BS Chapter 9 - Risk Management
Approaches to choosing scenarios as a basis for decisions are:
- Assume the most probable
- Hope for the best
- Hedge (choose strategy that produces satisfactory results across all scenarios but is not optimal for any single scenario)
- Flexibility (wait & follow approach of others)
- Influence (try to influence events so that favoured scenario evolves)
Effective & efficient communication is vital for the business as it is vital that:
- everyone in RM must be aware of importance to the business, the risk priorities of the business & their role within the process
- knowledge from any new risks identified by one area of the business should be transferred to all areas of the business so it can be incorporated into business-wide risk management strategy
- all levels of management are regularly updated about management of risk in their area of responsibility to enable them to monitor adequacy & completeness of any risk plans & controls
- procedures are in place for escalation of any issues arising
Risk management models:
Involves continuous process of identification, assessment, treatment, monitoring & review
RM models designed to show that RM is continuous & that it is a logical process
Aims to demonstrate interaction & comparison of risks as well as assessment of individual risks
Risks change & therefore compliance must be continuous
Process is circular with results of monitoring & review feeding back into process to redefine the identification, assessment & treatment process
Risk overview
Risk arises when there is a variety of possible outcomes
Risk management is concerned with positive & negative aspects of risk. Business will look to minimise downside risk whilst leaving itself open to upside risk
'Risk' often muddled with 'uncertainty' which is strictly speaking different because uncertainty cannot be quantified
Modern thinking suggests all future outcomes are subject to uncertainty which ranges from a 'clear enough' future to 'true ambiguity'
Risk management therefore requires management to treat all risks it can forecast but also take courses of action to cope with risks it cannot forecast
RM Process:
Strategic Objectives
1. Risk appetite
2. Risk identification
3. Risk analysis
4. Risk evaluation & response
5. Risk monitoring & reporting
6. Review process & feedback to 1.
Risk Reduction:
= retaining the activity in the business whilst undertaking actions to reduce the risk to acceptable levels
establishing systems & procedures to mitigate the effects or probability of any risks e.g. alarm system, sprinkler systems
Mitigating controls include:
- Preventative controls: controls designed to minimise probability of occurrence of undesired event e.g. no smoking rules, segregation of duties, authorisation limits
- Corrective controls: controls designed to correct effects of undesired event e.g. sprinkler system
- Directive controls: controls designed to ensure particular outcome is achieved, e.g. H&S requirements: protective gloves
- Detective controls: designed to identify occurrence of risk events e.g. alarm systems, financial reconciliations, inventory checks
Risk identification techniques:
Management must identify types of risk faced by business. Risk identification must be a continuous process so that new risks & changes to existing risks can be quickly identified
2 broad approaches:
- Risk sources: management deals with the source, whether internal or external, of risk
- Risk events: management address the specific identified threats or events themselves
Reporting on Risk Management:
UK Turnbull report states board should disclose at a minimum in the FS:
- the existence of a process for managing risk
- how board has reviewed effectiveness of the process
- that the process accords with the Turnbull guidance
also include:
- acknowledgement that board are responsible for company's system of internal financial control & for reviewing its effectiveness
- an explanation that such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives & can only provide reasonable (not absolute) assurance against material misstatement or loss
- summary of the process that the board have used to review the effectiveness of the system of internal financial control & consider the need for an internal audit function if the company does not have one. There should also be disclosure of the process the board has used to deal with material internal control aspects of any significant problems disclosed in the FS
- information about those weaknesses in internal financial control that have resulted in material losses, contingencies or uncertainties that require disclosure in the FS or the auditor's report on the FS
External considerations:
- all orgs operate with trading partners: customers, suppliers
- communication of risk issues with business partners is essential especially where one business is dependent on another
- differing risk appetites & priorities may mean partner does not have requisite policies & procedures in place to satisfy org's own risk appetite
- management need assurance that partners have implemented adequate & appropriate risk management strategy
- all business stakeholders are concerned by risk therefore important to communicate how org is managing risk & manage stakeholder expectations
Why manage risk?
Corporate Governance (chapter 8) encourages good practice re risk management & risk assessment
Risk-based management approach is required for all UK listed companies under UK Corporate Governance Code which sets out principles re management of risk:
- board is responsible for determining nature & extent of significant risks it is willing to take to achieve its strategic objectives & should maintain sound risk management & internal control systems
- board should at least annually conduct a review of the effectiveness of the company's risk management & internal control systems & should report to S/H that they have done so. Review should cover all financial, operational & compliance material controls
Other considerations re risk treatments: any system of risk treatment should as a minimum provide:
- effective & efficient operation of the organisation
- effective internal controls
- compliance with laws & regulations
effectiveness of internal controls can be assessed on extent to which it reduces or eliminates associated risk
important, however, that the control put in place is proportionate to the risk. cost effectiveness of IC relates to cost of implementing the control compared to the risk reduction benefits expected
compliance with laws & regs is not optional & breaches may result in penalties
org must understand applicable laws & implement system of control to achieve compliance
UK Corporate Governance Code recommends following the Turnbull Guidance on internal controls which emphasises that the board of directors must:
- ensure the company has an effective system of internal control covering financial, operational & compliance controls as well as risk management systems
- review effectiveness of internal control system in addressing the risks that the board has identified
- report on the internal control system every year
S/H need to feel confident that the board is aware of the risks facing the org & has a system in place to monitor & control them. Board should seek to adopt risk controls and to make the deployment of them transparent and visible
Other influences on risk appetite: Management may be responding to other factors in shaping the risk appetite of the firm:
- expectations of S/H e.g. firm with long history of stable, unremarkable performance will attract blue chip investors
- organisational attitudes e.g. management may be influenced by significant past losses, changes in regs etc
- national origin of the organisation: e.g. UBS Switzerland higher capital ratios than UK & US banks. some cultures have higher uncertainty avoidance
- regulatory framework e.g. banks required to maintain prudent reserves
- nature of ownership e.g. state owned enterprises stand little to gain from successful but risky ventures but will lose a lot from unsuccessful ones
- personal views on risk taking
The system recommended by Turnbull report is notable because:
- it is forward looking
- it is open, requiring appropriate disclosures to all stakeholders about the risks being taken
- it doesn't seek to eliminate risk & is constructive in its approach to opportunity management as well as concerned with disaster prevention. to succeed companies are not required to take fewer risks than other companies but are required to know what they can handle and disclose & control adequately
- unifies all business units of a company into an integrated risk review so that the same risk terminology is applied throughout the company
- it is strategic & driven by business objectives, particularly the need for the company to adapt to its environment
- it should be reevaluated on a regular basis
- it should be durable, evolving as the business & its environment changes
- communication of risks helps S/H make informed decisions. S/H are prepared to tolerate risk provided they receive an acceptable level of return
Risk management policies fulfil other functions too. We are primarily concerned with how they mitigate financial loss risk to organisation, which can arise from:
- litigation from persons injured from activities of org or its staff
- fines from regulatory bodies
- loss of assets due to theft or damage
- costs of making up for errors
- revenues lost due to breakdowns e.g. plant
- loss of reputation
Incorporating risk & uncertainty into decision making. Techniques for dealing with uncertainty. Business can build confidence into its decision by reducing uncertainty. Techniques for dealing with uncertainty & risk in decision making include:
- making prudent estimates of outcomes to assess the worst possible situation
- assessing the best & worst possible outcomes to obtain a range of possible outcomes
- using sensitivity analysis to measure the impact of changes in forecast estimates
Risk monitoring, reviewing & reporting: Management must establish systems for monitoring & reviewing for 2 reasons:
- monitor effectiveness of current risk management process
- monitor whether risk profile is changing or not
processes needed to see if risks still exist, whether new risks have arisen or whether likelihood or impact have changed
processes should report significant changes that impact on risk priorities. these should be embedded into normal reporting procedures so that risk management is regularly reported alongside other things like financial performance
overall risk profile should be reviewed regularly to give assurance that there are appropriate controls in place for the org's current activities & that controls are understood & followed
E.g.s of risk monitoring processes
- regular review of projects against specific costs & completion milestones
- systems of notification of incidents
- internal audit functions
- employment of compliance-monitoring staff
- skills assessment & medical examinations of staff & managers to ensure competence & fitness to work
- fire drills, evacuations, disruption operations practices
- use of embedded IT to monitor risk
- intelligence gathering on occurrences elsewhere e.g. experiences of fraud, industry controversies e.g. banking, equipment recalls/ failures, outcomes of legal cases
- monitoring of regulatory framework of the industry to ensure compliance
Monitoring & review process should also establish if:
- controls adopted achieve required results
- procedures adopted & info gathered were appropriate
- improved knowledge would have helped reach better decisions & how to implement into future assessments
Reactors - inconsistent attitude to risk
- respond inconsistently or are unable to respond effectively to changes & developments in business environment
- seldom make changes until forced to do so
- no consistent or clearly defined strategy & lack consistency within business structure
- tend to make one of following strategic mistakes:
1. management fail to develop viable org strategy
2. management develops appropriate strategy but technology, structure, processes are not appropriately linked to that strategy
3. management adheres to particular strategy that is not relevant to business environment
Courtney et al describe 4 classes of uncertainty:
1. Clear enough futures - future can be assessed with reasonable accuracy because it follows on from past without major change e.g. forecast of bread sales made by management of bakery
2. Alternative futures - outcomes depend on an event e.g. the value of rights to make national football team merchandise depends on whether they qualify for the World Cup or not
3. Range of futures - outcome varies according to a number of variables that interact, e.g. hotel operator's forecast of sales of holiday accommodation depend on temperature, price of flights, level of disposable income etc
4. True ambiguity - very high uncertainty due to the number and unpredictability of the variables influencing the outcome e.g. investment in emerging economies where the outcome will be determined by political events, global economic developments, natural & man-made disasters, cultural & religious change
1 & 2 could be quantified with tolerable accuracy but 3 & 4 are much more uncertain
Risk management requires management to treat risks that it can forecast but also to take the courses of action to cope with the risks that it cannot forecast
Influence of managerial culture - Miles & Snow identified 4 strategic types of business defined by orientation of management to strategic challenges
1. Defenders: firms like low risk, secure markets, tried & trusted solutions. Stories & rituals reflect historical continuity & consensus. Decision making relatively formalised
2. Prospectors: dominant beliefs more to do with results & therefore risks are taken
3. Analysers: try to balance profits & risk using core of stable products & markets as source of earnings to move into innovative prospector areas. Analysers follow change but do not initiate it
4. Reactors: do not have viable strategies (unlike 1, 2 & 3 above) & live hand to mouth muddling through. Reactor is sub-optimal in its performance
Findings suggest that direct match needed between org's mission, org's strategies & org's behaviour
Risk description: Risk description table can be used to facilitate identification & assessment of risks & should include:
1. description of the risk
2. scope of risk (events & impact)
3. nature of risk (financial, hazard, strategic, operational etc)
4. parties affected: how internal & external parties will be affected
5. quantification of risk: probability & scale of any losses or gains, possibly including Value at Risk assessment
6. risk tolerance/ appetite: level of risk considered acceptable for this matter
7. risk treatment & control: means by which risk is managed at present & assessment of current risk controls in force
8. potential action for improvement: risk reduction options
9. strategy & policy developments: identification of functions responsible for developing strategy & policy
1-4 can be done at risk identification stage but remainder must be done as part of ongoing continuous process of risk management
Scenario Building: Scenarios are used in 2 situations:
1. to develop contingency plans: to cope with arrival or threat of risk which are of indeterminable probability e.g. chemical company spillage: develop scenario of major spillage at plant & set up emergency routines to deal with it, but cannot assess how likely spillage is to occur in actual practice
2. as a prediction technique: a series of alternative pictures of the future operating environment are developed that are consistent with current trends. impact of each scenario upon business is assessed & plans drawn up for each event or how to protect against it
Risk Retention:
= All risks that are not avoided or transferred fall into this category
Involves tolerating the loss when it arises
Many risks are tolerable without any further action being taken
= Viable strategy where cost to insure the risk over time is greater than total losses sustained over time, aka Self Insurance
Risk Retention = only option for some uninsurable risks e.g. effects of war. Decision to tolerate risk in this instance may be supplemented by contingency planning to mitigate effects
Most insured risks carry an excess which counts as a retained risk as is any amount of loss in excess of the insured sum
Sensitivity Analysis: simplest form = changing value of one variable in order to test its impact on the final result
= an attempt at priority setting
- look at how sensitive results are to changes in assumptions, allows org to ascertain which parameters will have the biggest impact on a decision & therefore which ones need to be forecast most accurately
- various mathematical techniques exist for SA e.g. NPV
- SA allows org to consider range of possible outcomes by asking 'what if?' Qs
  e.g. what will happen to profits if price of components increases 10%?
  e.g. what would happen to demand if SP increased by 15%?
  e.g. what will happen to Revenue if market share drops 5%?
- SA can only consider changes to one variable at a time & therefore SA doesn't allow for interaction between variables
Risk management & business continuity planning (BCP) Business Continuity Planning:
= process through which a business details how & when it will recover & restore operations interrupted by the occurrence of a rare but massive risk event
Because all businesses must accept some level of residual risk, BCP has been developed to deal with the consequences of realised residual risks = unpredictable one off events e.g. building fire, terrorism, earthquakes, pandemic illness
Factors to consider:
- securing interim management & staff
- inventory replacement
- restoration of data & other IT systems
- securing interim premises
- management of PR issues
Evaluating & addressing risk: Risk evaluation:
= the process by which a business determines the significance of any risk & whether those risks need to be addressed
risk evaluation should be carried out for both:
- new business proposals & changes to operations
- existing business operations
once risk analysis is complete & business risk tolerance established, management should make decisions re significance of risks to org & whether each risk should be accepted or treated
risk criteria likely to include consideration of e.g. costs vs benefits, legal requirements, socioeconomic & environmental factors, stakeholder concerns etc
Risk management policy: Risk is unavoidable & strategy must reduce risk to acceptable levels:
All levels of business required to be involved in risk management, reporting, communication:
Board - overall view & demand policies
Managers of Business Units - assess risk from business unit perspective & ensure risk management policies implemented
Individuals - may become aware of or manage specific risks
Analysers - balanced attitude to risk & return
Analysers:
- between prospectors & defenders
- balance risk avoiding attitude with risk seeking attitude
- less innovative than prospectors
- wait to see market's reaction to new developments & then carefully analyse key success factors for new opportunities before committing
- once product is developed, formalised structures & processes developed to achieve high efficiency to build market share similar to defenders to build revenue
- operate in two market areas - relatively stable & innovative & regularly changing
- operate like defenders in stable areas & like prospectors in changing areas
- keep close eye on competitors & rapidly adapt where changes look promising
- moderate levels of efficiency overall - highly efficient in stable areas & less efficient in changing areas
- key business = marketing, applied research & production
Risk Avoidance:
Not undertaking or terminating any activity that carries risk e.g. do not enter contracts with certain countries or not buying business to avoid tax consequences. Avoiding risk also means losing out on potential opportunity & gain therefore isn't always answer to all risks
The Risk Management Standard issued by the Institute of Risk Management sets out responsibilities of directors in this respect:
Board has responsibility in determining strategic direction of the org and for creating the environment and structures for risk management to operate effectively
Board should, at a minimum, in evaluating its system of internal control, consider:
- nature & extent of downside risks acceptable for the company to bear within its particular business
- likelihood of such risks becoming a reality
- how to manage unacceptable risks
- company's ability to minimise the probability & impact on the business
- costs & benefits of the risk control activity undertaken
- effectiveness of risk management process
- risk implications of board decisions
Risk management should be embedded through the strategy & budget process
Business's success partly down to how it manages risks & exploits opportunities. Risk management therefore not just a regulatory environment or defensive tactic to avoid losses but is integral to seeking & exploiting competitive advantage
Margin of Safety: e.g. business deciding whether to go ahead with new product or expand overseas may want to know how much margin of safety exists between planned & break even levels of sales:
Break Even Analysis:
= measure of sensitivity of profit to changes in output:
Total contribution - Total fixed costs = Profit
Total contribution = Contribution per unit x Output
@ BE point: Total contribution = Total fixed costs
Thus: Contribution per unit x Output = Total fixed costs
Therefore: BE output = Total fixed costs / Contribution per unit
So to achieve required level of profit (say £10,000) then:
Required output = (Total fixed costs + £10,000) / Contribution per unit
Feedback, communication & learning
Communication & learning is not a separate stage in the risk management process but a continuous process which must operate at every stage of the process
Org's risks are dynamic and change as its operations & environment change
- learning from experience: the effectiveness of the planned RM process must be reviewed and appraised regularly so that risk plans can be updated, revised to accommodate new risks or changes to existing risks in light of anything learned e.g. IT dept learn from system failure how to restore files & backup files
- constant updating: in a dynamic business risks are in constant state of flux. systems required to identify new risks & changes to existing risks therefore RM is continuous process where risks continuously assessed & plans continuously refined (especially in light of occurrence of any risk event). experiences of different divisions of business should be shared
Risk management needs to be top-down process to ensure integration across business. Should be embedded in systems & culture to become integral part of operations & finance e.g. risk management policies:
Corporate codes of conduct - e.g. control risks from discrimination, bribery etc. how staff relate to each other
Environmental policies - energy use, emissions, recycling, waste disposal
Health & Safety policies - H&S officers, routine testing & risk assessment, fire procedures
Financial controls - budgetary control, capex authorisation procedures, FA systems, credit control procedures, insurance of assets
Information systems controls - creation of information officers, regulations on use by staff, password & access controls, back up & standby systems, firewalls
Personnel controls - background checks, interviews, discipline procedures, ID requirements, attendance monitoring, appraisals
Internal Audit processes - assuring financial systems in relation to requirements for statutory audits & business assurance re internal controls
Defenders - low risk tolerance
Defenders:
- specialist providers of specific product/ service
- concentrate on core technology, often vertically integrated
- often have stable structure & strong finance & highly efficient processes - gives them competitive advantage & they seek to maintain this through intensively incremental improvements
- narrow area of ops & top management with expertise in these areas
- do not tend to look for opportunities outside sphere of expertise
- seek to protect market position through efficient production, strong internal controls, continuity & reliability
- tend to perform best in stable markets with high barriers to entry as can protect market position through high cost efficiency & utilisation of bespoke standardised processes
- basic strategy used by defenders is to aggressively maintain market share in chosen market segment
- prefer to seek increase in depth of expertise inside current market rather than seek new developments outside sphere of expertise
- look to grow cautiously & incrementally
- risk tolerance is low
RM approach will depend on org's appetite for risk which should link in with business objectives & strategy
Risk appetite:
Extent to which company is prepared to take on risks in order to achieve its objectives
In Practice - Risk vs Uncertainty
In practice, distinction is blurred e.g. Huge losses by insurance underwriting syndicates show assessments of risk used in insurance have been compromised by unanticipated events e.g. flooding & hurricanes
Despite using term 'risk', many business strategies are taking place in situations of uncertainty:
A management team that only undertakes strategies in which the likelihood of success or failure can be precisely quantified would launch no new products, enter no new markets and research no new technologies
Addressing risk:
Involves selection of procedures to monitor, control & mitigate effects of risk.
Possible approaches to treatment of risk:
- Avoidance/ Abandon - immediate action e.g. stop ops
- Reduction/ Control - take action e.g. increase control
- Transfer - insure/ develop contingency plan
- Retention/ Accept - risk not worth any of above methods
Preferred option of risk management may not be possible.
Risk response can be linked into the severity/frequency matrix:
- Low Severity, Low Frequency: Accept
- Low Severity, High Frequency: Control or Reduce
- High Severity, Low Frequency: Transfer
- High Severity, High Frequency: Abandon or Avoid
Margin of Safety:
Margin of Safety: = (Planned sales - Breakeven sales) / Planned sales
The greater the margin of safety the less sensitive the profits to a sudden fall in sales
Prospectors - risk takers
Prospectors:
- opposite of defenders
- proactive & pursue aggressive strategy towards addressing new market opportunities
- entrepreneurial attitude & constantly seeking new products/ markets & responses to emerging trends
- willing to take on risks associated with new developments & maintain flexibility to respond to change
- they are innovators & their innovations cause change & uncertainty to which their competitors must respond
- risk seekers looking to benefit from taking entrepreneurial risk
- tend to be less efficient than defenders due to continually changing structure of operations & technology
- utilise many technologies in broad range of operations & regularly prototype potential new products
- uncertainties re their innovations & how market may react, planning tends to be broad & less intensive
- business management structure tends to be product based
- management results orientated & appraised by ref to managers in similar org
Risk & Uncertainty: Technical distinction between risk & uncertainty
Risk = quantification of the potential variability in a value based on past data
Uncertainty = non-quantifiable e.g. whether a customer will be retained for the next 2 years
Risk should be defined as a measure of the variability in the value of a factor that is capable of statistical or mathematical evaluation
For the purposes of risk management, risk can be defined as the combination of the likelihood of an event and its consequences:
Risk = Likelihood x Impact
Given that we are mainly interested in the financial impact of risk this can be stated as:
Risk = Likelihood x Financial consequences
General attitudes:
Risk Averse, Risk Neutral, Risk Seeking
Risk Analysis:
Once org has identified risks, need to understand scale of risk by risk assessment & profiling
Org's likely exposure to loss can be assessed by quantitative or non-quantitative methods for risk assessment & prioritisation
Result of this should be a risk profile for the firm which management can use to set priorities for risk mitigation
Risk assessment:
Risk assessment is establishing the financial consequences of each risk event (severity) and its likelihood of occurrence (frequency)
Financial consequences can be easy to measure e.g. value of lost inventories, rebuilding premises etc or may be more awkward e.g. if loss of life involved. May not know full extent until after event
Assessment of probability of occurrence is often more problematic especially re events such as natural disasters
What is risk?
Risk can be both positive and negative. Risk implies variability which can work both against the company (a risk) or in its favour (an opportunity)
Risk is more than probability. It includes consequences. Chance of flipping a coin & getting heads = 50%. It only becomes a risk if we gamble on the outcome. Larger the amount at stake, the bigger the risk, but the probability stays the same
Risk is different to uncertainty which arises due to lack of information about the future
Risk Identification:
Risk identification sets out to identify an org's exposure to risk
Requires knowledge of the operation, market in which it operates & the legal, social, political and cultural environment in which it exists
Risk management involves:
Selection, implementation, monitoring & review of suitable risk treatments for each risk identified
Effective risk management enables business to:
- reduce business threats to acceptable levels
- make informed decisions re potential opportunities
Allows stakeholders to have confidence in business & its future
Types of Risk:
Ultimately all business risks will be reflected in financial risk
For purpose of managing risk it helps to break risks down further into their origins
Business risk: Variability of returns due to how business trades or operates, exposure to markets, competitors, exchange rates. This business risk can be sub-analysed into:
Strategic risk: Risks associated with business's LT strategic objectives, potential variability of business returns arising as result of company strategy & position in respect of competitors, customers, reputation, legal & regulatory change, political change. Also encompasses knowledge management i.e. effective management & control of knowledge resources e.g. key personnel, intellectual property & production technology
Operational risk: Variability arising from effectiveness of how business is managed & controlled on day to day basis, accuracy & effectiveness of its IS & a/c systems, reporting systems, management & control structures. Also encompasses compliance with H&S, consumer protection, data protection etc
Hazard risk: Exposure to natural events & their impacts, actions of employees, consequences of accidents on business, trading partners or customers
Financial risk: Risk arising as a result of how business is financed. Level of gearing, exposure to credit, interest rates, exchange rates, liquidity. Financial risk tends to amplify inherent business risk at low levels of gearing & at high levels may directly contribute to risk of business failure. Interest, exchange rates, taxes, state of economy will bear more heavily on firms with operations limited to one country than they will upon a transnational operator
Compliance risk: Risk arising from non-compliance with laws & regs by the company or breaches by a stakeholder which can have consequences for the company. May relate to financial laws/regs (pensions, social security, tax) or non financial laws/regs (H&S)
Internal risks: Risks arising internally over which the company can exercise complete control (whether it does or not)
External risks: Risks arising from factors outside control of the business over which it has no influence e.g. natural disasters
SWOT, PESTEL & 5 Forces useful to identify risks
Risk Transfer:
Transfer of risk to third party either contractually or by hedging
Insurance & many outsourcing contracts = contractual method
Financial risks usually hedged using derivatives
Risk estimation:
can be quantitative, semiquantitative, or qualitative in terms of probability of occurrence & possible consequence
quantitative risk assessment involves determination of measured figures for probabilities & consequences producing specific quantified measure of likelihood & of impact
some types of risk lend themselves to this process e.g. insurance companies have detailed statistical information on occurrence of many risk events. also have detailed estimates of cost of repairing the insured loss
other types of risk are very difficult to assess e.g. impact of event on reputation of a business hard to quantify & risk assessment therefore more subjective in this case
Risk Appetite:
considers extent to which organisation is prepared to take on risk to achieve objectives
Miles & Snow provide characterisation of firms' attitudes to risk & how it influences strategies: Defenders, Prospectors, Analysers, Reactors
Attitudes to risk also influenced by S/H expectations, regulatory framework & national/ cultural factors
Risk management:
increasingly recognised as being concerned with both positive and negative risk & looks to control risk from both perspectives e.g. buying a house with fixed interest rate eliminates 2 types of risk - upside and downside risk
businesses will look to manage downside risk whilst attempting to leave themselves open to upside risk, although this flexibility may come at a price premium, e.g. capped loan rate mortgage
Risk Management:
process of identifying & assessing risks & the development, implementation & monitoring of a strategy to respond to those risks
Risk Profiling:
result of risk analysis process is an overall risk profile detailing each of the risks along with an estimate of the risk to the company
the risk profile ranks each identified risk to give a view of the relative importance, forming the primary tool for prioritising & addressing risks
'Severity/ Frequency' matrix can be used to do this (aka 'Likelihood/ Consequences' matrix)
this profile can then be used to set priorities for risk mitigation. risks categorised as high frequency & high severity should be prioritised & dealt with first
the risk profile will:
- describe the risk & the business area affected
- describe the primary control procedures in place
- indicate areas where the level of risk control investment might be increased or decreased
Uncertainty:
the inability to predict the outcome from an activity due to a lack of information
Upside risk (speculative risk or opportunity):
the possibility that something could go better than expected (best case scenario)
Downside risk (pure risk):
the possibility that the outcome will be worse than expected i.e. something will go wrong, worst case scenario
Risk:
the possible variation in outcome from what is expected to happen
