A certain risk level is inherent in running a business. A company cannot completely eliminate risk, but it can control or at least successfully manage risk. A company’s management has to make decisions and choices regarding acceptable risk levels, especially in terms of financial issues.
1. Internal Sources of Risk
Internal risks are risks arising in the internal environment of the organization and/or supply chain: its organizational structure, systems and processes, strategies, policies, governance, technology, management and human resources. Examples of internal risks include the following:
a) Human personality factors: e.g. over-confidence, carelessness, resistance to rules and policies and so on
b) Cultural values and norms: e.g. macho cultures encouraging dangerous ‘horseplay’ or competitive risk-taking; blaming cultures discouraging disclosure and problem reporting; and so on
c) Group dynamics: e.g. risky decision-making by over-cohesive teams (due to ‘group think’); poorly functioning teams; lack of leadership
d) Human error and inexperience: e.g. lack of training, instruction or supervision; poor flow of job-related information and performance feedback; unclear goals and instructions; and poor performance management (failure to identify improvement and learning needs, and lack of improvement interventions)
e) Business management: e.g. uncontrolled costs; poor strategic planning, product and market planning or financial management; poor supply chain relationship management; lack of investment in product development; poor investment appraisal and so on
f) Malicious activity: e.g. fraud, sabotage, theft, data theft or industrial espionage, or unethical conduct facilitated by poor corporate governance, lack of ethics management, lack of support for whistle-blowers, and lack of security provisions (e.g. against theft, computer viruses, hacking and so on)
g) Breakdown of technology, equipment or systems: e.g. through lack of maintenance, incorrect usage, lack of contingency planning (e.g. for power failure)
h) Security risks: e.g. unprotected or unauthorized access to facilities, unsecured cash, assets or data, attacks on personnel (including kidnapping, ransom and extortion), industrial espionage
i) Lack of internal controls: e.g. financial controls, security system, policies and policy reviews, risk monitoring and assessment, internal and external audits, contingency plans.
j) Workplace hazards: risk of accidents and ill health arising from a range of health and safety hazards, including: materials handling; poor ergonomic design; poorly maintained or unhygienic work environments; work-related stress; poorly maintained or incorrectly used machinery; the use and storage of hazardous substances; non-use or misuse of protective equipment; and additional risks to certain categories of employee (such as young workers, pregnant workers, new and temporary workers, or night-shift workers)
k) Poor employee relations: causing a risk of industrial action, loss of productivity, instability and loss of morale (caused by excessive employee turnover), and difficulties attracting and retaining talent
l) Loss of key personnel and knowledge: through natural wastage (without succession planning), accelerated wastage (through failure of retention policies), downsizing or outsourcing.
An organisation’s system of internal controls is designed to manage internal risk. Internal controls facilitate the effectiveness and efficiency of operations and contribute to delivering risk objectives. Internal controls are put in place to manage both internal sources of risk and the impacts of external sources of risk. In designing them, an organisation should consider:
• The nature and extent of the risks facing the organisation
• The extent and categories of risk that it is acceptable to bear
• The likelihood of the risk occurring
• The organisation’s ability to reduce the incidence and impact on the business of risks that do materialise
Internal controls are subject to limitations, and these limitations should be considered as part of the risk management process.
• Directors and managers are responsible for the establishment, implementation and continuance of internal controls. Although the processes will be the subject of review and auditing, it is effective management that ensures successful delivery.
• Internal controls provide reasonable assurance but are not a total guarantee against risk.
• Within any organisation there will be gaps that can be exploited by individuals. Internal controls must be responsive to potential gaps within the system.
2. External Sources of Risk
An organisation’s external environment must be monitored in order to ascertain any potential risks coming from the changing situation. One management tool that can be used to illustrate the external factors and/or risks facing an organisation is the STEEPLE framework.
• Socio-cultural (e.g. demographics, cultural differences and/or employment practices);
• Technological (e.g. market risks for finished products, and automation and its associated workforce rationalisation and/or changes in job roles and skills requirements);
• Economic (e.g. rates of inflation, interest and taxation throughout the different geographical areas of the supply chain);
• Environmental (e.g. availability of resources and commodities; laws and regulation covering pollution, carbon emissions and waste management);
• Political (e.g. governmental policies covering laws, grants and subsidies);
• Legal (e.g. employment rights, anti-slavery codes of conduct, health and safety, and environmental protection);
• Ethical (e.g. provenance of ethically sourced goods and commodities).
The examples given above are not exhaustive, and marks were available for valid alternative examples of risk.