Recent Question/Assignment

Risk and Technology Assignment. You must read the attached risk appetite statement and other supporting documents.
Assessment 2
Case study
Emerging risks board paper
Background information
A small hotel chain, Clean Hotels Limited (Clean Hotels), operates in Australia, New Zealand, and the United Kingdom in the following locations:
• Sydney, Australia
• Melbourne, Australia
• Auckland, New Zealand
• Edinburgh, Scotland
• Glasgow, Scotland
• Liverpool, England
• Brighton, England.
Clean Hotels operates mid-tier hotels that cater to families, couples, friends, and some business travellers. The business directly invests in good quality, freehold properties in key locations in the cities in which it operates.
Clean Hotels has experienced strong revenue growth and has expanded over the last few years. Recent events have caused a reduction in revenue and, therefore, profitability; however, it has managed to remain sustainable. Clean Hotels’ strategy of acquiring hotels and freehold land has ensured it maintains control over all aspects of the hotel operation; however, it does mean the business is highly leveraged.
The hotel industry generally operates on tight margins, therefore changes in cost structure can have a major impact on hotel operations and services; when fixed costs change, only variable costs linked to customer service can be adjusted.
Clean Hotels is considered a niche hotel chain; its focus market is non-business travellers looking to stay in major cities. The business competes with similar niche hotels, as well as larger hotel chains. Many customers are price- sensitive, but are still looking for a personalised touch and a high standard of customer service. Competitors use automated processes and have introduced emerging technologies to enable higher levels of service to be provided, while still maintaining cost control to ensure rates remain competitive.
Additional information
Clean Hotels believes that, since it has introduced change effectively in recent times, by integrating hotels into the group, any introduction of new technology could also be implemented effectively.
However, where new technology has been introduced in the past, implementation has generally been late and over budget. At times, it has not met the needs of the business. The IT department has no clear policy on how new technology should be implemented, or what direction the business should take with technology, apart from the strategic priority identified by the board (see below).

Reputation management
As a niche hotel chain, Clean Hotels values its reputation and seeks to maintain this reputation by delivering on its strategy, while still operating its business within broader societal expectations.
1. Clean Hotels aims to be carbon neutral through the acquisition of renewable energy products and considering its carbon footprint in all decisions. The business believes this is a key element when creating authentic customer experiences and relationships, which is one of the strategic objectives noted by the board (see below).
2. Clean Hotels also understands its reputation is reliant on employee satisfaction and engagement, and that a key driver of employee engagement is wellbeing, health and safety. The business considers itself to be compliant with all key requirements; unfortunately, a recent increase in incidents has caused concern. Following investigations of incidents resulting in injury, it has become clear that many were avoidable as similar near miss events had occurred in the past. Near misses are reported to supervisors, and each supervisor has their own process for tracking and reporting near misses and incidents; they are rarely shared between departments.
3. The board believes a strong risk culture is required to deliver on its strategies and that risk culture starts at the top, ie the board. The board includes experienced professionals, however a board gap analysis identified that the CFO manages legal risks, as opposed to a general counsel, and uses several legal firms for ad hoc matters.
4. The board believes introducing a whistleblowing policy and improving risk management systems are key to improving the risk culture and delivering on its strategies.
The board
The board consists of the Chairperson, Chief Executive Officer (CEO), Chief Financial Officer (CFO (and Board Secretary)) and four independent non-executive directors. The board members are responsible for strategy, performance, people and risk. Their top strategic objectives are:
1. to innovate and grow the Clean Hotels brand through the acquisition of additional hotels in current markets
2. to create authentic customer experiences and relationships
3. to integrate emerging technologies to improve value for Clean Hotels and improve the overall customer experience.
The Board has recently implemented a risk and audit committee, which includes three independent non-executive directors, one of which is the chairperson.
The board has prepared its risk appetite statement (RAS), which has been communicated through the Annual Report:
The board is responsible for setting the risk appetite for achieving Clean Hotels’ strategic objectives. The risk appetite is cascaded down through business goals and objectives, the employee code of conduct, and the formal delegation of authority policy, including the governance structure of approval committees, decisions made and the allocation of resources.
Risk and audit committee
At the first risk and audit committee meeting, there were two agenda items:
1. The CFO was asked to present the RAS, risk register and risk matrix of the key business risks for the committee’s consideration at the next meeting.
2. At a recent board meeting, it was noted that one of the board members attended a presentation from an internet of things (IoT) vendor (software supplier). The vendor, Biz4intellia (see is planning to expand into Australia, Asia and the United Kingdom. The presentation was impressive, and the board member believes that the software could help the Clean Hotels chain achieve its three strategic objectives and manage principal risks. The other board members are not convinced and have asked the risk and audit committee to consider the benefits of introducing Biz4intellia and the impacts on Clean Hotels’ risk management process.

At the second risk and audit committee meeting, the following was noted:
1. The CFO presented the work to date to the risk and audit committee in a paper. An extract from the paper is attached and shows the current RAS and risk register.
2. The risk and audit committee reviewed the paper; while it is a good start, it appears the risk management process requires some further work. The CFO advised that he does not have time to complete the requirements.
3. The CFO agreed to consider how the introduction of Biz4intellia would impact Clean Hotels, as well as its risk management process, at the next risk and audit committee meeting.
4. Committee members discussed several articles relating to technology implementation and the importance of cyber security they had come across recently and asked that these be considered.
• these-pitfalls/?sh=669fecb05b1f
• implement-them-properly-02376009
The following was recorded in the committee minutes:
That the risk and audit committee receive the paper and engage an external consultant to:
• review the risk register and make any recommendations to ensure the risk register aligns with the RAS and that both include all key business risks
• assess the Biz4intellia solution as proposed by the Board and how the introduction of Biz4intellia would impact the existing risk management process.
Both are to be presented at the next risk and audit committee meeting in the form of a board paper. The motion was unanimously agreed.’

The CFO requires you to focus on the following items in your report:
1. Evaluate the current risk management for Clean Hotels (excluding Biz4intellia):
a) Identify where the RAS is misaligned with the risk register and make relevant recommendations to the risk and audit committee.
b) Considering Clean Hotels strategic objectives, assess which risk category is missing from the RAS and risk register. Recommend four steps management should take to include the identified risk in the risk management process.
2. For the proposed Biz4intellia solution:
a) Evaluate how introducing the Biz4intellia IoT solution will increase or decrease the residual risk rating for one relevant risk listed in the risk register.
b) Previous Clean Hotels projects have not been well managed due to poor risk identification and management.
For each of the following project risk categories, evaluate one key risk and one potential mitigation strategy (for the selected risk) that Clean Hotels should consider for the project implementation of the Biz4intellia IoT solution:
i. project scope - what needs to be achieved to deliver the project
ii. project schedule - what needs to be done, which resources must be utilised, and when the project is due
iii. project cost - total funds needed to monetarily cover and complete the project scope
iv. customer acceptance - the extent to which a consumer will use a certain innovation
v. staff acceptance - employee acceptance of the strategic objectives and goals
vi. information technology (IT) - management of increased cyber security risks and ensuring access to appropriate technology.
c) Continuing on from the customer acceptance section in b) above, evaluate one relevant ethical issue to be considered, and explain why this issue is important to Clean Hotels.