CPA Business Analysis and Reporting (BAR): Recommend Risk Mitigation Strategies
In enterprise risk management, 'risk appetite' refers to which of the following?
A. The level and type of risk an organization is willing to accept in pursuit of its business objectives
B. The minimum return required to justify accepting a given level of risk
C. The total amount of risk a company is exposed to across all business activities
D. The financial capacity to absorb losses without impairing operations
Explanation
Risk appetite is a deliberate strategic choice: how much risk, and of what kind, management and the board are prepared to accept in order to achieve business objectives. It guides risk-taking decisions, defines the boundary between acceptable and unacceptable risk levels, and is the yardstick against which residual risk is later judged. Option A is correct. Option B describes a hurdle rate, a capital-budgeting concept, not risk appetite. Option C describes total risk exposure, a measurement of what the organization actually faces rather than what it is willing to accept. Option D describes risk capacity (the financial ability to absorb losses), which is related to but distinct from risk appetite (the willingness to accept risk); appetite should never exceed capacity.
An ERM assessment identifies: Risk 1 (probability 80%, impact $200,000), Risk 2 (probability 20%, impact $1,500,000), Risk 3 (probability 50%, impact $400,000). Management proposes prioritizing Risk 1 because it has the highest probability. Which concern does this raise?
A. Risk 1 is correctly prioritized because likelihood is the most important risk dimension
B. Risk 3 should be prioritized because it has the most balanced probability and impact profile
C. Expected value analysis shows Risk 2 has the highest expected loss ($300,000 vs. Risk 1 at $160,000 and Risk 3 at $200,000); prioritizing by probability alone misallocates risk management resources
D. All three risks should receive equal resources regardless of expected value
Explanation
Expected loss = probability x impact: Risk 1 = 0.80 x $200,000 = $160,000; Risk 2 = 0.20 x $1,500,000 = $300,000; Risk 3 = 0.50 x $400,000 = $200,000. Risk 2 carries the highest expected loss despite the lowest probability, so ranking by probability alone (Risk 1, Risk 3, Risk 2) exactly inverts the expected-loss ranking (Risk 2, Risk 3, Risk 1). Managing risks by probability alone ignores the severity of potential outcomes. Prioritization should use expected loss, or a heat map that combines probability and impact, and for a low-probability, high-impact risk such as Risk 2 it should also ask whether the $1,500,000 impact itself is survivable. Option C is correct. Option A elevates probability to the sole criterion, which is analytically incorrect. Option B selects Risk 3, which has the second-highest expected loss but not the highest. Option D ignores the data entirely.
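The ranking logic the explanation describes, written out as a small risk-register tool. This is an added illustration, not part of the exam material: the three risks come from the question, while the heat-map band edges and the function names are assumptions chosen for the example. It generalizes the question to any register and reports how each risk's rank moves between a probability-only ordering and an expected-loss ordering.

```python
"""Rank a risk register by expected loss instead of by probability alone.

Added illustration for the prioritization question above; it is not part of
the original exam material. The three risks come from the question; the
heat-map band edges are assumptions chosen for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # probability of occurrence over the assessment period, 0..1
    impact: float        # loss in dollars if the risk materializes

    def expected_loss(self) -> float:
        """Expected loss = probability x impact (the exam's expected value)."""
        return self.probability * self.impact


# Assumed band edges for a 3x3 heat map (not from the exam). A value falls in
# the first band whose upper edge it is below.
LIKELIHOOD_BANDS = ((0.30, "low"), (0.60, "medium"), (1.01, "high"))
IMPACT_BANDS = ((250_000, "low"), (1_000_000, "medium"), (float("inf"), "high"))


def band(value: float, bands) -> str:
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def heat_map_cell(risk: Risk) -> str:
    """Heat-map cell as 'likelihood/impact', e.g. 'low/high'."""
    return f"{band(risk.probability, LIKELIHOOD_BANDS)}/{band(risk.impact, IMPACT_BANDS)}"


def rank_by_probability(register):
    return sorted(register, key=lambda r: r.probability, reverse=True)


def rank_by_expected_loss(register):
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def rank_shift(register) -> dict:
    """Map each risk name to (rank by probability, rank by expected loss); 1 is the top."""
    by_p = {r.name: i + 1 for i, r in enumerate(rank_by_probability(register))}
    by_el = {r.name: i + 1 for i, r in enumerate(rank_by_expected_loss(register))}
    return {name: (by_p[name], by_el[name]) for name in by_p}


# Constructed register using the figures from the question.
REGISTER = [
    Risk("Risk 1", 0.80, 200_000),
    Risk("Risk 2", 0.20, 1_500_000),
    Risk("Risk 3", 0.50, 400_000),
]

if __name__ == "__main__":
    for r in rank_by_expected_loss(REGISTER):
        print(f"{r.name}: expected loss ${r.expected_loss():,.0f}  heat map {heat_map_cell(r)}")
    print(rank_shift(REGISTER))
```

With these bands, Risk 1 (high likelihood, low impact) and Risk 2 (low likelihood, high impact) land in mirror-image cells that a symmetric heat map scores identically; the expected-loss figure is what separates them. `rank_shift` shows Risk 1 dropping from first to third and Risk 2 rising from third to first, which is the misallocation the question is about.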
A company has $60,000,000 of variable-rate debt and has entered into an interest rate swap on $30,000,000 (50% of the exposure). Without the swap, a 1% rate increase would cost an additional $600,000 annually; with the swap in place, $300,000 of that exposure remains unhedged. Which recommendation best addresses the remaining interest rate risk?
A. Refinance the remaining $30,000,000 to fixed rate immediately
B. The 50% hedge is optimal and no further action is warranted
C. Increase the swap to 100% of debt to fully eliminate interest rate risk
D. The appropriate hedge ratio depends on management's rate outlook and risk tolerance; a 50% hedge balances downside protection with retention of potential benefit if rates decline, and increasing coverage should depend on whether the $300,000 residual exposure exceeds the company's risk appetite
Explanation
There is no universally correct hedge ratio. A 50% hedge provides meaningful protection while retaining some benefit if rates decline. Whether to increase the hedge ratio depends on the company's risk appetite for interest cost variability, management's view on the rate outlook, the cost of incremental swap coverage, and whether the $300,000 residual exposure per 1% rate move is within the company's acceptable range. Option D is correct. Option A recommends a specific, hard-to-reverse action without knowing whether current fixed rates or refinancing costs are favorable. Option B treats 50% as definitively optimal without analysis. Option C eliminates all interest rate risk but also eliminates any benefit from potential rate declines, which may be too conservative depending on circumstances.
An ERM assessment identifies a strategic risk: a new technology may render the company's core product obsolete within 5 years (35% probability, $40,000,000 revenue impact). The current response is annual monitoring. Which assessment is most analytically sound?
A. Monitoring is appropriate because the probability is below 50%
B. A 35% probability of a $40,000,000 impact represents a $14,000,000 expected loss; monitoring without action is insufficient at this magnitude, and the company should invest in R&D, explore partnerships, or develop a transition strategy
C. The $40,000,000 impact is too speculative to influence current strategic planning
D. Strategic risks are always uncontrollable and monitoring is the only viable response
Explanation
Expected loss = 0.35 x $40,000,000 = $14,000,000. This is a material strategic risk that warrants active management, not passive monitoring. A company facing a 35% probability that its core product becomes obsolete within 5 years still has time to act: invest in next-generation product development, acquire or partner with companies developing the disruptive technology, or prepare a strategic pivot plan. Waiting until the threat materializes leaves no time to respond. Option B is correct. Option A applies a 50% probability threshold that has no analytical basis; probability alone is never the decision criterion. Option C dismisses a quantified material risk. Option D incorrectly treats strategic risks as inherently unmanageable.
In risk management, 'residual risk' is defined as:
A. Risk that has been formally accepted by management as within the company's risk appetite
B. The portion of risk that has been transferred to insurers or third parties
C. The total identified risk before any risk management actions are taken
D. The level of risk remaining after all applicable controls and mitigations have been applied
Explanation
Residual risk is what remains after controls are applied: the portion of inherent risk that the controls do not eliminate. It is the gap between inherent risk (the exposure before any response) and the protection provided by controls. Management evaluates whether residual risk is within the organization's risk appetite; if it exceeds appetite, additional controls, transfer or avoidance are needed. Option D is correct. Option A describes accepted risk, which may or may not equal residual risk: residual risk can be accepted, reduced further, or transferred. Option B describes transferred risk, one component of risk response. Option C describes inherent risk.
An annual risk assessment identifies three risks exceeding the stated risk appetite: Risk X (financial reporting, high impact), Risk Y (IT security, high impact), Risk Z (supply chain, medium impact). Management proposes addressing Risk Z first because of operational familiarity. Which recommendation is most analytically appropriate?
A. Address Risks X and Y first; risks exceeding the risk appetite threshold should be prioritized by expected impact, and the two high-impact risks warrant more urgent attention than the medium-impact supply chain risk regardless of operational familiarity
B. Address Risk Z first because management familiarity improves the probability of execution success
C. Risk X requires immediate external disclosure before any remediation can begin
D. Address all three risks simultaneously to demonstrate comprehensive risk management
Explanation
Risk prioritization should be impact-driven, not comfort-driven. Risks X and Y are both rated high impact and exceed the risk appetite threshold; Risk Z is medium impact. Beginning with the highest-impact risks reduces the most significant potential harm to the organization first. Prioritizing Risk Z because it is operationally familiar introduces a cognitive bias (tackling what we know rather than what matters most) that undermines sound risk management. Option A is correct. Option B rationalizes that bias. Option C conflates risk remediation with disclosure requirements: a financial reporting risk may need to be disclosed, but remediation should proceed regardless and does not wait on disclosure. Option D is impractical and may dilute execution quality across all three.
One customer accounts for 52% of a company's total revenue. Management argues this concentration is acceptable given the 8-year relationship with no payment issues. Which risk assessment is most analytically sound?
A. The long relationship fully mitigates the concentration risk
B. 52% revenue concentration is typical and requires no specific mitigation
C. Relationship longevity does not eliminate concentration risk; if the customer reduces orders, changes suppliers, or faces financial difficulties, the company's revenue base would be severely impaired; active revenue diversification is warranted regardless of relationship quality
D. Concentration risk only applies when the customer is publicly traded
Explanation
A positive historical relationship is backward-looking evidence that does not protect against forward-looking risk scenarios. Concentration risk is fundamentally a structural vulnerability: if a single event (a customer strategic shift, financial distress, competitive loss, or relationship change) affects the dominant customer, the company faces severe revenue impairment. The fact that this has not happened in 8 years is not a guarantee that it will not happen. Revenue diversification is the structural solution. Option C is correct. Options A, B, and D each dismiss a genuine structural risk without analytical basis: a long relationship is not a guarantee, a customer supplying a majority of revenue is not "typical", and whether the customer is publicly traded has no bearing on the exposure.
A company is evaluating self-insurance versus property insurance ($480,000 annual premium). Self-insurance requires a $3,000,000 reserve. Historical annual losses average $95,000, with one loss exceeding $1,000,000 over 15 years. Which analysis is most relevant to this decision?
A. Self-insure only if total losses over 15 years exceed $7,200,000 in premium costs
B. Self-insure; the average annual loss of $95,000 is far below the $480,000 premium
C. Purchase insurance; premiums are always the economically superior choice
D. Evaluate the financial capacity to absorb tail risk: while average losses favor self-insurance, assess whether a $1,000,000+ event (once in 15 years historically) is survivable without an insurance payout, and whether holding a $3,000,000 reserve represents an acceptable opportunity cost
Explanation
The average annual loss ($95,000) is substantially below the premium ($480,000), so self-insurance appears favorable on average. However, the relevant risk management question is not just the average but the tail: the $95,000 figure already includes the one $1,000,000+ loss spread over 15 years, which means most years are quiet and the cost is concentrated in rare, severe events. Can the company absorb a $1,000,000+ loss without impairing operations? Is tying up $3,000,000 in a reserve an acceptable opportunity cost? Insurance is most valuable for low-probability, high-severity events; if the tail event would be financially catastrophic, the premium represents valuable protection. Option D is correct. Option A uses a simplistic break-even (15 x $480,000 = $7,200,000) that compares cumulative losses to cumulative premiums and ignores the timing of losses and the insurance value of tail protection. Option B focuses only on averages, ignoring tail risk. Option C makes an unsupported universal claim.
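A way to make the "average versus tail" argument concrete, as an added example that is not part of the exam material. It simulates many years of losses and reports both the expected cost of each option and the tail statistics the explanation asks about. The premium, reserve, $95,000 average and one-in-fifteen-years large loss are taken from the question; the loss distributions, the 5% opportunity-cost rate, the assumption that the policy pays every loss in full, and all function names are assumptions made for this illustration.

```python
"""Monte Carlo view of self-insurance versus a fixed premium.

Added illustration for the self-insurance question above; it is not part of
the original exam material. The premium, the reserve, the $95,000 historical
average and the one $1,000,000+ loss in 15 years come from the question.
The loss distributions, the opportunity-cost rate and the assumption that the
insurance policy pays every loss in full are assumptions made for this example.
"""
import math
import random
import statistics

PREMIUM = 480_000           # annual premium (from the question)
RESERVE = 3_000_000         # reserve required to self-insure (from the question)
TARGET_MEAN_LOSS = 95_000   # historical average annual loss (from the question)
CAT_PROB = 1 / 15           # one large loss in 15 years (from the question)
OPPORTUNITY_RATE = 0.05     # assumed annual return forgone on the idle reserve

# Assumed severity model. A large ("catastrophic") loss is lognormal with a
# $1,000,000 median and a fat right tail. The ordinary attritional losses are
# gamma-distributed, with their mean calibrated so that the overall expected
# annual loss equals the $95,000 historical average.
CAT_MEDIAN = 1_000_000
CAT_SIGMA = 0.5
CAT_MEAN = CAT_MEDIAN * math.exp(CAT_SIGMA ** 2 / 2)       # lognormal mean
ATTRITIONAL_MEAN = TARGET_MEAN_LOSS - CAT_PROB * CAT_MEAN  # about $19,500


def simulate_year(rng: random.Random) -> float:
    """Draw one year's total property loss from the assumed model."""
    loss = rng.gammavariate(2.0, ATTRITIONAL_MEAN / 2.0)   # shape 2, mean = ATTRITIONAL_MEAN
    if rng.random() < CAT_PROB:
        loss += rng.lognormvariate(math.log(CAT_MEDIAN), CAT_SIGMA)
    return loss


def simulate(trials: int = 50_000, seed: int = 7) -> dict:
    """Simulate independent years and summarise both the average and the tail."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))
    mean_loss = statistics.fmean(losses)
    return {
        "mean_annual_loss": mean_loss,
        "loss_99th_percentile": losses[int(0.99 * trials)],
        "prob_loss_over_1m": sum(l > 1_000_000 for l in losses) / trials,
        "prob_reserve_exhausted": sum(l > RESERVE for l in losses) / trials,
        # Self-insurance cost = losses retained + return forgone on the reserve.
        "self_insure_expected_cost": mean_loss + OPPORTUNITY_RATE * RESERVE,
        "insure_expected_cost": float(PREMIUM),
    }


def recommendation(results: dict, max_tolerable_annual_loss: float) -> str:
    """Self-insure only when it is cheaper on average AND the tail is survivable.

    max_tolerable_annual_loss stands in for the company's risk appetite: the
    largest single-year loss it could absorb without impairing operations.
    """
    cheaper = results["self_insure_expected_cost"] < results["insure_expected_cost"]
    survivable = results["loss_99th_percentile"] <= max_tolerable_annual_loss
    if cheaper and survivable:
        return "self-insure"
    if cheaper:
        return "insure: cheaper on average, but the tail exceeds the loss tolerance"
    return "insure"


if __name__ == "__main__":
    res = simulate()
    for key, value in res.items():
        print(f"{key:>28}: {value:.4f}" if value < 1 else f"{key:>28}: ${value:,.0f}")
    print("tolerance $3,000,000 ->", recommendation(res, 3_000_000))
    print("tolerance $1,000,000 ->", recommendation(res, 1_000_000))
```

Under these assumptions the expected annual cost of self-insuring (retained losses plus the forgone return on the reserve, roughly $245,000) is well below the $480,000 premium, which reproduces the "averages favor self-insurance" observation. The 99th-percentile year, however, is a loss of well over $1,500,000, and a single year can exceed the full $3,000,000 reserve with small but non-zero probability. `recommendation` ties the decision to a stated loss tolerance: the same simulation returns "self-insure" when the company can absorb a $3,000,000 year and "insure" when its tolerance is $1,000,000, which is exactly the risk-appetite question the explanation says should drive the decision.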
Industry data shows 60% of breaches result from phishing attacks. A company has annual phishing training, endpoint security, and a firewall. An external audit still rates phishing vulnerability as 'high.' Which risk mitigation recommendation is most appropriate?
A. Upgrade only the firewall as the most technically sophisticated control
B. Annual phishing training is industry-standard and sufficient
C. Enhance the phishing program: move to quarterly simulated exercises, implement multi-factor authentication to limit breach impact from compromised credentials, and establish an incident response plan to contain damage from successful attacks
D. Purchase cyber insurance as the primary mitigation approach
Explanation
An external audit rating the phishing vulnerability as 'high' despite the existing controls signals that current measures are inadequate; the firewall and endpoint controls do not address the human step the attack depends on. Annual training on its own is a weak control: the awareness it creates fades within weeks to months unless reinforced. The recommended approach layers defenses so that no single failure leads to a breach. More frequent, realistic simulated phishing exercises keep awareness current and produce click-rate and report-rate metrics that can be tracked over time. Multi-factor authentication means a stolen password alone is not sufficient to log in; note that one-time-code and push-based MFA can still be relayed by adversary-in-the-middle phishing kits, so phishing-resistant methods such as FIDO2/WebAuthn security keys give the strongest protection. An incident response plan ensures rapid containment (credential reset, session revocation, review of mailbox rules and recent logins) when an attack does succeed. Option C is correct. Option A addresses a different vulnerability than the one identified; a firewall does not stop a user from entering credentials on a lookalike site. Option B accepts a control the audit has rated as inadequate. Option D relies on insurance as the primary mitigation rather than as a complement to preventive and detective controls; insurance transfers some of the financial impact but does nothing to reduce the likelihood of a breach.
A 90-day cash forecast shows: beginning balance $800,000, projected collections $12,000,000, projected disbursements $13,500,000. Minimum required balance is $500,000. What is the projected shortfall and recommended mitigation?
A. Raise equity capital to address the liquidity gap
B. Draw on the revolving credit facility or arrange bridge financing to cover the projected $1,200,000 liquidity gap
C. Defer all capital expenditures until after the 90-day period
D. No action needed; disbursements can be reduced to offset the shortfall
Explanation
Ending cash before financing = $800,000 + $12,000,000 - $13,500,000 = -$700,000. Required minimum = $500,000. Shortfall = $500,000 - (-$700,000) = $1,200,000. A revolving credit facility is the appropriate short-term liquidity tool for a temporary cash gap caused by timing differences between collections and disbursements. Option B is correct. Option A (equity issuance) is an extreme and time-consuming solution for a short-term working capital gap. Option C (deferring capex) addresses only capital spending and may not close the full gap if the shortfall is driven by operating disbursements. Option D is speculative; operating disbursements such as payroll and supplier payments may not be reducible, and the forecast already shows the minimum balance being breached.