The board of YGT discussed its need for timely risk information. The consensus of the meeting was that risk consultants should be engaged to review the risks facing the company. One director, Raz Dutta, said that she felt that this would be a waste of money as the company needed to concentrate its resources on improving organizational efficiency rather than on gathering risk information. She said that many risks ‘didn’t change much’ and ‘hardly ever materialised’ and so can mostly be ignored. The rest of the board, however, believed that a number of risks had recently emerged whilst others had become less important and so the board wanted a current assessment as it believed previous assessments might now be outdated.
The team of risk consultants completed the risk audit. They identified and assessed six potential risks (A, B, C, D, E and F) and the following information was discussed when the findings were presented to the YGT board:
Risk A was assessed as unlikely and low impact whilst Risk B was assessed as highly likely to occur and with a high impact. The activities giving rise to both A and B, however, are seen as marginal in that whilst the activities do have value and are capable of making good returns, neither is strategically vital.
Risk C was assessed as low probability but with a high potential impact and also arises from an activity that must not be discontinued although alternative arrangements for bearing the risks are possible. The activity giving rise to Risk C was recently introduced by YGT as a result of a new product launch.
Risk D was assessed as highly likely but with a low potential impact, and arose as a result of a recent change in legislation. It cannot be insured against nor can it be outsourced. It is strategically important that the company continues to engage in the activity that gives rise to Risk D although not necessarily at the same level as is currently the case.
In addition, Risks E and F were identified. Risk E was an environmental risk and Risk F was classed as a reputation risk. The risk consultants said that risks E and F could be related risks. In the formal feedback to the board of YGT, the consultants said that the company had to develop a culture of risk awareness and that this should permeate all levels of the company.
(a) Criticise Raz Dutta’s beliefs about the need for risk assessment. Explain why risks are dynamic and therefore need to be assessed regularly. (8 marks)
(b) Using the TARA framework, select and explain the appropriate strategy for managing each risk (A, B, C and D). Justify your selection in each case. (6 marks)
(c) Explain what ‘related risks’ are and describe how Risks E and F might be positively correlated. (5 marks)
(d) The risk consultants reported that YGT needed to cultivate a culture of risk awareness and that this should permeate all levels of the company.
Explain and assess this advice. (6 marks)
(a) Criticise and explanation of dynamic
Criticise Raz Dutta’s beliefs
Raz Dutta is wrong in both of her assertions. The belief that risks do not change very much is only true in static environments. In reality, the changeability of risks depends upon the organisation’s place on a continuum between highly dynamic and completely static. The case mentions changes in some of YGT’s risks and this suggests that there is some dynamism in its environment. Clearly then, her belief is very difficult to defend.
Her belief that risks ‘hardly ever’ materialise may be historically true (although this is also unlikely), but the risk assessment highlighted at least two ‘likely’ risks which could well materialise. Risk D was assessed as ‘highly likely’ and Risk B was also likely with a high potential impact. Neither of these variables would be known were it not for intelligence gained as part of the risk assessment. Importantly, Risk B was a ‘high/high’ risk meaning that it is a likely risk with a high impact once it materialised. Being unaware of this could have caused great damage to the organisation.
Why risk assessment is dynamic
Risk assessment is a dynamic management activity because of changes in the organisational environment and because of changes in the activities and operations of the organisation which interact with that environment. At YGT, the case describes Risk C as arising from a change in the activity of the company: a new product launch. The new product has obviously introduced a new risk that was not present prior to the new product. It may be a potential liability from the use of the product or a potential loss from the materials used in its production, for example.
Changes in the environment might include changes in any of the PEST (political, economic, social, technological) factors or any industry level change such as a change in the competitive behaviour of suppliers, buyers or competitors. In either case, new risks can be introduced, existing ones can become more likely or have a higher impact, or the opposite (they may disappear or become less important). The case describes Risk D as arising from a change in legislation which is a change in the external environment.
(b) The strategies for managing each risk are as follows:
Risk A is accept. This means that the likelihood is low and the impact is low such that even if the risk materialised, it would not have a high severity. The case says that the activity giving rise to Risk A is capable of making good returns so given that both likelihood and severity are low, there is no obvious reason to pursue any of the other strategies with regard to this risk.
Risk B is avoid. When the likelihood and impact are high, it would be irrational to accept the risk and so the risk should be avoided. This may involve changing behaviour or discontinuing a certain activity. The case says that the activity giving rise to Risk B is capable of making good returns, but importantly, it is not strategically vital. Given this, and because the case information does not mention the possibility of viably transferring the risk, there is no reason to bear the risk unless the potential return is very large and the company has a high risk appetite.
Risk C is transfer. YGT says that the activity giving rise to the risk must not be discontinued (so avoidance is not an option) and specifies that it can be transferred (‘alternative arrangements for bearing the risks are possible’). To transfer risk is to share it with another party. The most common way to do this is to insure against losses or to outsource or licence the activity to a third party thereby transferring that risk to that third party.
Risk D is reduce. The case emphasises that the risk cannot be transferred (by insurance or outsourcing) but that the activity that gives rise to the risk can be reduced. Reduction involves reducing the risk exposure by carrying out the activity in a different way, doing less of the activity that gives rise to the risk or adopting behaviour that, whilst still exposing the company to the risk, results in a lower impact if the risk is realised.
(c) Related and correlated
Related risks are risks that vary because of the presence of another risk. This means they do not exist independently and they are likely to rise and fall in importance along with the related one. Risk correlation is a particular example of related risk.
Risks are positively correlated if the two risks are positively related in that one will fall with the reduction of the other and increase with the rise of the other. They would be negatively correlated if one rose as the other fell. In the case of environmental risks and reputation risk, they may be positively correlated for the following reasons.
Environmental risks involve exposure to losses arising from an organisation’s consumption of resources or impacts through its emissions. Where an environmental risk affects a sensitive situation (be it human, flora, fauna or other), this can cause negative publicity which can result in reputation damage. These two risks can have a shared cause, i.e. they can arise together and fall together because they depend upon the same activity. They are considered separate risks because losses can be incurred by either or both of the impacts (environmental or reputational).
Activities designed to reduce environmental risk, such as acquiring resources from less environmentally-sensitive sources or through the fitting of emission controls, will reduce the likelihood of the environmental risk being realised. This, in turn, will reduce the likelihood of the reputation risk being incurred. The opposite will also hold true: a reduction of attention to environmental risk will increase the likelihood of reputation loss.
(d) Risk awareness
Risk awareness is a capability of an organisation to be able to recognise risks when they arise, from whatever source they may come. A culture of risk awareness suggests that this capability (or competence) is present throughout the organisation, is woven into the normal routines, rituals and ways of thinking, and is taken for granted in all parts of the company and by all employees.
Risks can arise in any part of the organisation and at any level. Not all risks are at the strategic level and can be captured by a risk assessment. A culture of risk awareness will help ensure that all employees are capable of identifying risks as and when they arise.
Risks are dynamic and rise and fall with changes in the business environment and with changes in the company’s activities. With changes to the company’s risk profile occurring all the time, it cannot be assumed that the risks present at the most recent risk assessment will remain the same. Being prepared to adapt to changes is a key advantage of a culture of risk awareness.
A lack of risk awareness is often evidence of a lack of risk management strategy in the organisation. This, in turn, can be dangerous as the company could be more exposed to risk than it need be because of the lack of attentiveness by staff. A lack of effectiveness of risk management strategy leaves the company vulnerable to unrecognised or wrongly assessed risks.