some examples of strategic risks include the economy, global market conditions, and risks that are connected to the organization itself such as reputation risk, brand risk (patent and trademark protection), leadership risk, and the risk of customers’ needs changing. Entity-level risks also include risks related to actions of competitors and changes in the regulations to which businesses are subject, as regulatory changes could cause significant increases in compliance expense.

   Of particular note are the unforeseeable, detrimental effects associated with political risk. Political risk arises when political conditions in a given country cause a company’s investments or assets—in that country or in other countries—to lose value or even to become worthless. Political risk includes the more benign, expected problems of taxes, regulations, and government bureaucracy. Consumer attitudes may vary from culture to culture. Corruption, official and unofficial, can add uncertainty to business transactions. More worrisome risks include blockage of fund transfers, inconvertible currency, currency devaluation, and inconsistent or contradictory enforcement of laws. Worst case scenarios might involve expropriation (that is, government seizure of private property with or without compensation), civil unrest, or war.

   Because strategic risks are so global in nature, it is difficult for management to directly or actively manage or reduce (mitigate) them. Furthermore, the number of things that could possibly go wrong on a global scale is vast; therefore, it is financially impractical to forecast, plan for, or influence all contingencies. At best, management and the board of directors should identify and monitor potentially troubling events.

2) Operational risks result from inadequate or failed internal processes, people, or systems. Operational risks include supply chain risk, process execution risk, human resources risk such as employee turnover and performance incentive risk, technological risks such as glitches, failures, or security breaches, business continuity (that is, breaks in continuity), customer satisfaction (or dissatisfaction), and product or service failure. In addition, two specific subsets of operational risks are legal and compliance risk:

   a. Legal risk arises from uncertainty related to legal actions or the applicability or interpretation of contracts, laws, or regulations.

   b. Compliance risk is the current or future risk to profits or to the company’s assets as a result of violations of, or nonconformance with, laws, rules, regulations, required practices, internal policies and procedures, or ethical standards.

   Because operational risks are more directly under the influence of management than are strategic risks, management is in a good position to mitigate such risks proactively.

3) Financial risks are connected to the financial health of the company. Capital availability is one of the most important financial risks. Financial risk can also arise from volatility of foreign currencies, interest rates, or commodity prices (inputs). Further financial risks can result from concentration of customers and receivables, lack of liquidity, and trading activities. The need to comply with accounting standards, financial reporting requirements, regulatory reporting requirements, and tax regulations introduces important financial risks, as well. Borrowing money creates a form of financial risk for the following reasons:

   a. Lack of cash flow may cause the firm to be unable to pay its interest and other obligations when they become due. As the proportion of fixed cost (that is, debt) financing to total financing in a firm’s capital structure increases, fixed cash outflows for interest expense also increase. When cash outflows for interest expense increase, the possibility of insolvency also increases.

   b. The payment of interest creates increased variability in earnings per share because the fixed interest costs increase the volatility of a firm’s earnings before taxes (EBT).

4) Hazard risks are risk events that can be insured against, such as natural disasters (with property insurance), death of a key employee (with key person life insurance), or personal injury on the business premises (with liability insurance).

In considering these four types of risks, volatility and time are features that impact the risk.

• Volatility refers to inconsistency of results. For example, if sales fluctuate wildly from day to day, sales are extremely volatile. Volatility increases risk because it increases uncertainty about the future and increases the probability of poor future results.

• Time can also be a crucial element in risk. The longer the time period under consideration, the greater is the risk. For example, for a given project, the risk of overruns, employee turnover, adverse conditions, or unexpected delays increases with the passage of time because more opportunities exist for things to go wrong. Therefore, a project that covers a longer period of time is riskier than a project covering a shorter period of time.

Note: The above discussion on volatility and time focuses on their negative aspects. That said, it is entirely possible that volatility and time could have a positive effect on outcomes. However, since the topic is risk, emphasis is placed on the negative, rather than on the positive.

Internal and External Risk

Risks can also be classified as internal or external risks.

Examples of internal risks include:

1) Infrastructure risk events such as changes to the organization or its policies. Changes can cause a decrease in customer satisfaction leading to customer complaints. Expansion of facilities carries a risk of lack of demand for the increased production.

2) Process-related risk events such as changing the way a product is manufactured. Changes in processes can cause a wide range of risk events, for example processing errors and omissions.

3) Internal technological risk events such as introducing new software.

Examples of external risks include:

1) Competition and actions of competitors.

2) Regulations and the company’s capacity or willingness to comply.

3) Supply chain disruptions such as lack of availability or inclement weather.

4) Political risk, including all the scenarios discussed above as strategic risks.


Question 66: The lawyers of Regional Tobacco Company have recently informed management that they believe that the company may lose an ongoing court case and as a result will be forced to pay a large monetary damage. The characteristics of the court and judicial system that influence the frequency and severity of losses is known as

a) Moral hazard.
b) Compliance risk.
c) Speculative risk.
d) Legal risk.

(HOCK)

Question 67: Mike Smith is the CFO at TechEquip Inc., a manufacturer of computer equipment. Smith learned last week that the accounting department has not completed any bank reconciliations for the last six months due to the implementation of a new accounting software package. What type of risk has Smith identified?

a) Financial risk
b) Hazard risk
c) Operational risk
d) Strategic risk

(ICMA Adapted)

Question 68: Riverfront Properties’ new apartment building was almost complete. There were a few inspections left to pass, and they did not have a certificate of occupancy. However, the owner felt that they were close enough that he allowed new tenants to begin moving in. The risk that the owner has created in this situation is best described as

a) operational risk, because the owner was not in compliance with laws and regulations.
b) strategic risk, because the owner was not in compliance with laws and regulations.
c) strategic risk, because the remaining inspections could determine that the building is uninhabitable.
d) operational risk, because the remaining inspections could determine that the building is uninhabitable.

(ICMA 2014)


The Risk Management Process

The following list represents a general approach to the risk management process. However, it is important to bear in mind that the risk management process can be organized in a number of different ways. Steps may be added or altered in response to specific situations. Furthermore, enterprise risk management (covered next) introduces the importance of integrating strategy setting and performance with risk management.

The basic steps in risk management are:

1) Risk identification
2) Risk assessment (qualitative and/or quantitative)
3) Risk prioritization (deciding which risks to address and in what order)
4) Response planning
5) Risk monitoring

Step 1: Risk Identification

Management, with oversight from the board of directors, analyzes the company’s internal business, external environment, business processes, existing controls, and any other areas of potential risk to identify all possible risk events that might adversely impact or otherwise prevent the company from achieving its objectives.

The risk identification process should take place at all levels of the organization. Within each business unit, key employees in areas such as operations, finance and accounting, IT, and unit management should be tapped to take part in the identification of risks in their respective areas.

When properly executed, the process of risk identification identifies risks that have a reasonable probability of occurring and impacting operations within a foreseeable period of time. Internal and external events that can entail risks include, but are not limited to, the following events:

Internal Events

• Capital investments made to support strong customer demand, improve customer satisfaction, reduce downtime, and so forth.
• Technological change creating the need for new processes and changed processes.
• Personnel events such as work stoppages, employee fraud, or the loss of key employees.

External Events

• Economic events, both domestic and international, such as a recession or international trade events leading to currency and other price fluctuations.
• Natural disasters such as fires, floods, hurricanes, earthquakes, or volcanoes.
• Political events such as new regulations, changes in tax laws, and results of elections.
• Social factors such as changing demographics.
• Technological change creating opportunities for new products or services to offer.

Note: Enterprise risk management (covered next) emphasizes that risk identification must be considered in light of the overall strategic goals of the business, the threats and opportunities the business faces, and the strengths and weaknesses within the business as a whole, as well.


Event Identification Techniques

Management needs to establish formal processes to review potentially significant risks in order to decide which events need further attention. The IMA’s Statement on Management Accounting, Enterprise Risk Management: Tools and Techniques for Effective Implementation (SMA:ERMT) lists the following techniques for identifying risks:

1) Brainstorming sessions are meetings in which employees, management, or staff members are invited to discuss the risks they encounter in their particular fields and to develop solutions through dialogue and idea sharing. Brainstorming sessions can be limited to selected organization units; however, the results of the brainstorming work can be used by other units to identify their own risks.

2) Event inventories and loss event data can be used in brainstorming sessions to provide the participants with risks to consider. Event inventories are detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries. Loss event data could be a database on actual loss events that have taken place for a specific industry or an archive of actual events experienced by the company that only the longer-tenured management can recall. An archive of actual events that have occurred can serve as a resource of “lessons learned.”

3) Interviews and self-assessment. Each unit assesses its risk management capability and submits its self-assessment to the risk management coordinator, who could be the chief financial officer, the controller, the chief operating officer, or the chief risk officer. The coordinator follows up with interviews to clarify issues. After the information has been completed, a cross-functional team might participate in a facilitated workshop to discuss it.

4) Facilitated workshops involve a facilitator leading a discussion about events that may affect the achievement of the entity’s objectives, in order to identify the most critical risks. Alternatively, the workshop might focus on just one unit and on identifying that unit’s most critical risks. Workshops can be limited to management or they can include employees, customers, suppliers, or other stakeholders in order to draw on the accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions. For example, a financial controller might conduct a workshop with the accounting team to identify events that could have an impact on the entity’s external financial reporting objectives. By combining the knowledge and experience of team members, important events are identified that otherwise might be missed.

5) SWOT analysis is used for formulating strategy. “SWOT” stands for strengths, weaknesses, opportunities, and threats. Strengths and weaknesses are internal and include the company’s culture, structure, financial resources, and human resources. Opportunities and threats are external and are usually not under the control of management in the short run. They include political, societal, environmental, and industry risks. Serious consideration of the organization’s weaknesses and threats as a part of the strategic planning process can lead to explicit identification of risks.

6) Risk questionnaires and risk surveys are other sources of information to identify potential risks by providing a l...

