© 2021 Chartered Accountants Australia and New Zealand ABN 50 084 642 571. All rights reserved.
Risk and Technology Case Study Part (a) V3.0
Assessment 2
Case study
Risk and Audit Committee paper appendices
Appendix 1: Risk Appetite Statement
The information below is an extract from a paper presented by the CFO in the second meeting of the Risk and
Audit Committee.
| Risk category | Principles and guidance | Risk appetite |
| --- | --- | --- |
| Pandemic | Significant uncertainty with different countries having variations on regulations relating to travel, lockdowns, the opening of venues and other factors. Need to comply with health directives in different countries. Unable to estimate the financial and other impacts on the business. | Moderate |
| Cyber and data security | Clean Hotels is the holder of sensitive data, and there is a rapid evolution in societal, regulatory and media scrutiny of privacy arrangements. There is potential for financial and reputational damage due to a data breach. | Low |
| Legal, ethical and regulatory compliance | Failure to operate within contractual and regulatory requirements, or within societal expectations, will result in loss of reputation, fines and impact Clean Hotels’ operations. | Low |
| Health and safety | Clean Hotels seeks to create authentic customer experiences and relationships and ensure all employees return home safely. Failure to meet legislative requirements, and to operate within Clean Hotels’ policies and procedures, can lead to death or serious injury to customers or hotel staff. | Low |
| Food safety and hygiene | Clean Hotels seeks to create authentic customer experiences and relationships. Failure to manage supply chain and preparation and storage of food may result in food poisoning, leading to financial and reputational damage. | Low |
| Change | The flexibility and resilience to execute change relating to external and internal challenges. | Moderate |
| Growth | Clean Hotels is looking to increase its portfolio of hotels in the target regions. The risk has increased due to uncertainty relating to the COVID-19 pandemic. | High |
| Foreign exchange | Clean Hotels operates in multiple locations with different currencies. Variation in exchange rates will impact the profitability of hotels and the value of hotels within consolidated financial statements. Foreign exchange is linked to demand for travel, so fluctuations will impact demand. | Moderate |
| Interest rates | Clean Hotels is the holder of freehold land with debt required to operate the business and acquire land. Fluctuations in interest rates can lead to reduced profitability and cash flow. | Low |
| Digital transformation | Clean Hotels seeks to innovate, implement emerging technologies to improve cost management and create an authentic customer experience. Clean Hotels is willing to be a first mover with the implementation of technology. | Low |
Appendix 2: Risk Register
| Risk category | Risk description | Inherent likelihood | Inherent consequence | Inherent risk rating | Key controls | Residual likelihood | Residual consequence | Residual risk rating |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| A Pandemic | Loss of revenue due to regulation on travel, lockdowns and venue capacity or opening hours. Failure to comply with health directives resulting in fines and/or reputational damage. Variation in regulation and health directives in each location leading to increased risk. Increased risk of cyber and data security due to increased remote working. Reduced availability of critical workforce. | Likely | Catastrophic | Very high | Non-essential employees are working from home where possible avoiding the risk of cross-infection. Annual business plan updated with all discretionary spending reduced to minimum possible. Personalised training for team members on regulatory requirements and health directives. | Possible | Major | High |
| B Cyber and data security | Data breach (customer, employee, and other sensitive data) resulting in financial and reputational damage. | Likely | Major | High | IT security controls are in place. A continuous cybersecurity program is managed across the hotels (reviewed by the Executive Committee). Adoption of the NIST cybersecurity framework. IT strategy is in place, providing a structured approach to Clean Hotels’ management of IT, data and cybersecurity. | Possible | Minor | Low |
| C Legal, ethical and regulatory compliance | Failure to comply with regulatory requirements or failing to act in good faith when applying regulation leading to a breach of societal expectations. | Likely | Major | High | Legal counsel reviews and approves all contracts with liability caps included, with obligations tracked in legal database. Clean Hotels adopts a self-disclosure policy for all regulatory breaches. Legal counsel reviews all proposed legislation and updates policies and procedures where required. Staff training presented monthly. | Possible | Medium | Moderate |
| D Health and safety | Death or serious injury to guest or hotel staff. | Likely | Major | High | Clean Hotels maintains health and safety procedures which comply with regulatory requirements. Monthly compulsory staff training is run on health and safety procedures. Clean Hotels maintains access to all appropriate plant and equipment to ensure it uses the right tools for the job. A safety and risk culture is embedded within the Clean Hotels group, ensuring all staff have the right to speak up and report safety issues. | Possible | Medium | Moderate |
| E Food safety and hygiene | Death or illness to guests or hotel staff due to food contamination. | Possible | Medium | Moderate | Qualified food service staff are employed, with all staff completing a food safety qualification. Weekly training provided to all staff in food preparation and service. Procurement contracts require supply chain to comply with all food safety requirements with Clean Hotels able to complete unannounced audits. | Unlikely | Minimal | Very Low |
| F Change | Failure to implement technology effectively resulting in reduced profitability and a loss of market share. | Almost certain | Major | Very high | The growing hotel chain is adopting new and emerging technologies to serve customers better. Existing legacy booking systems are being replaced with new technology that interfaces with different devices and booking apps for a seamless booking process for customers. Digital capability increased, such as using social networks to enhance the customer experience. Change management, project management, and capability increased to ensure projects are financially and operationally viable, with all change projects required to proceed through a change management process based on the size and complexity of the project. | Possible | Medium | Moderate |
| G Growth | Failure to integrate existing hotels and new acquisitions resulting in failure to achieve group synergies and meet return on asset targets. This strategic priority may be an opportunity if there are distressed high-quality properties available in the market. It may also be a high risk if there is uncertainty in the market. | Almost certain | Major | Very high | Centralised digital hub for policies, procedures and learning materials to ensure single source of knowledge for employees. Governance and control framework with established delegation of authority enabling decisions on investment decisions to be made quickly and efficiently. Established approach to investment decision-making and system development requiring decision to pass a gating process (Clean Hotels Investment Review). | Possible | Major | High |
| H Foreign exchange | Fluctuations in foreign exchange rates resulting in: reduced traveller demand and therefore profitability; change in costs of source products leading to reduced profitability. | Possible | Major | High | Clean Hotels promotes locally to ensure a mix of international and local guests. Supply chain contracts are entered into with local currency where possible. Material foreign exchange transactions are hedged. | Possible | Medium | Moderate |
| I Interest rates | Increased interest rates leading to reduced profitability and cash flow. | Possible | Major | High | Treasury department sources the cheapest interest rate available and monitors changing rates. Treasury department uses interest rate swaps to fix cash flows on variable debt. | Possible | Minor | Low |
| J Digital transformation | Failure to implement digital transformation resulting in reduced customer experience and loss of revenue. | Likely | Major | High | IT strategy includes identification, review and implementation of new technology. | Possible | Minor | Low |
Appendix 3 – Risk Matrix
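[Figure: risk matrix. The exact cell layout is not recoverable from the extracted text.]
Likelihood (rows): 5 Almost certain, 4 Likely, 3 Possible, 2 Unlikely, 1 Rare.
Consequence Level (columns): 1 Minimal, 2 Minor, 3 Medium, 4 Major, 5 Catastrophic.
Rating legend: Very high, High, Moderate, Low, Very low.
Risks plotted in the Possible (3) row: A, G, B, C, D, F, H. Risk plotted in the Unlikely (2) row: E. Risks I and J are also plotted; their row is not recoverable.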