P1 saltoc december 2009 part a

Yes. ‘Embedding’ means that with everything the company does there should be attention to risk.

With respect to the scenario we could say that this has not happened:

If time and effort is to be spend analysing risk and devising defences where necessary, this cost should be recognised in the budget. For example, in some companies it might mean that more employees are needed (eg a whole internal audit department). To justify the inclusion of additional expenditure in the budget some assessment of the impact of risks has to be made so that Costs< Benefits of avoiding a melt-down.

It requires senior management to buy into the concept of the importance of risk. Here, there are poor relations between the FD and Harry and Laura. Buck-passing is of little use.

The poor relations seem to cause high turnover which will mean there are lots of relative newcomers who might not yet understand where the big potential problems are.

If Harry and Laura are responsible for aspects of risk, this needs to be formally recognised and appraised.

The appropriate rick-culture needs to be adopted ie recognise where risks are, recognise their potential impact and taking the problems seriously.

With regard to your second question, following on from what I’ve said above, managing risk takes time and effort. For example, having people fill in and sign-off checklists, looking at people’s work to see if they have done what they should have, performing surprise spot-checks. Peter and Ken seem to want risk control without incurring any time or bother and regard risk management as an unnecessary nuisance overhead whereas it is fundamental to the company’s long-term well-being.

You are right on both.

Risk management is not an end in itself and must involve comparing costs and benefits.