Risk assessment and management
Risk Management
Introduction
Risk management is an essential ingredient of an organisation’s success. Before discussing risk management, it is crucial to first explain what risk management is and why is it needed. It is also important to discuss how various business functions can give rise to risk. Risk assessment is performed with the aid of various frameworks that will need to be considered in detail together with real-life examples of how corporations manage crisis.
A startup business needs to assess risk and manage it accordingly. This paper carries out this research and then reports its findings to the directors
Risk Assessment Report
To: Directors
From: Risk Analyst
Date: 7 June 7, 2013
Subject: Assessing the risk faced by a startup business and how different business functions are exposed to risks. The risk-management framework and the risk-management process are discussed in detail. Emphasis is also laid on business continuity and different approaches to crisis management.
1 Explanation of Risk Management
Risk management can be defined as a process which identifies risks and then analyses them in order to take appropriate action. Such action may be to accept risk, avoid it, or mitigate it. This, in turn, is dependent upon the level of risk tolerance the company has. A startup business must analyse risk and then take appropriate action (Uwf.edu, 1999).
Source: strikingprojectmanagement.com, 2013
1.1 Need for risk management
If there is no risk there is no return. The main motive behind risk management is to minimise the downside. Elimination of risk is not the main objective. The purpose of risk management is to give a clear indication of what risks to accept and to what extent (i.e. risk appetite) and what systems are in place to deal with those risks. There are several types of risks: interest rate, financial, market, project, business, foreign exchange, compliance, and operational risks. (Tattam, 2011, p.13).
The internal environment of a startup business may lack the internal control mechanisms and environment to identify, assess and, hence, manage those risks. This may be due to the inherent limitations of risk management, such as human override of controls or other factors, such as lack of management experience. A startup business should identify risk objectives that may include risk appetite. It then must assess its risk by identifying the probability of risk and its impact/consequence. Plans must be made to accept, mitigate or avoid risk. This is often known as risk response strategy. Control must be exercised by comparing plans versus actual results. Risks should be monitored on an ongoing basis to identify any deviations from the plan (Theirm.org, 2013).
1.2 Role of business functions in managing risk
The primary function of prevention, detection and correction lies with the board. Thus the strategic planning department, i.e. the board, has a pivotal role in managing risk. The marketing function faces risks of its own kind. Loss of market access, price risk and loss of marketing power are common marketing risks. Compliance risk arises when an entity fails to comply with the relevant laws and regulations. A startup business must comply with all the necessary regulations to avoid the risk of failure.
Operational risk is the risk that is associated with the operations of the organisation. This may include internal procedural breakdown. The accounts department of a startup organisation may be exposed to risks of its own kind. The most common example is the failure to comply with the relevant accounting standards. The category of accounting risk that management may be involved in is the window dressing of accounts and creative accounting.
Source: functions.essentials.com, 2013
The quality control department and the quality assurance department of a startup business may be exposed to risks of its own kind. If the business is a manufacturing concern, there is a risk that faulty products maybe produced. If such faulty products reach the consumer, they result will be dissatisfaction, leading to a loss in sales. Identification of faults in processes is as important as identification of faults in products. Environmental risks include the risk of being penalised if there is negligence relating to waste disposal and restoration of land. A startup business, if it is a listed entity, will be required to have an internal audit department. Failure to do so will result in delisting.
2 Risk Assessment
2.1 Analysing the risk assessment process
A startup business, in order to avoid any failures, must identify all possible risks the company faces. It is recommended that the board of directors appoint a risk management committee whose sole purpose will be to identify, assess and manage risk. On risk identification, the board will come to know of the various types of risk faced by the organisation such those associated with default, interest rate, liquidity, inflation, market, project, financial, business, foreign exchange, etc. It is possible that not all these risks will affect the organisation, hence it is recommended that directors be careful when assessing the type of risk.
Identification of risk is one thing and its analysis is another. A startup business must analyse the risk to understand how it affects the organisation. Assessment includes description and estimation. The organisation should estimate the likelihood of risk. Likelihood involves determining the probability of that risk affecting the organisation. Impact includes the likely consequence that risk may have if the risk does materialise.
Control measures include the internal controls put in place to prevent, detect and correct errors and risks. There are several controls: application, general, IT, physical, etc. The purpose of such control measures is to deal with risks of all kind. A startup business must keep in mind that controls have their own inherent limitations. They are vulnerable to employee collusion, management override, etc. It is recommended that the board of directors review the system of internal controls on an ongoing basis, as risks continue to evolve and change over time.
Source: healthcaresecprivacy.com, 2013
2.2 Risk management frameworks
A startup business must decide on a framework to use to manage risks. Enterprise Risk Management (ERM) programmers should be in place to deal with all possible risks faced by the enterprise. To achieve the organisation’s objectives, opportunities must be seized and risks managed via processes and methods known as ERM. Several frameworks can be used to manage risks (Hopkin, 2010, p. 357).
Actuarial Society Framework
This framework identifies the following types of risks: hazard, financial, operational, strategic and other types of risks. The process for managing risk involves establishing the context to identify the current environment in which the organisation operates. It then goes on to identify the types of risks, after which risks are analysed and quantified. Risk is then integrated to identify the possible linkages. Risks are prioritized and appropriate strategies developed to manage those risks. The processes are monitored and evaluated on an ongoing basis (Harris, 2009, p.10).
COSO Framework
This was published in 1992 and highlights the following components:
- scanning the internal environment
- setting appropriate goals and targets
- identifying possible events
- assessing and then responding to risks
- control activities to act as a deterrent
- monitoring and reviewing
ISO 31000
This is the latest risk management standard and focuses on risks faced by organisations across the globe. Much of the work in this area highlights corporate governance and explains how corporations should be governed. It is recommended that the board should have an audit committee, risk committee and other committees to manage the risks faced by the organisation. Using the correct risk management is essential, especially in an organization that is just starting up (Dnv.com, 2013).
Source: grc-resource.com, 2013
2.3 Risk management process and its role in business organisation
The first stage of the risk management process is the assessment of risk. For risk to be managed, it needs to be assessed properly. The risk-assessment frameworks have been discussed above. Risks should be reported by means of risk-management reports. The report should be accurate and should cover all or most of the material risks to which an organisation may be exposed. The depth and scope of the report will depend on the size and complexity of the organisation. It should indicate the amount of exposure and the identity of the risk that may emerge. Other features of a good risk-management report are clarity, frequency, usefulness and distribution. The report should prescribe risk treatment and residual risk reporting. Risk treatment is a mix of strategies employed to manage risk and residual risk is the risk that still remains despite of the treatment process.
The risk-management process should be ongoing and be carried out at regular intervals, with modifications made as and when need arises (Bis.org, 2011). Risks can be managed by avoiding them. This means that if a product is likely to have risks, do not launch it in the first place and avoid it. Risks can be transferred to an insurance company so that the impact of risks that do materialise is borne by the insurance company and not the organization. Risks can be mitigated by applying various tactics such as deploying strong systems of internal controls. Risks can also be accepted in circumstances where the company has no choice other than to proceed or the benefits outweigh the costs.
Source: labspace.com, 2013
3 Risk Management of Coca Cola
3.1 Main drivers of business risk
The Coca Cola Company categorizes strategic risks into societal and environmental. Strategic risks are at the heart of the ERM process at Coca Cola. Other risk determinants include competition from old rival, Pepsi and changes in markets stimulated by environmental factors, such as recessions and economic booms. The objective of the risk management process at Coca Cola is to minimise its exposure to various unforeseen events the company may face. Other drivers include financial risk that is not really faced by Coca Cola. A main component of financial risk is that the shareholders will lose their wealth if the company is unable to fulfill its obligations and creditors file for liquidation. Coca Cola, however, faces foreign exchange risks. This is because it has a global presence and payments are made and received across the globe.
The company is also exposed to operational risk. Despite having state-of-the-art and the latest production lines, it is still possible that a faulty product may be produced. Kinley, the company’s mineral water brand, sources its water from springs. There is the chance that contaminated water may reach the consumer, thereby creating an operational risk. Risks in the form of hazards cannot be avoided. Natural disasters such as earthquakes, floods, or tsunamis can hit any place in the world. This risk cannot be sidelined as Coke has a global presence.
Source: cob.unt.edu, 2013
3.2 High risk areas and the impact of different types of risk
Reputation is high risk for The Coca Cola Company. Its ongoing battle with beverage-maker Pepsi, has seen many unethical practices. Competitors are constantly trying to damage the reputation of the brand. The area of highest risk for the company is the physical safety of its recipe. Coke’s recipe has been under a severe threat from other market players. Without doubt, the long-lasting success of the company can be attributed to its recipe for making Coke. It is this recipe that has made the company what it is today. Physical security of the recipe is therefore something that the Coke acknowledges as the highest area of risk. Other areas include integrity of the data and systems. The company’s database has records of its key personnel, customers and suppliers. The success of the company lies in the procurement side of the value chain. Supplies must be sourced from the same place to give the same taste each and every time. Stringent IT controls therefore must be in place to safeguard the security of the information systems at the global headquarters of the company. Failure to do so may result in data theft and the ultimate collapse of the company. Therefore this is regarded as a high risk area.
3.3 Risk management strategies
Risk management starts from the two. Risks are allocated to different board committees. From this year, Coca Cola plans to launch an Enterprise Risk Council whose primary purpose will be to make sure that all possible risks are identified and understood. In decision making, such risks must also be considered in depth. Their appropriate consideration will lead to better handling of risk and hence its mitigation (Cokecce.com, 2013).
Many risk-management strategies include the prevention and detection of fraud. Systems and controls are in place to prevent fraud from employee collusion. Proper segregation of duties is in place to act as a deterrent. The value chain is as such that the transporters and the outbound logistics department might collude and commit fraud. Duties are segregated with stringent paperwork to ensure that goods are not misappropriated and payments are received in full.
Asset theft is a common type of fraud in organizations. Items from stationary to parts for transport vans may be stolen. To mitigate this risk, proper controls are in place such as surveillance cameras, regular inventory counts, etc., to ensure that assets do not get stolen. The production of Coke is an automated process with very little human interference. Despite this, there are certain health and safety risk in the manufacturing process. Coca Cola is a fizzy drink and is prepared and containers filled in a high pressure plant. If pressure is not managed effectively, an explosion may occur that could cause fatal injuries. To manage this risk, several pressure sensors are installed and employees are given safety equipment to avoid any unforeseen events.
4 Crisis Management
4.1 Vulnerability
With an organization the size of Coca Cola and its dynamic business and physical environment, effective crisis management techniques need to be in place. Crises can take any form: a natural crisis such as an earthquake or a technical crisis such as technology misuse due to complexity, etc. The company is vulnerable to crises due to its size. Since it is represented globally, it is prone to all sorts of natural crises. Earthquakes, tsunamis, floods, etc., can arise anywhere, leading to loss of physical property. The operating environment of Coca Cola is very diverse. Management crises can occur if management values become skewed and the organization goes astray by becoming a part of misdeeds and unethical practices.
Crises such as those mentioned above or in leadership can have disastrous effects on Coca Cola. They can result in loss of profits. If the production facility is completely destroyed by an earthquake, costs will be incurred when reconstructing the production and filling facility and landscaping the land. A disaster will also result in the loss of assets. All plants at The Coca Cola Company are automated and therefore their complete or partial destruction can result in the loss of precious assets. Economic sanctions may be imposed upon a country due to misconduct. If sanctions imposed in a country where Coca Cola already operates, it will need to terminate its operations, according to international law.
The crisis-management model is put in place to diagnose the problem, decide on a turnaround strategy and implement that strategy.
4.2 Approaches to crisis management an the impact of breaks in business continuity
The business continuity planning at Coca Cola revolves around managing its people. It focuses on where its people and human resources are located and how they can be moved around to benefit the organization. A lot of emphasis is laid on customer and stakeholder management. In its sustainability report, Coca Cola lays great emphasis on stakeholders. It engages in corporate social responsibility to show that the company is socially and morally responsible. Threat assessment includes identifying various threats the company faces as a whole. Theats can include various types of threats (even terrorist attacks).
Prior to the implementation of business-continuity planning, the plan must be communicated to all stakeholders. This is essential as the views all stakeholders must be taken into account when it comes to managing a crisis and planning for the future. A break in business continuity will affect the synergies Coca Cola currently enjoys. A break in continuity is in essence, a break in momentum that might prevent the organization from achieving its objectives (Sharp, 2008, p.102).
Conclusion
To conclude it, it can correctly be said that risk management is immensely important for the organization as it not only helps in the fulfillment of organizational objectives but also in safeguarding of shareholders’ wealth. To manage risk, various risk-management strategies need to be in place that must be devised after careful consideration of risk appetite. Crisis management and business continuity are closely related concepts. Inability to manage crises might result in breaks in business continuity which is lethal for any organization.
References
Bis.org (2011) International regulatory framework for banks (Basel III). [online] Available at: http://www.bis.org/bcbs/basel3.htm [Accessed: 3 Jun 2013].
Coca-Cola Hellenic Annual Report 2010, Annualreport.2010.coca-colahellenic.com (2010) The identification and management of risk – Coca-Cola Hellenic Annual Report 2010. [online] Available at: http://annualreport.2010.coca-colahellenic.com/corporate-governance/the-identification-and-management-of-risk.aspx?sc_lang=en [Accessed: 31 May 2013].
Cokecce.com (2013) Coca-Cola Enterprises : How We Manage CRS at CCE. [online] Available at: http://www.cokecce.com/corporate-responsibility-sustainability/how-we-manage-crs-at-cce [Accessed: 31 May 2013].
Crouhy, M., Galai, D. and Mark, R. (2000) Risk management. New York: McGraw Hill.
Dnv.com (2013) Risk management. [online] Available at: http://www.dnv.com/focus/risk_management/ [Accessed: 31 May 2013].
Frenkel, M., Hommel, U., Rudolf, M. and Dufey, G. (2005) Risk management. Berlin: Springer.
Harris, E. (2009) Strategic project risk appraisal and management. Farnham, England: Gower, P.108.
Hopkin, P. (2010) Fundamentals of risk management. London: Kogan Page, P. 357.
Investopedia.com (2013) Financial Risk Definition | Investopedia. [online] Available at: http://www.investopedia.com/terms/f/financialrisk.asp [Accessed: 31 May 2013].
Investopedia.com (2013) Foreign-Exchange Risk Definition | Investopedia. [online] Available at: http://www.investopedia.com/terms/f/foreignexchangerisk.asp [Accessed: 31 May 2013].
Investopedia.com (2013) Operational Risk Definition | Investopedia. [online] Available at: http://www.investopedia.com/terms/o/operational_risk.asp [Accessed: 31 May 2013].
Investopedia.com (2013) Risk Management Definition | Investopedia. [online] Available at: http://www.investopedia.com/terms/r/riskmanagement.asp [Accessed: 31 May 2013].
Khatta, R. (2008) Risk management. New Delhi: Global India Publications, Pp. 25-39.
Olson, D. and Wu, D. (2008) Enterprise risk management. Singapore: World Scientific, Pp. 18-23.
Russell, J. (n.d.) Introduction to Forex Risk Management. [online] Available at: http://forextrading.about.com/od/riskmanagement/a/risk_management.htm [Accessed: 31 May 2013].
Sharp, J. (2008) The route map to business continuity management. London: BSI, P.102.
Tattam, D. (2011) A short guide to operational risk. Farnham, England: Gower, P.13.
Theirm.org (2013) The Institute of Risk Management. [online] Available at: http://www.theirm.org/ [Accessed: 31 May 2013].
Ucanr.edu (1997) Marketing Risk. [online] Available at: http://ucanr.edu/sites/placernevadasmallfarms/Resources/Managing_Risk/Marketing_Risk/ [Accessed: 31 May 2013]
Uwf.edu (1999) Types of Risk. [online] Available at: http://uwf.edu/rconstand/5994content2003/T4-RiskReturn/T4-riskreturnP02.htm [Accessed: 31 May 2013].