
Risk Response

Enterprise Risk Management

1) Specialist branches of risk management:


a) Project
b) Energy
c) Finance
d) Operational and
e) Clinical

2) Enterprise Risk Management (ERM):
a) Moves away from the practice of risk management as a
separate management of individual risks
b) Considers the interrelationships among risks
i. Two or more risks can have an impact on the same activity
or objective
ii. Action on one risk may result in a negative impact on
another
c) Concerned with the management of key risks that may
affect objectives, key dependencies or core processes
d) Also concerned with the management of opportunities.

3) Features of an Enterprise-wide Risk Management Approach:
a) Encompasses all areas of organisational exposure to risk
(financial, operational, reporting, compliance,
governance, strategic, reputational, etc)
b) Prioritises and manages those exposures as an
interrelated risk portfolio rather than as individual ‘silos’ of
risk
c) Evaluates the risk portfolio in the context of all significant
internal and external contexts, systems, and
circumstances
d) Recognises that individual risks across the organisation
are interrelated and can create a combined exposure
that differs from the sum of the individual risks
e) Provides a structured process for the management of
all risks, whether those risks are primarily quantitative
or qualitative in nature
f) Seeks to embed risk management as a component in
all critical decisions throughout the organisation
g) Provides a means for the organisation to identify the
risks that it is willing to take in order to achieve strategic
objectives
h) Constructs a means of communicating on risk
issues, so that there is a common understanding of
the risks faced by the organisation, and their
importance
i) Supports the activities of internal audit by providing
a structure for the provision of assurance to the
board and audit committee
j) Views the effective management of risk as a
competitive advantage that contributes to the
achievement of business and strategic objectives

Source: Fundamentals of Risk Management, 2nd Edition, by Paul Hopkin

4) Definitions
a) RIMS: Enterprise risk management is a strategic business
discipline that supports the achievement of an organisation’s
objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an
interrelated risk portfolio

b) COSO: Enterprise risk management is a process, effected by
an entity's board of directors, management and other
personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may
affect the entity, manage risk to be within its risk appetite and
provide reasonable assurance regarding the achievement of
entity objectives

c) IIA: A rigorous and coordinated approach to assessing
and responding to all risks that affect the achievement of
an organisation’s strategic and financial objectives

d) HM Treasury: All the processes involved in identifying,
assessing and judging risks, assigning ownership, taking
actions to mitigate or anticipate them and monitoring and
reviewing progress.

5) Definition by Paul Hopkin:
a) ERM involves the identification and evaluation of significant
risks, assignment of ownership, and completion and monitoring
of mitigating actions to manage these risks within the risk
appetite of the organisation
b) The output is the provision of information to management to
improve business decisions, reduce uncertainty and provide
reasonable assurance regarding the achievement of the
objectives of the organisation (MADE2)
c) The impact of ERM is to improve efficiency and the delivery of
services, improve allocation of resources (capital) to business
improvement, create shareholder value and enhance risk
reporting to stakeholders

Source: Fundamentals of Risk Management, 2nd Edition, by Paul Hopkin

6) Paul Hopkin says a comprehensive definition needs to
have three components:
a) The description of the process that underpins enterprise
risk management

b) Identification of the outputs of that process

c) The impact or benefits that arise from the outputs.



7) ERM in practice:
a) Risk management application should follow the principles
provided under PACED.
b) This includes the level of the Risk Manager or Chief Risk
Officer
c) For an organisation to fully enjoy the benefits of ERM as
detailed in the next slide it should always ensure that the
full range of significant risks facing an organisation is
evaluated. In addition:
i. The interrelationship between risks should be identified in order
to compile the total risk exposure of the organisation
ii. Comparisons should be made between the risk exposure, the risk
appetite and the risk capacity of the organisation

BENEFITS OF ENTERPRISE RISK MANAGEMENT

FIRM Risk Scorecard: Benefits

Financial
• Reduced cost of funding and capital
• Better control of CapEx approvals
• Increased profitability
• Accurate financial risk reporting
• Enhanced corporate governance

Infrastructure
• Efficiency and competitive advantage
• Achievement of the state of no disruption
• Improved supplier and staff morale
• Targeted risk and cost reduction
• Reduced operating costs

Reputational
• Regulators satisfied
• Improved utilisation of company brand
• Enhanced shareholder value
• Good reputation and publicity
• Improved perception of organisation

Marketplace
• Commercial opportunities enhanced
• Better marketplace presence
• Increased customer spend (and satisfaction)
• Higher ratio of business successes
• Lower ratio of business disasters

Source: Fundamentals of Risk Management, 2nd Edition, by Paul Hopkin

8) ERM and Business Continuity
a) ERM and BCM are closely related as the risk
management process and the business impact analysis
are closely related
b) They both involve evaluation of objectives and identifying
individual risks that could impact those objectives
c) Both involve the identification of key dependencies and
functions that must be in place for the continuity and
success of a business
d) The main difference is that whilst ERM is about
management of risks that could impact processes, BCM
is concerned with actions that should be taken to maintain
the continuity of individual activities.

9) ERM in Energy and Finance
a) The objective of ERM in the finance sector has been to
enhance shareholder value whilst in the energy sector the
ERM is closely linked to the management of treasury
risks, hence the development of hedging.

b) Operational Risk Management (ORM) in the financial
sector involves the calculation of the capital that should
be held in reserve to cover the consequences of identified
risks materialising
i. The aim of ORM is that risks will be better identified and
managed, thereby helping to lower the capital that may be
required to meet the consequences of the risks
materialising

10) Future Developments in ERM
a) Currently the COSO ERM framework is predominant
because the Sarbanes-Oxley Act in the USA requires
companies to comply with the COSO Internal Control
framework of 1992. US companies and their subsidiaries
throughout the world therefore need to comply.
b) Other Standards have come up and most are being
modified to be in line with the ISO 31000
c) Further developments likely include:
i. Ensuring risk management activities are fully embedded into
the operations of organisations through LILAC
ii. Demonstrating measurable financial benefits of
implementing ERM by enhancing ORM activities.
d) ERM is here to stay but has to demonstrate significant
and measurable financial benefits.
Importance of the Risk Appetite
1) Risk Appetite, Risk Capacity and Risk Exposure
a) Risk Appetite: This demonstrates the total value of the
corporate resources that the board of the organisation is
willing to put at risk.
i. Regardless of the likelihood of the risk materialising, the
impact is so small that it would not be significant if it did
occur.
ii. Also the likelihood of the event occurring is considered so
remote that it is assumed that it would not occur.
iii. If it does occur however it would be very serious (the
global financial crisis is a good example).
iv. A risk-by-risk approach is used to determine acceptable
levels of the risk and this provides an indication of the
organisation’s risk appetite.

b) Risk Capacity: the capability of the organisation to
take risk

c) Risk exposure: the cumulative total of all the
individual values of risk associated with the risks
facing the organisation

2) An organisation must decide how much it wishes to
put at risk.
b) This ensures the organisation does not expose itself to
too much or too little risk.
c) An organisation also needs to fully utilise its risk
capacity to ensure it is taking the optimal level of risk or
achieve what COSO has called the “sweet spot”.
d) In taking risk, the organisation needs to consider its risk
capacity, the industry in which it operates and
prevailing market conditions.

3) The risk appetite is an important component in the
risk ranking phase of the risk assessment process.
i. It is the next phase after the risks have been analysed
in terms of likelihood and impact (risk rating).
Risk and Uncertainty

4) In the figure on the next slide, the sum of the hazard
tolerances, control acceptance and opportunity
investment represents the risk appetite of the
organisation
a) The figure further illustrates the range of outcomes for
different risk exposures.
b) For opportunity investment, there is a range of outcomes, from
complete loss of the investment to a substantial gain.
c) The losses may at times exceed the initial investment, if
the total negative risk exposure associated with the
investment is not correctly calculated.

[Figure: Risk and Uncertainty. Vertical axis runs from increasing gain to increasing loss; horizontal regions are Hazard Tolerance, Control Acceptance and Opportunity Investment. Risk appetite Point A (increasing hazard tolerance) and Point B (increasing opportunity investment) are each shown with a range of possible outcomes (95%), bounded by the best and worst possible outcomes (95%).]

a) The figure also illustrates the relationship between risk
and uncertainty.
i. It illustrates the typical range of outcomes for hazard
risks, controls risks and opportunity risks.
ii. It further illustrates that the sum of all hazard tolerances,
control risk acceptance and opportunity investments
represent the total risk appetite of the organisation.*
iii. The curved lines represent the range of possible
outcomes for each risk position, to within 95% certainty or
a 1 in 20 chance of being outside their range.
iv. For hazard risk, if the organisation decides to choose a
particular risk appetite (Point A), a range of possible
outcomes for that appetite is possible: the 95% certainty
lines.
v. For opportunity risk, the organisation may agree on Point
B as its risk appetite for that risk.
• The range of possible outcomes varies from negative to
positive
• This is represented by the 95% certainty lines

vi. The figure demonstrates that a range of possible
outcomes is possible when a value is put at risk.

vii. There will be a cost associated with each hazard
risk, in terms of the cost of incidents that occur and
also in terms of the cost of loss-prevention, damage
limitation and cost-containment activities.
• For each hazard risk, there will be a range of possible
outcomes, all of them negative.

v. An organisation will need to quantify the possible
hazard risks and the costs associated with those risks.

vi. It should then decide how much hazard risk it is willing
to tolerate, and this forms part of its risk appetite.

vii. There will also be control risks embedded within the
projects the organisation may undertake.
v. The cost of the necessary controls should be part of the
overall cost of the project.
vi. The cost of these controls represents the control acceptance of
the organisation.
Importance of Risk Appetite

e) The portion of risk appetite associated with
opportunities is considered to be the opportunity
investment that the organisation is willing to embrace.
i. Normally organisations expect a positive return from an
investment opportunity, but that investment may result in
a positive or negative return.
ii. If total negative risk exposure was not calculated
properly, the negative outcome may turn out to be higher
than the investment.

f) An organisation that has the appetite to invest a
certain amount of money should have the
capacity to endure any loss that may result.
g) Also the total amount invested, or value at risk,
should be within the risk capacity of the
organisation

[Figure: Risk Appetite, Exposure and Capacity (optimal). Risk matrix with impact on the vertical axis and likelihood on the horizontal axis, showing the comfort, cautious, concerned and critical zones, the optimal risk exposure, the risk capacity and the ultimate risk capacity.]

Risk Appetite and The Risk Matrix
a) The slide above illustrates the concept of risk appetite, risk
exposure and risk capacity in a risk averse organisation:
i. The pink shaded area represents the comfort zone, the unshaded
area the cautious zone, the grey shaded area the
concerned zone and the red shaded area the critical zone.
ii. The risk appetite lies between the cautious and concerned zones.
iii. In the unshaded and grey shaded areas, management judgement
is required before the risk is accepted
iv. The broken shaded line represents the optimal risk exposure
v. The red shaded area represents the critical risk and these will only
be accepted if there is a business imperative.
vi. The ultimate risk capacity is well within the red shaded area.
vii. The risk capacity is well above the risk appetite and the ultimate risk
exposure.
viii. The organisation is therefore taking risks within its risk appetite and
not exceeding its risk capacity

[Figure: Risk Appetite, Exposure and Capacity (optimal). Risk matrix with impact on the vertical axis and likelihood on the horizontal axis, showing the comfort, cautious and concerned zones, the actual risk exposure, the risk capacity and the ultimate risk capacity.]

b) In a risk aggressive organisation shown above, the comfort
zone for accepting risk is much larger.
a) The cautious and concerned zones are much smaller, and
the critical zone is smaller still, representing a limited
audit universe.
b) This organisation has a more aggressive attitude to risk; it
has fewer risks in the critical zone.
c) The risk universe, being the risks subject to board
attention, is very restricted.
d) A risk will have to have a high likelihood and high impact
for it to receive board attention.
e) The ultimate risk capacity of the organisation lies within
the unshaded zone.
f) The organisation could therefore be taking risks beyond
its capacity
g) To make matters worse, its risk exposure is well within its
critical zone, making the organisation vulnerable to risk.
e) Once a risk exposure increases to be above the risk
appetite line, it is necessary to apply risk escalation
procedures:
i. Reporting the risk exposure to more senior management
ii. Reporting the risk exposure to a specialist risk function or
internal audit.
c) Identification of the risk appetite is a matter of
judgement exercised at different levels within the
organisation.
i. The risk appetite is a strategy driver at board and senior
management level
ii. It may be considered an operational constraint at line-
management level because they have to comply with a
risk appetite established by board and senior
management.
iii. At individual level, it may be a behaviour regulator.
• Individuals have to comply with a risk appetite established
by board and implemented by line management.
d) The risk appetite has to be set in the context of the
organisation, its strategy, projects and routine
operations.
i. Because of this requirement, it would be difficult to
recognise the risk appetite at an early stage.
Risk Appetite Statements

7) Risk appetite may be a driver of strategy, a planning
guide for tactics or a set of operating constraints.
i. Organisations, in coming up with their risk appetite
statements, should clearly state the focus of their risk
management strategies, whether it is:
• A driver of risk
• A planning guide, or
• A set of operating constraints.
ii. In financial institutions, risk is at the heart of the business
and the appetite to, say, lend money will reflect its risk
appetite and is the driver of its business.
• Risk is the driver of business and thus they have to
embrace risk in order to gain benefits.
iii. In other organisations, risk is not a driver of the business,
but a consequence of the strategy, tactics and the
operations that the business undertakes.
• Risks are inherent to its operations.
• Risk is therefore used as a planning tool for the organisation
to decide whether it wishes to adopt certain tactics given
the inherent risks in those tactics, projects or changes.
• The organisation therefore has to operate within certain
tolerance levels and manage uncertainty associated with
risk.
iv. In other organisations risk represents constraints that are
placed on its staff.
• These include authorisation levels, expenditure limits,
etc., and are often built into the delegation of authority
structures of the organisation
• Levels of authority are an indication of the risk appetite
of the organisation
• Exposure to risk is a consequence of the size, nature
and complexity of the organisation

ASSESSMENTS: DESCRIPTION

High risk-appetite: The college accepts opportunities that have an inherently high risk that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance or high potential risk of injury to staff and students

Moderate risk-appetite: The college is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and students

Modest risk appetite: The college is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and students

Low risk appetite: The college is not willing to accept risks in circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and students

Risk Appetite Statements from a Manufacturing Organisation

BUSINESS COMPONENT: DESCRIPTION

Target credit rating: Maintain a credit rating of at least BBB+
Earnings per share: Maintain an earnings per share level within the upper quartile of the peer group
Target capital ratio: Maintain a debt to capital ratio in the range 45% to 50%
Self-sustaining growth: New business will not dilute target capital ratio and maintain a capital working ratio in the range 1.5% to 2%
Financial strength: Maintain an earnings-before-interest and taxes-to-interest ratio between 5% and 7.5%
Customer dependencies: No single customer will exceed 15% of total sales
Regulatory compliance: Score in the upper quartile of the peer set in regulatory reviews
Social responsibility: Seek a position in the upper quartile of the peer group in social responsibility index

Risk Management and Uncertainty

8) Risk management is mostly about reducing the
range of possible outcomes or uncertainty
a) This involves managing and reducing the level of
inconsistency with which risks are managed. This is
done through internal controls.
b) This requires the design and implementation of
appropriate controls
c) Risk management is not just about ensuring
existing controls are identified and the need for
additional controls documented.
d) It also requires the identification of critical
controls, those that are the most important in
managing significant risks.
i. Successful risk management also requires
ensuring controls are always effectively
implemented.
ii. Risk assessment is a tool that can be used to
manage significant risks as they ultimately lead
to the identification of the critical controls
iii. Risk assessment should also include evaluating
the level of effectiveness and efficiency of
different controls, a tactic usually employed by
internal auditors.

[Figure: Risk Management and Uncertainty. Vertical axis runs from increasing gain to increasing loss; horizontal regions are hazard tolerance, control acceptance and opportunity investment. Shows the exposure before and after risk control measures, with the effect of risk response and loss control, insurance, internal control, opportunity management, and hedging or JVs.]

e) The diagram above demonstrates the effect of
different control mechanisms and the effect they may
have on the range of possible outcomes or uncertainty
i. It demonstrates the value of critical controls in
changing the range of possible outcomes at a particular
level of risk exposure.
ii. It shows the effect of different control mechanisms on
the range of possible outcomes
• The impact of loss control
• The impact of insurance
• The contribution of opportunity management, and
• Hedging or joint ventures on opportunity risks.

Tolerate, Treat, Transfer and Terminate
The 4Ts of Hazard Response

a) Risk analysis and evaluation assist with the
measurement and ranking of risks and determination of
risk significance.

b) Priority significant risks facing an organisation are those
that have:
i. High or very high impact in relation to the benchmark test
for significance;
ii. High or very high likelihood of materialising at or above the
benchmark level;
iii. High or very high scope for cost effective improvement in
control.
c) Generally it is significant risks that need senior
management and board attention.
d) However, regulatory risks, because of their nature, will
need to receive appropriate attention from board and
management. (refer to next slide for examples of
penalties).
e) The benchmark test for significance should be set at a
level that represents a significant impact for the
organisation.
f) Reviews of existing controls will then be made to
determine if they are reducing those risks to acceptable
levels.
f) Examples of payouts resulting from regulatory non-
compliance
• Regulatory settlements by top US banks, including
Bank of America ($16.7 billion) and Citi ($7 billion) in
2014, and JPMorgan Chase ($13 billion) in 2013.
• The largest settlements for violating financial sanctions
came against BNP Paribas in 2014 ($8.9 billion); for
false drug promotion came against
GlaxoSmithKline in 2012 ($3 billion); and for violating
anti-bribery regulations came against Siemens in 2008
($800 million).
g) Decisions will then need to be made on any additional
actions required (risk responses).

h) The 4Ts (explained at next slide) are used to respond to
hazard risk, these are:
i. Tolerate
ii. Treat
iii. Transfer
iv. Terminate.
Please note that the British Standard BS31100 and ISO
31000 use the more generic term “risk treatment” which
the BS31100 defines as the “process of developing,
selecting and implementing controls”, and ISO 31000
defines it as “development and implementation of measures
to modify risk”.

The 4Ts of Hazard Response (Orange Book)

Response: Description

Tolerate (accept/retain): The exposure may be tolerable without any further action being taken. Even if not tolerable, the ability to do anything may be limited or it may not be cost effective to do so.

Treat (control or reduce): The purpose of treatment is not to obviate the risk but to reduce it to manageable levels. The activity giving rise to the risk is retained but controls are instituted to constrain the risk to acceptable levels. The greater number of risks will fall into this category.

Transfer or insure or contract: Transfer may be the best response to some risks. It could be by insurance, subcontracting or going into a joint venture. A third party absorbs part of the risk.

Terminate or avoid or eliminate: Terminate or avoid the source of the risk. This option may be limited in the public sector. Termination also means foregoing the opportunities that may be related to pursuing the activity bearing the risk.

[Figure: Risk Matrix and the 4Ts of Hazard Management. Impact on the vertical axis, likelihood on the horizontal axis. Quadrants: Transfer the risk to another party; Terminate the activity generating the risk; Tolerate the risk and its likely impact; Treat the risk to reduce the likely impact and exposure.]

i) The risk matrix can also be used to illustrate the 4Ts of risk response
• In each of the four quadrants of the risk matrix, one of the
4Ts is dominant.
• Tolerate will be the main response for the low likelihood/low
impact risks.
• Treat will be dominant for high likelihood/low impact risks.
• Transfer will be dominant for high impact/low likelihood
risks.
• Terminate will be dominant for high impact/high likelihood
risks
• The next slide demonstrates the range of potential risks
that may be associated with the FIRM risk scorecard
j) There is generally a relationship between the response and
the likelihood/impact relationship:
i. Tolerate will be the main response for the low likelihood/low
impact risks.
ii. Treat will be the dominant response for high likelihood/low impact
risks.
iii. Transfer will be the dominant response for high impact/low
likelihood risks.
iv. Terminate will be dominant for high impact/high likelihood risks.
k) By placing each risk on the FIRM risk scorecard on the risk
matrix, its position on the matrix will give the most likely
response to that risk.
i. If the risk assessment is undertaken at the current level, the effect of
the existing controls will already have been evaluated as part of
the risk assessment.
Risk Responses
1) Tolerate Risk
a) Demonstrates the organisation’s readiness to bear the
risk, after consideration of cost-effective controls, in
order to achieve its objectives (ISO Guide 73)
b) Refers to specific or individual risk. It is different from the
risk appetite.
c) Can be influenced by:
i. Legal and regulatory requirements
ii. Generally organisations tolerate risks that are within their
risk appetite
iii. An organisation may tolerate risk levels that are high
because:
• They are potentially profitable or relate to a process
that is fundamental to the nature of the organisation.
d) An organisation may also have a current level of risk
beyond its comfort zone and its risk capacity.
e) It may even have risk above its risk capacity but this
may not be sustainable.
f) Normally risks are accepted or tolerated after the
consideration of all cost effective controls
i. Risk in this case is tolerated at its current level.

2) Treat Risk
a) Applied mostly in situations of high likelihood and low
impact risk
b) Normally done at inherent or current level so that when
treatment measures have been put in place, the new
current or target level will be acceptable.
c) Consideration is given to both the likelihood and
impact of the risk
d) Cost-effective treatment measures should be directed
at reducing the likelihood of the risk occurring and
reducing its impact if it materialises

3) Transfer/Share Risk
a) Normally associated with situations of low-
likelihood/high impact risk
i. Insurance is the main tool used for hazard risk transfer
and to a lesser extent control risk
ii. However, some risks cannot be insured because of the
cost involved, or are uninsurable
iii. Other forms are joint ventures, risk hedging and
outsourcing.
iv. The cost of transfer is a component of risk financing
4) Terminate/Avoid Risk
a) Mostly associated with high-likelihood, high-impact risk.
It may mean:
i. Stopping the process or activity
ii. Substituting an alternative process
iii. Outsourcing the activity associated with the risk
b) Where an organisation cannot terminate a risk because
the activity associated with the risk is fundamental to its
operations, alternative control measures would be
necessary.
i. Control measures may be a combination of risk treatment
and risk transfer.
ii. Some risks however may just have to be accepted
despite the fact that they will be at unacceptable levels.
Risk Responses for Control Risks
(The 4As of Control Risk)

a) Approach to management of control risk generally similar to
hazard risks but there are differences in the range of
response options available.
b) The emphasis for project risk is to achieve progress in
accordance with the project plan with minimum variations
from the plan, in terms of the budget, time and quality.
c) For project/control risks, the following response options are
available:
i. Accept
ii. Adopt
iii. Adapt
iv. Avoid
Risk Response for Project Risks
(The 4 As of Project Risk Management)

a) For project risk management, mostly concerned with
measurement of uncertainties and control management,
the following options are available for projects:
i. Accept: the risk or uncertainty for low-exposure/low-
uncertainty risks.
ii. Adapt: processes and procedures for high-risk-
exposure/low-uncertainty risks.
iii. Adopt: contingency plans and responses for low-
risk/high-uncertainty risks.
iv. Avoid: the risk or uncertainty for high-exposure/high-
uncertainty risks.

[Figure: Risk Matrix and the 4As of Control Risk Management. Increasing uncertainty on the vertical axis, risk exposure on the horizontal axis. Quadrants: Adopt appropriate contingency plans; Avoid the uncertainty attached to the risk; Accept the uncertainty attached to the risk; Adapt procedures and introduce controls.]

Responses for Project Risk

1) Range of responses
a) Low-uncertainty and low-exposure risks will be
accepted. Bring in controls that detect failures
b) Low-uncertainty but high exposure risks, introduce
relevant controls and adapt appropriate procedures.
Reduces the level of uncertainty
c) Low-exposure but high-uncertainty risks, transfer to
a third party or adopt contingency plans to manage
them.
d) High-exposure and high-uncertainty risks, avoid
within the project, when feasible
Risk Response for Opportunity Risks
(The 4 Es of Opportunity Risk Management)

a) The emphasis for opportunity risk is the development
and implementation of efficacious strategy
b) Requires the evaluation of the risk associated with each
available strategy and the level of reward that the
strategy will deliver.
c) For opportunity risks, the following response options are
available:
i. Exploit
ii. Exist
iii. Explore
iv. Exit

[Figure: Risk Matrix and the 4Es of Opportunity Risk Management. Potential reward on the vertical axis, risk exposure on the horizontal axis. Quadrants: Exploit opportunity until competitors arrive; Exit depending on risk appetite and capacity; Exist in mature/declining markets; Explore entrepreneurial opportunities.]

1) Range of Responses:
a) High risk/low potential rewards (Start-up):
Explore entrepreneurial opportunities
b) High risk/high reward: if growth is too slow whilst
risk remains too high, exit from those operations
depending on risk appetite and risk capacity
c) High rewards/low risk: Exploit opportunities until
competition arrives
d) Low exposure and low potential rewards
(mature market): you may stay in. Exist or accept
the situation.
Opportunity Risks and Risk Appetite
[Figure: matrix of potential reward (vertical axis) against level of risk (horizontal axis). Cell labels: "Exploit the opportunity", "Explore the opportunity", "Exist in the mature market", and "Expand if resources allow" (shown twice).]
Opportunity Risks and Risk Appetite

a) In the figure above an organisation may have a viable
business opportunity but lacks resources to exploit it on
its own
b) It has three options
i. It may exit the opportunity because it does not have
the risk appetite or risk capacity
ii. It may sell the opportunity to an organisation with the
appetite, capacity and the resources to pursue the
opportunity
iii. It may seek to share that opportunity
Opportunity Risks and Risk Appetite
c) If the organisation is not able to sell or share the
opportunity, the only option is to exit
d) Most organisations with a viable opportunity which
they lack capacity to take will wish to benefit from it;
it would thus be most preferable to:
i. Share the opportunity with someone long-term, or
alternatively
ii. Sell the opportunity as this will provide a profitable exit.
e) Sharing will mean reducing the risk but also
sharing the benefits.
f) The decision will depend on the business strategy,
risk appetite, risk capacity and availability of someone
willing to share
Risk Control Techniques
HAZARD RISK ZONES
[Figure: risk matrix of impact (vertical axis) against likelihood (horizontal axis), divided by a judgement line, an appetite line and a critical line.]
Comfort Zone: dominant response will be Tolerate
Cautious or Concerned Zone (lower right): dominant response will be Treat
Cautious or Concerned Zone (upper left): dominant response will be Transfer
Critical Zone: dominant response will be Terminate
Risk Control

1) Hazard Risk Zones


The diagram in the slide above illustrates that
there are three zones on the risk matrix.
a) The Comfort Zone: this is for predominantly low-
likelihood and low-potential-impact events.
i. There is always a level of impact that will always be
within the comfort zone.
ii. The same applies with likelihood, there is always a level
of risk whose likelihood is considered so low that it will
not happen.
Risk Control
b) Cautious and Concerned Zones: as the risk likelihood
and potential impact increases, a point is reached where
judgement is required as to whether the risk should be
tolerated.
i. Within the cautious zone actions will usually be taken to
treat and/or transfer the risks within this zone.
ii. The risk appetite separates the cautious and concerned
zones
iii. The cautious and concerned zones together represent the
acceptable variability of level of risk
• It represents the tolerance by the organisation to
acceptable variability of volatility in the level of that
particular risk
Risk Control

c) Critical Zone: as the risk likelihood and potential
impact increases further, a critical line is reached.
i. Above this line, the organisation becomes concerned
about tolerating those risks and will seriously consider
terminating exposure to them.
ii. It is possible that the organisation may not be able to
terminate these risks for two possible reasons:
• Because they represent a business imperative (it
has to be done), or
• Because they are associated with a high-risk-high
reward strategy that the board has adopted.
Risk Control

2) Type of Controls
a) The table on the next slide describes the range of
controls that can be applied to hazard risks.
b) The table on the slide following that provides the
dominant responses associated with each
risk type.
Hierarchy of Hazard Risk Control: PCDD
TYPE | DESCRIPTION
Preventive (terminate) | These controls are designed to limit the probability of an undesirable outcome being realised. The more important it is to stop an undesirable outcome, the more important it is to implement appropriate preventive controls.
Corrective (treat) | These controls are designed to limit the scope for loss and reduce any undesirable outcomes that have been realised. They may also provide a route of recourse to achieve some recovery against loss or damage.
Directive (transfer) | These controls are designed to ensure that a particular outcome is achieved. They are based on giving directions to people on how to ensure that losses do not occur. They are important, but depend on people following established safe systems.
Detective (tolerate) | These controls are designed to identify occasions of undesirable outcomes having been realised. Their effect is, by definition, “after the event”, so they are only appropriate when it is possible to accept that the loss or damage has occurred.
Examples of the Hierarchy of Hazard Risks
TYPE | Hierarchy of controls for H & S Risks | Hierarchy of controls for fraud
Preventive (terminate) | • Elimination or removal of the source of the hazard • Substitution of the hazard with something less risky | • Limits of authorisation and separation of duties • Pre-employment screening of potential staff
Corrective (treat) | • Engineering containment using barriers or guards • Exposure reduction by job rotation or limitation on hours worked | • Password or other access controls • Staff rotation and regular change of supervisors
Directive (transfer) | • Training and supervision to enforce procedures • Personal protective equipment and improved welfare facilities | • Accessible, detailed written system and procedures • Training to ensure understanding of procedures
Detective (tolerate) | • Health monitoring to enquire about potential symptoms • Health surveillance to seek early symptoms | • Reconciliation, audit and review by internal audit • Whistle-blowing policy to report (alleged) fraud.
Bow-tie and Types of Controls
[Figure: bow-tie diagram centred on the event "Damage to Premises".]
Source: Flood, Fire, Earthquake, Break-in
Consequences: Financial, Infrastructure, Reputational, Marketplace
Phases of loss control: Loss prevention, Damage limitation, Cost containment
Types of control shown: Prevention, Corrective, Directive, Detective
Bow-tie and Types of Controls

1) Can be used to illustrate the role of the four types of
controls
a) Preventive controls apply to actions taken before the
event occurs
b) Detective controls apply to circumstances after the
event has occurred
c) Corrective and directive controls can be relevant to
loss prevention, damage limitation and cost
containment, representing the three phases of loss
control
Risk Control

1) Preventive Controls
a) These are designed to prevent wrongful acts before
they occur. As the saying goes, prevention is better than
cure, but these controls will not prevent or eliminate all
risks cost-effectively.
b) Examples are:
i. Separation of duties
ii. Use of barriers or guards
iii. Use of passwords
iv. Staff rotation or regular change of supervisors.
v. Elimination of a hazard or substitution of the
hazard with something less hazardous.
Risk Control

• Advantages are:
  • They are generally considered simple and cost-effective.
  • They eliminate the hazard so that no further consideration
    of it is required.

• Disadvantages are:
  • It may mean elimination of beneficial activities or
    substituting them with something less efficient and
    effective.
Risk Control
2) Corrective Controls
a) These are designed to correct wrongful acts when they
have happened.
b) Examples are controls related to loss limitation activities

3) Directive Controls
a) Designed to advise staff on how they should undertake
tasks.
b) Examples are:
i. Financial instructions
ii. General Orders
iii. Health and Safety Instructions
c) Advantages are that they can be explained during a normal
training and instruction session provided for all staff.
d) They however may require constant supervision and reminding.
Risk Control
4) Detective Controls
a) These are designed to detect wrongful acts when they
occur. They are closely related to review and monitoring
exercises undertaken as part of the risk management
process.
b) Examples are:
• Stock or assets checks to ensure that stocks or assets have
not been removed without authorisation.
• Reconciliations
• Performance appraisals to detect if staff are performing to set
standards
c) They are often simple. In certain circumstances they have
to be performed to detect the risk. Prevention and other
control types may not detect these risks.
d) The disadvantage is that the event would have already
occurred.
Control of Selected Hazard Risks

1) Cost of Control
a) To reduce risk from an inherent to a residual or target
level of risk, internal controls have to be introduced.
i. These controls have a cost, and such costs form part of
the total cost of risk for the organisation
ii. In considering the current/residual/target level of risk, an
organisation has to consider the costs involved.
iii. These form part of the total cost of risk for the
organisation
iv. Part of the risk management exercise involves the
evaluation of the cost effectiveness of these controls
Control of Selected Hazard Risks

b) The diagram on the next slide demonstrates the control
effect.
i. The longer the line, the greater the control effect, and
ii. The longer the line, the greater control effort is required
in terms of management time, effort, and money.
iii. The diagram also illustrates the distance between the
inherent and current level of risk.
iv. If a target level of risk is established, additional controls
would be required
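Illustration of Control Effect
[Figure: risk matrix of impact (vertical axis) against likelihood (horizontal axis), with lines labelled "Control 1" and "Control 2" showing the control effect.]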
Control of Selected Hazard Risks

v. It illustrates the importance of assessing risk at inherent
level first, so that the impact of the control effort required
to bring it to acceptable levels can be established.
vi. The cost of each control effected can be measured and a
cost-benefit of individual controls will be established.
vii. Risk treatment requires the selection and implementation
of controls to reduce the likelihood and impact of a risk.
viii. This requires the selection of cost effective, preventative
and corrective controls, in that order.
ix. Management will then need to introduce directive controls
aimed at directing the actions of people involved in
managing that particular risk.
Risk Control
3) A holistic risk management process requires that:
a) Prevention controls be introduced as the first option.
b) If prevention is not possible, or cannot eliminate all risks,
corrective controls should be introduced to minimise the
likelihood and impact of an adverse event.
c) If cost-effective prevention and correction controls cannot
reduce the risks to acceptable levels, the next option would be
directive and detective controls, alternatively.
d) Always select the cost effective controls when selecting and
implementing controls.
e) The diagram on the next slide provides an analysis of the
balance between the cost of controls and their effectiveness if
implemented
Cost-effective Controls
[Figure: curves for net cost of risk, cost of controls and potential loss, divided into three sections: "Cost-effective controls", "Judgement required" and "Further controls not cost effective".]
Control of Selected Hazard Risks
4) The diagram demonstrates that:
a) There is an optimum level of control that represents the
lowest total cost as a balance between cost of control
and the level of potential loss.
b) A significant reduction in potential loss is achieved by
introducing cost-effective controls
i. This is labelled “Cost-effective controls”
c) The centre section illustrates that spending more on
controls achieves a reduction in the net cost of risk, but
up to a point
i. In this section, judgement is required on whether to
spend the additional sum on controls
Control of Selected Hazard Risks

d) On the right-hand side of the diagram, spending more
on controls achieves only a marginal reduction in potential loss
i. Further controls would not be cost effective
Control of Selected Hazard Risks
Common Hazard Risks
a) The following section gives examples of common
hazard risks faced by an organisation
b) They describe what could go wrong in relation to the
hazard risk and the issues that need to be evaluated
c) In addition available control options are provided
followed by consideration of controls that are
necessary and appropriate
Control of Selected Hazard Risks

1. FRAUD
Why Fraud Occurs
The Fraud Triangle
Fraud
• An organisation will need to carry out an analysis of the
effectiveness of its fraud controls
• This includes:
  • Checking the losses in terms of money and goods, and
  • Evaluating areas where controls are insufficient.
• This should be a proactive action that includes:
  • An analysis of vulnerable assets
  • Who is responsible
  • How fraud might be undertaken, and
  • Effectiveness of existing controls
• When fraud occurs, this should be investigated and a
report supplied to the audit committee.
• In addition, an organisation should have a fraud policy
Risk Control

5) Controls of Financial Risks: Fraud
a) The following preventive, directive and detective
controls are available for minimising the risk of fraud:
i. Improve recruitment procedures
ii. Reduce the motive for fraud
iii. Reduce the number of assets worth stealing
iv. Minimise the opportunity for fraud
v. Increase the level of supervision
vi. Improve financial controls and management systems
vii. Improve detection of fraud
viii. Improve record keeping.
Health and Safety
2) Health and Safety at Work

• Dangerous machinery
• Pressure systems
• Noise and vibration
• Electrical safety
• Hazardous substances
• Lifting and manual handling
• Slips, trips and falls
• Human factors and repetitive strain injury
• Radiation
• Vehicle and driving risks
• Fire safety
• Stress at work
2. Health and Safety

a) This is a highly regulated risk in most countries, e.g. the
Workers Compensation Act No.23 of 1998, Cap 47:03
b) There is a need to undertake risk assessment in relation
to health and safety.
c) This can include:
i. Identification of the hazard
ii. Identification of who might be injured by the hazard
iii. Analysis of how it would be if an injury occurred
iv. Details of controls in place
v. Information on further actions that are required
Health and Safety

d) After carrying out a risk assessment, the organisation
will need to come up with controls, these being
preventative, corrective and directive, in that order,
aimed at minimising the risk, controlling the hazard
and controlling staff and exposure, respectively.
e) Organisations are also expected to have SHE
policies.
f) Incidents will also need to be thoroughly investigated
and, if appropriate, reports given to the regulators.
3. IT Security
a) A key dependency for most organisations
i. Failure of a computer system can be a very disruptive
event for an organisation

The main causes of loss associated with IT systems are:
• Theft of computers and other hardware
• Unauthorised access into IT systems
• Introduction of viruses into the system
• User error, including loss or deletion of information
• IT project failure
IT Security

Consequences of IT failure are:


• Loss of business or customers
• Loss of credibility or goodwill
• Cash-flow problems
• Reduced quality of service
• Inability to pay staff
• Backlog of work or loss of production
• Loss of data
• Financial loss
• Loss of customer account information
• Loss of financial controls
IT Security

ii. Most organisations will need to have an IT policy that is
designed to ensure correct use of data as well as
protecting the IT infrastructure of the organisation

iii. This should include:
ii. Information on responsibility for IT systems
iii. Back-up and recovery procedures
iv. Anti-virus and spyware procedures
v. Use of personal data
vi. Personal use of the internet
vii. Restrictions on personal e-mails.
4. Human Resources

a) Risks associated with the employment of staff
and the utilisation of human resources are:
i. Employee engagement and termination
ii. Legislative and regulatory compliance
iii. Recruitment, retention and skills availability
iv. Pension arrangements
v. Performance and absence management
vi. Health and safety
5. Property Fire Protection

a) A common risk in most types of organisations.

b) Organisations therefore have to carry out a fire risk
assessment, after which a fire risk strategy would be
developed based on the common causes of fire at
work places.
5. Property Fire Protection
c) Possible causes of fire at work are:
i. Electrical hazards
ii. Hot works
iii. Machinery
iv. Smoking materials
v. Flammable liquids
vi. Bad housekeeping
vii. Arson
d) The most important reason for fire protection at work is the
safety of people who may be affected by fire.
e) Should also consider the disruptions it could cause.
There should therefore be adequate loss-control
techniques, e.g., sprinkler systems.
Property Fire Protection

c) Prevention controls required include maintenance
of electrical installations, the avoidance of sources
of ignition,

d) Correct storage of flammable and combustible
materials
6. Control of Reputation Risks
Brand Protection
a) One of the most valuable assets of any organisation is
its brand name. It is therefore critical that it is not
damaged.
b) The following are possible causes of damage to the brand,
and controls:
Possible damage causes:
• Changes in government policy
• Changes in the marketplace
• New entrants into the marketplace
• Price and specification competition
• Counterfeiting and fake goods
• Inappropriate franchisee behaviour
• Failure of sponsor or joint-venture partner
Control of Reputation Risk

Possible controls:
• Detailed contract stating expectations and
requirements
• Extensive training for franchisees on the quality
of the product.
• Arrangement for procurement of supplies
7. Control of Marketplace Risks

1) Technology Developments
a) Technology Developments:
i. These include the need to keep up with technology
changes in the industry.
ii. It also means keeping up with customer
expectations and demands, covering convenience,
quality, price and fashion.
iii. Possible controls are:
i. Joint-venture partnerships
ii. Share expertise
iii. Share cost of developing new technologies.
Risk Control

2) Regulatory
a) This involves compliance with various
regulatory agencies.
Learning from Controls
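Control-benefit Analysis
[Figure: impact or potential loss (vertical axis) against likelihood of loss (horizontal axis), showing the loss profile "Before control" and "After control", with the "Cost of control" marked.]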
Learning from Controls
a) Decisions have to be made on the most appropriate and
cost effective controls to be used to manage hazard risks.
i. The figure on the previous slide demonstrates the profile
of expected losses before and after a specific control is
introduced.
ii. Whether a control is introduced is a matter of
organisational judgement
iii. If the risk has a low likelihood of materialising, then the
cost of the control may be greater than the anticipated
benefits.
iv. Therefore when evaluating the reduced exposure to loss,
there is also the need to look at the cost of the applicable
control.
Learning from Risk Control

v. There is a need to ensure continuous improvement in the
effectiveness and efficiency of the controls employed.
vi. Controls should therefore be reviewed on a continuing
basis
• This involves the “plan, do, measure and learn” (PDCA)
approach.
Learning from Control

1. Planning (strategic and business objectives)
• Investment appraisal
• Design of control
• Feasibility study

2. Implementing (core processes and functions)
• Project risk management
• Plan implementation
• Implementation of control

3. Measuring (key performance indicators)
• Value added control
• Monitor effectiveness
• Evaluate risk performance

4. Learning (continuous improvement)
• Management oversight
• Post implementation review
• Decide adequacy of control
Learning from Risk Control

vii. The constant evaluation of controls ensures that:
• The controls are effective in producing the required, and
controlling the risk to a standard set in the risk
management policy
• The efficiency of the existing controls can be evaluated
so that decisions can be made on their cost
effectiveness.
viii. The efficiency of the existing controls can be evaluated
and decisions made as to whether the current level of
control is achieved cost-effectively.
ix. Continuous review of controls ensures they remain
effective, both in design and application.
Learning From Control

b) When carrying out a cost-benefit analysis, recognise
that not all outcomes are equally likely should a risk
materialise
i. Judgement is therefore required in deciding whether to
invest in further controls.

c) Judgement is also required in undertaking risk analysis,
risk evaluation, and when considering the effectiveness
of existing controls and the need for additional controls.
i. Such judgement is based on current intelligence.
Learning From Control

ii. Learning from control is not just about increasing their
efficiency, but
iii. Their effectiveness, and
iv. Ensuring they are the correct controls.
Learning from Opportunity Risk
Management

1) For opportunity risk, there is a need to pay attention to the
relationship between risk exposure and the reward that
is being sought.
a) The diagram in the slide above demonstrates that:
i. Initially as risk exposure increases, a higher reward is
expected and the increase in rewards is greater than the
increase in risk exposure
ii. Ultimately there will be an increase in exposure but no
increase in expected reward.
• Therefore there will be no benefit in taking that extra
exposure.
• In between these two situations, increasing risk exposure
will produce a marginal increase in anticipated rewards.
Learning from Opportunity Risk
Management

iii. It is in this intermediate stage that management
judgement is required as to whether the increase in
exposure is within the risk appetite of the
organisation.

iv. The above analysis can also be done for hazard
risks, whereby the cost of further controls has to
be evaluated against the reduced risk exposure
that would result.
Insurance and Risk Transfer

1) Nature and Importance of Insurance
a) Insurance is considered by some as the main hazard
risk transfer tool available

b) Some however consider it as the last response,
forming part of cost containment and coming after:
i. Loss Prevention, and
ii. Damage Limitation
Insurance and Risk Transfer

c) Insurance involves the payment of a certain amount of
money in the event of the defined circumstances arising
or defined event occurring.

d) It is a cost containment measure

e) Mostly applicable for low-probability/high-impact risks
such as destruction of assets.

f) Also available for the cost of implementing disaster
recovery plans and business continuity plans, and

g) To cover the increased cost of operation
Insurance and Risk Transfer
g) Insurance may come in two ways:
i. First-party insurance: the insurer pays for losses
suffered directly by the insured.

ii. Third-party insurance: the insurer pays compensation to
other parties if they have been injured or suffer losses
because of the activities of the insured.
h) The insurance contract is a contract of utmost good
faith:
i. The insured party is expected to disclose all information
relevant to the insurance contract.
ii. If not disclosed, the insurer or underwriter has the right to
refuse to continue to provide insurance cover and may
refuse to pay any claims that have arisen.
Insurance and Risk Transfer

i) Advantages
i. It provides indemnity against an expected loss.
ii. Can reduce uncertainty regarding hazard events if
they occur.
iii. Can provide economic benefits to the insured. The
loss may be greater than the premiums.
iv. Can provide access to specialist services as part of
the insurance premium, such as advice on loss
control.
Insurance and Risk Transfer

j) Disadvantages:
i. Delays experienced in obtaining settlement of claims.
ii. Difficulties arising in quantifying the financial costs
associated with the loss.
iii. Disputes regarding extent of insurance coverage and
exact terms and conditions of the contract.
iv. Under-insurance by the insurer arising from difficulty in
deciding the limit of indemnity appropriate for liability
exposures.
Insurance and Risk Transfer

2) Alternatives to Insurance
a) Alternatives to insurance in the case of hazard
risks:
i. Conventional insurance
ii. Contractual transfer of risk
iii. Captive insurance companies
iv. Pooling of risks in mutual insurance companies
v. Derivatives and other financial instruments
Insurance and risk Transfer
(Contractual risk Transfer)

1. Contractual Risk Transfer is a resource used to draft
rock-solid risk transfer and insurance clauses for
construction contracts, leases, purchase orders, rental
agreements, oil and gas drilling and production contracts,
and many other contractual agreements.
a) The purpose of this action is to take a specific risk, which is
detailed in an insurance contract, and pass it from one
party who does not wish to have this risk (the insured) to a
party who is willing to take on the risk for a fee, or premium
(the insurer).
Insurance and Risk Transfer
Risk Pool

2. A risk pool is a method by which insurance
companies control the risk of insuring against
catastrophic events or extending insurance to
individuals or businesses likely to create sizable
claims.
a) If a claim arises from a natural disaster or catastrophic
weather event such as a hurricane, the companies
spread the losses among all members, and single
members of the risk pool are protected from claims so
large they would bankrupt the company, leaving their
claimants with nothing.
Insurance and risk Transfer
Risk Pool

b) The pool must cover claims in the same category,
such as fire or flood, and in a specific geographic
area, usually an entire state.

c) In the event of a natural disaster, the insurance
companies participating in the risk pool draw on the
assets of the pool, in an amount determined by the
agreement, and are protected from paying out
hundreds or thousands of expensive claims on their
own
Insurance and risk Transfer
(Captive Insurance)
3. Captive insurance companies are insurance
companies established with the specific objective of
insuring risks emanating from their parent group or
groups, but they sometimes also insure risks of the
group's customers.
a) This is an alternative form of risk management that is
becoming a more practical and popular means through
which companies can protect themselves financially
while having more control over how they are insured.
Insurance and Risk Transfer

b) Provided by an organisation whose primary business is
not provision of insurance services:
i. Involves provision of insurance capacity for the
organisation by using its internal financial resources to
fund certain anticipated losses or insurance claims
ii. Normally provided by a parent company (parent of the
captive or parent organisation) domiciled in a location that
has a favourable regulatory and accounting regime and
encourages the provision of this service.
Insurance and Risk Transfer

c) Advantages of Captive Companies


i. Savings in overall insurance costs because of lower
premiums.
ii. Access to reinsurance markets, where premium rates
and risk capacity can be favourable.
iii. Greater risk awareness and greater concern about loss
control through exposure to cost of insurance claims.
iv. Greater insurance claims can be offered than is
available in the commercial market.
v. Certain tax benefits available from having a captive
insurance company.
Insurance and Risk Transfer

c) Disadvantages of Captive Insurance Companies:


i. The captive may be exposed to insurance claims that would
otherwise have been paid by the commercial insurance market
ii. The parent has to allocate capital to ensure adequate solvency of
the captive insurance company
iii. Large losses paid by the captive are normally consolidated to the
parent balance sheet. Therefore the organisation ultimately pays
for the losses.
iv. Compliance difficulties arising from captive writing business in
other countries.
v. May involve significant administrative costs, time, and effort in
management of the captive by parent
Insurance and Risk Transfer
(Derivatives and Other Financial Instruments)

4. A derivative is a financial instrument which derives its
value from the value of underlying entities such as an
asset, index, or interest rate; it has no intrinsic value
in itself.
a) Derivative transactions include a variety of financial
contracts, including structured debt obligations and
deposits, swaps, futures, options, caps, floors,
forwards, and various combinations of these.
i. A financial instrument is a tradeable asset of any kind;
either cash, evidence of an ownership interest in an entity, or a
contractual right to receive or deliver cash or another financial
instrument.
Insurance and Risk Transfer

3) Types of Insurance:
a) Legal and contractual obligations
i. Employers' liability-compensation to employees injured
at work.
ii. Public liability- compensation to public or customers
iii. Product liability- compensation for damage or injury
iv. Professional indemnity- compensation to client for
negligent advice.
Insurance and Risk Transfer

b) Balance sheet/profit and loss protection


i. Business premises-damages to premises by adverse
events
ii. Business interruption-loss of profit and increase in cost
of working
iii. Asset protection-losses such as:
• Loss of cash
• Goods in transit
• Credit risk
• Fidelity guarantees (staff dishonesty)
• Machinery breakdown
iv. Motor insurance
v. Terrorism
vi. Loss of key personnel
Insurance and Risk Transfer

c) Employer benefit/protection of employer assets.


i. Life and Health-benefits to employees that can include:
• Life cover
• Critical illness cover
• Income protection
• Private medical costs
• Permanent health
• Personal accident
• Travel injury/losses

ii. Directors’ and Officers’ Liability: legal and compensation
costs
Insurance and Risk Transfer

4) Evaluation of Insurance
a) Because of the many different types of insurance
available, it is critical that each organisation evaluates its
insurance requirements
b) The following factors need to be considered:
i. Specific activities and features of the organisation
ii. The portfolio of risks the organisation faces-this results in a
careful review of how much insurance an organisation
wishes to purchase
c) The table below provides a checklist for organisations to
decide which types of insurance are required
Identifying the Necessary Insurance
No. | Features of the Business | Insurance Requirement
1 | Business has employees | Employers’ liability
2 | Employees travel outside the country | Business travel
3 | Members of the public could be affected | Public liability
4 | Business supplies products or components | Product liability or recall
5 | Business provides professional advice | Professional liability
6 | Theft or dishonesty by employees could occur | Fidelity guarantee
7 | Business occupies business premises | Premises insurance
8 | Premises has machinery or other stock | Contents cover
9 | Business depends on machinery or computers | Engineering insurance
10 | Business could be disrupted by fire, flood etc | Business interruption
11 | Business is involved in transporting goods | Goods in transit
12 | Business has motor vehicles on public roads | Motor
13 | Business provides life benefits to employees | Life and health
14 | Certain staff are key to operation of business | Key person
15 | Business would suffer in event of a bad debt | Trade credit
16 | Business has directors and/or officers (D & O) | D and O liability
Insurance and Risk Transfer
5) Purchase of Insurance
a) The following factors need to be considered in purchasing
insurance:
i. Cost: the premiums required from the insured, level of self-
insurance (excess/deductible)
ii. Coverage: limitations, warranties and exclusions.
iii. The capacity the insurer is willing to offer in relation to the
value of the assets/exposure that need to be insured
iv. The capabilities of the insurer to provide other services like
loss control services and assistance with business continuity
planning.
v. The financial security, status, and capabilities of the
insurer.
vi. Compliance; taxes, with requirements to issue contract
before the policy commences (contract certainty) and issues
relating to acceptance/approval/admittance of policy in
certain countries.
Thank you for your attention
