
Wednesday, October 23, 2013

Question Verbs

ACCA examiners have highlighted the lack of understanding of the requirements of question verbs as the most serious weakness in many candidates’ scripts. Given below are some common question verbs used in exams.

Analyse
· Intellectual level 2, 3
· Actual meaning Break into separate parts and discuss, examine, or interpret each part
· Key tips Give reasons for the current situation or what has happened.

Apply
· Intellectual level 2
· Actual meaning To put into action pertinently and/or relevantly
· Key tips Properly apply the scenario/case.

Assess
· Intellectual level 3
· Actual meaning To judge the worth, importance, evaluate or estimate the nature, quality, ability, extent, or significance
· Key tips Determine the strengths/weaknesses/importance/significance/ability to contribute.

Calculate
· Intellectual level 2, 3
· Actual meaning To ascertain by computation, to make an estimate of; evaluate, to perform a mathematical process
· Key tips Provide description along with numerical calculations.

Comment
· Intellectual level 3
· Actual meaning To remark or express an opinion
· Key tips Your answer should include an explanation, illustration or criticism.

Compare
· Intellectual level 2
· Actual meaning Examine two or more things to identify similarities and differences
· Key tips Clearly explain the resemblances or differences.

Conclusion
· Intellectual level 2, 3
· Actual meaning The result or outcome of an act or process or event, final arrangement or settlement
· Key tips End your answer well, with a clear decision.

Criticise
· Intellectual level 3
· Actual meaning Present the weaknesses/problems; evaluate comparative worth. Don’t explain the situation. Instead, analyse it
· Key tips Criticism often involves analysis.

Define
· Intellectual level 1
· Actual meaning Give the meaning; usually a meaning specific to the course or subject
· Key tips Explain the exact meaning because usually definitions are short.

Describe
· Intellectual level 1, 2
· Actual meaning Give a detailed account or key features. List characteristics, qualities and parts
· Key tips Make a picture with words; identification is not sufficient.

Discuss
· Intellectual level 3
· Actual meaning Consider and debate/argue about the pros and cons of an issue. Examine in-detail by using arguments in favour or against
· Key tips Write about any conflict, compare and contrast.

Evaluate
· Intellectual level 3
· Actual meaning Determine the scenario in the light of the arguments for and against
· Key tips Mention evidence/case/point/issue to support evaluation.

Explain
· Intellectual level 1, 2
· Actual meaning Make an idea clear. Show logically how a concept is developed. Give the reason for an event
· Key tips Don’t just provide a list of points, add in some explanation of the points you’re discussing.

Illustrate
· Intellectual level 2
· Actual meaning Give concrete examples. Explain clearly by using comparisons or examples
· Key tips Add in some description.
  
Interpret
· Intellectual level 3
· Actual meaning Comment on, give examples, describe relationships
· Key tips Include explanation and evaluation.

List
· Intellectual level 1
· Actual meaning List several ideas, aspects, events, things, qualities, reasons, etc
· Key tips Don’t discuss, just make a list.

Outline
· Intellectual level 2
· Actual meaning Describe main ideas, characteristics, or events
· Key tips Briefly explain the highlighted points.

Recommend
· Intellectual level 3
· Actual meaning Advise the appropriate actions to pursue in terms the recipient will understand
· Key tips Give advice or counsel.

Relate
· Intellectual level 2, 3
· Actual meaning Show the connections between ideas or events
· Key tips Relate to real time examples.

State
· Intellectual level 2
· Actual meaning Explain precisely
· Key tips Focus on the exact point.

Summarise
· Intellectual level 2
· Actual meaning Give a brief, condensed account. Include conclusions. Avoid unnecessary details
· Key tips Remember to conclude your explanation.

Sunday, November 18, 2012

Types of Business Risks




1. Finance risk/ going concern risk
This is potentially the most serious risk facing a company: the risk that it will not be able to operate as a going concern. Specific going concern indicators include:


  • Competitors who are not exposed to the same manufacturing and exchange rate risks
  • Falling sales 
  • Increasing borrowings
  • Cash management issues 


2. Currency risk
Currency risk occurs when companies trade with customers or suppliers in other jurisdictions. The risk relates to exchange rate movements that affect the value of debts or payments to overseas companies.


3. Interest rate risk
This risk relates to changes in interest rates, particularly where a company has borrowed money. The risk is that interest rates will increase, adversely affecting repayments (unless the terms of the loan are for a fixed rate of interest).


4. Credit risk
This is the risk that customers fail to meet their obligations to pay invoices on time. Lack of cash collections affects a company in three ways:


  • Collection falls, meaning that less cash is available to pay company expenses 
  • There may be an increased incidence of bad debts, further decreasing cash collections


5. Liquidity risk
This is the risk that a company cannot pay its debts as they fall due to a mismatch between inflows and outflows. This can be confirmed by the situation when a company secures short term borrowings on long term assets.


6. Financial risk
Financial risk in this area normally relates to the need to restate financial information due to errors or irregularities in the accounting systems.



RISK AND OPPORTUNITY


Explain how risks can present an opportunity to the organisation and how effective risk management can help a company achieve competitive advantage.

Historically, the focus of risk management has been on preventing loss. However, recently, organisations are viewing risk management in a different way, so that:

  • risks are seen as opportunities to be seized
  • organisations are accepting some uncertainty in order to benefit from higher rewards associated with higher risk
  • risk management is being used to identify risks associated with new opportunities to increase the probability of positive outcomes and to maximise returns
  • effective risk management is being seen as a way of enhancing shareholder value by improving performance.



Incurring an acceptable amount of risk tends to make a business more competitive. Conversely, not accepting risk tends to make a business less dynamic, and implies a ‘follow the leader’ strategy. Incurring risk also implies that the returns from different activities will be higher – the ‘benefit’ being the return for accepting risk. Benefits can be financial – decreased costs, or intangible – better quality information. In both cases, these will lead to the business being able to gain competitive advantage.


Focusing on low-risk activities can easily result in a low ability to obtain competitive advantage – where there is low risk there is often only a limited amount of competitive advantage to be obtained.


High-risk activities can similarly generate low or high competitive advantage. Activities with low competitive advantage will generally be avoided. There remains the risk that the activity will not work, and that the small amount of competitive advantage that would be generated is not worth that risk. Other high-risk activities may generate significant amounts of competitive advantage. These activities are worth investigating because of the high returns that can be generated.


If a business does not take some risk, it will normally be limited to activities providing little or no competitive advantage, which will limit its ability to grow and provide returns to its shareholders. The challenge to the organisation is to manage the risks to ensure that the benefits are realised. 


Roles of Risk Committee



A risk committee usually takes some of the roles of the audit committee, partly to help lighten its burden. 

The risk committee will assess the company’s risk strategy and advise the main board of its appropriateness. It will also assess how “embedded” the risk strategy is throughout the company and advise the board of how this can be improved. 

The committee will monitor overall risk exposure, and will monitor strategic risks in detail. Some monitoring of operational risks will occur, albeit to a smaller degree.

The risk committee will also oversee the risk management department to ensure that its concerns are being properly dealt with by the main board. Risk reports will be received from throughout the business to understand how successfully risk is being managed, and to help identify the emergence of new risks.

Some liaison with the audit committee is likely, as there is an obvious link between risks, controls, and the financial reporting function of the company.

Feedback will also be received from the internal audit department on recommendations for improvements in risk management processes and control systems.

Role of Internal Audit in Internal Control and Risk Management



Internal auditors provide assurance to a company’s directors that the company’s risk management systems and internal controls are operating effectively.

Whilst the Risk Management department of a company will actually assess and manage the risks, the internal auditor’s role is to check all aspects of this process and report back to the board, typically through the audit committee, on how the risk management processes can be improved. 

For example, the internal auditor will assess how effectively risks are being identified. The auditor will look at the methods being used for risk identification, and the people who are doing it, and will use his experience to suggest alternative methods, or maybe to suggest that the wrong people are currently doing it and need to be replaced. The auditor will look at all other stages in the risk management process as well, questioning risk measurement techniques, the design of risk solutions, how the implementation of these solutions could be improved etc. 

Historically, the auditor’s primary role has been in ensuring that the actual risk management solutions chosen (e.g. internal controls, insurance, hedging) are happening, and are operating effectively. Control procedures will be tested, levels of insurance assessed to ensure they are appropriate and hedging positions checked to verify they are covering currency risks adequately. 

Whilst the Risk Management department would be expected to check their own work to ensure it is effective, the existence of an independent internal audit function is likely to provide greater assurance to the board.

FACTORS AFFECTING RISK STRATEGY


Discuss what factors are likely to affect a board’s choice of risk strategy in a company listed on a stock exchange.

Factors Affecting Risk Strategy

1. Risk Attitude
The risk attitude of the directors will be a big factor in how much risk is taken. If the directors’ personalities are those of natural risk-takers, then they will tend to take a lot of risk. Obviously if they are relatively risk-averse, then they will not take much risk.

The directors are agents of the shareholders, so they will need to consider the risk attitude of the shareholders when deciding on a risk strategy. Of course, if the shareholders are risk-averse, they will probably have appointed a board that is also risk-averse, so the attitude of directors may already be matched to that of the shareholders.

The risk attitude of other key stakeholders, such as employees, customers, industry regulators etc. will also need to be considered, depending on the type of industry that the company is in.


2. Risk Capacity
Risk taking requires resources such as time, staff, and money. Therefore a company must understand the resources that it has at its disposal when forming its risk strategy, or it will not be able to deliver it.


3. Position of Company
The position of the company, and its future strategy and objectives, will also affect risk strategy. A company that is currently in trouble may have to take higher risks in an attempt to survive. In a similar way, companies looking for rapid growth are unlikely to achieve it without taking significant risks.


DIVERSIFICATION - REDUCE LEVEL OF RISKS?


Evaluate whether Diversification is an effective way for companies to reduce their overall level of risks

Diversification involves companies moving into new business areas, either in terms of different products, different ways of delivering these products, or different countries. Many large businesses have achieved expansion using this method, often because they feel they have grown as large as they can do within existing markets. 


1. It is often argued that diversification can reduce overall business risk by “smoothing” a company’s performance over time. In a well-diversified company, when one part of the business is under-performing another part is likely to be over-performing, resulting in the positives and negatives largely cancelling each other out and overall profit remaining relatively stable. Large supermarkets, such as Tesco, are a good example of this.

2. Diversification often also brings expansion, and financial risks may be reduced if new economies of scale are available as a result of entering into new markets. 

3. Being involved in so many markets may also improve the company’s image, therefore reducing reputation risk.



However, 
1. Diversification may not reduce risk at all if the new markets entered into by a company have the same pattern of returns as existing markets. In fact, in this case risk exposure is actually going to increase, not decrease. 

2. It can also be argued that moving into new markets, potentially ones where the company lacks a proven track record, will expose the company to a new set of risks which may increase overall business risk.

3. As with all risk management, a reduction in risk is likely to lead to a reduction in return. In choosing to spread its operations over many markets, a company may find that it loses its specialist skills in its core market and becomes average at everything and brilliant at nothing. As a result, returns may be “smooth” but the average profit margin is highly likely to reduce in the process. 

4. Also, as companies increase in size and the variety and complexity of operations increases, the risks of mistakes being made, poor control systems, fraud etc. are all likely to increase unless the company’s risk management systems keep up with the growth and changes.

Friday, November 16, 2012


Framework for assessing risk

Risk is assessed by considering each identified risk in terms of two variables:
its hazard (or consequences or impact) and,
its probability of happening (or being realised or ‘crystallising’).


The most material risks are those identified as having high impact/hazard and the highest probability of happening. Risks with low hazard and low probability will have low priority whilst between these two extremes are situations where judgement is required on how to manage the risk.


In practice, it is difficult to measure both variables with any degree of certainty and so it is often sufficient to consider each in terms of relatively crude metrics such as ‘high/medium/low’ or even ‘high/low’. The framework can be represented as a ‘map’ of two intersecting continuums with each variable being plotted along a continuum.








Typical roles of a risk management committee

The typical roles of a risk management committee are as follows:


1. To agree and approve the risk management strategy and policies. The design of risk policy will take into account the environment, the strategic posture towards risk, the product type and a range of other relevant factors.

2. Receiving and reviewing risk reports from affected departments. Some departments will file regular reports on key risks (such as liquidity assessments from the accounting department, legal risks from the company secretariat or product risks from the sales manager).

3. Monitoring overall exposure and specific risks. If the risk policy places limits on the total risk exposure for a given risk then this role ensures that limits are adhered to. In the case of certain strategic risks, monitoring could occur on a very frequent basis whereas for more operational risks, monitoring will more typically occur to coincide with risk management committee meetings.

4. Assessing the effectiveness of risk management systems. This involves getting feedback from departments and the internal audit function on the workings of current management and risk mitigation systems.

5. Providing general and explicit guidance to the main board on emerging risks and to report on existing risks. This will involve preparing reports on apparent risks and assessing their probability of being realised and their potential impact if they do.

6. To work with the audit committee on designing and monitoring internal controls for the management and mitigation of risks. If the risk committee is part of the executive structure, it will likely have an advisory role in respect of its input into the audit committee. If it is non-executive, its input may be more directly influential.




Stages of a risk audit

There are four stages in a risk audit. Together these comprise an audit or review of the risk management of an organisation.


Identification
Identification of risks is the first part of any risk audit.

Risk can be defined as the realised future loss arising from a present action or inaction. Risks come and go with the changing nature of business activity, and with the continual change in any organisation’s environment.

To carry out this identification exercise the auditors would need to interview key staff, likely to be departmental managers, and potentially employees and experts to establish their views of the major risks facing the company.

This exercise could be further supported with analyses of external market data, particularly looking at the markets or businesses upon which the company is so reliant and the long-term impact of any efficiency measures taken to date.


Assessment
Once identified, the next task is to assess the risk.

Each identified risk needs to be measured against two variables: the probability (or likelihood) of the risk being realised; and the impact or hazard (what would happen if the risk was realised). These two intersecting continua can be used to create a probability/impact grid on to which individual risks can be plotted.

This assessment requires a significant amount of judgement on the part of the auditor, and may necessitate input from staff within the business. It may not be possible to assign monetary values to all risks, but an assessment of high or low should be reached.


Review
At the review stage, the auditor analyses the controls that the organisation has in the event of the risk materialising. For example, this could involve looking at contingency plans which the company has initiated.

Where risks have been accepted, a review is undertaken of the effectiveness of planning for measures such as financing, customer support, help lines and so on, should the unavoidable risk materialise.

This review stage can represent a substantial task, as the response to each assessed risk is a part of the review and there may be many risks to consider.


Report
Finally, a report on the review is produced and submitted to the board, probably via the audit committee or to the Risk & Compliance Manager.

The report would list the key risk areas, i.e. those assessed as high (high probability and/or high impact), and for each of the risks would discuss the effectiveness of the existing controls in place.

For any ineffective areas that expose the business to potential losses, the auditor will most likely recommend courses of action that may be taken to improve risk management.



Generic risk
Generic risk refers to risks that affect all businesses. They may affect businesses in different ways, but all will be impacted.


Examples of generic risks include:
  • the impact of the global recession on demand for all products and services.
  • the risk that governments may revoke planning permission or change regulations in response to political pressures.
  • the risk that major investment projects experience cost or time over-runs.



Specific risk
Specific risk refers to risks that affect only the specific business in question. The range of specific risks will be dependent upon the breadth of definition of the specific business sector.


Example of specific risk
A specific risk that faces the air transport industry is that consumers may move away from air travel in response to environmental concerns.



The case for the mandatory external reporting of internal controls and risks

1. Disclosure allows for accountability. Had investors been aware of the internal control failures and business probity risks earlier, it may have been possible to replace the existing board before events deteriorated to the extent that they sadly did. In addition, however, the need to generate a report on internal controls annually will bring very welcome increased scrutiny from shareholders and others. It is only when things are made more transparent that effective scrutiny is possible.


2. Secondly, I am firmly of the belief that more information on internal controls would enhance shareholder confidence and satisfaction. It is vital that investors have confidence in the internal controls of companies they invest in and increased knowledge will encourage this. 


3. Furthermore, compulsory external reporting on internal controls will encourage good practice inside the company. The knowledge that their work will be externally reported upon and scrutinised by investors will encourage greater rigour in the IC function and in the audit committee. This will further increase investor confidence.


4. Internal controls and risks are simply too important an issue to allow companies to decide for themselves or to interpret non-mandatory guidelines. It must be legislated for because otherwise those with poor internal controls will be able to avoid reporting on them. By specifying what should be disclosed on an annual basis, companies will need to make the audit of internal controls an integral and ongoing part of their operations. 



INFORMATION ON MATTERS OF INTERNAL CONTROL AND RISK


Why the flow of information upwards to the board on matters of internal control and risk is so important


In the first instance, the information provided enables the board to monitor the performance of the company on the crucial issues in question. This includes compliance, performance against targets and the effectiveness of existing controls. By being made aware of the key risks and internal control issues at the operational level, the board can work to address them in the most appropriate way.


The board also needs to be aware of the business impact of operational controls and risks to enable us at board level to make informed business decisions at the strategic level. If the board receives incomplete, defective or partial information then they will not be in full possession of the necessary facts to allocate resources in the most effective and efficient way possible.



The board has the responsibility to provide information about risks and internal controls to external audiences. Best practice reporting means that they have to provide information to shareholders and others, about the systems, controls, targets, levels of compliance and improvement measures and they need quality information to enable us to do this. 

********************************

Quality Characteristics of Information

The information the board receives on risks and internal controls should be high quality information. This means that it enables the full information content to be conveyed to the board in a manner that is clear and has nothing in it that would make any part of it difficult to understand. 


The communications should be reliable, relevant and understandable. They should also be complete. 


Reliable
By reliable I refer to the trustworthiness of the information: the assumption that it is ‘hard’ information, that it is correct, that it is impartial, unbiased and accurate. In the event that you must convey bad news such as some of the issues raised by the loss of the Mary Jane, we expect you to do so with as much truthfulness and clarity as if you were conveying good news.


Relevant
By relevant I mean not only that due reports should be complete and delivered promptly, but also that anything that you feel should be brought to the board’s attention, such as maritime safety issues, emergent risks, issues with ports, etc. should be brought to our attention while there is still time for us to do something about it. 


Understandable
Information conveyed must be understandable. This means that it should contain a minimum of technical terms that may not be understandable to some members of the board. All communication should therefore be as plain as possible within the constraints of reliability and completeness. 


Complete
By complete, I mean that all information that we need to know and which you have access to, should be included. Particularly with relevance to risks, all relevant information must be conveyed regardless of the inconvenience that it may cause to one or more colleagues.




How using a systematic approach to Control and Risk Management can enable companies to fulfill the core aims of Corporate Governance


Ensuring Integrity
The problems that an organization may face as a result of a lack of integrity among its staff should be part of the risk assessment process. Risks such as probity risks are significant risks which should be assessed and managed. An important aspect has been stressing the role of directors in influencing the culture, tone and core values of the company.



Promotion of strategic objectives
Guidance in risk management models stresses the need for risk management to be aligned with the strategic objectives. Most risk management models have objective setting as a key stage.



Control over companies
Risk management models emphasize the importance of companies building into their systems the need to follow governance guidance. Two of the four types of objectives in the COSO framework are reliability of reporting and compliance with applicable laws and regulations.



Enhancing risk management
A key feature of risk management models is that they demonstrate how risk management is a continual process. Models show the need to assess organization-wide risks and also specific process or unit risks. They are also used to assess the interaction between risks. Models show that risk management is a logical process, taking the organization through initial risk identification, then identification of events that may cause risks to crystallize, assessment of how great losses might be and in the light of these how best to respond to risks. This will help to identify who should be responsible for which aspects of risk management.



Involvement of shareholders
All risk management models have information provision as a key stage, and this includes information provision to shareholders. The Australia and New Zealand Standard on risk management has communication and consultation as an underlying stage of its risk management model, reflecting the requirement in governance reports for communication with major stakeholders.



Protection of shareholders and stakeholders
Risk management models aim to reinforce the protection given to shareholders and other stakeholders. Adopting a systematic approach to risk management should make sure that the risks for investors are at appropriate levels, given the strategic objectives of the company. Effective risk management should mean that the directors are not reckless in their decisions, and consider the risk of solvency problems very seriously.



Establishment of accountability
Risk management models reinforce the idea that clear organizational structures strengthen governance. Responsibility for decision-making is a key part of the internal environment of organizations. Some risk management models emphasize the responsibilities of specific individuals; for example, CIMA’s model stresses the need to establish a risk management group. Other models build in decision-making as a key stage.



Maintenance of effective scrutiny
Models emphasize the importance of monitoring risk management procedures and controls once they are in place. The feedback from this monitoring will impact upon future risk assessments and also lead to continuous improvements in processes. Some models, for example the CIMA model, emphasize this by showing risk management as a circular process. 



Provision of accurate and timely information
As indicated, information provision is a key stage of risk management models. The CIMA model puts information for decision-making at the centre of the model, with all the risk management stages feeding into it.



Why risk assessment is dynamic


Risk assessment is a dynamic management activity 
  1. because of changes in the organisational environment and 
  2. because of changes in the activities and operations of the organisation which interact with that environment.


A risk may arise from a change in the activity of the company: a new product launch. The new product may introduce a new risk that was not present prior to the new product. It may be a potential liability from the use of the product or a potential loss from the materials used in its production, for example.


Changes in the environment might include changes in any of the PEST (political, economic, social, technological) factors or any industry level change such as a change in the competitive behaviour of suppliers, buyers or competitors. In either case, new risks can be introduced, existing ones can become more likely or have a higher impact, or the opposite (they may disappear or become less important). Risk may arise from a change in legislation, which is a change in the external environment.




Roles of a risk manager/risk department/risk management function

1. Providing overall leadership, vision and direction, involving the establishment of risk management (RM) policies, establishing RM systems etc. Seeking opportunities for improvement or tightening of systems.


2. Developing and promoting RM competences, systems, culture, procedures, protocols and patterns of behaviour. It is important to understand that risk management is as much about instituting and embedding risk systems as it is about issuing written procedures. The systems must be capable of accurate risk assessment.


3. Reporting on the above to management and risk committee as appropriate. Reporting information should be in a form able to be used for the generation of external reporting as necessary. 


4. Ensuring compliance with relevant codes, regulations, statutes, etc. This may be at national level (e.g. Sarbanes Oxley) or it may be industry specific. Banks, oil, mining and some parts of the tourism industry, for example, all have internal risk rules that risk managers are required to comply with.


5. Establishing a common risk management language including common measures around likelihood and impact and common risk categories.


6. Implementing a set of risk indicators and reports including losses and incidents, key risk exposures and early warning indicators.


7. Primary champion of Risk Management at strategic and operational levels.


8. Developing risk responses including contingency and business continuity programs.




Thursday, November 15, 2012


Risk Management Strategies

There are four strategies for managing risk and these can be undertaken in sequence. In the first instance, the organization should ask whether the risk, once recognised, can be transferred or avoided.


Transference
means passing the risk on to another party which, in practice, means an insurer or a business partner in another part of the supply chain (such as a supplier or a customer).


Avoidance
means asking whether or not the organisation needs to engage in the activity or area in which the risk is incurred.


Reduction
If it is decided that the risk can be neither transferred nor avoided, it might be asked whether or not something can be done to reduce or mitigate the risk. This might mean, for example, reducing the expected return in order to diversify the risk, re-engineering a process to bring about the reduction, or risk sharing.

(Risk sharing involves finding a party that is willing to enter into a partnership so that the risks of a venture might be spread between the two parties. For example, an investor might be found to provide partial funding for an overseas investment in exchange for a share of the returns.)


Acceptance
Finally, an organisation might accept or retain the risk, believing there to be no other feasible option. Such retention should be accepted when the risk characteristics are clearly known (the possible hazard, the probability of the risk materialising and the return expected as a consequence of bearing the risk).




Risk Embeddedness

Risk embeddedness refers to the way in which risk awareness and management are interwoven into the normality of systems and culture in an organisation. These twin aspects (systems and culture) are both important because systems describe the way in which work is organised and undertaken, and culture describes the ‘taken-for-grantedness’ of risk awareness and risk management within the organisation.


The methods by which risk awareness and management can be embedded in organisations are as follows:

1. Aligning individual goals with those of the organisation and building these in as part of the culture. The need for alignment is important because risk awareness needs to be a part of the norms and unquestioned assumptions of the organisation. 


2. Training of staff at all levels is essential to ensure risk is embedded throughout the organisation. 


3. Including risk responsibilities with job descriptions. This means that employees at all levels have their risk responsibilities clearly and unambiguously defined.


4. Establishing reward systems that recognise that risks have to be taken (thus avoiding a ‘blame culture’). Those employees that are expected to take risks (such as those planning investments) should have the success of the projects included in their rewards.


5. Establishing metrics and performance indicators that monitor and feed back information on risks to management. This would ensure that accurate information is always available to the risk committee and/or board, and that there is no incentive to hide relevant information or fail to disclose risky behaviour or poor practice. A ‘suggestion box’ is one way of providing feedback to management.


6. Communicating risk awareness and risk management messages to staff and publishing success stories. As part of disseminating, and creating an incentive for, good practice, internal communication is important in developing culture and continually reminding staff of risk messages.




Defining reputation risk

  • Reputation risk is one of the categories of risk used in organisations. 
  • It was identified as a risk category by Turnbull and a number of events in various parts of the world have highlighted the importance of this risk. 
  • Reputation risk concerns any kind of deterioration in the way in which the organisation is perceived, usually, but not exclusively, from the point of view of external stakeholders. 
  • Such deterioration may be due to irregular behaviour, compliance failure or similar, but in any event, the effect is an aspect of corporate behaviour below that expected by one or more stakeholders. 
  • When the ‘disappointed’ stakeholder has contractual power over the organisation, the cost of the reputation risk may be material.



Effects of poor reputation on financial situation
There are several potential effects of reputation risk on an affected organisation. 

1. When more than one stakeholder group has reason to question the otherwise good reputation of an organisation, the effect can be a downward spiral leading to a general lack of confidence which, in turn, can have unfortunate financial effects. 


2. In particular, however, reputation risk is likely to affect one or more of the organisation’s interactions with resource providers, product buyers, investors or auditors/regulators.


3. Resource provision (linked to resource dependency theory) may affect recruitment, financing or the ability to obtain other inputs such as (in extremis) real estate, stock or intellectual capital. 


4. Within product markets, damage to reputation can reduce confidence among customers leading to reduced sales values and volumes and, in extreme cases, boycotts. 


5. Investor confidence is important in public companies where any reputation risk is likely to be reflected in market value. 


6. Finally, auditors, representing the interests of shareholders, would have reason to exercise increased scrutiny if, say, there are problems with issues of trust in a company. It would be a similar situation if the affected organisation were in an industry subject to high levels of regulation.



Related and Correlated Risks


Related risks are risks that vary because of the presence of another risk. This means they do not exist independently and they are likely to rise and fall in importance along with the related one. Risk correlation is a particular example of related risk.


Risks are positively correlated if the two risks are positively related in that one will fall with the reduction of the other and increase with the rise of the other. They would be negatively correlated if one rose as the other fell. 

********************************************************

In the case of environmental risks and reputation risk, they may be positively correlated for the following reasons:


Environmental risks involve exposure to losses arising from an organisation’s consumption of resources or impacts through its emissions. Where an environmental risk affects a sensitive situation (be it human, flora, fauna or other), this can cause negative publicity which can result in reputation damage.


These two risks can have a shared cause, i.e. they can arise together and fall together because they depend upon the same activity. They are considered separate risks because losses can be incurred by either or both of the impacts (environmental or reputational).


Activities designed to reduce environmental risk, such as acquiring resources from less environmentally-sensitive sources or through the fitting of emission controls, will reduce the likelihood of the environmental risk being realised. This, in turn, will reduce the likelihood of the reputation risk being incurred. The opposite will also hold true: a reduction of attention to environmental risk will increase the likelihood of reputation loss.