Basel II Risk objectives:
- Ensuring that capital allocation is more risk sensitive;
- Enhancing disclosure requirements, which will allow market participants to assess the capital adequacy of an institution;
- Ensuring that credit risk, operational risk and market risk are quantified based on data and formal techniques;
- Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage.
- Pure risks vs speculative risks
- Managing reputation risk involves managing expectations and perceptions: emotional appeal, products and services, financial performance, vision and leadership, workplace environment, social responsibility
The internal controls should achieve the objectives: Reporting; Operations controls (follow procedures; includes safety controls); Compliance, e.g. food/medicine (QC as internal control, trials on animals and humans)
Apply COSO 1: control environment, control activities (procedures), monitoring. Must be able to enforce, if not no one will follow. Monitoring = ongoing (supervision) & separate evaluation (audit)
e.g. of control activities: physical reconciliation/verification, authorisation, segregation of duties
Limitations of internal control (evaluate the internal controls):
1. Poor judgement
2. Human error: classification error which leads to wrong corrective action
3. Collusion: internal and external
4. Management override: the control might not be effective in addressing the risk anymore; must report such occurrence
5. Procedure operated well enough?
ERM Risk Objective Categories (see the cube)
Objective > Risk > Strategy to manage risk > Control activities > Responsibility
Standard deviation (normal distribution):
68.26% of all outcomes fall within 1 std deviation of the mean.
The area between 1 and 2 std deviations above the mean contains 13.59% of all outcomes; as the shape is symmetric, so does the portion between 1 and 2 std deviations below the mean.
95.44% fall within 2 std deviations.
99.74% fall within 3 std deviations.

Risk assessment enables decision-makers and interested parties to better understand risks that could threaten the achievement of objectives, including the adequacy and effectiveness of controls already in place.
Risk assessment has three processes: risk identification (identify risks that might impact operations, with some level of probability, within a reasonable time period), risk analysis, & risk evaluation.
Risk analysis:
- Risk assessment: identification, measurement, prioritization
- Risk management: control, share/transfer, diversify/avoid
- Risk control: process level, activity level, entity level
Benefits of Risk Assessment
The principal benefits of performing a risk assessment include:
- Providing objective information for decision makers;
- Understanding of the risk and its potential impact upon objectives;
- Identifying, analysing and evaluating risks and determining the need for their treatment;
- Quantification or ranking of risks;
- Contributing to the understanding of risks, in order to assist in selection of treatment options;
- Identification of the important contributors to risks and weak links in systems and organisations;
- Comparison of risks in alternative systems, technologies or approaches;
- Identification and communication of risks and uncertainties;
- Assisting with establishing priorities for health and safety;
- Rationalising a basis for preventive maintenance and inspection;
- Post-incident investigation and prevention;
- Selecting different forms of risk treatment;
- Meeting regulatory requirements; and
- Providing information that will help evaluate the tolerability of the risk when compared with pre-defined criteria.

Four types of risk response: Acceptance, Avoidance, Reduction, Sharing

MONITORING ACTIVITIES:
The internal and external environments of an entity change over time:
- Risk responses that were once effective may become irrelevant
- Control activities may become less effective, or no longer performed
- Entity objectives may change.
Hence, management needs to determine whether the functioning of ERM continues to be effective.

Monitoring = Ongoing monitoring + Separate evaluations

Geographical concentration increases risk


Importance of reputation:
1. Maintain your market position and brand
2. Establish productive working relationships with your partners
3. Maintain share price and ideally help increase it
4. Attract and retain talent

BCP = Disaster recovery + Business recovery + Business resumption

1. Crisis Anticipation:
- Crisis inventory: What Could Go Wrong (worst-case scenario); How to Avoid It (Loss Prevention: safety measures in place? Place check-mark and date, or action + date); If It Happens (Loss Reduction)
- What must we do and know to avoid the most damage?
- What decisions must we make? Who else must make decisions? Whom must we contact?
- What will the public need to know immediately? How can we get this information?
- What resources will we require? Where can we get them?
- What emergency supplies will we need? Do we have them available? Where? What first-aid training do we have? Who can do CPR and other life-saving procedures?
2. Crisis Prevention (monitoring):
- Ensure safety measures are maintained
- Help the organization to identify a potential crisis and ward it off before it escalates into a full-scale disaster.
- Media analysis and consumer surveys
3. Crisis Preparation:
i) Establish a Crisis Management Team (Core Team)
- The outcome of the crisis depends on the performance of the people making the decisions.
- Determine who on your team will: be involved in handling each aspect of the crisis; make what kinds of decisions
ii) Develop a Crisis Management Plan:
- Evaluate the inventory list of crises, deliberate on the issues your organization may be involved in for each worst-case scenario, and determine the corresponding component of the plan. Some questions: Should employees stay at home? When to evacuate a building?
- Identify key stakeholders, including the media, government agencies, suppliers, customers, etc. Determine whom you should inform in the event of a crisis.
- Make sure everyone in the firm is aware of the plan and that they need to follow it should the occasion arise.
- Plans should respond properly to the perils to which the organization is particularly subject.
- Plans should include the setting up of a crisis center.
iii) Update and practice it regularly
- Play out a potential crisis to test your plan, revise it, and enable people to practice in peace what they may need to do in chaos
iv) Make sure everyone in the firm is aware of the plan and that they need to follow it should the occasion arise.
v) Establish a strong relationship with the company's legal counsel
vi) Provide media training for the crisis response team (know how to deal with the news media)
vii) Establish communication protocols so that there are no weak links in the system. Remember to test them!

4. Crisis Recognition:
- Ensure a threat is recognized before it becomes a full-blown crisis
5. Crisis Containment (how to react to a crisis):
i) Operational response is essential
- In the first hours following a crisis the public will form its own opinions. Tough decisions have to be made fast
ii) Ability to communicate
Companies thus should:
- Communicate early and often.
- Show compassion, and be sure the company is doing everything possible to improve the situation.
- Be honest and open.
- Be consistent in the message.
- Monitor public opinion using new technology (chat rooms, message boards, discussion groups, surveys).
- Follow up with public opinion surveys and employee questionnaires to learn from mistakes.
6. Recovery and Rebuilding:
- Need to assess the damage (beyond economics)
- Determine how the crisis has affected the key stakeholders of the company; conduct dialogue sessions and meetings with them
- Try to turn the crisis into a positive experience: assess the effectiveness of the plan; update and change it if necessary
- Need to deal with the media.
Heuristics: Judgmental Biases
1. Availability
2. Representativeness
3. Anchoring and Adjustment
4. Hindsight (to avoid this, conduct a walkthrough)
5. Overconfidence
6. Out of sight, out of mind
7. It won't happen to me
Qualitative dimensions of risks:
- Voluntariness
- Immediacy of Effect
- Knowledge about Risk (2 areas)
- Control over Risk
- Newness
- Chronic/Catastrophic
- Common/Dread
- Severity of Consequences
RISK = HAZARD + OUTRAGE
Strong culture:
Organizations with strong cultures generally achieve higher results because employees sustain focus on both what to do and how to do it. These same factors are essential for building an effective RM culture.

Benefits of a well-defined RM philosophy:
A well-developed RM philosophy that is understood and embraced by its personnel will position the entity to effectively recognize and manage risk.
A written RM policy statement typically contains:
- General description of RM and its importance to the organization
- RM department's internal structure
- Senior management's RM philosophy and goals
- Decision rules for selecting RM techniques
Major principles of ethics:
- Utilitarian: the greatest good for the greatest number
- The Golden Rule: ethics of reciprocity
- Ends-Means: the ends justify the means
- Rights ethics: protecting individual moral or legal rights
- Justice: which alternative promotes fair treatment for all people
  - Distributive: distribution of benefits and burdens.
  - Compensatory: compensation for victims of injury or past injustice.
  - Procedural: fair decision-making procedures, practices, or arguments.
  - Retributive: punishment to be evenhanded and proportionate to transgressions.
  - Rawlsian: making policies that are fair, with equal treatment (veil of ignorance)
- Caring: focuses on a person as essentially relational (cooperative) rather than individualistic
- Virtue ethics: focuses on characteristics rather than on rules for correct behaviour
- Servant leadership: focuses on serving others first

Duties of Audit Committee:
- Discuss with management the system of internal control and ensure management has discharged its duty to have an effective internal control system
- Consider findings of major investigations of internal control matters and management's response
- Ensure coordination between internal & external auditors
- Provide objective assurance to the board and management with regard to the adequacy and effectiveness of the company's risk management and internal control framework
Asymmetry principle
Goal of building an effective risk management culture: get employees at all levels to consider potential risks associated with various decisions
COSO's ERM framework: the quality of info is ascertained by accuracy, accessibility, appropriateness, timeliness

Example of Objectives, Risk, Strategy to manage risk, and Controls
Strategic objective:
- To penetrate the C market in two years' time
- To achieve a market share of 5% in the C market in 3 years' time
Risk:
- Over-estimate potential of C market
- Lack of local knowledge
Strategy to manage risk:
- Detailed market feasibility study; seek joint venture partners, particularly those with strong local knowledge
Control activities:
- Tender to select best consultant for feasibility study
- Due diligence review of potential JV partners
Responsibility:
- Strategic Steering Committee (Chairman of the Board, Chief Executive, Marketing Director)
Mission > Strategic Objectives > Plans
- To ensure that all our toys are clearly identifiable to our customers
- To ensure that our brand remains relevant and independent by avoiding any actions which could potentially dilute Stikfas's brand identity
- To ensure our products appeal to people of all generations and times through constant innovation and development
- To ensure that our customers' feedback is promptly heard and our responses are translated into actions
Evaluating internal control system:
- Culture of carelessness (poor control); lack of control-conscientiousness (weak control environment)
- Internal control didn't respond to the change in risks
- Not committed to competence: lack of skills (control environment)
e.g. of limitations of internal control:
- Speed limit: poor judgement
- Confusion: human error/weak communication/inadequate training
- Loading error: human error
- Exceed speed limit: poor judgement

Control Environment:
Culture of the company: is the organization taking internal controls seriously; in the mind; tone from the top, which they must emphasize (relied on trust rather than enforcing control = weak control environment; relied on safeguards in the system??)
When analysing an organisation:
- Attitude: belief
- Awareness: knowledge; do people know what to do; control-conscientiousness + alertness
- Action: implementation (a solid internal control system, e.g. a verification procedure to approve the disbursement of funds, and prevention/detection work such as random audit checks to prevent and deter experienced employees from exploring loopholes and outsmarting the processes and systems in place)
Control activities (procedures):
Actions established by policies and procedures to help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
Information:
Relevant, reliable, complete
Monitoring:
- Must be able to enforce, if not no one will follow
- Ongoing (supervision) & separate evaluation (audit)
- Internal audit falls under monitoring
Disaster recovery: IT (restore loss of data, power loss, telecom); have backup systems to store customer data
Business recovery: alternative suppliers for goods and/or delivery trucks, keeping goods in separate warehouses and stocking up on goods
Business reputation: customer relationship management
Crisis containment: install a fire alarm to draw attention to the fire before it becomes a full-scale outbreak, and to alert passers-by to call 911; fire sprinklers to reduce the incidence or speed of the fire spreading
Emergency response: first aid equipment, staff trained in first aid
Crisis communication: constantly update contact list, customer reassurance