(ICAEW - BTF) Chapter 5


CHAPTER 5
Introduction to risk management

Introduction
Assessment context

TOPIC LIST
1 Introduction to risk
2 Risks for businesses and their investors
3 Types of risk
4 Cyber risk
5 Risk concepts
6 The objectives of risk management
7 The risk management process
8 Crisis management
9 Business resilience
10 Disaster recovery and business continuity planning
Summary and Self-test
Technical references
Answers to Interactive questions
Answers to Self-test
Introduction

Learning outcomes
• Identify the main components of the risk management process and show how they operate
• Identify the key issues in relation to risk and crisis management, business resilience, business continuity planning and disaster recovery
• Specify different types of cyber risk and attack and the steps organisations can take to improve cyber security

Specific syllabus references are: 1h, i; 7c.

Syllabus links
The topics covered in this introduction to risk management are developed as well in Assurance at Certificate level, in Audit and Assurance, Business Strategy and Technology, and Financial Management at Professional level, and in the Advanced level assessments.

Assessment context
Questions on risk management will be set in the assessment in either MCQ or multiple response format. They will be either straight tests of knowledge or applications of knowledge to a scenario.
144 Business, Technology and Finance ICAEW 2020


1 Introduction to risk

Section overview
• Risk means that something can turn out differently to what you expected, or wanted.
• Risk exists in any situation, while uncertainty arises only because there is inadequate information.
• Pure risk is the possibility that something will go wrong, and speculative risk is the possibility that it will go well.
• Downside or pure risk represents a threat: things may turn out worse than expected.
• Upside or speculative risk represents an opportunity: things may turn out better than expected.

1.1 What is risk?
You know what risk is in everyday terms. You know it is risky to climb a tall ladder, no matter what you may think there is at the top. You know it is risky to bet your life savings on a horse race, no matter how much you think you might win.
These things are risky because at the point when you decide to do them you cannot be sure how bad the outcome will be. You may fall off the ladder and injure yourself when you are half-way up. The horse you back may be beaten at the winning post.
On the other hand, you cannot be sure how good the outcome may be, either: you cannot be sure that the opportunities won't ever amount to anything. If you don't risk climbing the ladder you will never be the owner of whatever it is at the top. Most people would think it is too risky to throw away their life savings on a race, but there is always the chance that your horse will win. If you don't place the bet you will miss the opportunity.
Risks and opportunities exist because nobody knows what will happen in the future, and nobody can control it. Of course you can control whether or not you climb the ladder, but you cannot stop others from doing so, and you cannot stop entirely unexpected things from happening.
These issues can be summarised in the following definition of risk.

Definition
Risk: The possible variation in an outcome from what is expected to happen.

We can break this definition down to highlight the following issues to do with risk:
• Variability: events in the future cannot be predicted with certainty
• Expectation: we expect something to happen, or perhaps hope that it will not happen
• Outcomes: this is what actually happens compared with what is intended or expected to happen

1.2 What is uncertainty?
Risk and uncertainty are not the same things:
• Risk (the possibility of variation) exists in any situation
• Uncertainty arises only because we are ignorant of all the facts: we lack information


Definition
Uncertainty: The inability to predict the outcome from an activity due to a lack of information.

You can never avoid this uncertainty, in anything you do: it is something that you have to make decisions about, or something you need to manage. If you decide to take a risk, or follow up an opportunity, the outcome may be hugely beneficial – or it may ruin you.

1.3 What are upside and downside risks?
Because events could turn out either better or worse than expected, sometimes we refer to two-way risk or symmetrical risk.
The risk that something will go wrong is called 'downside risk'; if it is likely that things will go right, the term 'upside risk' is used.

1.4 How far does risk affect a business achieving its objectives?
When considering whether a business will be successful and achieve its objectives, the term 'pure risk' describes the possibility that something will go wrong, while 'speculative risk' is the possibility that something could go better than expected (though it could go worse). If we all focused on pure risk then there would be little point in taking a risk; the fact that something could go well is the basis on which business flourishes. It is helpful for businesses to think about risk in the context of managing events with an eye on achieving objectives.

Definitions
Downside risk: The possibility that an event will occur and adversely affect the achievement of objectives.
Upside risk (opportunity): The possibility that an event will occur and positively affect the achievement of objectives.

In this chapter we shall be concentrating on risk.

2 Risks for businesses and their investors

Section overview
• Risks for a business include poor market conditions, poor control and poor outcomes of investments. Often businesses look particularly at the risks that they will fail to achieve their critical success factors (CSFs). How far the business is prepared to take on these risks is a measure of its risk appetite.
• The risk to those who finance the business (owners and lenders) is that they will suffer poor rather than high returns on their investment.
• Both businesses and financiers have particular attitudes to the level of risk they are prepared to endure: risk averse, risk neutral and risk seeking.



2.1 Risks for the business
If the objective of a business is to maximise shareholder value then risks for the business are risks of losses, resulting (directly or indirectly) in negative cash flows. When losses become severe, there might be a risk of insolvency, leading to the liquidation of the business.
The activities of certain businesses are inherently risky because they are potentially dangerous to public well-being: transport and pharmaceutical businesses are obvious examples.
The risks faced by businesses in general are as follows.
• There are risks that trade conditions might be poor, and sales might fall or costs might rise. A new product launch might be unsuccessful, or an expensive research and development project might fail to produce a new commercial product.
• There is a risk that inadequate controls (quality controls, administrative controls, controls over people etc) within the business may result in losses through inefficiency, damage to business reputation, or deliberate fraud.
• A business might face risks of a financial nature, and losses might occur because of the way it has financed an operation.
The larger the business, the more varied are the risks.

Interactive question 1: Business risk
Try to identify a small business with which you have some familiarity, such as an audit client or one you have worked for in a vacation. What risks does the business, as opposed to its owner(s), face?
See Answer at the end of this chapter.

2.2 Risks for investors
Lenders have to bear the risk that the business will default on its debt obligations, and fail to make an interest payment or even become insolvent and be unable to repay the loan principal. A lender will expect a higher return than that offered on, say, government securities or gilts (commonly taken to be a risk-free investment), to compensate for the added risk.
Shareholders are the ultimate bearers of risk. If a company becomes insolvent, they will lose all their investment. More important, if company profits fall, dividends and the share price are also likely to fall. Lenders are entitled to interest before any profits can be paid as dividend, so that the risk to income is much less for lenders than for equity shareholders.
Risk for shareholders is two-way: there is the possibility of poor returns (no dividends or low dividends, and a fall in the share price), or profits and dividends might be higher than expected, and the share price might rise by more than anticipated. Risk is greater for shareholders when there is a greater possibility of wide variations in profits, dividends and share prices from year to year. The range of potential variation in returns is known as the volatility of returns.

2.3 Risk and strategic planning
In the strategic planning analysis process it is important to focus on risks that are specific to the business, or the industry sector in which it operates, rather than general ones. They should be mapped to the relevant threats and opportunities that they represent to the business. A plan for managing each specific risk can then be formulated.
It is often useful to relate risks to the business's critical success factors (CSFs), as a significant risk is one that would create an obstacle to any of the CSFs.



Definition
Critical success factor (CSF): 'Those product features that are particularly valued by a group of customers and, therefore, where the organisation must excel to outperform the competition.' (Johnson & Scholes, 2002)

2.3.1 Risk appetite
Not all risk is bad, and returns are generally higher for higher-risk projects. As part of the planning process, the business needs to decide what its 'appetite' for risk is, and apply this in choosing appropriate strategies.

Definition
Risk appetite: The extent to which a business is prepared to take on risks in order to achieve its objectives.

The approach should be as follows.
1 Decide what the business wants to achieve (the strategic objective).
2 Decide what the business's 'risk appetite' is, in other words the extent to which it is prepared to take on risks in order to achieve its objective.
3 Find strategies to achieve the objectives that do not involve more risk than the business is willing to accept.
4 If there are no methods of reducing the risk to an acceptable level, the objective needs to be amended.

2.3.2 Attitudes to risk
• A risk averse attitude is that an investment would be chosen if it has a more certain but possibly lower return than an alternative less certain, potentially higher return investment.
• A risk neutral attitude is that an investment would be chosen according to its expected return, irrespective of the risk.
• A risk seeking attitude is that an investment would be chosen on the basis of it offering higher levels of risk, even if its expected return is lower than an alternative no-risk investment with a higher expected return.

2.3.3 Expected returns
When a business looks at an investment it has to judge what return is expected from it. For instance, an investment of £100,000 at a rate of 5% has an expected return of £5,000.
When the business starts considering risk in relation to an investment it is also likely to derive a range of possible returns from the investment, given best-case, worst-case and most likely scenarios. These can be combined in a weighted average to give the overall expected return.



Worked example: Expected return
Jack plc has the opportunity to invest £100,000 in a project. The project manager has estimated three scenarios for the project's annual return, and the related returns and probabilities:

                        Probability of       Annual return under
                        scenario occurring   the scenario (£)
Worst case scenario     0.3                  2,000
Most likely scenario    0.6                  5,000
Best case scenario      0.1                  10,000

The expected return for the project can be calculated using a weighted average:

                        Probability   Annual return under   Expected return
                                      the scenario (£)      (probability × return) (£)
Worst case scenario     0.3           2,000                 600
Most likely scenario    0.6           5,000                 3,000
Best case scenario      0.1           10,000                1,000
Expected return                                             4,600

Note that the expected return of £4,600 is not actually predicted as a return; it is used instead as an overall measure of the investment for decision-making and risk evaluation purposes.

3 Types of risk

Section overview
• Business risk arises from the business's nature, industry and environment.
• Financial risks can be controllable or uncontrollable.
• Operational risks arise from things just going wrong.

3.1 Business risk
Business risk arises from the nature of the entity's business, its industry and the conditions it operates in. Business risk is willingly taken by the business as part of its objective of making a return.
Business risk includes:
• Strategy risk: The risk that the business's objectives will not be achieved because it chooses the wrong corporate, business or functional strategy. A key strategy risk in the current era of rapid technological change is to fail to keep up with technological developments.
• Enterprise risk: The chance that a strategy will succeed or fail, and therefore whether the business should have undertaken it in the first place.
• Product risk: The chance that customers will not buy the company's products or services in the expected quantities.
• Financial risk arises in part from how the business is financed and in part from changes in the financial markets such as to interest rates and exchange rates (see section 3.2).



• Operational risk is the risk that something will just go wrong. It is not a risk that a business willingly accepts and indeed a large part of both management and risk management is attempting to make sure that potential operational risks do not occur (see sections 3.3 and 3.4).

3.2 Financial risk
Financial risk is a key concern to businesses and to professional accountants. There are two types:
• Controllable financial risk is financial risk arising from factors that are within the business's direct control. They arise in particular from:
– How far the business chooses to finance itself by debt rather than shares (gearing risk). High borrowing, in relation to the amount of shareholders' capital in the business, increases the risk of volatility in earnings, and insolvency
– How far the business deals with customers who end up not paying (credit risk)
– How far the business's costs are incurred in such a way that there is increased likelihood of it running short of cash (liquidity risk). A business is exposed to greater liquidity risk if, for instance, it has a high proportion of fixed costs which must be paid whatever its level of revenue
• Uncontrollable financial risk is financial risk arising from factors that operate independently of the business. The key factor here is market risk, that is the risk of losses resulting from changes in market prices or rates that the entity itself cannot control but can deal with or manage. These include share prices, commodity prices, interest rates and foreign exchange rates. Management of these financial risks is a key role for accountants using hedging and other techniques
Financial risk is assessed in greater detail in Financial Management at the Professional Level.

3.3 Operational risk
Unlike business risk, operational risk is not willingly incurred by the business in order to make a return. Operational risk relates to things that just go wrong. A useful way of describing it is in terms of what causes it.

Definition
Operational risk: The risk that actual losses, incurred because of inadequate or failed internal processes, people and systems, or because of external events, differ from expected losses.

• Process risk is the risk that a business's processes may be ineffective (fail to achieve their objectives) or inefficient (achieve their objectives but at excessive cost).
• People risk is the risk arising from staff constraints (for example insufficient staff, or inability to pay good enough wages to attract the right quality of staff), incompetence, dishonesty, or a corporate culture that does not cultivate risk awareness, or encourages profits without regard to the methods used to make them.
• Systems risk is the risk arising from information and communication systems such as systems capacity, security and availability, data integrity, and unauthorised access and use. A key aspect of systems risk arises from the interconnectedness of computer systems via the internet, known as cyber risk (see section 4).



• Event risk is the operational risk of loss due to single events that are unlikely but may have serious consequences. These include:
– Disaster risk: a catastrophe occurs, such as fire, flood, ill health or death of key people, terrorism and so on
– Regulatory risk: new laws or regulations are introduced, affecting the business's operations and profitability
– Reputation risk: the business's activities damage its reputation in the eyes of stakeholders
– Systemic risk: failure by a participant in the business's supply chain or system to meet its contractual obligations, so the system itself is at risk
Another way of classifying event risks is according to their sources in the environment:
– Physical risks: such as climate and geology
– Social risks: changes in tastes, attitudes and demography
– Political risks: changes determined by government, or by a change of government
– Legal risks: the consequences of being unable to enforce contracts, of breaking the law or otherwise of failing to meet legal duties or obligations. Legal risk can also arise from changes in legislation and regulations
– Economic risks: changing economic conditions such as a recession
– Technology risks: changes in production or delivery technology and from the threat of cyber attack

4 Cyber risk

Section overview
• Cyber risk is a type of operational risk that has become increasingly relevant to businesses over the last few years. It is important to understand cyber risks and how they can be mitigated.
• Cyber risk is the risk of financial loss, disruption or damage to the reputation of an organisation from failure of its information technology systems due to accidents, breach of security, cyber attacks or poor systems integrity.
• Cyber attacks are deliberate actions against an organisation. They include some low level cyber threats (eg, phishing) as well as more serious attacks (hacking and DDoS).
• Organisations can implement Cyber Essentials to improve their cyber security.

Definition
Cyber risk: Cyber risk is the risk of financial loss, disruption or damage to the reputation of an organisation from failure of its information technology systems due to accidents, breach of security, cyber attacks or poor systems integrity.

Such a risk could materialise in the following ways:
• Deliberate and unauthorised breaches of security to gain access to information systems for the purposes of espionage, extortion or embarrassment (cyber attacks).
• Unintentional or accidental breaches of security, which nevertheless may still constitute an exposure that needs to be addressed
• Poor systems integrity resulting in incomplete or corrupted data or processing



4.1 Cyber attack and threats to computer systems

Definition
Cyber attack: A deliberate action through the Internet against an organisation with the intention of causing loss, damage or disruption to activities.

The National Crime Agency (NCA) website identifies the following as the most common cyber-attacks and threats to computer systems:
• Hacking: using specialist software and tools to gain unauthorised access to systems (especially social media and email accounts) – see below
• Phishing: bogus emails that ask the user for security information and personal details
• Malicious software (such as file hijacker/ransomware): where criminals hijack a user's files and hold them to ransom
• Distributed denial of service (DDoS) attacks: overwhelming websites and other online services with vast amounts of internet traffic which is designed to crash, or stop the system from working – see below
Other types of cyber-attack, which are less common, include:
• Webcam manager: where the user's webcam is taken over
• Keylogging: where criminals record what the user types onto their keyboard
• Screenshot manager: where screenshots are taken of the user's computer screen
• Ad clicker: where a user's computer is directed to click a specific link
We shall explore the concept of cyber resilience (an organisation's ability to prepare for, respond to and recover from cyber-attacks) later in this chapter when we consider business resilience.

4.2 Hacking
Hacking is one of the main methods that attackers use to gain access to computer networks. This is achieved by the use of specialist software and other tools. The intruders are able to gain unauthorised access to the network and take administrative control. This means they are able to amend, copy and delete records, or even stop the network from operating.
The main risk of hacking is that data stored on the network could be compromised. Personal data (such as HR or customer records) as well as strategic and other sensitive data can be used by the attackers to make money, usually through its sale to third parties, or to achieve some other purpose such as furthering a political agenda.
Another risk is that damage to computer networks could put the business's physical infrastructure in danger, compromising its ability to operate. For example, if a travel company's computer network goes down there is a risk that day-to-day business activities, such as booking new holidays and managing existing ones, will cease with major implications for both the business and its suppliers and customers.

4.3 Distributed denial of service (DDoS) attacks
DDoS attacks are designed to disrupt an organisation's online presence by preventing legitimate users from accessing the organisation's online services. This is achieved by overwhelming the organisation's website and communications links with a wave of internet traffic that the system is unable to handle.



Criminals are able to organise DDoS attacks through the use of botnets. These are large groups of individual computers that the criminals have previously compromised. On a signal sent by the organiser of the attack, the affected machines are instructed to send messages simultaneously to the target.

4.4 Tackling cyber attacks
There are a number of basic actions that businesses can take to counter the threat of cyber attacks with better cyber security.

Basic action and explanation
• Report cyber attacks/incidents: If cyber attacks and other cyber incidents are reported, it allows law enforcement agencies to investigate. This improves their understanding of the scale of cyber attacks and helps shape future responses to them, as well as making sure that their resourcing and funding is appropriate.
• Cyber risk mitigation: The more devices that an organisation connects to the internet, the more exposed it is to potential attack. Cyber security is the main method of mitigating cyber risk and is vital to protect the business's operating capability, finances and reputation. Even basic cyber security methods can reduce the risk of most attacks.
• Manage cyber security: To be most effective, cyber security should be integrated with risk management. The aim of cyber security is to increase the difficulty that a cyber attacker faces in order to make a successful attack. The appropriate level of cyber security depends on the size of the organisation and the cyber risk that it faces. Small organisations or those with relatively low cyber risk should focus on the fundamentals. Larger organisations or those with high cyber risk should aim for greater depth of security.
• Promote awareness: Organisations should promote best practice to their stakeholders, such as employees, in regards to cyber security. This could include setting a strong password policy and encryption methods, and making sure that users apply them.
• Share knowledge and expertise: Organisations should share knowledge and expertise with other businesses and stakeholders. All parties are likely to gain something by sharing what they know.
• Develop cyber skills and awareness: Organisations should consider cyber security training programs for new staff or employ staff with good cyber security skills to help improve the depth of knowledge within the business.



4.5 Importance of cyber security

Definitions
Cyber security: The protection of systems, networks and data in cyberspace; the procedures used by a business to protect its information system (hardware, software and information) from damage, disruption, theft or other loss.
Critical information assets: Assets which are fundamental to an organisation's core activities and their performance, as well as its overall capability and viability.

The security of computer systems is of vital importance to businesses.
• It is a legal obligation under data protection law and other regulations to protect certain types of data in a computerised system.
• Information accessed, stored, processed and made available online is of vital strategic and commercial importance.
• The connectedness of computer systems makes the threat of external attack ever more likely.

ICAEW's Audit Insights: cyber security report (ICAEW, 2018) explains that many organisations have legacy IT systems. These are often fragmented, non-standard systems that are often supported just by spreadsheets. In the long term, organisations with such systems will need to invest in technology in order to reduce complexity and to have resilience, recovery and responses to cyber breaches in place.
In the first of the Audit Insights: cyber security reports (ICAEW, 2013), the following key challenges and priorities for boards in managing cyber risks were identified.
• Businesses should consider cyber risk in all their activities: the challenge here is to move cyber risk from being pigeon-holed as 'IT' to be seen as an integral part of all business risks.
• Businesses need to accept their security will be compromised: this emphasised a different mindset, recognising some level of compromise as inevitable and broadening cyber security activities beyond prevention to include intelligence, detection and response.
• Businesses should focus on their critical information assets: given the inevitability of breaches, businesses need to prioritise their security activities around their most valuable pieces of data, although identifying these was often a major challenge.
• Most businesses don't get the basics right: the real challenge for businesses of all sizes is achieving basic cyber hygiene.
The content of these reports is important when we consider business resilience in section 9.

4.6 Technical controls for cyber security
The 'Cyber Essentials' scheme was developed by the UK Government and industry bodies to show organisations how to protect themselves against low-level cyber risks. It lists five controls, in simple terms, that an organisation should have in place. Each of these controls is supported by technical protections:

Controls and technical protections
• Use a firewall to secure its internet connection: Boundary firewalls and internet gateways – software that intercepts network traffic in and out of a system
• Choose the most secure settings for its devices and software: Secure configuration – ensuring the system is set up with cyber security as a priority
• Control who has access to data and services: Access control – physical and network procedures to restrict access to a system
• Protect itself from viruses and other malware: Malware protection – software that prevents and removes unwanted programs from a system, such as anti-virus software
• Keep devices and software up to date (also known as 'patching'): Patch management – ensuring the latest updates to software are installed

These minimum cyber security controls should be applied to all areas of the business, such as cloud services, business and personal devices or specific technologies used in the organisation.
We shall look at information security in more detail in Chapter 6.

ni
5 Risk concepts

ar
Section overview

e
 How big a risk a business is facing is measured in terms of exposure, volatility, impact and
probability.
ce am L
en tn in
The scale of any risk for a business depends upon four key risk concepts.

s
 Exposure is the measure of the way in which a business is faced by risks. Some businesses

ie
er ie er

will by their very nature be less exposed than others. A transport company such as an airline
or a railway operator is considerably more exposed to the risk that its customers will be
op
injured while using its services than is a bank or a firm of accountants. A business that has
ef V rtn

minimal debt finance and no overseas customers or suppliers has little or no exposure to
the risks of either interest rate movements or exchange rate movements.
C
Pa

 Volatility is how the factor to which a business is exposed is likely to alter. A coffee
producer is dependent on good weather; businesses like fashion and music are subject to
changes in public taste. Some businesses operate in regions that are politically unstable.
 Impact (or consequence) refers to measures of the amount of the loss if the undesired outcome occurs. Impact might be measured purely in financial terms, or in terms of delay, injuries/loss of life or other ways depending on the risk being faced.
 Probability (or likelihood) means how likely it is that a particular outcome will occur. In some cases it is possible to estimate probability on the basis of past experience (historical records) combined with information about all the factors involved and how they interact. In others it is much harder to estimate probability because no historical data exists. The development of an entirely new product is an example.

The greatest risks for a particular business will arise when:


 exposure is high
 the underlying factor is volatile
 the impact is severe, and
 the probability of occurrence is high

Different combinations of these four risk concepts result in different levels of response from the business.



6 The objectives of risk management

Section overview
 Risk management involves identifying, analysing and controlling those risks that threaten
the assets or earning capacity of the business so as to reduce the business's exposure by
either reducing the probability or limiting the impact, or both.

6.1 What is risk management?

Definition
Risk management: The identification, analysis and economic control of risks which threaten the assets or earning capacity of a business.

Risk management is actively used by many businesses, some of which employ risk managers. Smaller businesses and individuals may not recognise a specific task of risk management but will nevertheless have developed their own methods of analysing and managing risk.

The purpose of risk management is to understand and then to minimise cost-effectively the business's exposure to risk and the adverse effect of risks, by:

 reducing the probability of risks occurring in the first place, and then if they do occur
 limiting the impact they will have on the business

6.2 When is risk management necessary?

 There may be legal requirements to manage risk; you are required by law to insure your car, for instance.

 Risk management (in the form of insurance) may be required by licensing authorities and regulatory bodies. For example a football stadium would not be allowed to operate if it did not have public liability insurance; ICAEW members in public practice must have professional indemnity insurance (PII).


 Financial organisations may require risk management; if you have a mortgage your lender no doubt requires you to have buildings insurance to protect its security.

Interactive question 2: Indemnity insurance



Find out, if you can, the basis of the requirement that chartered accountants should have to have professional indemnity insurance (PII), and what it is designed to achieve.

See Answer at the end of this chapter.

Large listed companies in the UK are required to determine the nature and extent of their
significant risks and to maintain sound risk management systems.
A risk-based management approach is a requirement for all UK companies with a premium
listing under the UK Corporate Governance Code. We shall see more about this in Chapter 12.



7 The risk management process

Section overview
 Risk management involves identifying risk, assessing and measuring it in terms of
exposure, volatility, impact and probability, controlling it by means of avoidance, transfer
and reduction, accepting what remains and then monitoring and reporting on events.
 Risks can be identified by considering what losses would ensue: property, liability,
personnel, pecuniary and interruption loss.
 Once identified, the gross risk is measured by multiplying its probability (a value between 0 and 1) by the impact (the value of the loss that would arise). The aim of risk management is to minimise gross risk.

 Some risk can be avoided by not doing the risky activity, and some can be reduced by taking precautionary measures. Some of what remains of the gross risk can be transferred to someone else, especially by insurance. The remaining gross risk must be accepted or retained.

 All the elements of the risk management process must be monitored and reported on to
an appropriate person.


7.1 What is involved in the risk management process?


Figure 5.1: Risk management process (flowchart: awareness and identification; analysis: assessment and measurement; response and control, comprising avoidance, reduction, sharing and acceptance; monitoring and reporting)


 Risk awareness and identification, using techniques such as brainstorming and analysis of past experience to identify the business's exposure to risks
 Risk analysis (assessment and measurement): this considers the volatility of particular factors, the probability of an event occurring and the severity of the impact if it does. Measurement may be qualitative or quantitative



 Risk response and control: in essence a risk can be avoided (do not do the risky activity),
reduced (eg, by strictly controlling processes), shared (eg, with an insurer) or simply
accepted
 Risk monitoring and reporting is a continuous process
We shall look at each element of the risk management process in turn.

7.2 Risk awareness and identification


Risk awareness is partly a state of mind, but it is also dependent on how well the matter under consideration is understood.

Suppose a UK business was considering launching a new product in China but knew absolutely nothing about doing business in China. It is highly likely that it will not be aware of the many risks to which the business could be exposed because of factors such as different regulations, different ways of approaching customers, differences in disposable income and so on. The risks remain to be identified.

Definition
Risk identification: Identifying the whole range of possible risks and the likelihood of losses occurring as a result of these risks.

Risk identification must be a continuous process, based on awareness and knowledge that:
 potential new risks may arise
 existing risks may change
Exposure to both new and altered risks must be identified quickly and managed appropriately.

There are two approaches to identifying risks, which operate most effectively when combined.
 A top-down approach is led by the senior management/board of the business, spending time on attempting to identify key risks. Often, this is linked to the business's CSFs: what might happen to prevent us from achieving each CSF?
 A bottom-up approach involves a group of employees, with an expert in risk management, working together to identify risks at the operational level upwards.


Categories of loss:
 Property loss – possible loss, theft or damage of any static or moveable assets
 Liability loss – loss occurring from legal liability to third parties, personal injury or damage to property
 Personnel loss – due to injury, sickness or death of employees
 Pecuniary loss – as a result of defaulting receivables
 Interruption loss – a business being unable to operate due to one of the other types of loss occurring
Identifying too many risks can make the risk management process overly complex. The business
should focus its efforts on significant risks: those that are potentially damaging to the business's
value.

7.3 Risk analysis: assessment and measurement


After risks have been identified, there should be a process of judging whether each risk is
serious, and which risks are more serious than others.



Definitions
Risk assessment: For each risk its nature is considered, and the implications it might have for the
business achieving its objectives; an initial judgement is then made about the seriousness of the
risk.
Risk measurement: Identifying the probability (likelihood) of the risk occurring, quantifying the
resultant impact (consequence) and calculating the amount of the potential loss using expected
values for gross risk.
Gross risk: The potential loss associated with the risk, calculated by combining the impact and
the probability of the risk, before taking any control measures into account.

An aim of risk assessment should be to identify those risks that have the greatest significance,
and so should receive the closest management attention.

Significance can be measured in terms of the potential loss arising as a result of the risk, that is its gross risk. This depends on:
 The potential impact, quantified as an expected value (usually using weighted averages as we saw earlier in relation to expected returns)
 The probability of occurrence, measured mathematically, as a decimal between 0 and 1

Gross risk = Probability × Impact

A method that is frequently used to assess risks is to plot each one on a risk map, showing impact on a scale of 1 to 10 (or just low to high) on one axis, and probability on a similar scale on the other axis.

Figure 5.2: Risk assessment map (impact, low to high, on the vertical axis; probability, low to high, on the horizontal axis; the high impact/high probability corner is marked 'high significance' and the low impact/low probability corner 'low significance')



With regard to controlling risk the greatest attention may then be paid to risks that fall in the high significance (high impact/high probability) quadrant, bearing in mind that the quantum of each in terms of gross risk should also be considered: a 'high significance' gross risk of only £10,000 will probably draw less attention than a medium significance risk of £1 million, for example.

In Chapter 12 we shall look at corporate governance and risk assessment relevant to large listed companies in the UK (the UK Corporate Governance Code and the FRC's guidance on risk management, internal control and related financial and business reporting).
7.4 Risk response and control
Measurement (qualitative or quantitative) and assessment establish priorities that determine the amount of management time that should be spent developing and implementing a response to control any particular risk: obviously, large gross risks in the high significance quadrant should be considered first.
The possible responses to a risk, so as to control it, are as follows.
 Avoidance: not doing the risky activity. This may not be an option, but the first question should always be 'Do we need to do this risky activity at all?'
 Reduction: doing the activity, but using whatever means are available to ensure that the probability of the event occurring and the impact if it does are as small as possible.
 Sharing: for example taking out insurance against the risk, but only after every effort has been made to reduce it, so that insurance premiums are kept as low as possible. Another sharing strategy might be to enter an agreement with one or more other companies (joint ventures, outsourcing arrangements and partnerships with suppliers are all examples). Hedging is a means of sharing market risk. Risk sharing is sometimes called risk transfer, but it is rare to be able to transfer all the risk.
 Acceptance (sometimes called retention): this should only be considered if the other options are not viable, for example if the costs of extra control activities and the costs of insuring against the risk are greater than the cost of the losses that will occur if the event happens. The concept of materiality should apply: immaterial risks can be accepted. Nevertheless, risks that have been accepted should still be kept under review: new developments may mean that a different response becomes more appropriate.
The risk map can be expanded to include risk responses depending on the assessment and measurement of the risk.
Figure 5.3: Risk responses (risk map with impact on the vertical axis and probability on the horizontal axis):
 High impact, low probability: these risks might be shared using insurance, and at the same time the impact might be reduced so that insurance premiums are lower
 High impact, high probability: these risks must be controlled, using avoidance, reduction and/or sharing
 Low impact, low probability: often these risks are just accepted, as the cost of avoiding, reducing or sharing them exceeds the benefits
 Low impact, high probability: reduction is the key response here
The controls that are put in place in response to risks can take a variety of forms.
 Physical controls such as locks, speed limits and clothing protect people, assets and money
 Financial controls such as credit checks, credit limits and customer deposits protect money
and other financial assets
 System controls include procedural controls, so that processes are carried out in the right
way, software controls in computer systems, and organisation controls on people so that,
for instance, they do not exceed their authority. Together system controls protect the
business's ability to perform its work
 Management controls include all aspects of management that ensure the business is
properly planned, controlled and led, such as the organisation's structure, and the annual
budget
We shall see more about controls later in this Study Manual.
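As an added worked example (not taken from the study manual), the following Python risk register applies the section 7.3 formula Gross risk = Probability × Impact, with impact taken as an expected value, and then assigns each risk the quadrant response described for Figure 5.3; the risk names, loss figures and the high/low thresholds are all constructed for illustration.

```python
"""Added worked example, not part of the ICAEW study manual: a small risk
register applying Gross risk = Probability x Impact (section 7.3) and the
quadrant responses of the Figure 5.3 risk map (section 7.4).

Impact is an expected value: a weighted average of the possible losses
should the event occur. Probability is a decimal between 0 and 1.
Every risk, loss figure and threshold below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed cut-offs between the 'low' and 'high' halves of each map axis.
HIGH_IMPACT = 100_000.0   # expected loss in GBP at or above which impact is 'high'
HIGH_PROBABILITY = 0.5    # probability at or above which likelihood is 'high'

# Default response per quadrant, as the text describes for Figure 5.3.
RESPONSES = {
    ("high", "high"): "control using avoidance, reduction and/or sharing",
    ("high", "low"): "share (insure) and reduce impact to lower premiums",
    ("low", "high"): "reduce",
    ("low", "low"): "accept (retain) and keep under review",
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float                          # chance the event occurs, 0..1
    outcomes: tuple[tuple[float, float], ...]   # (weight, loss in GBP) given it occurs

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if abs(sum(w for w, _ in self.outcomes) - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: outcome weights must sum to 1")

    def expected_impact(self) -> float:
        """Weighted-average loss given that the risk event occurs."""
        return sum(w * loss for w, loss in self.outcomes)

    def gross_risk(self) -> float:
        """Gross risk = Probability x Impact, before any control measures."""
        return self.probability * self.expected_impact()

    def quadrant(self) -> tuple[str, str]:
        """(impact, probability) position on the risk map."""
        impact = "high" if self.expected_impact() >= HIGH_IMPACT else "low"
        prob = "high" if self.probability >= HIGH_PROBABILITY else "low"
        return impact, prob

    def response(self) -> str:
        """Default response for the quadrant the risk falls in."""
        return RESPONSES[self.quadrant()]


def rank_by_gross_risk(register: list[Risk]) -> list[Risk]:
    """Order risks by gross risk, largest first: the order in which
    management time should be allocated to them (section 7.4)."""
    return sorted(register, key=lambda r: r.gross_risk(), reverse=True)


def attention_order(register: list[Risk]) -> list[str]:
    """Names of the risks in the order they should receive attention."""
    return [r.name for r in rank_by_gross_risk(register)]


# Constructed register. The data centre outage is high impact but low
# probability (medium significance on the map), yet its gross risk of
# GBP 1m outranks the high/high supplier risk, as the text cautions.
SAMPLE_REGISTER = [
    Risk("Key supplier fails", 0.6, ((0.5, 150_000.0), (0.5, 250_000.0))),
    Risk("Data centre outage", 0.2, ((1.0, 5_000_000.0),)),
    Risk("Warehouse fire", 0.05, ((0.8, 500_000.0), (0.2, 2_000_000.0))),
    Risk("Minor customer default", 0.7, ((1.0, 4_000.0),)),
    Risk("Office laptop lost", 0.1, ((1.0, 12_000.0),)),
]


if __name__ == "__main__":
    for r in rank_by_gross_risk(SAMPLE_REGISTER):
        print(f"{r.name:24} p={r.probability:<5} impact=GBP {r.expected_impact():>12,.0f} "
              f"gross=GBP {r.gross_risk():>12,.0f} {r.quadrant()} -> {r.response()}")
```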



7.5 Monitoring and reporting risk
Monitoring risk should be a continuous, ongoing process, such that if a risky event does occur
then the action taken should include an immediate review of the management of that risk,
followed by changes as necessary. In this sense 'monitoring' is a form of control.
 Has corrective action now been taken? Has it been effective?
 Was the risk identified in the first place, and if not why not?
 If the risk was identified and planned for but the event still occurred is it because early
warning indicators were not monitored?
 If the response and/or controls were ineffective what changes or new procedures are necessary?
All identified risk management problems that could affect the organisation's ability to achieve its objectives should be reported to those in a position to take necessary action.
 The chief executive regarding serious problems

 Senior managers regarding risk management problems that affect their units

 Managers in increasing levels of detail as the process moves down the organisational
structure

The board of directors or audit committee should also be informed. The board or committee may ask to be made aware only of problems that meet a specified threshold of seriousness or importance.

Premium listed companies (see Chapter 8, section 6) are required to follow the main principles of the UK Corporate Governance Code so the board must:
 Carry out robust assessments of the company's emerging and principal risks
 Monitor the company's risk management and internal control systems at least annually
 State whether it is appropriate to adopt the going concern basis of accounting in annual and half-yearly statements
 Explain how the board assessed the prospects of the company in its annual report.

We shall see more about this in Chapter 12.


8 Crisis management

Section overview
 Crisis management involves identifying a crisis and planning a response to it.


 Three main types of crisis are financial, public relations and strategic.
 Businesses need contingency plans to deal with a crisis should it occur.
8.1 What is a crisis?

Definition
Crisis: An unexpected event that threatens the wellbeing of a business, or a significant disruption to the business and its normal operations which impacts on its customers, employees, investors and other stakeholders.

Crises can be fairly predictable and quantifiable, or totally unexpected.



8.2 What is crisis management?

Definition
Crisis management: Identifying a crisis, planning a response to the crisis and confronting and
resolving the crisis.

Crisis management is much more commonly used in businesses now.


 Crises such as natural disasters and terrorism have been seen to have an even more extreme effect in the context of global trade, so businesses are more motivated to manage crises better.
 Society is more litigious than it used to be, and businesses are expected to be able to deal better with crises now than in the past.
 Better IT and other technology systems allow businesses to be able to do more to avert and/or manage a crisis.
 Social media means that publicity surrounding any sort of crisis is widespread and can feed on itself, raising the potential for very severe reputational consequences if damage limitation does not swing into action quickly.

8.3 Types of crisis

There are three main types of crisis in terms of their effects on the business:
 Financial crisis – short-term liquidity or cash flow problems, and long-term solvency problems
 Public relations crisis – negative publicity that could adversely affect the success of the business
 Strategic crisis – changes in the business environment that call the viability of the business into question, such as new technology making old products or processes obsolete
There are many types of crisis in terms of their cause.
 Natural event – physical, especially environmental, destruction due to natural causes such
as earthquake
 Industrial accident – buildings collapse, fire, release of toxic fumes, sinking or leaking of a
ship
 Product or service failure – product recall of faulty or dangerous goods; communications, systems or machine failure causing massive reduction in capacity; health scare related to the product or industry


 Public relations disaster – pressure group or unwelcome media attention; adverse publicity
in the media; removal/loss/prosecution of chief executive officer or other key management
 Business crisis – sudden strike by workforce; sudden collapse of key supplier; withdrawal of
support by major customer; competitor launches new product; sudden shortfall in demand
 Management crisis – hostile takeover bid; death of key management; managers poached
by main competitor; boardroom battles
 Legal/regulatory crisis – product liability; new regulations increase costs or remove
competitive edge; employee or other fraud



8.4 Managing a crisis
A crisis happens when a risk becomes a reality. The business should seek to prevent crises, and
to have contingency plans should a crisis occur. It should also act to resolve an actual crisis in the
most effective way.

8.4.1 Crisis prevention


The business should always seek to prevent a crisis by planning ahead and projecting likely
outcomes; it should avoid decisions that have the potential to turn into a crisis.

8.4.2 Contingency planning

The business should make a contingency plan for the worst and/or most likely crises to occur.
This must be kept up to date, and staff should be trained in how it should be implemented in the
event of a crisis.

8.4.3 Effective action in the event of a crisis

 Assess objectively the cause(s) of the crisis
 Determine whether the cause(s) will have a long-term or short-term effect
 Project the most likely course of events
 Focus resources on activities that mitigate or eliminate the crisis
 Look for opportunities

In the event of a public relations crisis:
 Act immediately to prevent or counter the spread of negative information; this may require intense media activities
 Use media to provide a counter-argument or question the credibility of the original negative publicity

Interactive question 3: Contingency planning
Consider what you would do if, at a time when your business has a small overdraft and very little
money expected in shortly, it is faced with a large demand from a government body which
requires settlement in one month.
See Answer at the end of the chapter.


9 Business resilience
Section overview
 Business resilience can be assessed using two factors: the processes and functions that protect the organisation; and cross-cutting characteristics of the organisation that drive resilience.
 There are a number of features that resilient organisations share as well as a number of challenges to building resilience.
 Organisations should measure their current levels of resilience in order to identify areas that can be improved.



9.1 What is business resilience?

Definition
Business resilience: A business's ability to manage and survive against planned or unplanned
shocks and disruptions to its operations.

Organisations exist within the business environment. This environment is highly dynamic with
changes happening much of the time. Usually, these changes are small and unlikely to
significantly adversely affect most businesses (such as minor changes to legislation or tax rates).
However, from time-to-time, larger events can occur which shock organisations and can have

ng
significant detrimental effects on them (for example, strict new laws being enforced; economic
recessions and major uncertainties in the political or social contexts; new technologies and/or
new competitors disrupting an industry, as e-commerce has done to 'traditional' retailing).

Other changes might be planned by the organisation itself. It may, for example, choose to make a major investment overseas, close down a significant operation, or stretch itself financially by taking on high levels of debt.

Business resilience is the ability of an organisation to manage all of these changes and survive,
regardless of how disruptive these changes are.

According to the ICSA Solutions report 'Building a resilient organisation', an organisation's resilience can be described on two axes.

Axis 1: Processes and functions that protect the organisation
 Risk management
 Business continuity planning
 Security
 IT disaster recovery
 Health and safety
 Crisis management
 Internal audit
 Governance
Axis 2: More general ('cross-cutting') characteristics of the organisation that drive resilience
 The level of trust employees have in the organisation and its management
 The level of trust of customers in the organisation
 The ability of the organisation to innovate
 The extent that organisational values are understood
 The extent that organisational values drive employee behaviour
 The ability of the organisation to operate risk management
 Employee morale
 Leadership and senior management involvement

Interactive question 4: Failing organisations


For an organisation that you are familiar with, or have read about in the press or online, that has
failed, consider the following:
 Why did it fail?
 What are the key factors (internal/external) which led to its failure?
 What do successful organisations in the same industry do differently, which has led to them
being successful?
See Answer at the end of this chapter.



9.2 Resilient organisations
The ICSA report identifies the following features of resilient organisations:
 Have diversified resources and assets to facilitate alternative approaches and adaptation to change
 Build strong relationships and networks (both internal and external)
 Have the ability to respond rapidly and decisively to an emerging crisis
 Have the ability to review and adapt based on experience and changing circumstances
The report also identifies the following challenges to building a resilient organisation:

 Lack of expertise – As organisations become more complex, a greater degree of expertise is required to ensure that approaches and activities used are robust and result in an appropriate level of resilience.
 Lack of input from senior management – Directors delegate delivery of resilience policies and procedures to operational managers who may not fully understand what is required, or the urgency of the task in hand.
 Siloes for delivery – Implementation of resilience programmes may lack cross-organisational collaboration, with each business function only being concerned with their specific area. Therefore the synergy that would be created if all business areas worked together is lost.
 Limited sharing of risk information – Siloes also limit information sharing. Rather than sharing the outputs of their work on resilience, functions tend to keep the information to themselves. Therefore the opportunity to improve resilience by cross-referencing and sharing results of investigations is lost.

9.3 Measuring resilience


Because an organisation's environment is constantly changing, the level of its resilience will also change. For example, it might have procedures in place to ensure that if interest rates rise, to say 5%, it can cope financially, but what happens if interest rates rise to 10%? Therefore it is important that organisations have a means of measuring their resilience, so that they can adapt if necessary.

The ICSA report identifies the following four metrics that can be used to measure resilience:
 Compliance – how well the organisation complies with its standards and policies
 Completeness – the scope of resilience (ie, how wide a range of issues the organisation is prepared for)
 Value – qualitative and quantitative measures of how well the organisation can meet specific outcomes
 Capability – evidence, collected through exercises and reviews, of the extent to which the organisation has put resilience processes and procedures in place



9.4 Cyber-resilience

Definition
Cyber-resilience is the ability of an organisation to ensure that its data and information are reliable, available, have integrity and are adequately protected from unauthorised access.

Cyber security is an important part of an organisation's resilience. It is a function that helps protect organisations against the risk of cyber-attack and therefore provides resilience against this type of threat. Security measures are, however, no guarantee of total protection and therefore it is vital for organisations to have alternative, back-up plans to deal with cyber-attacks that do get through the defences.
As well as cyber security, organisations should also have appropriate IT disaster recovery procedures set up. Such systems provide back-ups of the data and information held by the organisation that can be used to replace data and information lost in a cyber-attack.

According to the ICAEW report, Developing a cyber-resilience strategy (2014), the following are
threats to an organisation's cyber-resilience:

 Mobile threats – this is the risk that mobile devices containing information, data and connections to an organisation's system are lost or stolen.
 Networking and cloud considerations – this is the risk that broadband, wi-fi and other network connections become unavailable and therefore users working remotely or via the cloud cannot access the organisation's systems or data.
 Access controls in the mobile world – this is the threat that access controls to the organisation's main system are compromised due to inferior controls being in place on mobile devices. In some instances, the organisation does not have control over access if this is provided by third parties.
 Other threats – the report identifies a number of other threats, such as attacks on company websites, social media and email. There are also threats such as fire, hardware failure and burglary that will also prevent access to company systems.
To counter cyber-resilience threats, organisations should develop an information security plan. Whilst the contents and details of a company's plan will depend on its business and systems, it should cover the following areas.

 Securing system and device configurations
 Network security
 User privileges
 Home and mobile working
 Removable media controls
 User education and awareness
 Web services
 Legal requirements
 Compliance
 Incident management
 Monitoring
The report covers some specific cyber-resilience issues that organisations need to consider.
 Understand where all the information is – key information that is vital to the business should
be identified and located.
 Separate systems with different levels of trust – once the key information is identified and
located, trust levels can be set for networks so that there is adequate protection in place
(such as firewalls between networks).



 User access rights and obligations – principles should be established to determine the
rights that people, organisations and systems have in regards to data and information. For
example, only a few individuals should be granted full administrator rights that enable them
to amend and delete data. There should be rules in place that set how and where data may
be accessed (such as restrictions on accessing the system in a public place).
 Address specific weaknesses – policies and procedures should be established to minimise
the risk to systems (such as rules governing how data may be transmitted to and from
mobile devices).
 Cover all key legal issues – the organisation must ensure full compliance with the Data
Protection Act.

 Address third party relationships – where systems are provided by third parties the relationship should be managed. In some instances (such as where a bespoke system is provided) this can be set out in a contract and a degree of control achieved. However, for some systems (such as email services) this is not always possible and the organisation should set out policies and procedures to control how such services are selected.
 Conformance assessment and penetration testing – the organisation should set out policies to control the extent to which systems conform to certain security profiles. These assessments should be regular in order to determine whether systems are meeting security criteria.
 In-house versus external managed security services – organisations may establish in-house data security teams and this allows maximum control over data security. However, smaller organisations may need to outsource security due to the costs of resourcing it. If this is the case then it is important for the organisation to retain as much control over it as possible.
 Define specific responsibilities – policies should establish where responsibility for the various aspects of cyber-resilience lies. Users should be aware of what should happen if threats to cyber-resilience occur.
 Monitoring and review – policies and procedures in relation to cyber-resilience should be regularly monitored and reviewed. They should be revised in order for the business to maintain an acceptable risk profile.
Cyber risk and resilience has prompted a number of cyber security standards. ICAEW's report Audit Insights: cyber security (2018) explains the following examples.

 ISO 27001 – This is the best-established information security standard. It is a management system that provides a long list of potential controls that organisations can choose to adopt, based on their risk assessment. It is supplemented by a variety of more specific security standards in the 27000 series, such as business continuity.
 Cyber Essentials – This was created in 2014 by the UK Government, after it concluded that none of the existing standards met their specific needs. This aims to provide a baseline of cyber hygiene for all organisations and is being pushed down supply chains for government contracts.

ICAEW 2020 Introduction to risk management 167


NIST (National Institute of Standards and Technology) – This is a US framework that incorporates risk-based cyber security standards based on different industry sectors. They are also often pushed down supply chains, such as defence, and are fairly prescriptive in nature.

PCI-DSS (Payment Card Industry Data Security Standard) – This is a standard that is specific to payment cards – anyone processing payment card transactions has to pass the assessment and show compliance. This is a highly prescriptive standard, identifying the controls to be adopted with regard to payment card data.

SOC for Cybersecurity – This was published by the AICPA (American Institute of CPAs). It is for the reporting of cyber risk management, and for providing assurance opinions on the cyber risk management programme and associated controls. While it is US-centric, it shows the potential demand for better reporting and assurance around cyber risks.

9.5 Supply chain resilience

Supply chain disruption is a particular issue for companies that adopt a just-in-time approach to inventory management. Such organisations receive deliveries almost at the point when the materials are needed in the production process and very little, if any, spare inventory is held. Therefore any disruption to the supply chain (such as late deliveries or the failure of a supplier) will have a major impact on production.

Additionally, the more that companies outsource or work with partners (such as virtual organisations) the more they depend on, and therefore must be able to rely on, their supply chain. In a similar way to just-in-time organisations, virtual organisations will feel a great impact from any disruption to their supply chain. Disruption in this case may relate to the failure of IT systems to transfer data or information, as well as the failure of suppliers to meet deadlines or if they cease operations.

In response to this potential supply chain disruption, the FM Global Resilience Index is a data-driven tool and repository that ranks business resilience in 130 countries. The purpose of the index is to help executives evaluate and manage supply chain risk.

10 Disaster recovery and business continuity planning

Section overview
• A disaster is a major crisis or event which causes a breakdown in the business's operations and resultant losses.
• A business needs to recover from a disaster as quickly as possible. This is helped if the business has a business continuity plan in place.

168 Business, Technology and Finance ICAEW 2020


10.1 Disasters

Definition
Disaster: The business's operations, or a significant part of them, break down for some reason, leading to potential losses of equipment, data or funds.

We have seen that event risk is the operational risk of loss due to single events that are unlikely but that may have serious consequences. Political risk is one example and is often associated especially with less developed countries where events such as wars or military coups may result in an industry or a business being taken over by the government and having its assets seized.

Here are some examples, along with some responses and controls, based on reduction and sharing of the risk of the disaster where it cannot be avoided.

• A fire safety plan is an essential feature of security procedures, in order to prevent fire, detect fire and put out the fire. Fire safety includes:
– Site preparation (for example, appropriate building materials, fire doors)
– Detection (for example, smoke detectors)
– Extinguishing (for example, sprinklers)
– Training for staff in observing fire safety procedures
• Flooding and water damage can be countered by the use of waterproof ceilings and floors together with the provision of adequate drainage.
• Keeping up maintenance programmes can counter the leaking roofs or dripping pipes that result from adverse weather conditions. The problems caused by power surges resulting from lightning can be countered by the use of uninterruptible (protected) power supplies. This will protect equipment from fluctuations in the supply. Power failure can be protected against by the use of a separate generator.
• Threats from terrorism can be countered by physical access controls and consultation with police and fire authorities.
• Accidental damage can be avoided by sensible attitudes to behaviour while at work and good layout of workspaces.

Any system which has suffered a disaster must recover as soon as possible so that further losses are not incurred, and current losses can be rectified.

What is considered a disaster is relative to the size of the business and the significance of the item that breaks down. The failure of a hard drive in a single PC could be extremely serious for a small business which depended on that one computer, but in a large business it might cause minimal inconvenience, so long as backup copies of data files are maintained.

Minor breakdowns occur regularly and require short-term recovery plans such as agreements with a maintenance company for same or next-day on site repairs. Disasters which result in the destruction of a major facility or installation require a long-term plan.

10.2 Business continuity plans
A business continuity plan will typically provide for:
• Standby procedures so that some operations can be performed while normal services are disrupted
• Recovery procedures once the cause of the breakdown has been discovered or corrected
• Personnel management policies to ensure that the above are implemented properly

The plan must cover all activities from the initial response to the disaster (crisis management), through to damage limitation and full recovery. Responsibilities must be clearly spelt out for all tasks.
The contents of business continuity plans often include the following.

Section / Comment

Definition of responsibilities – It is important that somebody (a manager or co-ordinator) is designated to take control in a crisis. This individual can then delegate specific tasks or responsibilities to other designated people.

Priorities – Limited resources may be available for processing. Some tasks are more important than others. These must be established in advance. Similarly, the recovery plan may indicate that certain areas must be tackled first.

Backup and standby arrangements – These may be with other installations, or with a business that provides such services (eg, maybe the hardware vendor). Alternatively, other processes may be possible, for instance taking cash when credit/debit card processing is interrupted.

Communication with staff – The problems of a disaster can be compounded by poor communication between members of staff.

Public relations – If the disaster has a public impact, the recovery team may come under pressure from the public or from the media.

Risk assessment – Some way must be found of assessing the particular requirements of the problem.

Worked example: ICAEW's business continuity plan
The ICAEW has its own business continuity plan, details of which can be found on its website www.icaew.com/about-icaew/regulation-and-the-public-interest/business-continuity-plan
The plan covers its operational sites in Milton Keynes and London and accepts that the ICAEW may need to materially reduce its immediate operations if the disruptive event is major. Initially, the focus will be on recovering key business-critical activities. These have already been identified and will be guided by business impact analysis (BIA).

In the case of a major event occurring, the priority will be to:
• protect and preserve the safety and well-being of employees, visitors and contractors;
• recover mission critical systems and resume critical ICAEW business operational activities;
• communicate appropriately with employees, media, principal contractors and stakeholders; and
• continuously manage the recovery process to ensure timely and efficient resumption of normal business.

Summary and Self-test
Summary
Summary diagram (chapter overview): The future is uncertain. Either a positive event may occur (= OPPORTUNITY) or an adverse event may occur (= RISK). Risk is faced by the business and by the investor. Classifying risk: the risk concepts are volatility, exposure, impact and probability. Risk management aims to minimise, limit or reduce risk, taking account of critical success factors and risk appetite, and links to the strategic planning process (Chapter 4) – see Fig 5.2. Attitude to risk: risk-averse, risk-neutral or risk-seeking. Business resilience: a crisis has causes and effects; crisis management covers contingency planning, prevention and action once the crisis occurs, supported by a business continuity plan and a disaster recovery plan.

Self-test
Answer the following questions.
1 Which of the following is a definition of risk?
A That events in the future cannot be predicted with certainty
B The element of a decision which is unknown
C The inability to predict the outcome of an activity due to a lack of information
D The possibility that an event will occur and adversely affect the achievement of objectives

2 Which of the following is a downside risk for a business?
A That costs might rise
B That revenue might rise
C That controls may succeed
D That quality might improve

3 Benbuck plc has had a wide range of returns to shareholders in recent years. This means that as an investment Benbuck plc shares are:
A volatile and low risk
B non-volatile and low risk
C volatile and high risk
D non-volatile and high risk

4 Strang plc is considering an investment in new production machinery. It has identified that the machinery may soon become obsolete on the grounds of low productivity. This business risk could be identified as:
A a product risk
B a strategy risk
C an enterprise risk
D an event risk

5 Mimso Bank plc's staff appear to be unaware of the importance of risk. For Mimso Bank plc this is:
A a business risk
B an enterprise risk
C a financial risk
D an operational risk

6 The size of the gross risk facing a business is measured as:
A volatility × exposure
B impact × exposure
C impact × probability
D volatility × probability

7 In terms of risk management, choosing to transfer some risk is part of:
A risk awareness
B risk response
C risk assessment
D risk monitoring

8 Brando plc has 40 employees engaged in an activity that has been identified as having a high element of risk to the company's reputation. The company decides that the activity is necessary but that only 10 staff should be engaged in it in future, and these staff should receive extra training. The risk responses that Brando plc has applied are:
A avoidance and reduction
B transfer and acceptance
C reduction and acceptance
D avoidance and transfer

9 Heller & Co is a firm of solicitors which has long been aware that the departure of one partner, Mike Heller, would constitute a crisis for the firm. It has therefore ensured that he is highly paid and that Sue Jones, another partner, shadows his work and knows his clients. On 15 June Mike walks out of the firm and provokes a serious crisis, which the firm's very expensive PR consultants handle. The area of crisis management which Heller & Co has neglected to address in their management of the crisis is:
A crisis prevention
B contingency planning
C analysis of the causes of Mike's actions on 15 June
D taking action to mitigate the crisis

10 Klib plc operates in a politically unstable country. It has arranged that a consultancy firm with access to similar facilities as Klib plc has a complete set of backup files for Klib plc. This strategy is part of Klib plc's:
A risk management
B crisis management
C disaster recovery planning
D operational planning

11 Which of the following statements best describes a cyber attack?
A Accidental damage to a computer system caused by an inexperienced user
B Data corruption caused by poor systems integrity
C Deliberate action through the internet causing loss or damage to an organisation
D Data loss caused by physical damage such as vandalism to a computer system

Now, go back to the Learning outcomes in the introduction. If you are satisfied you have achieved these objectives, please tick them off.
Technical references
• ICAEW (2018) Audit Insights: Cyber security. London, ICAEW.
• ICAEW (2013) Audit Insights: Cyber security. London, ICAEW.
• ICAEW (2014) Developing a cyber-resilience strategy. London, ICAEW.
• ICSA Solutions (2014) Building a resilient organisation. London, ICSA Publishing.

ng
ni
e ar
ce am L
en tn in

s
ie
er ie er

op
ef V rtn

C
Pa
W
AE
IC

174 Business, Technology and Finance ICAEW 2020


Answers to Interactive questions

Answer to Interactive question 1
For many small businesses the most evident risk is that customers do not buy what they supply, whether because of competition, fashion or an economic downturn. This is also the risk that is most difficult to deal with, though being well-informed and innovative helps to ensure that the business can react adequately. There is a real risk too that the costs of providing the goods or service will rise, which again is hard to contend with as the business may have little or no bargaining power. The risks from inadequate controls are less likely though more catastrophic; most small business owners are very closely involved in the running of the business and keep close control of quality, administration and staff, but there are plenty of businesses which have gone under due to one fraud, or one lapse of quality. Finance is also a serious risk; bank overdrafts can be called in on demand, and cash flow has often caused very severe problems, even winding up, in otherwise successful businesses.

Answer to Interactive question 2
PII is a requirement not of the law but of ICAEW itself, which acts as regulator of its members both in and out of public practice. The work of ICAEW in regulating members is overseen by the Financial Reporting Council, which we shall see more about in Chapter 10. PII is intended to provide funds to persons who have suffered financial loss as a result of the negligence of a chartered accountant; this is paid to the injured party, not to the chartered accountant, but it is an example of how a person (the chartered accountant) may transfer some of the risks they face to another entity, in this case the insurance company.

Answer to Interactive question 3
You should not wait for further evidence before acting. Immediately take action to maintain or increase cash flow:
• Accelerate receipts from customers even if this requires the granting of discounts
• Decelerate payments to suppliers even if this means losing discounts
• Increase short-term sales but maintain or increase margins on sales if possible
• Reduce expenses:
– Eliminate non-essential expenses
– Sell surplus long-term assets
– Reduce payroll if possible
– Renegotiate the overdraft and other debts

Answer to Interactive question 4
There is no 'answer' to this question as such, because responses will depend on the organisation that you chose. However, this is a useful exercise to get you thinking about business resilience issues from a 'real-world' point of view.

Answers to Self-test
1 D Option A describes variability, option B is not a definition of risk and option C defines uncertainty.
2 A All of the other options are upside risks.
3 C Volatility measures the variation of returns in terms of profits, dividends and share prices; the more volatile the return, the higher the risk.
4 B
5 D This is a people risk, which is a kind of operational risk.
6 C
7 B
8 A Reducing the number of staff is a form of avoidance; training the remaining ones is a form of risk reduction.
9 C
10 C
11 C Cyber attacks are deliberate and take place through the internet.
