








4.1 Risk Management
A QUICK REVIEW
Objectives of Risk Management:
To prepare the firm for potential losses in the most economical way.
To reduce anxiety and fear of unadjusted exposures.
To meet any legal obligation.
To ensure that after a loss occurs, the firm can resume at least partial operations within some reasonable time period. The ability to operate after a loss is extremely important. A public utility firm must continue to provide service.
To ensure that EPS can be maintained if the firm continues to operate. However, a firm may incur substantial additional expenses to achieve this goal.
Risk analysis: Risk analysis is a procedure to identify threats and vulnerabilities, analyze them to ascertain the exposures, and highlight how the impact can be eliminated or reduced. In other words, risk analysis refers to the uncertainty of forecasted future cash flow streams, variance of portfolio/stock returns, statistical analysis to determine the probability of a project’s success or failure, and possible future economic states. Risk analysts often work in tandem with forecasting professionals to minimize future negative unforeseen effects.
Methods of Risk analysis:
Qualitative Methods:
This method of risk analysis is most often used for decision making in business projects; entrepreneurs rely on their judgment, experience and intuition for decision making.
These methods can be used when the level of risk is low and does not warrant the time and resources necessary for making a full analysis.
These methods are used when the numerical data available are not adequate for quantitative analysis that would serve as the basis for a subsequent and more detailed analysis of the entrepreneur’s global risk.
Qualitative risk analysis is referred to as the base for quantitative risk analysis, and it is beneficial because not only is the uncertainty in the project reduced, but the focus also falls on the high-impact risks. Thus, it helps the prioritization of risk.
Semi-Quantitative Methods: Risks are classified as high, medium or low, with detailed descriptions of likelihood and consequences. These classifications are shown in relation to an appropriate scale for calculating the level of risk. It is important to give careful attention to the scale used in order to avoid misunderstandings or misinterpretations of the results of the calculation.
Quantitative Methods:
Quantitative risk analysis tallies the possible outcomes for the project and figures out the probability of accomplishing project objectives.
This assists decision-making, especially when there is uncertainty in the planning phase. It helps project managers create realistic cost, schedule and targets.
These are considered to be those that enable us to assign values of occurrence to the various risks identified, that is, to calculate the level of risk of the project.
The misconceptions regarding the ERM:
Enterprise risk management is not a function or department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.
Enterprise risk management is more than a risk listing. It requires more than taking an inventory of all the risks within the organization. It is broader and includes practices that management puts in place to actively manage risk.
Enterprise risk management addresses more than internal control. It also addresses other topics such as strategy-setting, governance, communicating with stakeholders, and measuring performance. Its principles apply at all levels of the organization and across all functions.
Enterprise risk management is not a checklist. It is a set of principles on which processes can be built or integrated for a particular organization, and it is a system of monitoring, learning, and improving performance.
Enterprise risk management can be used by organizations of any size. If an organization has a mission, a strategy, and objectives—and the need to make decisions that fully consider risk—then enterprise risk management can be applied.
Risk Analysis Methods: There are several risk analysis methods that assist risk managers in their decision-making process. Some of these involve the use of risk analysis tools such as charts and documents. A brief discussion of each follows.
Bow Tie Analysis: This qualitative risk analysis method is used to identify causes and consequences for all potential project risks. The project management team must first identify risks that might affect the project and then think about causes, consequences and, more importantly, a risk mitigation strategy for them. It’s a very versatile method that can be used in any industry.
Risk Analysis Matrix: The risk analysis matrix assesses the likelihood and the severity of risks, classifying them by order of importance. Its main purpose is to help managers prioritize risks and create a risk management plan that has the right resources and strategies to properly mitigate risks. Risk likelihood is measured on a relative scale, not a statistical one, which makes it a qualitative risk analysis tool.
Risk register: A risk register is a crucial project management tool to document project risks. It’s a document that lists all the potential risks that could occur during the project execution phase, as well as critical information about them. It is used as an input for the risk management plan, which describes who’s responsible for those risks, the risk mitigation strategies and the resources needed. Creating a risk register usually involves several reliable information sources such as the project team, subject matter experts and historical data.
SWIFT Analysis: Structured What If Technique (SWIFT) is a risk analysis method that focuses on identifying potential risks associated with changes made to a project plan. The risk manager is responsible for coming up with as many what-if questions as they can to find out all the potential risks that could arise. SWIFT Analysis is a structured brainstorming method of determining what things can go wrong and judging the likelihood and consequences of those situations occurring.
PAST EXAMINATION QUESTIONS
OBJECTIVE QUESTIONS
Q. 1 ____________ is a comprehensive and integrated approach to addressing Corporate Risk.
[Dec. 2021, 1 Mark]
Ans. Enterprise Risk Management (ERM)
Q. 2 Vertical analysis is useful in comparing the performance of several companies in the _____ group.
[Dec. 2021, 1 Mark]
Ans. Same
Q. 3 _______ involves splitting up a large company, such as a conglomerate comprising different divisions, into separate companies.
[Dec. 2021, 1 Mark]
Ans. Demerger
Q. 4 Business risk:
(a) Arises due to the default in meeting the financial obligations as and when due for payment.
(b) Arises due to changes in demand and supply, expectations of the investors, information flow, investors' risk perception etc.
(c) Is determined by how the business invests its funds.
(d) Is defined as exposure to a loss in offshore lending, caused by events in a particular country.
[Dec. 2016, 1 Mark]
Ans. (c) Is determined by how the business invests its funds. (A refers to financial risk, B refers to market risk and D refers to country risk).
Q. 5 Risk mapping:
(a) Is a procedure to identify threats and vulnerabilities.
(b) Denotes acceptance of the loss or benefit arising out of a risk when it takes place.
(c) Is one of the popular methods of measuring financial risks.
(d) Promotes awareness of significant risks through priority ranking, facilitating the efficient planning of resources.
[Dec. 2016, 1 Mark]
Ans. (d) Promotes awareness of significant risks through priority ranking, facilitating the efficient planning of resources.
Q. 6 Risk Management Strategies are:
(a) Avoid Risk, Reduce Risk, Retain Risk, Combine Risk
(b) Transfer Risk, Share Risk and Hedge Risk
(c) Both (a) and (b)
(d) None of the above
[June 2017, 2 Marks]
Ans. (c) Both A and B
Q. 7 Which one of the following strategies is not for managing risk?
(a) Risk-Avoidance Strategy
(b) Risk-Transferring strategy
(c) Risk-Measurement Strategy
(d) Risk-Acceptance Strategy
[June 2019, 2 Marks]
Ans. (c) Risk measurement strategy
Q. 8 Risk management techniques do not include _________.
(a) Risk avoidance
(b) Risk premium
(c) Risk retention
(d) Risk transfer
[Dec. 2022, 2 Marks]
Ans. (b) Risk premium
Q. 9 The risk which is primarily influenced by the level of financial gearing, interest cover, operating leverage and cash flow adequacy is called ________ risk.
(a) Financial
(b) Business
(c) External
(d) Exchange
[June 2023, 2 Marks]
Ans. (a) Financial
Q. 10 A colour coded version of the risk map is known as:
(a) Red-Blue risk map
(b) Red-Yellow map
(c) Heat map
(d) None of the above
[June 2025, 2 Marks]
Ans. (c) Heat map
Q. 11 Which of the following is not a risk management strategy?
(a) Avoidance
(b) Retention
(c) Asset
(d) Transfer
[June 2025, 2 Marks]
Ans. (c) Asset
Q. 12 The COSO Framework of ERM advocates 8 interrelated components of an ERM. Which one of the following is not a component of the said framework?
(a) Risk response
(b) Risk avoidance
(c) Risk assessment
(d) Monitoring
[June 2025, 2 Marks]
Ans. (b) Risk Avoidance
THEORY QUESTIONS
Q. 1 To be effective, any Enterprise Risk Management (ERM) implementations should be integrated with strategy-setting. Do you agree? Give your views bringing out the basic elements of ERM and the reasons why ERM is implemented. [June 2015, 10 Marks]
Write the needs of implementation of Enterprise Risk Management. [Dec. 2016, 4 Marks]
What is the essence of ERM? What is the actual need for implementing ERM? [June 2017, 10 Marks, Dec. 2019, 3 Marks]
Briefly explain the term “Enterprise Risk Management” (ERM). What are the basic needs for implementation of ERM?
[Dec. 2017, 10 Marks]
Ans.: Enterprise Risk Management is defined as a process, effected by an entity’s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
It is a structured and embedded approach that supports the alignment of strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties an organization faces as it creates value. In so doing, it equips the organization with quality management information to make decisions more effectively and with more confidence.
The essence of ERM is built around the pragmatic use of risk management as an effective management tool and as a significant driver of value. In today’s economic climate, the demand for a more comprehensive approach to risk management, to ensure that risks and opportunities are systematically identified and that risk responses are developed, has never been more critical.
ERM is about designing and implementing capabilities for managing the risks that matter. The greater the gaps between the current state and the desired future state of the organization’s risk management capabilities, the greater the need for ERM infrastructure to facilitate the advancement of risk management capabilities over time. ERM is about establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment.
ERM deals with risk and opportunities affecting value creation or preservation. ERM is a comprehensive and integrated approach to addressing corporate risk. ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
BASIC ELEMENTS OF ERM:
Strategy/objective setting – Comprehending the strategies and associated risks of the business.
Risk identification – Create a profile of major risks that can negatively impact the company’s overall financials.
Risk assessment – Identified risks are analyzed on the basis of their likelihood of occurrence and magnitude of impact.
Risk response - The various risk response strategies are considered and the appropriate actionable response, which aligns identified risks with management’s risk tolerances, is selected.
Communication and monitoring - Relevant information and data need to be constantly monitored and communicated across all departmental levels.
Others - A process, ongoing and flowing through an entity, which is effected by people at every level of an organization and applied in strategy setting across the enterprise, at every level and unit, and includes taking an entity-level view of risk.
It is geared to the achievement of objectives in one or more separate but overlapping categories. It is a means to an end, not an end in itself.
NEED FOR IMPLEMENTATION OF ERM:
Reduce unacceptable performance variability.
Holistic Risk View: It provides an integrated approach to managing all types of risks (strategic, operational, financial, compliance).
Strategic Alignment: Aligns risk-taking with organizational goals to enhance decision-making.
Regulatory Compliance and Corporate governance: Helps meet legal and regulatory requirements effectively.
Minimization of Losses: Identifies potential threats early and reduces the impact of unexpected events.
Improved Stakeholder Confidence: Builds trust among investors, customers, and regulators by demonstrating responsible risk management.
Operational Efficiency: Streamlines processes by reducing redundancies and enhancing control mechanisms.
Successfully respond to a changing business environment.
Enhanced Risk Awareness: Promotes a risk-aware culture throughout the organization.
Protection of Assets and Reputation: Minimizes disruptions and protects the organization’s reputation from risk-related damages.
Value Creation and Sustainability: Supports long-term growth and sustainability by proactively managing uncertainties.
Q. 2 Define the term Risk Management. State briefly its basic objectives.
[June 2015, 5 Marks]
Ans. : Risk management is the process of identifying, measuring, assessing, evaluating, and prioritizing risks followed by integrated and economical application of resources to reduce, observe, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. It is through risk management that risks to any specific program are assessed and systematically managed to reduce risk to an acceptable level.
Risk management is the act or practice of controlling risk. It includes risk planning, assessing risk areas, developing risk handling options, monitoring risks to determine how risks have changed and documenting overall risk management program.
Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues.
OBJECTIVES OF RISK MANAGEMENT
To prepare the firm for potential losses in the most economical way.
To reduce anxiety and fear of unadjusted exposures.
To meet any legal obligation.
To ensure that after a loss occurs, the firm can resume at least partial operations within some reasonable time period. The ability to operate after a loss is extremely important. A public utility firm must continue to provide service.
To ensure that EPS can be maintained if the firm continues to operate. However, a firm may incur substantial additional expenses to achieve this goal.
Anticipating the uncertainty and the degree of uncertainty of the events not happening the way they are planned.
Channelizing events to happen the way they are planned.
Setting right at the earliest opportunity, deviations from plans, whenever they occur.
Ensuring that the objective of the planned event is achieved by alternative means, when the means chosen proves wrong.
Q. 3 Risk Management Process refers to the process of measuring or assessing risk and then developing strategies to manage risk. Discuss the steps, which are taken to minimize the risk.
[June 2015, 5 Marks]
Ans. :
Risk identification: Detecting potential risks that could affect the objectives of a project or business. This step involves the event identification and data collection process. The institution has to put in place a system of capturing information through brainstorming, expert interviews, historical data analysis, checklists, or SWOT analysis.
Risk Assessment (Analysis): Evaluating the likelihood and potential impact of identified risks through qualitative and quantitative methods.
Risk Evaluation: Comparing estimated risks against risk criteria or tolerance levels set by the organization to decide which risks are acceptable and which need treatment.
Capital Allocation: Risk Analysis, Monitoring & Reporting sends information to the top management of the organization to take strategic decisions. Capital allocation plays a key role in management decision making.
Risk Treatment (Mitigation Strategies): Developing and implementing strategies to manage risks, such as avoidance of the activity that causes the risk, reduction of the impact or likelihood, transfer of the risk to a third party (e.g., insurance), or acceptance and monitoring of low-impact risks.
Monitoring and Review: Continuously tracking identified risks, detecting new ones, and evaluating the effectiveness of mitigation strategies to adapt to changes in the risk environment and maintain control.
Communication and Consultation: Keeping stakeholders informed throughout the risk management process to ensure transparency, gain support, and improve decision making.
Q. 4 Write a short note on Risk Management Process.
[Dec. 2015, 2.5 Marks]
Ans. : Risk management is the process of identifying, evaluating, and prioritizing risks followed by integrated and economical application of resources to reduce, observe, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
The process of risk management embraces 5 specific steps:
Identification and assessment of risk: Risk should be identified before it is managed. For this purpose, the risk of the enterprise needs to be categorised in silos as discussed in the previous section.
Analyse the risk: After identification of the risk, the task of the risk manager is to look into the nature, magnitude and consequence of the risk. During this step, the risk management team will examine the probability of occurrence and consequence of each risk in order to identify the focus area. Factors such as possible financial loss, time lost, and severity of impact play a part in precisely analyzing each risk. By placing each risk under the microscope, the risk manager exposes any common issues across a project and further improves the risk management process for future projects.
Prioritize the risk: An organization is exposed to various forms of risk. On the basis of the analysis undertaken in step 2, the risk manager has to prioritize which risk to focus on and when. This step gives the risk manager a comprehensive view of the task at hand and pinpoints where the team’s focus should lie. This helps in the identification of useful solutions for each risk.
Mitigate the risk: After prioritisation of the risk, which helps the risk manager decide which risk to target, the risk manager attempts to mitigate the particular risk. Starting with the highest priority risk first, the risk management team, under the guidance of the risk manager, works on eliminating the risk or at least reducing it so that the negative impact is minimised and the strategic goal can be accomplished.
Monitor the risk: Risk management is a continuous process and it is very important that risk, along with the measures adopted in step four, is monitored. For this, transparent communication between the risk manager and the stakeholders is crucial.
Q. 5 There are various Strategic Decisions for managing risk. State these strategies and briefly explain each of them in three or four sentences.
[Dec. 2015, 10 Marks]
Ans. :
Risk Handling: In ideal risk management, a prioritization process is followed whereby risks with the greatest loss and the greatest probability of occurring are handled first and risks with lower probability and loss are handled later.
Risk Reduction (Mitigation): Risk reduction aims to minimize the likelihood or impact of risks by implementing control measures. This could involve diversifying suppliers, improving quality control, or investing in better forecasting tools. It does not eliminate risk entirely but lowers the potential negative effects. It involves methods that reduce the severity of the loss arising from risk consequences. Risk Reduction can be achieved through:
Loss prevention
Loss control
Risk Avoidance: This strategy involves eliminating activities or processes that expose the organization to risk. This is prevention and a proven strategy. This strategy results in complete elimination of exposure to loss due to a specific risk. It may involve avoidance of an activity which is risky. It includes a deliberate attempt on the part of the person taking the risk decision not to perform an activity or not to accept a proposal which is risk prone. This strategy can be approached in two ways:
Do not assume risk
Discontinuation of an activity to avoid risk
Risk Sharing (Transfer): It means causing another party to accept the risk, typically by contract; it involves a process of shifting risk responsibility to others. The organization transfers part or all of the risk to another party, such as through insurance, outsourcing, or partnerships. Insurance is one type of risk transfer, which is widely used in common parlance.
Risk Hedging: It is a systematic process of reducing the risk associated with an investment proposal or with other assignments where risk is inevitable, i.e. the risk is of such a nature that it cannot be avoided altogether.