
Chapter 4

Risk Management

Faculty of Economics and Business - Accounting Undergraduate Program


Learning Objective I :
Concept of Risk Management



Risk: Definition

The possibility that an event will occur and adversely affect the achievement of an objective
(Committee of Sponsoring Organizations of the Treadway Commission (COSO))



Fundamental Aspects of Risk

Risk begins with strategy formulation and objective setting
Risk does not represent a single point estimate (but a range of possibilities)
Risks may relate to preventing bad things from happening (risk mitigation) or failing to ensure good things happen (pursuing opportunities)
Risks are inherent in all aspects of life


Learning Objective II :
COSO Enterprise Risk Management



COSO Enterprise Risk Management (ERM) Framework

ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


COSO Enterprise Risk Management Cube

[Figure: the COSO ERM cube, showing the types of objectives on one axis and the components of ERM on another]


COSO ERM: Types of Objectives

Strategic objectives: High-level goals that are aligned with and support the organization's mission
Operations objectives: Promoting the effective and efficient use of resources
Reporting objectives: Reliability of reporting
Compliance objectives: Compliance with applicable laws and regulations


Components of ERM

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring


Component of ERM: Internal Environment

Risk management philosophy: A set of shared beliefs and attitudes characterizing how the organization considers risk in everything it does
Risk appetite: The amount of risk, on a broad level, an organization is willing to accept
Board of directors: Provides the structure, experience, independence, and oversight role played by the organization's primary governing body
Integrity and ethical values: Reflect the preferences, standards of behavior, and style
Commitment to competence: The knowledge and skills needed to perform assigned tasks
Organizational structure: The framework to plan, execute, control, and monitor activities
Assignment of authority and responsibility: Authorizing and encouraging the use of initiative to address issues and solve problems
Human resource standards: Hiring, orienting, training, evaluating, counseling, promoting, compensating, and taking remedial actions
Component of ERM: Objective Setting

Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives
Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is the establishment of objectives
Objectives must be aligned with the organization's risk appetite, which drives risk tolerance levels for the organization
Risk tolerances are the acceptable levels of size and variation relative to the achievement of objectives, and must align with the organization's risk appetite


Component of ERM: Event Identification

Management identifies potential events that, if they occur, will affect the entity's ability to successfully implement strategy and achieve objectives
Events with negative impact represent risks
Events with positive impact represent opportunities
When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities


Event Identification: External Factors

Economic events: Price movements, capital availability, barriers to entry
Natural environment events: Flood, fire, earthquake, weather-related events
Political events: Election of government officials, enactment of new laws and regulations
Social events: Changing demographics, social mores, family structures, work/life priorities
Technological events: E-commerce, cloud computing, mobile technology
Event Identification: Internal Factors

Infrastructure factors: Such as increasing capital allocation to preventive maintenance or call center support
Personnel factors: Workplace accidents, fraudulent activities
Process factors: Process modifications, process execution errors, outsourcing decisions
Technology factors: Such as increasing resources to handle volume volatility, security breaches, systems downtime


Component of ERM: Risk Assessment

Risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives
Management assesses events from two perspectives: likelihood and impact

Inherent risk: The gross risk, the risk to an organization in the absence of any actions management might take to alter either the risk's likelihood or impact
Residual risk: The net risk, the risk that remains after management's response to the risk (to reduce or transfer the risk)

Risk assessment should be applied first to inherent risks
Once risk responses have been developed, management then considers residual risk
Component of ERM: Risk Response

Avoidance: Exiting or divesting the activities giving rise to the risk. Example: declining expansion, dropping a business segment
Reduction: Action is taken to reduce risk likelihood or impact, or both
Sharing: Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Example: insurance, hedging, outsourcing
Acceptance: No action is taken to affect risk likelihood or impact; management is willing to accept the risk at the current level


Component of ERM: Control Activities

Policies and procedures that help ensure that management's risk responses are carried out
Control activities are most commonly associated with risk reduction strategies
COSO common control activities:
Top-level reviews
Directing functional or activity management
Information processing controls
Physical controls
Performance indicators
Segregation of duties
COSO Control Activities

Top-level reviews: Controls that are typically executed at the entity level. Ex: performance-against-budget reviews, updating forecasts, monitoring of competitor actions
Directing functional or activity management: Controls executed by managers running specific functions. Ex: reviewing performance reports, overseeing the execution of detailed-level controls
Information processing controls: Designed to check the accuracy, completeness, and authorization of transactions. Ex: physical and logical security, controls over systems implementation, disaster recovery, system operations controls
Physical controls: Ex: physical counts of cash, securities, inventories, and equipment; physical barriers or restrictions such as fences and locks
Performance indicators: Involve analyzing and following up on deviations from expected or targeted performance norms
Segregation of duties: Separating the duties of different people to reduce the risk
Component of ERM: Information and Communication

Information must be sufficient and consistent with an organization's need to identify, assess, and respond to risk and remain within its various risk tolerance levels
Information must be of sufficient quality to support decision making:
Appropriate
Timely and available when needed
Current
Accurate and reliable
Accessible
Component of ERM: Monitoring

ERM is monitored over time; the presence and functioning of its components are assessed
Ongoing monitoring will generally occur in the normal course of day-to-day management activities
Deficiencies noted from monitoring activities are reported to senior management and, for serious matters only, to the board
Internal auditors typically are part of the overall monitoring system


ERM & Five Questions

1. What are we trying to accomplish (what are our objectives)?
2. What could stop us from accomplishing them (what are the risks, how bad could they be, and how likely are they to occur)?
3. What options do we have to make sure those things do not happen (what are the risk management strategies, that is, the responses)?
4. Do we have the ability to execute those options (have we designed and executed control activities to carry out the risk management strategies)?
5. How will we know that we have accomplished what we wanted to accomplish (does information exist to evidence success, and can we monitor performance to verify that success)?
Roles and Responsibilities in ERM

Board of directors: Provides oversight and direction to the organization's management by:
Knowing the extent to which management has established effective ERM in the organization
Being aware of and concurring with the organization's risk appetite
Reviewing the organization's portfolio view of risk and considering it against the organization's risk appetite
Being apprised of the most significant risks and whether management is responding appropriately

Management: Responsible for the effectiveness and success of ERM
Monitors the organization's overall risk activities in relation to its risk appetite
Manages risks related to their specific units' objectives


Roles and Responsibilities in ERM

Risk officer: Monitoring risk management progress and assisting other managers in reporting relevant risk information

Chief Risk Officer (CRO) specific responsibilities:
Defining roles and responsibilities and participating in setting goals for implementation
Framing authority and accountability for ERM in business units
Facilitating development of technical ERM expertise
Guiding integration of ERM with other business planning and management activities
Measuring likelihood and impact of the risks
Facilitating quantitative and qualitative thresholds and monitoring the reporting process
Reporting to the CEO on progress and outliers and recommending action as needed
Roles and Responsibilities in ERM

Financial executives: Financial executives are involved in developing organization-wide budgets and plans, and in tracking and analyzing performance from operations, compliance, and reporting perspectives.
Financial executives play an important role in preventing and detecting fraudulent reporting, and influence the design, implementation, and monitoring of the organization's control over financial reporting and the supporting systems

Internal auditor: The internal audit function plays an important role in evaluating the effectiveness of ERM and recommending improvements to ERM
Evaluating the reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations
Assisting management and the board by examining, evaluating, reporting on, and recommending
[Figure: Top-Down View of ERM, showing risks (inherent risk, gross risk) passing through governance control and management oversight, entity-level controls, process-level controls, and transaction-level controls]
Top-Down View of ERM: How the Mechanism Works

Every organization faces a variety of risks, depending on its business objectives
Risks that may not be serious when standing individually become more serious when related risks are aggregated (inherent risk, gross risk)
The risks are filtered by the internal control system:
Governance control: filters high-impact risks
Process-level control: filters moderate-impact risks
Transaction-level control: filters low-impact risks
The risk remaining after passing through the internal control system is residual risk (net risk)
Learning Objective III :
The Role of Internal Audit Function in ERM



Internal Auditing's Role in ERM


Core IA Roles in ERM
Giving assurance on the risk management processes
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks



Legitimate IA Roles In ERM
Facilitating identification and evaluation of risks
Coaching management in responding to risks
Coordinating ERM activities
Consolidating the reporting on risks
Maintaining and developing the ERM framework
Championing establishment of ERM
Developing ERM strategy for board approval



Roles IA Should Not Undertake
Things that impair IA independence and objectivity:
Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on management's behalf
The Impact of ERM on IA Assurance

The Chief Audit Executive (CAE) must establish risk-based plans to determine the priorities of the IA activity, consistent with the organization's goals