I. Introduction
company. Its definition, importance, and relevance with the subject. The researchers clearly
made this study for the readers to easily understand these types of risks.
II. Body
A. Strategic Risk
different strategy approach for it to grow. Strategic risks are the risks that are most
consequential to the organization’s ability to execute its strategies and achieve the
company’s objectives. This is a type of risk exposure that can affect shareholder value or
Why is it important?
This is very important in the company since one needs to strategize in taking
risks. A lot of factors will be considered for this, in terms of finance, resources and
very important to have calculated strategic risk for the risk not to be a loss but a gain to
the company. By the word itself “strategy”, it means that the risk the company is taking is
will deal with it, the first step the board will do is to monitor strategic risk assessment. A
strategic risk assessment is a systematic and continual process for assessing the most
significant risks facing an enterprise. The initial assessment is a valuable task that should
include the senior management and board of directors. The strategic risk assessment
process is planned to fit the organization’s needs. Certain steps are to be considered for
In Ram Charan’s book, Owning Up: The 14 Questions Every Board Member
Needs to Ask, one of the questions posed is “Are we addressing the risks that could send
our company over the cliff?” According to Charan, boards need to focus on the risk that
Risk is an integral part of every company’s strategy; when boards review strategy,
they have to be forceful in asking the CEO what risks are inherent in the strategy. They
need to explore ‘what ifs’ with management in order to stress-test against external
Regarding risk culture, Charan provides the following insight: “Boards must also
watch for a toxic culture that enables ethical lapses throughout the organization.
Companies set rules—but the culture determines how employees follow them.” We
believe that corporate culture plays a significant role in how well strategic risk is
B. Reputation Risk
Reputation was often equated to brand and it was all about brand management,
marketing, and image. This all changed with the advent of the age of hyper-transparency.
Reputation risk refers to the potential for negative publicity, public perception or
Why is it important?
The name of the business is a valuable asset to the company because it has the
power to attract potential buyers and investors. A negative corporate reputation harms
client and investor trust, erodes your customer base and hinders sales. A poor reputation
also correlates with increased costs for hiring and retention which degrades operating
margins and prevents higher returns. There are three things that determine the extent to
which a company is exposed to reputational risk. The first is whether its reputation
exceeds its true character. The second is how much external beliefs and expectations
change, which can widen or (less likely) narrow this reputation-reality gap. The third is
the quality of internal coordination. A strong positive reputation among stakeholders
organizations, the communities in which the firm operates) will result in a strong positive
reputation for the company overall. Reputation is distinct from the actual character or
behavior of the company and may be better or worse. When the reputation of a company
is more positive than its underlying reality, this gap poses a substantial risk. Eventually,
the failure of a firm to live up to its billing will be revealed, and its reputation will decline
until it more closely matches the reality. Reputation risk starts at the board – at the most
elemental level with board members and board candidates who need to be properly
vetted. The company can suffer or benefit from the actions of the directors and
prospective directors. In the more severe negative cases, personal reputations can suffer
significantly and it is in these cases that boards and those overseeing corporate
they will express concerns early and often, defusing the potential for serious
deterioration in the issue or risk involved and its attendant reputational risk. Leadership
style and organizational culture have potentially huge consequences for how an entity
handles its risks and how amplified its reputational risk might become. Any strategic
planning and development should include consideration of attendant reputation risk. This
consideration should involve the company’s initiatives and objectives that contribute to
existing risks or potentially create new risks. It should also take into account the
consequences of negative events that might occur. The board is the ultimate protector and
guardian of organizational integrity and value. Reputation loss (and gain) can materially
affect integrity and value. What’s more, board members have their own personal integrity
and value to protect. Ultimately, reputation risk oversight is one of the intrinsic
Examples:
Wells Fargo, for example, hurt its reputation by opening millions of unauthorized
to banks. Negative publicity can cause depositors to rapidly withdraw their money. It can
lead to a bank run or panic, events that hurt the entire economy. At the same time, banks
have a hard time signaling they are trustworthy. Even a bank’s promise to return
customer money might be worthless. If customers rely on banks’ reputations alone, they
C. Compliance Risk
loss an organization faces when it fails to act in accordance with industry laws and
Why is it important?
Compliance risks are the threat posed to a company’s license to operate and
which could impact the institution’s ability to achieve its strategic objectives. Managing
compliance risks has become more and more complex. To fully understand their
compliance risk exposure institutions must strengthen their compliance risk management
framework and methodologies. Core compliance fundamentals must be established first
before being able to transform to lean compliance. In general, a more dedicated and
holistic approach is required. Controlling compliance risks should help institutions become
future-proof.
is already clearly visible, there is still a gap to close. The following trends are closely
related to this:
controls;
Examples:
In its Supervision Outlook 2018 the Dutch Central Bank (DNB) outlines the
priorities it has set and examinations it has planned to conduct as part of its supervisory
remit in 2018. Together with this Supervision Outlook the DNB has also published the
Supervisory Strategy for 2018-2022, which includes the following focus areas:
1. Responding to technological innovation;
D. Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal
processes, people, and systems, or from external events. Operational risk exists in every
organization, regardless of size or complexity, from the largest institutions to regional and
community banks. Breach of any of those functions or failure to execute effectively may
Why is it important?
Operational risks are generally within the control of the organization through risk
assessment and risk management practices, including internal control and insurance. It
focuses on how things are accomplished within an organization and not necessarily what
is produced or inherent within an industry. These risks are often associated with active
decisions relating to how the organization functions and what it prioritizes. While the
risks are not guaranteed to result in failure, lower production, or higher overall costs, they
Operational risk is heavily dependent on the human factor: mistakes or failures due to
Examples:
a. Computer hacking: Hackers entered Target’s systems via vendor access,
stealing the data of 70 million individual customers. There was a 46% drop in net
income for 4Q13 and a loss of $4.5 billion market capitalization. The S&P ratings
financier who executed the largest Ponzi scheme in history, defrauding thousands
of investors out of tens of billions of dollars over the course of at least 17 years,
price fell causing billions of dollars in lost market value. It is anticipated that HP
will pay out $1 billion in losses depending on the number of shareholders who join
the lawsuit
d. If two maintenance activities are required, but it is determined that only one can
be afforded at the time, making the choice to perform one over the other alters the
cut more than $20 billion off the bank's market value in 2012. Regulatory
A. Risk Culture
Risk culture binds all the elements of risk management infrastructures together.
These are the encouraged and acceptable behaviors, discussions, decisions, and attitudes
toward taking and managing risk within an institution. They are shaped by the policies
and procedures of the company and its experiences of doing business, as well as by
how the organization conforms to its values and standards. Engaging in business
always entails risk, and it cannot be avoided that risk sometimes leads a
company to certain failures. Such failures show that the company’s governance has also
which has an immature risk culture tends to fail when it comes to managing the future
while an organization that has a matured risk culture takes risk-adjusted decisions and
risks that are within their appetite levels, they are actually risk intelligent.
A company with a mature risk culture responds quickly and appropriately when it is
faced with new risk information about its operations. It is also willing and receptive to
give and receive bad news or new risk information, and such issues are openly raised,
questioned and highlighted so that the company can be prepared for any challenges that may
arise from the risk. To build an effective risk culture, a company should
incorporate risk and control culture as part of the
awareness sessions, address areas of improvement, incorporate desired risk culture values
and behaviors into the overall corporate culture, recognize management risk, create
audience-specific messages on risk management, ethics, and risk and control culture, and
many more.
Why is it important?
It is important for the company to have an effective risk culture to enable them to
have good corporate governance because they would then have communication,
transparency, integrity, honesty, accountability, ownership of risk and ethical values. This
Employees should also be able to identify and manage certain risks in their own areas of
improvement in their risk culture could also help the company become
better at identifying and responding to risks, whether good or bad. This would
increase their level of return on capital, optimize the risk-return trade-off, achieve great levels of
economic profit and create long-term value. In other words, this would contribute to
B. Risk Appetite
Risk appetite is an acceptable parameter for opportunities that require risk
taking, where such opportunities are consistent throughout the company, and it reflects
a mutual understanding of the willingness of both management and the board to allow
risk exposure in pursuit of core strategic objectives. The level of risk that they are willing
to take on will define the risk response strategies that they choose for any risks that
come their way. Risk appetite is an important tool for effective decision-making and
project performance management. Every organization faces different kinds of risks, which is
why it is important for them to understand such risks and be prepared for their
corresponding impacts. Also, organizations cannot all tolerate these risks at the same level.
That is why it is important for each organization to know what kinds of risks it can
tolerate and what it cannot. Some organizations are prepared to take on more
risks because their risk appetite is high, provided that the return is
substantial. Other organizations try their best to avoid high-probability,
high-impact risks because they have a low risk appetite; that is why risk
high level of demand risk when bringing a new product on the market. At the same time,
the company is likely to have limited financial resources, and therefore, it will tolerate
only low financial risks and its project managers may elect to purchase insurance for
every risk exposure above available funds. For an organization to be ready to face
existing and possible risks and consequences, they should be cautious of their actions and
creation of a risk appetite statement, a document that helps guide organizational risk
management activities. For example, a technology company with aggressive growth goals
determines that it should have a minimum of 25% of its operating budget allocated to
innovation. Another example is: “ABC Transit’s reputation is crucial to the
success of our initiatives and services. Balancing risk with innovation, risk will be closely
scrutinized to ensure minimal negative impact while maximizing the achievement of our
objectives.” The statement is composed of three key elements: the risks that
are on-strategy, the risks that are off-strategy, and the defined parameters that
provide a framework within which risks are undertaken. The statement should be based
on a review of the perspectives and concerns of all stakeholders and address the
Why is it important?
enhances it in a way that it stimulates a conversation between the management and the
continuous process between the management and the board in which they would create
and protect the value of the enterprise. To achieve a balance between creating and
protecting the enterprise value, the management and the board should consider an overall
risk profile so as to develop expectations that are established by the risk appetite of the
company. Risk appetite is long-term and dynamic because a company may tend to focus
more on risk when it is struggling to meet its targets and achieve
its objectives, but it may also examine such risk in periods when profits
have accelerated. The effect of risk appetite on governance is that, once the statement has
been implemented and the management and the board have created a relationship in
which there is an ongoing conversation about existing and potential risks, the company
will have the discipline to address high-level risk even when it is exceeding the
expectations of its investors; such discipline is needed especially when there is
be mutually agreed upon and substantial enough to warrant altering the risk appetite
appetite it would cause instability, lack of consistency and short-term focus to the board
and investors.
players, roles, relations and processes of its business in order to achieve its values and
objectives. Public risk management focuses also on the public domain (read society and
approach of internal or external uncertainty, a value and performance driven attitude and
Risk Management Systems are designed to do more than just identify the risk.
The system must also be able to quantify the risk and predict the impact of the risk on the
project. The outcome is therefore a risk that is either acceptable or unacceptable. The
acceptance or non-acceptance of a risk is usually dependent on the project manager’s
identification and resolution, then the system will easily supplement other systems. This
includes organization, planning and budgeting, and cost control. Surprises will be
diminished because emphasis will now be on proactive rather than reactive management.
The model shows the generic constituent components of the risk management
system. The risk management system is a stepwise process consisting of the following
interrelated but distinct phases: risk assessment (analysis and evaluation) and risk
management. Each phase consists of a number of stages, steps and sub-steps that, in
principle, are sequential. However, in many situations, this may not necessarily be so.
Research in the field of risk management is, in many cases, carried out on an ad-hoc
given time, including the seriousness of accidents, threats, issues or concerns, the
availability of resources, the availability of additional and/or new data, and improvements
and/or developments of more advanced methods and tools. The process may start at any
point and involve any individual component of the system. The literature study shows
that each component of the system may be considered a specific field or branch of
The wheel form of the risk management model represents a dynamic model. The
overall risk management process has a hierarchical structure form consisting of different
levels, in which the highest levels are further broken down into stages, steps and sub-
steps. The processes are interactive, where changes, re-evaluations and refinements may
often take place. Although shown in a sequential and seamless order – i.e. risk analysis,
risk evaluation and risk management – some stages and steps may be carried out and
are also possible. This is due to a variety of factors, including the availability and
accessibility of additional and/or new risk-related data and information, the breadth and
depth of the analysis, results of the study, re-evaluations and redefinitions, and decision-
making alternatives.
and stages shown in the model. The process may be suspended at any given phase/stage
and time. For example, the risk analysis process can be suspended, that is, stopped from
proceeding to a more detailed analysis, if risks are found to be at a low or negligible
level and further study may be deemed unnecessary and cost-inefficient.
1. Adequately identify the material risks that the company faces in a timely
manner;
committees.
Why is it important?
A specific and detailed risk management system is a vital investment for all
businesses. The following covers four reasons why risk management is so
important:
Every business and organization faces the risk of unexpected, harmful events that
can cost the company money or cause it to permanently close. These threats, or risks,
could stem from a wide variety of sources, including financial uncertainty, legal
A risk can be defined as an unrealized future loss arising from a present action or
inaction.
- Risks are the opportunities and dangers associated with uncertain future events.
- To generate higher returns a business may have to take more risk in order to be
competitive.
- Conversely, not accepting risk tends to make a business less dynamic, and implies
- In both cases, these will lead to the business being able to gain competitive
advantage.
In business, any new project comes with new risks lying in wait. While an
organization can’t entirely avoid risk, it can anticipate and mitigate risks through an
to prepare for the unexpected by minimizing risks and extra costs before they happen.
1. Risk Identification
doesn’t have to feel like doom for the organization. Identifying risks is a
positive experience that the whole team can take part in and learn from.
Reviewing the lists of possible risk sources as well as the project team’s
2. Risk Assessment
The number of risks identified usually exceeds the time capacity of the project
them to manage those risks that have both a high impact and a high
probability of occurrence.
- This provides a prioritized list of risks identifying those risks that need the
3. Risk Planning
4. Risk Monitoring
- Risks are monitored on an ongoing basis. Where risks change or new risks are
identified then those risks are added to the assessment for appropriate
Risk-taking drives corporations to push ahead and make steep gains. When risks
pay off, profitability makes shareholders and stakeholders happy. Corporate governance
principles could take on many different forms. Most likely, changes will be fluid and
evolving for the foreseeable future. Despite vast changes, corporate governance
look at the roles of existing reward structures and how they align with financial and non-
financial risk. Recent risk failures have taught us that all corporations are vulnerable and
that they need to prepare just as stringently for low chances of catastrophic risk as for
standards that are more practical and useful for all types of businesses, including banks
and other financial institutions. Additionally, corporate governance of the future may
place a heavier emphasis on catastrophic risk even when the risk is low. Just because the
probability of a catastrophic loss is low doesn’t mean a catastrophe won’t happen. Good
corporate governance principles may account for standing ready to manage any potential
I. Definition of Terms
1. Risk identification is the process of listing potential project risks and their
characteristics
2. Risk register includes a list of identified risks along with their sources,
hazards.
Risk Identification
the context of the institution’s explicit and implicit objectives and to generate a
comprehensive inventory of risks based on the threats and events that might
chances of project success, and provide information for risk analysis, which in
company. This process revolves around the brain storming of possible risks that
the company may face, the risk identification process should cover all risks,
regardless of whether or not such risks are within the direct control of the
throughout the project life cycle as the result of internal or external changes to a
identification.
internal audit reports; Review of the reports of the Standing Committee on Public
indicators; Benchmarking against peer group or quasi peer group; Market and
sector information; Scenario analyses; and Forecasting and
stress testing.
occur.
identified for all major projects, covering the whole life cycle and for long
term projects, the project risk register should be reviewed at least once a
year.
Before starting this process, it is crucial that the person manning
the operation has adequate knowledge about the business and is mindful
of past experiences in order to consider risk factors. The specific steps needed are:
different sources to identify risks; Apply risk identification tools and techniques;
Document the risks; Document the risk identification process; and Assess the
Risk Assessment
The aim of the risk assessment process is to evaluate hazards, then remove
that hazard or minimize the level of its risk by adding control measures, as
necessary. By doing so, you have created a safer and healthier workplace.
Examination of all aspects of work considers: what could cause injury or harm;
whether the hazards could be eliminated and, if not; what preventive or protective
order to create awareness, identify who may be at risk, determine what controls
and measures are needed, prevent injuries, and meet legal requirements where it is
applicable.
risk assessment the scope should be identified, the resources needed, the measures
used, the people involved, and the laws or regulations applicable. The core
hazards with the given tasks and possible risks. A hazard control program consists
the training and the procedures required to monitor worker exposure and their
which methods are being used to control the exposure and how these controls will
It is also essential to be sure that any changes in the workplace have not
introduced new hazards or changed hazards that were once ranked as lower
Risk Measurement
Depending on the characteristics of the given risk type and the level of its
significance, risk is measured by specialized units. The risk unit in each company
Risk measures:
the mean value of the data set and provides a measurement regarding an
investment’s volatility.
risks.
6. Value at Risk (VaR) is a statistical measure used to assess the level of risk
with the market. This risk affects the overall market of the security. It is
industry.
management of risk. The three together form a lengthy process that requires both continuing
new future event, it may be identified at the beginning of the project or in the
duration of the project. Risk can be any of these but what’s important is that the
company is always ready to identify risks anytime and has a strategy for it. The
company continues the assessment of risk even after the project has begun and
can address the assessment properly. And lastly, the company knows what
Examples:
million for the worst one percent of possible outcomes for a portfolio. Therefore,
the CVaR, or expected shortfall, is $10 million for the one percent tail.
Risks are identified through risk assessment or risk monitoring activities. Risk
and specific risks to the organization. It includes regular updates of risk information and
reporting to monitor the progress along the risk management process. The "environment"
is anything the risk is connected to, whether in the internal or external environment. Internal
environment includes objectives, practices, and processes, while the external environment
Once risks are identified and assessed and a response is decided upon, the company needs
to monitor them to see what has changed and how it impacts the business.
Monitoring a risk focuses on looking for how the risk is changing, the effect those
changes will have on the internal and external environment, and whether the organization
The purpose of risk monitoring is to address how risk will be monitored. This
includes verifying compliance with the risk response decisions by ensuring that the
effectiveness of risk response measures, and identifies any changes that would impact the
risk posture.
monitored so that the management can act promptly if and when the nature, potential
impact, or likelihood of the risk goes outside acceptable levels. Additionally, risks and
Risk control is the set of methods by which firms evaluate potential losses and
take action to reduce or eliminate such threats. Risk reduction is a strategy for dealing
with risks that consists of taking measures to reduce the level of risk.
One of the purposes of controlling risks is to implement a continuous process for
2. Loss prevention – accepts a risk but attempts to minimize the loss rather
3. Loss reduction – accepts the risk and seeks to limit losses when a threat
occurs;
Examples:
risky to pursue;
to avoid theft;
fire;
that production may continue when issues arise at one warehouse; and
5. Duplication – because information system server failure would stop a
1. Identifying the risk – who, what, which, where, when, whether, how, etc.;
2. Assessing the risk – who, what, which, where, when, how, etc.;
Risk Avoidance
former eliminates hazards, activities and exposures that can negatively affect an
organization, while the latter accepts the risks and does not take any further action
example for risk avoidance, cutting down a tree branch hanging on your driveway
rather than wait for it to fall, maybe on your car or a person. The insurance
company would be avoiding the risk that the tree branch would fall on your car,
accept the risk and wait for the limb to fall, knowing that they can likely avoid
incurring that cost. However, the point is that risk avoidance means taking steps
seat belt. We might observe that experienced drivers are more likely to understand
the risks inherent in car travel, and thus choose to wear seat belts to avoid the risk.
As another example, suppose an investor wants to buy stock in an oil company, but
oil prices have been falling significantly over the past few months. There is
political risk associated with the production of oil and credit risk associated with
the oil company. He assesses the risks associated with the oil industry and decides
to avoid taking a stake in the company. Risk is avoided when the organization
refuses to accept it. The exposure is not permitted to come into existence. This is
accomplished by simply not engaging in the action that gives rise to risk. If you
do not want to risk losing your savings in a hazardous venture, then pick one
where there is less risk. If you want to avoid the risks associated with the
ownership of property, do not purchase property but lease or rent instead. If the
use of a particular product is hazardous, then do not manufacture or sell it. This is
approach to dealing with many risks. If risk avoidance were used extensively, the
business would be deprived of many opportunities for profit and probably would
not be able to achieve its objectives. Moreover, this technique is usually not the
best for financial institutions as it deprives them of the profits and opportunities of
doing business; so it is the most extreme decision to be taken when the risk level
when the extent of risk of a business is known. For example, during the
assessment of a client’s creditworthiness, the credit analyst would have observed
some high-risk concerns such as a low level of turnover, high credit exposure of the
client to other institutions, a low credit score and inadequate documentation. These
concerns raise a high risk of default, and the best option open to a firm is to
avoid this business rather than employing another tool which might be costly to
the firm. Overall, risk avoidance is the process by which a company takes
necessary action when the extent of risk is excessive to reduce the risk exposure
by avoiding or eliminating the risks. Risk avoidance is usually the most expensive
of all risk mitigation strategies, but it has the result of reducing the cost of
Risk Retention
handle opposing risk of a firm internally rather than transferring them to insurance
or any other third party. By doing so, the risk of the organization is self-financed
account aside called Provisioning. The provisioning account is used to service bad
debts (defaulting loans). The provisioning account is a loss-financing reserve fund
account that pays for the potential losses arising from clients’ loan defaults.
Organizations make decisions to retain risk when a cost analysis review shows
that it is cost-effective to handle the risk internally as opposed to the cost of fully
or partially insuring against it. Companies choose to retain risk when the premium
for transferring it is substantially high. You could rename the risk retention
decides to bear all the losses caused to his property by himself and never cares to
get his property insured means all the risk shall be retained by that particular
individual, and in case of any eventuality he alone shall pay from his own
pocket for the losses caused to his property. When an individual is consciously
aware of the risk and deliberately retains all or part of it, this is called active risk
retention. For example, a homeowner may retain a small part of the risk of
voluntary excess. A business firm may purposely retain the risk of petty thefts by
for two reasons. First, it can save money. Insurance may not be purchased at all,
substantial saving in the cost of insurance. Second, the risk may be deliberately
the premiums to be inordinately high. A situation may also arise when some risks
occur due to lack of pre-identification of the risk. In such circumstances the risk
has to be retained and met from its own resources on the
occurrence of the event. In other words, the retention of risk means one is liable to
bear the losses oneself up to the amount retained. Generally, most
companies maintain a contingency fund, which plays a big role in retaining risks.
Basically, the more risk a company retains, the more needs to be set aside in the
contingency fund. But it is not the solution to covering the risks. At least most
companies, by themselves or through the services of a consultant, take the
shelter of one or the other insurance company to transfer their risk. However the
which any company is ready to bear itself. In short, the loss which is borne by any
individual or a company out of his or her own pocket is called retention of risk.
Risk Modelling
and make forecasts of the likely losses that would be incurred for a variety of
risks. Such risks are typically grouped into credit risk, market risk, model risk,
liquidity risk, and operational risk categories. For the financial industry, the cases
potential losses incurred due to failing processes is a relevant issue for any form
of organization. Good models capture the essential features of the real world and
economic capital, for which we have to estimate changes in the fair value of
assets and liabilities, model risk arises from the fact that for many assets and
liabilities the market values cannot be observed directly. For that reason, models
are used to estimate fair values. These valuation models aim to capture the
important factors and their interrelationships that influence the value of the assets
or liabilities for which no market values can be observed. Market prices of similar
assets or liabilities typically are used to estimate the parameters in the model. As a
example, in case a flawed model outcome results in wrong decisions being made.
The consequence of the wrong decision typically will manifest itself as a credit,
involves large numbers of assumptions and judgement calls that have to be made
well before a result becomes visible. It is inevitable that at least some assumptions
and judgement calls will have to be revised. The fewer assumptions and
judgement calls are involved and the quicker you can get to the point where you
can check them against real results, the easier it will be to identify what needs to
be changed and to put the revisions into practice. Models are useful things to have
around, and many businesses have come to rely on them for certain applications –
some of which expose the bank to significant risks. Predictive models fall into this
category. In finance, examples include loan approval using credit scoring and
hedging models using swaps and options to manage the balance sheet while
Risk assessment is a term used to describe the overall process or method where
you:
1. Identify hazards and risk factors that have the potential to cause harm
(hazard identification);
2. Analyze and evaluate the risk associated with that hazard (risk analysis,
situations, processes, etc. that may cause harm, particularly to people. After identification
is made, you analyze and evaluate how likely and severe the risk is. When this
determination is made, you can next decide what measures should be in place to
2. Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the
public, etc.);
5. Prevent injuries or illnesses, especially when done at the design or planning stage;
I. History
original framework, which was widely accepted and used. COSO revised the
program; and Monitoring and evaluating the total fraud risk management program
aims to gain undue advantage over another. The Association of Certified Fraud
Examiners (ACFE, 2010) defines fraud as the use of one’s occupation for self-
organization’s resources or assets. The World Bank Group (2006) stated that “a
to avoid an obligation.”
and misconduct or abuse (ACFE, 2012). The Global Fraud Survey reported by
ACFE in 2016 revealed a total loss of $6.3 billion caused by 2,410 cases of
resulting in the victim suffering a loss and/or the perpetrator achieving a gain. It is
risks of fraud. In order to do so, there are guidelines and principles that serve as
the basis for an organization. Issues are complex when it comes to fraud, and the
board of directors, top management, and personnel at all levels of the
organization have responsibility for managing fraud risk. These complex issues
and the internal control environment. Corporate governance addresses the manner
in which the board of directors and management meet their respective obligations
to achieve the organization’s goals, including its fiduciary, reporting, and legal
fraud risk management, have support towards fraud risk governance, establish a
comprehensive fraud risk management policy and the roles that come with it
strategy and provides defined, proactive processes and control activities. This also
and assessing fraud risks relevant to the organization. Fraud risk assessment
factors, the determination of response to risk, and uses data analytics techniques.
The principle takes into consideration various types of fraud and the assessment
of all aspects of the fraud triangle. This takes into consideration the existing fraud
also periodic risk assessment and assessment of changes to fraud risk on which
Analytic considerations are survey and heat maps, media scans and
procedures that help ensure that management’s directives to mitigate fraud risks
are carried out. A fraud control activity is a specific procedure or process intended
either to prevent fraud from occurring or to detect fraud quickly in the event that
fraudulent event or transaction after the initial processing has occurred. This
principle integrates itself with fraud risk assessment and utilizes a combination of
A comprehensive and methodical data analytics process is the key. For example,
result, the organization’s governing board ensures that the organization develops
involving fraud and misconduct. An organization can improve its chances of loss
improve.
that each of the five principles of fraud risk management is present and
and factors for setting the scope and frequency of evaluations. It keeps track of
deficiencies.
and more focused fraud risk assessment as a separate fraud risk management
intentional acts.
defines its expectations in relation to fraud and the program while the
2. Senior management
3. Internal audit
- Internal auditors review their internal audit plans and how the plans
control.
4. Independent auditors
VIII. Importance
expectation. Internal and external auditors are expected to assess anti-fraud
processes and controls; therefore, this guide is useful especially for them. Without
this guide, organizations will have difficulty in starting their own anti-fraud
programs.
organization.
III. CONCLUSION