
AC 1204 CORPORATE GOVERNANCE

I. Introduction

This research aims to widen the understanding of the different risks encountered by a company: their definition, their importance, and their relevance to the subject of corporate governance. The researchers prepared this study so that readers can easily understand these types of risk.

II. Body

Part III: Risk Associated with Corporate Governance

A. Strategic Risk

A strategy is a plan of action or policy adopted to achieve an overall aim, and a company uses different strategic approaches in order to grow. Strategic risks are the risks that are most consequential to an organization's ability to execute its strategy and achieve its objectives. They are a type of risk exposure that can affect shareholder value or the credibility of the company.

Why is it important?

Strategic risk matters because a company must decide deliberately which risks it takes. Many factors enter that decision, in terms of finance, resources and manpower, and a strategic risk management committee is often formed to handle these cases. A strategic risk should be a calculated one, so that taking it results in a gain rather than a loss for the company. The word "strategy" itself implies that the risk the company takes has been measured and is expected, though not guaranteed, to produce positive results.


For a board to understand the company's strategic risks and how management will deal with them, the first step is to oversee a strategic risk assessment. A strategic risk assessment is a systematic and continual process for assessing the most significant risks facing an enterprise. The initial assessment is a valuable task that should include senior management and the board of directors, and the assessment process is planned to fit the organization's needs. The following steps are to be considered in a strategic risk assessment:

1. Achieve a deep understanding of the strategy
2. Gather data and views of strategic risk
3. Prepare a preliminary strategic risk profile
4. Validate and finalize the strategic risk profile
5. Develop a strategic risk management plan
6. Communicate the strategic risk profile and action plan
7. Implement the strategic risk management action plan


Examples:

In Ram Charan's book, Owning Up: The 14 Questions Every Board Member Needs to Ask, one of the questions posed is "Are we addressing the risks that could send our company over the cliff?" According to Charan, boards need to focus on the risk that is inherent in the strategy and in strategy execution:

"Risk is an integral part of every company's strategy; when boards review strategy, they have to be forceful in asking the CEO what risks are inherent in the strategy. They need to explore 'what ifs' with management in order to stress-test against external conditions such as recession or currency exchange movements."

Regarding risk culture, Charan provides the following insight: "Boards must also watch for a toxic culture that enables ethical lapses throughout the organization. Companies set rules—but the culture determines how employees follow them." We believe that corporate culture plays a significant role in how well strategic risk is managed and must be considered as part of a strategic risk assessment.

B. Reputation Risk

Reputation was once equated with brand, and managing it was a matter of brand management, marketing and image. That changed with the advent of the age of hyper-transparency. Reputation risk refers to the potential for negative publicity, public perception or uncontrollable events to have an adverse impact on a company's reputation.

Why is it important?

The name of a business is a valuable asset because it has the power to attract potential buyers and investors. A negative corporate reputation harms client and investor trust, erodes the customer base and hinders sales. A poor reputation also correlates with increased costs for hiring and retention, which degrades operating margins and prevents higher returns.

Three things determine the extent to which a company is exposed to reputational risk. The first is whether its reputation exceeds its true character. The second is how much external beliefs and expectations change, which can widen or (less likely) narrow this reputation-reality gap. The third is the quality of internal coordination. A strong positive reputation among stakeholders (investors, customers, suppliers, employees, regulators, politicians, non-governmental organizations and the communities in which the firm operates) results in a strong positive reputation for the company overall. Reputation is distinct from the actual character or behavior of the company and may be better or worse than it. When a company's reputation is more positive than its underlying reality, the gap poses a substantial risk: eventually the firm's failure to live up to its billing will be revealed, and its reputation will decline until it more closely matches reality.

Reputation risk starts at the board, at the most elemental level with board members and board candidates, who need to be properly vetted. The company can suffer or benefit from the actions of its directors and prospective directors. In the more severe negative cases, personal reputations can suffer significantly, and it is in these cases that boards and those overseeing corporate governance need to be vigilant and proactive. In a more open, transparent culture, employees with concerns will not go underground or become anonymous whistleblowers; they will express concerns early and often, defusing the potential for serious deterioration in the issue or risk involved and its attendant reputational risk. Leadership style and organizational culture have potentially huge consequences for how an entity handles its risks and for how amplified its reputational risk might become.

Any strategic planning and development should include consideration of attendant reputation risk. This consideration should cover the company's initiatives and objectives that contribute to existing risks or potentially create new ones, and should also take into account the consequences of negative events that might occur. The board is the ultimate protector and guardian of organizational integrity and value, and reputation loss (and gain) can materially affect both. What is more, board members have their own personal integrity and value to protect. Ultimately, reputation risk oversight is one of the intrinsic governance roles of the board.

Examples:

Wells Fargo, for example, hurt its reputation by opening millions of unauthorized customer accounts. Reputation is important to all businesses, but it is especially important to banks. Negative publicity can cause depositors to withdraw their money rapidly, which can lead to a bank run or panic, events that hurt the entire economy. At the same time, banks have a hard time signaling that they are trustworthy: even a bank's promise to return customer money might be worthless, and if customers relied on banks' reputations alone, they might never deposit money.

C. Compliance Risk

Compliance risk is the exposure to legal penalties, financial forfeiture and material loss that an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices. It is a risk that large companies in particular must bear, since compliance with those rules is an obligation of doing business.

Why is it important?

Compliance risks are the threats posed to a company's license to operate, and they can affect an institution's ability to achieve its strategic objectives. Managing compliance risk has become more and more complex. To understand their compliance risk exposure fully, institutions must strengthen their compliance risk management framework and methodologies. Core compliance fundamentals must be established before an institution can move to lean compliance; in general, a more dedicated and holistic approach is required, and controlling compliance risk should help make the institution future-proof.

Although an improvement in the management of compliance risk at financial institutions is already clearly visible, there is still a gap to close. The following trends are closely related to this:

1. Increased regulatory focus;
2. Poor line of sight of compliance risks to senior management;
3. Compliance is often bolted on, not built into existing business processes and controls;
4. Poor management of business requirements;
5. Too much of a silo approach; and
6. High cost of compliance.

Compliance risk management needs to become more efficient to meet future demands from the perspective of regulators and customers, but also of society.

Examples:

In its Supervision Outlook 2018, the Dutch Central Bank (DNB) outlines the priorities it has set and the examinations it plans to conduct as part of its supervisory remit in 2018. Together with the Supervision Outlook, DNB has also published its Supervisory Strategy for 2018-2022, which includes the following focus areas:

1. Responding to technological innovation;
2. Emphasizing future orientation and sustainability; and
3. A hard stance against financial and economic crime.

D. Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. It exists in every organization, regardless of size or complexity, from the largest institutions to regional and community banks. A breakdown in any of those areas, or a failure to execute effectively, may lead to an institution's reputational loss. It is often summarized as the risk of business operations failing, whether through human error or through the failure of processes, systems or external circumstances.

Why is it important?

Operational risks are generally within the control of the organization through risk assessment and risk management practices, including internal control and insurance. Operational risk focuses on how things are accomplished within an organization, not necessarily on what is produced or on what is inherent in an industry. These risks are often associated with active decisions about how the organization functions and what it prioritizes. While the risks are not guaranteed to result in failure, lower production or higher overall costs, they are higher or lower depending on internal management decisions. Operational risk is heavily dependent on the human factor: mistakes or failures due to actions or decisions made by a company's employees.

Examples:
a. Computer hacking. Hackers entered Target's systems via vendor access and stole the data of about 70 million customers. Target reported a 46% drop in net income for 4Q13 and lost $4.5 billion in market capitalization; S&P downgraded its rating and the CEO resigned.

b. Internal and external fraud. Bernard Lawrence "Bernie" Madoff was an American financier who executed the largest Ponzi scheme in history, defrauding thousands of investors of tens of billions of dollars over the course of at least 17 years, and possibly longer.

c. Failure to adhere to internal policies. A shareholder lawsuit alleged negligence by HP's executives and directors during the acquisition of the UK software company Autonomy Corporation, which resulted in an $8.8 billion write-down. HP's stock price fell, causing billions of dollars in lost market value, and HP was expected to pay out up to $1 billion, depending on the number of shareholders joining the lawsuit.

d. If two maintenance activities are required but it is determined that only one can be afforded at the time, choosing to perform one over the other alters the operational risk, depending on which system is left in disrepair. If that system fails, the negative impact is associated directly with the operational risk.

e. Use of inadequately developed and implemented models. At JP Morgan, traders engaged in a hedging strategy that caused mark-to-market losses of $6.2 billion and cut more than $20 billion off the bank's market value in 2012. Regulatory penalties totaled less than $1 billion.


PART IV. Risk Governance

A. Risk Culture

Risk culture binds all the elements of a risk management infrastructure together. It consists of the encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution. These are shaped by the policies and procedures of the company and by its experience of doing business, and also by how the organization conforms to its values and standards. Engaging in business always entails risk, and it cannot be avoided that risk sometimes leads a company to failure. Such failures show that the company's governance has also failed, and so there is a need to institutionalize an effective risk culture. An organization with an immature risk culture tends to fail at managing the future, while an organization with a mature risk culture takes risk-adjusted decisions and risks that are within its appetite; it is risk intelligent.

A company with a mature risk culture is one that, when faced with new risk information about its operations, responds and reacts to it quickly and appropriately. Such a company is also willing and receptive to give and receive bad news or new risk information, and issues are openly raised, questioned and highlighted so that the company can prepare for whatever challenges may arise from the risk. To build an effective risk culture, a company should incorporate risk and control culture into the conversations at critical business meetings, include risk management in the performance contracts of everyone throughout the organization, organize training or awareness sessions, address areas for improvement, incorporate the desired risk culture values and behaviors into the overall corporate culture, recognize sound risk management, create audience-specific messages on risk management, ethics and the risk and control culture, and more.

Why is it important?

It is important for a company to have an effective risk culture because it enables good corporate governance: the company then has communication, transparency, integrity, honesty, accountability, ownership of risk and ethical values. This in turn encourages management to be open to communication and to the sharing of knowledge and practices, and to make a strong commitment to being responsible businesspeople. Employees should also be able to identify and manage the risks in their own areas of responsibility or departments, so as to help the company manage risk better. An improvement in risk culture also helps the company identify and respond to risks, whether favorable or adverse. This increases the return on capital, optimizes the risk-return trade-off, raises economic profit and creates long-term value. In other words, it contributes to effective risk management and good corporate governance.

B. Risk Appetite
Risk appetite is the acceptable parameter for opportunities that require risk taking; it is applied consistently throughout the company and reflects a mutual understanding between management and the board of the willingness to accept risk exposure in pursuit of core strategic objectives. The level of risk they are willing to take on defines the risk response strategies they will choose for any risks that arise. Risk appetite is an important tool for effective decision-making and project performance management. Every organization faces different kinds of risks, which is why it is important for each to understand those risks and be prepared for their impacts. Organizations also cannot tolerate all risks at the same level, so each organization must know which risks it can tolerate and which it cannot. Some organizations are prepared to take on more risk because their risk appetite is high, provided that the return is substantial; others do their best to avoid high-probability, high-impact risks because their risk appetite is low. Risk appetite levels therefore vary among organizations.

For example, a company that produces smartphones will be prepared to tolerate a high level of demand risk when bringing a new product to market. At the same time, the company is likely to have limited financial resources, so it will tolerate only low financial risk, and its project managers may elect to purchase insurance for any risk exposure above the available funds. For an organization to be ready to face existing and possible risks and their consequences, it should be cautious in its actions and implementations.

Organizations often express their risk appetite through a risk appetite statement, a document that helps guide organizational risk management activities. For example, a technology company with aggressive growth goals might determine that a minimum of 25% of its operating budget should be allocated to innovation. Another example is a statement such as: "ABC Transit's reputation is crucial to the success of our initiatives and services. Balancing risk with innovation, risk will be closely scrutinized to ensure minimal negative impact while maximizing the achievement of our objectives." A risk appetite statement is composed of three key elements: the risks that are on-strategy, the risks that are off-strategy, and the defined parameters that provide a framework within which risks are undertaken. The statement should be based on a review of the perspectives and concerns of all stakeholders and should address the implications of current corporate strategies and practices.

Why is it important?

The risk appetite statement is important for corporate governance because it stimulates a conversation between management and the board, and such statements should be assessed continuously. Corporate governance is a continuous process between management and the board in which they create and protect the value of the enterprise. To balance creating and protecting enterprise value, management and the board should consider the overall risk profile and develop expectations that are established by the company's risk appetite. Risk appetite is long-term and dynamic: a company tends to focus more on risk when it is struggling to meet its targets and achieve its objectives, but it should also examine risk in periods when profits have accelerated. The effect of risk appetite on governance is that, once the statement has been implemented and management and the board have established an ongoing conversation about existing and potential risks, the company has the discipline to address high-level risk even when it is exceeding investors' expectations, and that discipline is needed especially when the competitive environment is volatile. Changes to the risk appetite in response to changing circumstances and opportunities in the business environment should be mutually agreed upon and substantial enough to warrant altering the risk appetite statement. If a company continuously changes the parameters of its risk appetite, however, the result is instability, a lack of consistency and a short-term focus in the eyes of the board and investors.

C. Risk Management System

A risk management system is the means through which an organization manages the players, roles, relations and processes of its business in order to achieve its values and objectives. Public risk management also focuses on the public domain, that is, on society and the natural environment. What is distinctive is the establishment and connection of an open approach to internal or external uncertainty, a value- and performance-driven attitude, and the will to mitigate risks (i.e. deviations from target).

Risk management systems are designed to do more than just identify risk. The system must also be able to quantify the risk and predict its impact on the project. The outcome is a risk that is either acceptable or unacceptable; acceptance or non-acceptance of a risk usually depends on the project manager's tolerance level for risk.

If risk management is set up as a continuous, disciplined process of problem identification and resolution, the system will easily supplement other systems, including organization, planning and budgeting, and cost control. Surprises will be diminished because the emphasis is then on proactive rather than reactive management.

Main Components of Risk Management System

The model shows the generic constituent components of the risk management system. The risk management system is a stepwise process consisting of interrelated but distinct phases: risk assessment (analysis and evaluation) and risk management. Each phase consists of a number of stages, steps and sub-steps that are, in principle, sequential. In many situations, however, this is not necessarily so. Research in the field of risk management is, in many cases, carried out on an ad hoc basis. Initiation of the process is triggered by a combination of factors at any given time, including the seriousness of accidents, threats, issues or concerns; the availability of resources; the availability of additional and/or new data; and the development of more advanced methods and tools. The process may start at any point and involve any individual component of the system. The literature shows that each component of the system may be considered a specific field or branch of science in its own right.

The wheel form of the risk management model represents a dynamic model. The overall risk management process has a hierarchical structure consisting of different levels, in which the highest levels are further broken down into stages, steps and sub-steps. The processes are interactive, and changes, re-evaluations and refinements may often take place. Although shown in a sequential and seamless order (risk analysis, risk evaluation and risk management), some stages and steps may be carried out and accomplished simultaneously. Skipping processes and returning to earlier processes are also possible, owing to factors such as the availability and accessibility of additional and/or new risk-related data and information, the breadth and depth of the analysis, the results of the study, re-evaluations and redefinitions, and the decision-making alternatives.

In many situations it may be considered unnecessary to go through all the phases and stages shown in the model, and the process may be suspended at any given phase or stage and time. For example, the risk analysis process can be suspended before going into a more detailed analysis if risks are found to be at a low or negligible level and further study is deemed unnecessary and not cost-effective.

Effective Risk Management System

Risk management should be tailored to the specific company, but, in general, an effective risk management system will:

1. Adequately identify the material risks that the company faces in a timely manner;
2. Implement appropriate risk management strategies that are responsive to the company's risk profile, business strategies, specific material risk exposures and risk tolerance thresholds;
3. Integrate consideration of risk and risk management into strategy development and business decision-making throughout the company; and
4. Adequately transmit necessary information with respect to material risks to senior executives and, as appropriate, to the board or relevant committees.

Why is it important?
A specific and detailed risk management system is a vital investment for every business. Four reasons why risk management is so important are:

- Risk assessments save the business money
- Risk assessments reduce the chance of injury in the workplace
- A risk management plan protects a company's resources
- A risk management plan improves a company's brand image

Businesses invest in risk management systems to mitigate the risk of spending thousands of dollars in financial, legal and internal costs.

D. Risk and the Risk Management Process

Every business and organization faces the risk of unexpected, harmful events that can cost the company money or cause it to close permanently. These threats, or risks, can stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

A risk can be defined as an unrealized future loss arising from a present action or inaction.

- Risks are the opportunities and dangers associated with uncertain future events.
- Risks can have an adverse ('downside exposure') or favorable ('upside potential') impact on the organization's objectives.


Why Incur Risk?

- To generate higher returns and remain competitive, a business may have to take more risk.
- Conversely, not accepting risk tends to make a business less dynamic and implies a 'follow the leader' strategy.
- Taking well-judged risks is therefore how a business gains competitive advantage; avoiding risk altogether tends to forfeit it.

Why Manage Risk?

In business, any new project comes with new risks lying in wait. While an organization cannot avoid risk entirely, it can anticipate and mitigate risks through an established risk management process. Risk management allows organizations to prepare for the unexpected by minimizing risks and extra costs before they occur.

Risk management is the process of reducing the possibility of adverse consequences, either by reducing the likelihood of an event or its impact, or by taking advantage of upside risk. Management is responsible for establishing a risk management system in the organization. The process of establishing a risk management system is summarized in the following diagram:

1. Risk Identification

- Risks are identified by stakeholders. Anticipating the possible pitfalls of a project does not have to feel like doom for the organization; identifying risks is a positive experience that the whole team can take part in and learn from. By reviewing lists of possible risk sources as well as the project team's experience and knowledge, all potential risks are identified.

2. Risk Assessment

- Using an assessment instrument, risks are then categorized and prioritized. The number of risks identified usually exceeds the project team's capacity to analyze them all and develop contingencies, so prioritization helps the team concentrate on the risks that have both a high impact and a high probability of occurrence.
- This yields a prioritized list of risks, identifying those that need the most urgent attention.

3. Risk Planning

- Planning involves establishing appropriate risk management policies, which range from ceasing risky activities to obtaining insurance against unfavorable events. Contingency planning involves establishing procedures to recover from adverse events, should they occur.
- This also includes creating options and actions to increase opportunities and reduce threats to project or business objectives.

4. Risk Monitoring

- Clear communication among the team and stakeholders is essential for the ongoing monitoring of potential threats.
- Risks are monitored on an ongoing basis. Where risks change or new risks are identified, those risks are added to the assessment for appropriate categorization and action.
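As an added example (not part of the original paper), the following Python sketch of a risk register ties the four steps above to the risk appetite thresholds discussed in Part IV.B: each risk is scored as likelihood × impact on 1-to-5 scales, evaluated against a per-category appetite limit to choose a response (accept, mitigate, transfer or avoid), ranked so that high-impact, high-likelihood risks come first, and re-scored during monitoring. The categories, the appetite limits, the response rules and the sample risks are all constructed assumptions for illustration, not figures from the paper or from any real risk appetite statement.

```python
"""Illustrative risk register: identify -> assess -> plan -> monitor.

Added example, not from the original paper. The scales, the appetite limits
and the sample risks are constructed for illustration; a real register would
take them from the organization's own risk appetite statement.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical appetite limits: the highest score (likelihood x impact, each on
# a 1..5 scale) the organization is willing to ACCEPT per risk category. This
# mirrors the smartphone-maker example: high appetite for demand risk, low for
# financial and compliance risk.
APPETITE = {"demand": 16, "financial": 4, "operational": 9, "compliance": 2}


def _check_scale(*values: int) -> None:
    """Reject scores outside the 1..5 scale before they enter the register."""
    for v in values:
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on a 1..5 scale")


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic)
    history: list = field(default_factory=list)  # earlier (likelihood, impact) pairs

    def __post_init__(self) -> None:
        _check_scale(self.likelihood, self.impact)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the estimated risk against the appetite
    criterion for its category and pick a response strategy."""
    if risk.score <= APPETITE[risk.category]:
        return "accept"    # within appetite: monitor only
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "avoid"     # likely AND severe: cease the risky activity
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"  # severe but unlikely: insure or contract it out
    return "mitigate"      # otherwise add controls to reduce likelihood/impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Risk assessment: rank so that high-impact, high-likelihood risks come
    first; ties on score are broken by impact, so a rare catastrophe outranks a
    frequent nuisance with the same product. sorted() is stable, so remaining
    ties keep their register order."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def treatment_plan(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Risk planning: one (name, score, response) row per risk, highest first."""
    return [(r.name, r.score, evaluate(r)) for r in prioritise(register)]


def monitor(risk: Risk, likelihood: int, impact: int) -> tuple[str, str]:
    """Risk monitoring: re-score a risk when conditions change and report
    whether the required response changed. Returns (old, new) responses."""
    _check_scale(likelihood, impact)      # validate before mutating
    old = evaluate(risk)
    risk.history.append((risk.likelihood, risk.impact))
    risk.likelihood, risk.impact = likelihood, impact
    return old, evaluate(risk)


def build_sample_register() -> list[Risk]:
    """Constructed sample risks (not real data), one per category in the text."""
    return [
        Risk("New handset sells below forecast", "demand", 4, 3),
        Risk("Supplier bankruptcy halts production", "operational", 2, 5),
        Risk("FX swing wipes out quarter's margin", "financial", 3, 4),
        Risk("Vendor remote access used for intrusion", "operational", 3, 4),
        Risk("Unauthorised accounts opened to hit sales targets", "compliance", 3, 5),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for row in treatment_plan(reg):
        print(row)
    # Monitoring: the supplier's finances deteriorate, likelihood rises 2 -> 4,
    # so the response moves from "transfer" to "avoid".
    print(monitor(reg[1], 4, 5))
```

The point of the per-category limit is the one made about the smartphone maker: the same score of 12 is accepted as demand risk but must be treated as financial or operational risk, because appetite, not the raw score, decides what is tolerable.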

How Does Risk Management Relate to Corporate Governance?

Risk-taking drives corporations to push ahead and make steep gains; when risks pay off, profitability makes shareholders and stakeholders happy. Corporate governance principles can take many different forms, and most likely they will continue to evolve for the foreseeable future. Despite such changes, corporate governance principles need to be structured, integrated and balanced. Corporations will continue to examine their existing reward structures and how these align with financial and non-financial risk. Recent risk failures have taught us that all corporations are vulnerable and that they need to prepare just as stringently for low-probability catastrophic risks as for higher-probability major risks.

The future of corporate governance may move toward a broader set of standards that are more practical and useful for all types of businesses, including banks and other financial institutions. Corporate governance of the future may also place heavier emphasis on catastrophic risk even when its probability is low: just because the probability of a catastrophic loss is low does not mean a catastrophe will not happen. Good corporate governance principles may therefore require standing ready to manage any potential catastrophe at any given time.

E. Identification, Assessment, and Measurement

I. Definition of Terms

1. Risk identification is the process of listing potential project risks and their characteristics.
2. A risk register is a list of identified risks along with their sources, potential risk responses and risk categories.
3. A risk breakdown structure is a hierarchical structure used to categorize potential project risks by source.
4. Risk assessment is the overall process of hazard identification, risk analysis and risk evaluation.
5. Hazard identification is the process of finding, listing and characterizing hazards.
6. Risk analysis is a process for comprehending the nature of hazards and determining the level of risk.
7. Risk evaluation is the process of comparing an estimated risk against given risk criteria to determine the significance of the risk.
8. Risk control consists of the actions that implement risk evaluation decisions.
9. Risk measures are statistical measures that are historical predictors of investment risk and volatility.


II. Relevance to Corporate Governance

Risk Identification

The objective of risk identification is to understand what is at risk within the context of the institution's explicit and implicit objectives, and to generate a comprehensive inventory of risks based on the threats and events that might prevent, degrade, delay or enhance the achievement of those objectives. The purposes of risk identification are to minimize the negative impact of project threats, maximize the positive impact of project opportunities, improve the chances of project success, and provide information for risk analysis, which in turn informs the creation of risk responses.

Risk identification is usually done at the beginning of a project, and it is necessary in order to create risk management guidelines for the company. The process revolves around brainstorming the possible risks the company may face, and it should cover all risks, regardless of whether they are within the direct control of the institution. Identification is an iterative process: new risks can be identified throughout the project life cycle as a result of internal or external changes to the project, so the company should adopt an ongoing process of risk identification.

Risk identification should be strengthened by supplementing management's perceptions of risk with, inter alia: review of external and internal audit reports; review of the reports of the Standing Committee on Public Accounts and the relevant Parliamentary Committees; financial analyses; historic data analyses; actual loss data; interrogation of trends in key performance indicators; benchmarking against a peer group or quasi peer group; market and sector information; scenario analyses; and forecasting and stress testing.

Risk identification has three focus points, each of which goes through its own process:

1. Strategic risk identification aims to identify risks emanating from strategic choices. These choices are to be finalized, documented, assessed, managed, and formally reviewed concurrently with changes in strategy.

2. Operational risk identification is concerned with the institution's operations. It should seek to establish vulnerabilities, should be an embedded continuous process, and should be repeated when changes occur.

3. Project risk identification concerns the risks inherent to particular projects. It should be carried out for all major projects, covering the whole life cycle, and for long-term projects the project risk register should be reviewed at least once a year.

Before starting this process, it is crucial that the person in charge of the operation has adequate knowledge of the business and is mindful of past experiences, so as to consider the relevant risk factors. The specific steps are: understand what to consider when identifying risks; gather information from different sources to identify risks; apply risk identification tools and techniques; document the risks; document the risk identification process; and assess the effectiveness of the risk identification process.

Risk Assessment

The aim of the risk assessment process is to evaluate hazards and then remove each hazard, or minimize the level of its risk by adding control measures as necessary. By doing so, you create a safer and healthier workplace. The examination of all aspects of work considers: what could cause injury or harm; whether the hazards could be eliminated; and, if not, what preventive or protective measures are, or should be, in place to control the risks.

After risks have been identified, the institution can conduct an assessment in order to continually improve its risk strategies. This is important in order to create awareness, identify who may be at risk, determine what controls and measures are needed, prevent injuries, and meet legal requirements where applicable.

Assessment of risk can be done before the beginning of the project, before changes are introduced, or when hazards are identified. In preparing a risk assessment, the scope, the resources needed, the measures used, the people involved, and the applicable laws or regulations should be identified. The core of the risk assessment process is the identification of hazards. Once a hazard is identified, the assessment can start by analyzing the hazard against the given tasks and the possible risks. A hazard control program consists of all the steps necessary to protect workers from exposure to a substance or system, together with the training and the procedures required to monitor workers' exposure and health. A written workplace hazard control program should outline which methods are being used to control the exposure and how these controls will be monitored for effectiveness. Choosing a control method may involve: evaluating and selecting temporary and permanent controls; implementing temporary measures until permanent (engineering) controls can be put in place; and implementing permanent controls when reasonably practicable.

It is important to know if your risk assessment was complete and accurate. It is also essential to be sure that any changes in the workplace have not introduced new hazards or changed hazards that were once ranked as lower priority to a higher priority. It is good practice to review your assessment on a regular basis to make sure your control methods are effective.

Risk Measurement

Risk is measured by specialized units, depending on the characteristics of the given risk type and the level of its significance. The risk unit in each company is responsible for the development of tools and for the measurement of risk in terms of risk appetite, risk profile and tolerance limits.

Risk measures are also major components of modern portfolio theory (MPT), a standard financial methodology for assessing investment performance. The five principal risk measures are alpha, beta, R-squared, standard deviation, and the Sharpe ratio.

Risk measures:

1. Alpha measures risk relative to the market or a selected benchmark index.

2. Beta measures the volatility or systematic risk of a fund in comparison to the market or the selected benchmark index.

3. R-squared measures the percentage of an investment's movement attributable to movements in its benchmark index.

4. Standard deviation is a method of measuring data dispersion with regard to the mean value of the data set, and provides a measurement of an investment's volatility.

5. The Sharpe ratio measures performance as adjusted by the associated risks.

6. Value at Risk (VaR) is a statistical measure used to assess the level of risk associated with a portfolio or company.

7. Conditional value at risk (CVaR) is another risk measure used to assess the tail risk of an investment.
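The five MPT measures listed above, computed on constructed data as an added example (this code is not from the paper; the fund and benchmark return series and the per-period risk-free rate rf are made-up sample values, and alpha is implemented as Jensen's alpha, the CAPM form of measure 1):

```python
"""Added example (not from the original paper): the five principal MPT risk
measures for a constructed fund/benchmark return series. All return values
are made-up sample data; rf is the per-period risk-free rate."""
from math import sqrt

# Constructed monthly returns (as decimals) for a fund and its benchmark index.
FUND_RETURNS = [0.045, -0.020, 0.050, 0.015, 0.010]
BENCHMARK_RETURNS = [0.02, -0.01, 0.03, 0.00, 0.01]


def mean(xs):
    return sum(xs) / len(xs)


def sample_covariance(xs, ys):
    """Unbiased sample covariance; with xs == ys this is the sample variance."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equally long series with at least two points")
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)


def risk_measures(fund, market, rf=0.0):
    """Return alpha, beta, R-squared, standard deviation and Sharpe ratio.

    beta      = cov(fund, market) / var(market)              sensitivity to the index
    alpha     = mean(fund) - [rf + beta * (mean(market) - rf)] return not explained
                by market exposure (Jensen's alpha)
    r_squared = corr(fund, market)^2    share of fund movement explained by the index
    std_dev   = sample standard deviation of fund returns     total volatility
    sharpe    = (mean(fund) - rf) / std_dev   excess return per unit of volatility
    """
    var_m = sample_covariance(market, market)
    var_f = sample_covariance(fund, fund)
    cov_fm = sample_covariance(fund, market)
    if var_m == 0 or var_f == 0:
        raise ValueError("a constant return series has no defined beta or Sharpe ratio")
    beta = cov_fm / var_m
    mean_f, mean_m = mean(fund), mean(market)
    alpha = mean_f - (rf + beta * (mean_m - rf))
    r_squared = cov_fm ** 2 / (var_m * var_f)
    std_dev = sqrt(var_f)
    sharpe = (mean_f - rf) / std_dev
    return {"alpha": alpha, "beta": beta, "r_squared": r_squared,
            "std_dev": std_dev, "sharpe": sharpe}


if __name__ == "__main__":
    for name, value in risk_measures(FUND_RETURNS, BENCHMARK_RETURNS, rf=0.001).items():
        print(f"{name:>10}: {value:.4f}")
```

With these inputs the fund has a beta of 1.7 (it moves more than the index), an R-squared just under 0.89 (about 11% of its movement is not explained by the index), and a positive alpha, so the measures separate market exposure from the manager's own contribution.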

Beyond the particular measures, risk itself is divided into two broad categories: systematic and unsystematic risk. Systematic risk is associated with the market; it affects the overall market in which the security trades. It is unpredictable and undiversifiable; however, it can be mitigated through hedging. The second category, unsystematic risk, is associated with a company or sector. It is also known as diversifiable risk and can be mitigated through asset diversification. This risk is inherent only to a specific stock or industry.

Identifying, assessing, and measuring

The cycle of identifying, assessing, and measuring all leads to the management of risk. The three together form a lengthy process that requires both continuing evaluation and documentation. In the business world, risk may be foreseeable or unforeseeable, external or internal, rooted in past experience or in a new future event, and it may be identified at the beginning of the project or during its course. Risk can be any of these, but what is important is that the company is always ready to identify risks at any time and has a strategy for them. The company continues the assessment of risk even after the project has begun and can address the assessment properly. And lastly, the company knows what measures to use in order to keep track of the identified risks.

Examples:

Suppose a risk manager believes the average loss on an investment is $10 million for the worst one percent of possible outcomes for a portfolio. Therefore, the CVaR, or expected shortfall, is $10 million for the one percent tail.

1. Risk identified: loss on investment

2. Risk assessment: the average losses

3. Risk measurement: Conditional Value at Risk method
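The example above, worked out in code by historical simulation. This is an added example and not part of the paper: the 200 loss scenarios are constructed (in $ thousands) so that the worst 1% average $10 million, and the convention that VaR is the smallest loss in the tail and CVaR the average of the tail is this example's choice:

```python
"""Added example (not from the original paper): historical-simulation VaR and
CVaR (expected shortfall) on a constructed set of loss scenarios. The losses
below are made up, and chosen so that the worst 1% of 200 outcomes averages
$10 million, matching the CVaR example in the text."""
from fractions import Fraction
from math import ceil

# Constructed portfolio losses in $ thousands, one value per historical scenario:
# 198 ordinary scenarios spread evenly from $0 to $3.94M, plus two severe ones.
SCENARIO_LOSSES = [20 * i for i in range(198)] + [9_000, 11_000]


def tail_losses(losses, confidence):
    """Return the k worst losses, where k = ceil(n * (1 - confidence)).

    Exact fractions are used for k because in binary floating point
    200 * (1 - 0.99) evaluates to 2.0000000000000018, and ceil() would then
    put three scenarios in a 1% tail instead of two. k is also floored at 1
    so that a small sample with a high confidence level never yields an empty tail.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    if not losses:
        raise ValueError("need at least one loss scenario")
    k = max(1, ceil(len(losses) * (1 - Fraction(str(confidence)))))
    return sorted(losses, reverse=True)[:k]


def value_at_risk(losses, confidence):
    """VaR: the smallest loss inside the tail, i.e. the loss that is exceeded
    in at most (1 - confidence) of the scenarios."""
    return tail_losses(losses, confidence)[-1]


def conditional_value_at_risk(losses, confidence):
    """CVaR / expected shortfall: the average loss given that the outcome is in
    the tail. It can never be smaller than VaR, and it is what the text's
    '$10 million for the one percent tail' refers to."""
    tail = tail_losses(losses, confidence)
    return sum(tail) / len(tail)


def risk_summary(losses, confidence):
    """The three steps from the text (identification, assessment,
    measurement) collected in one record."""
    return {
        "risk": "loss on investment",
        "confidence": confidence,
        "tail_scenarios": len(tail_losses(losses, confidence)),
        "var": value_at_risk(losses, confidence),
        "cvar": conditional_value_at_risk(losses, confidence),
    }


if __name__ == "__main__":
    for c in (0.95, 0.99):
        s = risk_summary(SCENARIO_LOSSES, c)
        print(f"{c:.0%}: VaR ${s['var']:,}k, CVaR ${s['cvar']:,.0f}k "
              f"over {s['tail_scenarios']} tail scenarios")
```

At 99% the two worst scenarios ($9M and $11M) form the tail, so VaR is $9M while CVaR is $10M; the gap between the two is exactly why CVaR is preferred for tail risk: VaR says nothing about how bad the losses beyond it are.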


F. Targeting and Monitoring Risks

Risks are identified through risk assessment or risk monitoring activities. Risk monitoring is an activity that focuses on understanding the changes to the environment and to the specific risks facing the organization. It includes regular updates of risk information and reporting to monitor progress along the risk management process. The "environment" is anything the risk is connected to, whether internal or external. The internal environment includes objectives, practices, and processes, while the external environment includes regulations, competition, economic factors, geopolitical concerns, and vendors. Once risks are identified, assessed, and a response is decided upon, the company needs to monitor them to see what has changed and how it impacts the business. Monitoring a risk focuses on looking for how the risk is changing, the effect those changes will have on the internal and external environment, and whether the organization took enough risk to achieve its objectives.

What is the purpose of risk monitoring?

The purpose of risk monitoring is to address how risk will be monitored. This includes verifying compliance with the risk response decisions by ensuring that the organization implements the risk response measures, determining the ongoing effectiveness of those measures, and identifying any changes that would impact the risk posture.

Why is risk monitoring important?

Risk monitoring is very important to all businesses because risks need to be monitored so that management can act promptly if and when the nature, potential impact, or likelihood of a risk goes outside acceptable levels. Additionally, risks and other factors, both internal and external, are constantly changing.

Main goals of risk monitoring

The main goals of risk monitoring are:

- To confirm risk responses are implemented as planned

- To determine if risk responses are effective or if new responses are needed

- To determine the validity of the project assumptions

- To determine if risk exposure has changed, evolved, or declined due to trends in the project progression

- To confirm policies and procedures happen as planned

- To monitor the project for new risks

- To monitor risk triggers

G. Methods of Controlling and Reducing Risks

What is Risk Control and Risk Reduction?

Risk control is the set of methods by which firms evaluate potential losses and take action to reduce or eliminate such threats. Risk reduction is a strategy for dealing with risks that consists of taking measures to reduce the level of risk.

One of the purposes of controlling risks is to implement a continuous process for identifying, qualifying, quantifying, and responding to new risks.

Risk control methods include:

1. Avoidance – avoiding an activity or position that may cause risk;

2. Loss prevention – accepts a risk but attempts to minimize the loss rather than eliminate it;

3. Loss reduction – accepts the risk and seeks to limit losses when a threat occurs;

4. Separation – involves dispersing key assets so that catastrophic events at one location affect the business only at that location; and

5. Duplication – involves creating a backup plan, often by using technology.

Examples:

1. Avoidance – a business may decide that a new product strategy is too risky to pursue;

2. Loss prevention – a loss prevention program is put in place in a warehouse to avoid theft;

3. Loss reduction – a company storing flammable material in a warehouse installs state-of-the-art water sprinklers to minimize damage in case of fire;

4. Separation – a company utilizes a geographically diverse workforce so that production may continue when issues arise at one warehouse; and

5. Duplication – because an information system server failure would stop a company's operations, a backup server is readily available in case the primary server fails.

Risk reduction methods include:

1. Identifying the risk – who, what, which, where, when, whether, how, etc.;

2. Assessing the risk – who, what, which, where, when, how, etc.;

3. Reducing the risk – eliminating the cause of the risk; and

4. Reducing the risk by engineering – modification, redesign, and optimizing the impact, for example by balancing risk against benefit.

H. Risk Avoidance, Retention, and Modelling

Risk Avoidance

Risk avoidance is the direct opposite of risk acceptance: the former eliminates hazards, activities and exposures that can negatively affect an organization, while the latter accepts the risks and takes no further action to reduce them because they cannot be effectively reduced. Consider an insurance example of risk avoidance: cutting down a tree branch hanging over your driveway rather than waiting for it to fall, perhaps on your car or on a person. The insurance company would be avoiding the risk that the tree branch falls on your car, on the house, or on a passerby. Most insurance companies, in this instance, would accept the risk and wait for the limb to fall, knowing that they can likely avoid incurring that cost. However, the point is that risk avoidance means taking steps so that the risk is completely addressed and cannot occur.

Furthermore, we perform assessments regarding risk and risk impact on a daily basis, and we use those assessments to determine our choice of action. A good example is wearing a seat belt: experienced drivers are more likely to understand the risks inherent in car travel, and thus choose to wear seat belts to avoid the risk. As another example, suppose an investor wants to buy stock in an oil company, but oil prices have been falling significantly over the past few months. There is political risk associated with the production of oil and credit risk associated with the oil company. He assesses the risks associated with the oil industry and decides to avoid taking a stake in the company.

Risk is avoided when the organization refuses to accept it: the exposure is not permitted to come into existence. This is accomplished by simply not engaging in the action that gives rise to the risk. If you do not want to risk losing your savings in a hazardous venture, pick one where there is less risk. If you want to avoid the risks associated with the ownership of property, do not purchase property but lease or rent instead. If the use of a particular product is hazardous, do not manufacture or sell it. This is a negative rather than a positive technique, and it is sometimes an unsatisfactory approach to dealing with many risks. If risk avoidance were used extensively, the business would be deprived of many opportunities for profit and probably would not be able to achieve its objectives. Moreover, this technique is usually not the best for financial institutions, as it deprives them of the profits and opportunities of doing business; it is the most extreme decision, to be taken when the risk level of doing business is also extreme. Hence, risk avoidance becomes an option when the extent of risk of a business is known. For example, during the assessment of a client's credit worthiness, the credit analyst may observe high-risk concerns such as a low level of turnover, high credit exposure of the client to other institutions, a low credit score and inadequate documentation. These concerns raise the risk of default to a high level, and the best option open to the firm is to avoid this business rather than employing another tool which might be costly to the firm. Overall, risk avoidance is the process by which a company takes the necessary action, when the extent of risk is excessive, to reduce its risk exposure by avoiding or eliminating the risks. Risk avoidance is usually the most expensive of all risk mitigation strategies, but it has the result of reducing the cost of downtime and recovery significantly.

Risk Retention

The risk retention technique is the intentional decision of an organization to handle the risks facing the firm internally rather than transferring them to insurance or any other third party. By doing so, the organization's risk is self-financed and managed. From an accounting perspective, this is done by setting aside an amount or account called a provision. The provisioning account is used to service bad debts (defaulting loans); it is a loss-financing reserve fund account that pays for the potential losses arising from clients' loan defaults. Organizations decide to retain risk when a cost analysis shows that it is cost effective to handle the risk internally as opposed to the cost of fully or partially insuring against it. Companies choose to retain risk when the premium for transferring it is substantially high. The risk retention approach could also be called self-insurance.

As an individual example, a person who decides to bear all the losses to his property himself and never gets the property insured retains all the risk, and in the event of any loss he alone pays from his own pocket for the damage to his property. When an individual is consciously aware of a risk and deliberately retains all or part of it, this is called active risk retention. For example, a homeowner may retain a small part of the risk of damage to the house by purchasing a Householders policy with a substantial voluntary excess. A business firm may purposely retain the risk of petty thefts by employees, shoplifting, or the spoilage of perishable goods.

Risk retention is used for two reasons. First, it can save money: insurance may not be purchased at all, or it may be purchased with a voluntary excess; either way, there is often a substantial saving in the cost of insurance. Second, the risk may be deliberately retained because commercial insurance is either unavailable or can be obtained only by the payment of excessive premiums. Some physicians, for example, practice medicine without professional liability insurance because they perceive the premiums to be inordinately high. A situation may also arise where risks occur because they were not identified in advance. In such circumstances the risk has to be retained and met out of the organization's own resources when the event occurs. In other words, retention of risk means one is liable to bear the losses oneself up to the amount retained. Generally, most companies maintain a contingency fund that plays a large role in retaining risks: basically, the more risk a company retains, the more needs to be set aside in the contingency fund. But it is not, by itself, the solution to covering the risks. Most companies, by themselves or through the services of a consultant, take shelter with one or another insurance company to transfer their risk. However, the quantum of risk that a company is ready to bear itself can be decided on the advice of such a consultant. In short, the loss which is borne by an individual or a company out of his or her own pocket is called retention of risk.

Risk Modelling

Risk modelling is about the modelling and quantification of risk. It uses a variety of techniques including market risk, value at risk (VaR), historical simulation (HS), or extreme value theory (EVT) in order to analyze a portfolio and make forecasts of the likely losses that would be incurred for a variety of risks. Such risks are typically grouped into credit risk, market risk, model risk, liquidity risk, and operational risk categories. For the financial industry, the cases of credit risk, quantifying potential losses due, e.g., to bankruptcy of debtors, and market risk, quantifying potential losses due to negative fluctuations of a portfolio's market value, are of particular relevance. Operational risk, quantifying potential losses incurred due to failing processes, is a relevant issue for any form of organization.

Good models capture the essential features of the real world and help us to understand empirical relationships. Flawed models ignore essential features of reality, leading potentially to wrong model outcomes and subsequently to incorrect conclusions and decisions. In the specific context of calculating economic capital, for which we have to estimate changes in the fair value of assets and liabilities, model risk arises from the fact that for many assets and liabilities the market values cannot be observed directly. For that reason, models are used to estimate fair values. These valuation models aim to capture the important factors, and their interrelationships, that influence the value of the assets or liabilities for which no market values can be observed. Market prices of similar assets or liabilities are typically used to estimate the parameters in the model. As a model is an approximation of reality, it may result in wrong estimates of market values, as well as wrong estimates of changes in value. Hence, economic capital may be under- or overestimated. Models can also be an indirect source of losses, for example when a flawed model outcome results in wrong decisions being made. The consequence of the wrong decision typically manifests itself as a credit, market, operational, insurance, or other type of loss.

Risk model implementation involves large numbers of assumptions and judgement calls that have to be made well before a result becomes visible. It is inevitable that at least some assumptions and judgement calls will have to be revised. The fewer assumptions and judgement calls are involved, and the quicker you can get to the point where you can check them against real results, the easier it will be to identify what needs to be changed and to put the revisions into practice. Models are useful things to have around, and many businesses have come to rely on them for certain applications – some of which expose the bank to significant risks. Predictive models fall into this category. In finance, examples include loan approval using credit scoring and hedging models using swaps and options to manage the balance sheet while protecting liquidity and determining capital adequacy.
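The paragraph above stresses checking a model's assumptions against real results as early as possible. The following added example (not from the paper) does exactly that for a simple parametric VaR model: the normal-distribution assumption, the calibration history and the 250 realised daily losses are all constructed, and the Basel "traffic light" exception zones are the standard supervisory backtesting rule for 250 days at 99%:

```python
"""Added example (not from the original paper): checking a risk model's
assumptions against realised results, as the text recommends. A normal-
distribution VaR model is fitted to a constructed calm history and then
backtested on 250 constructed out-of-sample days. The Basel 'traffic light'
zones (0-4 exceptions green, 5-9 yellow, 10 or more red, for 250 days at 99%)
are the standard supervisory rule; all the numbers are made-up sample data."""
from statistics import NormalDist, mean, stdev

# Constructed daily P&L history in $M (positive = loss) used to fit the model.
CALIBRATION_LOSSES = [0.8, -0.6, 1.1, -1.2, 0.4, -0.9, 1.3, -0.7, 0.2, -0.4]

# Constructed 250 realised daily losses ($M): a benign repeating pattern with
# eight stress days of a $3.0M loss, i.e. fatter tails than the model assumes.
_BASE = [-0.5, 0.3, 1.2, -0.8, 0.0, 0.9, -1.1, 0.6, -0.2, 0.4]
REALISED_LOSSES = [_BASE[i % len(_BASE)] for i in range(250)]
for _day in range(0, 250, 32):          # days 0, 32, ..., 224: eight spikes
    REALISED_LOSSES[_day] = 3.0


def normal_var(history, confidence):
    """Parametric VaR: assumes losses ~ Normal(mu, sigma) with mu and sigma
    estimated from history. That distributional assumption is the judgement
    call this model rests on, and the one the backtest puts to the proof."""
    if len(history) < 2:
        raise ValueError("need at least two observations to estimate sigma")
    return NormalDist(mean(history), stdev(history)).inv_cdf(confidence)


def count_exceptions(var_forecast, realised):
    """Number of days on which the realised loss exceeded the VaR forecast."""
    return sum(1 for loss in realised if loss > var_forecast)


def traffic_light(exceptions):
    """Basel backtesting zones for a 250-day, 99% VaR: green means the model is
    consistent with its confidence level, yellow is suspect, red means the
    model is rejected and its assumptions must be revised."""
    if exceptions <= 4:
        return "green"
    if exceptions <= 9:
        return "yellow"
    return "red"


def model_review(history, realised, confidence=0.99):
    """Fit, backtest and classify in one step; `realised` must hold 250 days
    at 99% for the traffic-light zones to apply."""
    if len(realised) != 250 or confidence != 0.99:
        raise ValueError("the traffic-light zones are defined for 250 days at 99%")
    var99 = normal_var(history, confidence)
    exceptions = count_exceptions(var99, realised)
    return {
        "var": var99,
        "exceptions": exceptions,
        "expected_exceptions": len(realised) * (1 - confidence),
        "zone": traffic_light(exceptions),
    }


if __name__ == "__main__":
    review = model_review(CALIBRATION_LOSSES, REALISED_LOSSES)
    print(f"99% VaR forecast: ${review['var']:.2f}M")
    print(f"exceptions: {review['exceptions']} "
          f"(expected about {review['expected_exceptions']:.1f}) -> {review['zone']}")
```

The calm history gives a VaR of roughly $2.05M, but the realised series breaches it eight times against an expected 2.5, landing in the yellow zone: the normality assumption understates tail risk, which is precisely the kind of model flaw the text warns leads to under-estimated economic capital.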

I. Risk Assessment Process

Risk assessment is a term used to describe the overall process or method where you:

1. Identify hazards and risk factors that have the potential to cause harm (hazard identification);

2. Analyze and evaluate the risk associated with that hazard (risk analysis and risk evaluation); and

3. Determine appropriate ways to eliminate the hazard or control the risk when the hazard cannot be eliminated (risk control).

A risk assessment is a thorough look at your workplace to identify those things, situations, processes, etc. that may cause harm, particularly to people. After identification is made, you analyze and evaluate how likely and severe the risk is. When this determination is made, you can next decide what measures should be in place to effectively eliminate or control the harm from happening.

Risk assessments are very important as they form an integral part of an occupational health and safety management plan. They help to:

1. Create awareness of hazards and risk;

2. Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.);

3. Determine whether a control program is required for a particular hazard;

4. Determine if existing control measures are adequate or if more should be done;

5. Prevent injuries or illnesses, especially when done at the design or planning stage;

6. Prioritize hazards and control measures; and

7. Meet legal requirements where applicable.

J. Fraud Risk Management Guide: Executive Summary

I. History

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control – Integrated Framework, the original framework, which was widely accepted and used. COSO revised the original framework in 2013, incorporating 17 principles. These 17 principles are associated with the five internal control components.

II. Purpose of the guide

This guide is for organizations desiring to establish a more comprehensive approach to managing fraud risk. It also includes guidance on establishing an overall Fraud Risk Management Program, including: establishing fraud risk governance policies or a fraud risk management program; performing a comprehensive fraud risk assessment; designing and deploying fraud preventive and detective control activities; conducting investigations or an investigation program; and monitoring and evaluating the total fraud risk management program, with ongoing evaluations and corrective action for the overall program.

III. What is Fraud

Fraud, in general, can be defined as any action by which one person aims to gain an undue advantage over another. The Association of Certified Fraud Examiners (ACFE, 2010) defines fraud as the use of one's occupation for self-enrichment through the deliberate abuse or misapplication of the employing organization's resources or assets. The World Bank Group (2006) stated that "a fraudulent practice is any act or omission, including a misrepresentation, that attempts to mislead a party knowingly or recklessly to obtain a financial or other benefit or to avoid an obligation."

Fraud has three key elements, namely deception, enrichment or benefit, and misconduct or abuse (ACFE, 2012). The Global Fraud Survey reported by ACFE in 2016 revealed a total loss of $6.3 billion caused by 2,410 cases of occupational fraud. According to the framework, fraud risk arises when individuals or entities act outside of an organization's expected standards of ethical conduct, while other risks stem from individuals or entities acting within the organization's expected standards. The continued importance of fraud risk management in ensuring internal control effectiveness is evidenced by the release of the Fraud Risk Management Guide in 2016 by COSO.

IV. What is Fraud Risk Management and its Guidelines

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. It is impossible to eliminate all fraud in an organization, but it is possible to lessen the risks of fraud. In order to do so, there are guidelines and principles that serve as the basis for an organization. Issues are complex when it comes to fraud, and the board of directors, top management and personnel at all levels of the organization have responsibility for managing fraud risk. These complex issues are addressed through this Fraud Risk Management Guide.

Fraud deterrence is a process of eliminating factors that may cause fraud to occur. Deterrence is achieved when an organization implements a fraud risk management process that: establishes a visible and rigorous fraud governance process; creates a transparent and sound anti-fraud culture; includes a thorough, periodic fraud risk assessment; designs, implements, and maintains preventive and detective fraud control processes and procedures; and takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in wrongdoing.

V. Fraud Risk Management Components and Principles

Principle 1: Fraud Risk Governance

Fraud risk governance is an integral component of corporate governance and the internal control environment. Corporate governance addresses the manner in which the board of directors and management meet their respective obligations to achieve the organization's goals, including its fiduciary, reporting, and legal responsibilities to stakeholders. The internal control environment creates the discipline that supports the assessment of risks to the achievement of the organization's goals. The board and senior management should be committed to fraud risk management, support fraud risk governance, establish a comprehensive fraud risk management policy and the roles that come with it throughout the organization, and document and communicate the program results.

A documented and formal fraud risk management program is a document addressing in detail all fraud control activities. It helps in the development of a strategy and provides defined, proactive processes and control activities. It also comes with a strategy for data analysis and a compilation of the plans developed.

Analytic considerations include executive reporting, interactive dashboards, and targeted analysis around metrics, compliance, and ratios.

Principle 2: Fraud Risk Assessment

A fraud risk assessment is a dynamic and iterative process for identifying and assessing the fraud risks relevant to the organization. It addresses the risk of fraudulent financial reporting, fraudulent non-financial reporting, asset misappropriation, and illegal acts (including corruption). It also involves an appropriate level of management, analyzes internal and external factors, determines the response to risk, and uses data analytics techniques. The principle takes into consideration the various types of fraud and the assessment of all aspects of the fraud triangle. It also takes into account the existing fraud control activities, which have to be assessed for their effectiveness. There is also periodic risk assessment and assessment of changes to fraud risk, all of which is documented.

Analytic considerations are surveys and heat maps, media scans and external sources such as industry news, and complaints databases.

Principle 3: Fraud Control Activity

A fraud control activity is an action established through policies and procedures that helps ensure that management's directives to mitigate fraud risks are carried out. It is a specific procedure or process intended either to prevent fraud from occurring or to detect fraud quickly in the event that it occurs. Fraud deterrence is promoted through preventive and detective control activities: preventive controls are designed to avoid a fraudulent event or transaction at the time of initial occurrence, and detective controls are designed to discover a fraudulent event or transaction after the initial processing has occurred. This principle integrates with the fraud risk assessment and utilizes a combination of fraud control activities. It takes into consideration the organization-specific factors and relevant business processes, the application of control activities to different levels of the organization, and the management override of controls. Lastly, it deploys control activities through policies and procedures.

This principle emphasizes the use of proactive data analytics procedures. A comprehensive and methodical data analytics process is the key, for example adopting a framework that includes analytics design, data collection, data organization and calculation, data analysis, and the findings, observations and remediation of the activity.

Analytics considerations include ABaC analytics, P2P, O2C, T&E, CRM analysis, and general ledger transaction analysis.
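Two of the P2P (procure-to-pay) transaction analytics that Principle 3 points to, written out as an added example that is not from the paper or the COSO guide. The payment records, vendor names, approver ids and the $5,000 approval threshold are constructed sample data; duplicate-payment and threshold-splitting tests are common detective controls, but the time windows and tolerances used here are this example's own assumptions:

```python
"""Added example (not from the original paper or the COSO guide): two detective
control analytics over constructed procure-to-pay (P2P) payment records.
Vendor names, amounts, dates, approver ids and the $5,000 approval threshold
are all made-up sample values; the windows and tolerances are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed payment ledger: (payment_id, vendor, amount, invoice_no, paid_on, approver)
PAYMENTS = [
    ("P001", "Acme Supplies", 4200.00, "INV-118", date(2023, 3, 2), "jdoe"),
    ("P002", "Acme Supplies", 4200.00, "INV-118", date(2023, 3, 9), "jdoe"),   # same invoice paid twice
    ("P003", "Northwind Ltd", 12500.00, "NW-77", date(2023, 3, 10), "mlee"),
    ("P004", "Globex Corp", 4990.00, "GX-501", date(2023, 3, 14), "jdoe"),
    ("P005", "Globex Corp", 4950.00, "GX-502", date(2023, 3, 14), "jdoe"),
    ("P006", "Globex Corp", 4975.00, "GX-503", date(2023, 3, 15), "jdoe"),    # three just-under-limit payments
    ("P007", "Initech", 800.00, "IT-9", date(2023, 3, 20), "mlee"),
    ("P008", "Acme Supplies", 4200.00, "INV-119", date(2023, 4, 2), "jdoe"),   # new invoice number: legitimate
]

APPROVAL_LIMIT = 5000.00      # constructed single-signature approval threshold


def duplicate_payments(payments, window_days=30):
    """Flag consecutive payments to the same vendor for the same amount and
    invoice number within `window_days` of each other, the classic signature
    of a double payment or a re-submitted invoice. Returns (first_id, second_id) pairs."""
    by_key = defaultdict(list)
    for pid, vendor, amount, inv, paid_on, _approver in payments:
        by_key[(vendor, round(amount, 2), inv)].append((paid_on, pid))
    hits = []
    for entries in by_key.values():
        entries.sort()
        for (d1, p1), (d2, p2) in zip(entries, entries[1:]):
            if (d2 - d1).days <= window_days:
                hits.append((p1, p2))
    return hits


def split_transactions(payments, limit, band=0.05, min_count=3, window_days=7):
    """Flag vendor/approver pairs with `min_count` or more payments that each
    sit just under the approval limit (within `band` of it) inside a
    `window_days` window: a pattern consistent with one large purchase split
    into pieces to stay below a higher approval tier. Returns one record per pair."""
    by_pair = defaultdict(list)
    for pid, vendor, amount, _inv, paid_on, approver in payments:
        if limit * (1 - band) <= amount < limit:
            by_pair[(vendor, approver)].append((paid_on, pid))
    hits = []
    for (vendor, approver), entries in by_pair.items():
        entries.sort()
        for i in range(len(entries) - min_count + 1):
            first_day = entries[i][0]
            cluster = [p for d, p in entries[i:] if (d - first_day).days <= window_days]
            if len(cluster) >= min_count:
                hits.append({"vendor": vendor, "approver": approver, "payments": cluster})
                break
    return hits


if __name__ == "__main__":
    print("possible duplicate payments:", duplicate_payments(PAYMENTS))
    print("possible split purchases:", split_transactions(PAYMENTS, APPROVAL_LIMIT))
```

Both functions return records for review rather than verdicts: a flagged pair or cluster is a lead for the investigation process under Principle 4, and the P008 row shows why the invoice number belongs in the duplicate key, since a repeat purchase from the same vendor at the same price is not by itself suspicious.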

Principle 4: Fraud Investigation and Corrective Action

Control activities cannot provide absolute assurance against fraud. As a result, the organization's governing board ensures that the organization develops and implements a system for prompt, competent, and confidential review, investigation, and resolution of instances of non-compliance and allegations involving fraud and misconduct. An organization can improve its chances of loss recovery, while minimizing exposure to litigation and damage to reputation, by establishing and carefully preplanning its investigation and corrective action processes. The establishment of fraud investigation and response controls is governed by confidentiality, urgency, evidence preservation, legal protections, forensic support, investigation protocols, the reporting process, root cause analysis and mitigating controls. After the investigation come the communication of results, the taking of corrective action, and the overall evaluation.

Under this principle a formal investigation program is necessary because of the increasing number of poorly performed investigations. Frauds are missed due to inadequate technological resources, poor skills, and lack of experience; as a result, the root causes are not obtained and the internal controls do not improve.

Analytics considerations are case management, escalation and triage, and review of workflow management.

Principle 5: Fraud Risk Management Monitoring Activities

Organizations use fraud risk management monitoring activities to ensure that each of the five principles of fraud risk management is present and functioning as designed, and that the organization identifies needed changes in a timely manner. Organizations consider a mix of ongoing and separate evaluations, and the factors for setting the scope and frequency of evaluations. They keep track of known fraud schemes and new fraud cases, establish appropriate measurement criteria, and lastly evaluate, communicate and remediate deficiencies.

Analytics considerations include investigative procedures, deep dive analysis, and email and communications review.

VI. The Cyclical Process of Fraud Risk Management


This comprehensive approach recognizes and emphasizes the fundamental difference between internal control weaknesses resulting in errors and weaknesses resulting in fraud. This fundamental difference is intent. Implementing a specific and more focused fraud risk assessment as a separate fraud risk management process provides greater assurance that the assessment’s focus remains on intentional acts.

VII. Used by Interested Parties

1. Board of directors and audit committee

- The board discusses with the senior management and provides oversight. Senior management has overall responsibility for the design and implementation of a Fraud Risk Management Program. The board defines its expectations in relation to fraud and the program while the senior management reports to the board its assessments.

2. Senior management

- Senior management assesses the entity’s Fraud Risk Management Program in relation to this Fraud Risk Management Guide, focusing on how the organization applies the five principles in support of its Fraud Risk Management Program.

3. Internal audit

- Internal auditors review their internal audit plans and how the plans are applied to the entity’s Fraud Risk Management Programs in connection with implementation of this guidance. Internal auditors will review this guide and consider possible implications of changes to the entity’s fraud risk program on audit plans, evaluations, and any reporting on the entity’s fraud risk management and system of internal control.

4. Independent auditors

- An independent auditor is engaged to audit or examine the effectiveness of the client’s internal control over financial reporting in addition to auditing the entity’s financial statements.

VIII. Importance

The importance of this fraud risk management program is to exceed expectations regarding fraud: a formal fraud risk management program is now the expectation. Internal and external auditors are expected to assess anti-fraud processes and controls; therefore, this guide is useful especially for them. Without this guide, organizations will have difficulty in starting their own anti-fraud programs.

IX. Key Takeaways


1. Determine your organization's adherence to the COSO ERM Framework, whether formal, informal, or not at all.

2. Identify and formalize all anti-fraud activities under this program.

3. Develop or enhance and deploy comprehensive preventive and detective data analytics capabilities.

4. Integrate the fraud risk management components throughout the organization.

III. CONCLUSION
BIBLIOGRAPHY

Bugajenko, O. (n.d.). Risk Appetite: Definition, Importance & Benefits. Study. Retrieved from https://study.com/academy/lesson/risk-appetite-definition-importance-benefits.html?fbclid=IwAR2EY8o5aBk_79QgzezSwJ9wBMaNrnGFzxtSDesx1_9qMcJDvpG7LxZXVDQ

Chapter 10: Risk and the risk management process. (n.d.). Kaplan Financial Knowledge Bank. Retrieved from https://kfknowledgebank.kaplan.co.uk/acca/chapter-10-risk-and-the-risk-management-process

Chen, J. (2020, March 30). Risk Measures. Investopedia. Retrieved from https://www.investopedia.com/terms/r/riskmeasures.asp

COSO Fraud Risk Management Guidelines. (2016). Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from https://na.eventscloud.com/file_uploads/92a257c28dbca2addab2e507d4f9c8dd_CS3-2-COSO-RyanHubbsVincentWalden.pdf

Deloach, J. (2016, May 26). The Importance of Risk Culture. Corporate Compliance Insights. Retrieved from https://www.corporatecomplianceinsights.com/the-importance-of-risk-culture/?fbclid=IwAR3AdLjpeQLCRYAoGo-hCOal7Mx81SBiTLTQmLyOJ55L1JV1N4cP43zyOH0

Eccles, R., Newquist, S., & Schatz, R. (2007, February). Reputation and Its Risks. Harvard Business Review. Retrieved from https://hbr.org/2007/02/reputation-and-its-risks

Economic Capital. (2009). Risk Model. ScienceDirect. Retrieved from https://www.sciencedirect.com/topics/economics-econometrics-and-finance/risk-model

Handling Risk. (n.d.). This Matter. Retrieved from https://thismatter.com/money/insurance/handling-risk.htm

Hayes, A. (2020, May 8). Bernie Madoff. Investopedia. Retrieved from https://www.investopedia.com/terms/b/bernard-madoff.asp

Hill, J. A. (2019, June 13). Why We Shouldn’t Regulate Reputation Risk at Banks. Columbia Law School. Retrieved from https://clsbluesky.law.columbia.edu/2019/06/13/why-we-shouldnt-regulate-reputation-risk-at-banks/

Hussaini, U., & Bakar, A. A. (2017, January). Fraud Risk Management. ResearchGate. Retrieved from https://www.researchgate.net/publication/331087397_Fraud_Risk_Management

Internal Control – Integrated Framework Executive Summary. (1992). Committee of Sponsoring Organizations of the Treadway Commission. Retrieved from https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf

Kenton, W. (2019, April 15). Reputational Risk. Investopedia. Retrieved from https://www.investopedia.com/terms/r/reputational-risk.asp

Kenton, W. (2019, August 12). Risk Control. Investopedia. Retrieved from https://www.investopedia.com/terms/r/risk-control.asp

Kolomiyets, T. (2017, January 10). Risk analysis and measurement. Statswiki. Retrieved from https://statswiki.unece.org/display/GORM/3.2+Risk+analysis+and+measurement

Kwong, W., & Bugajenko, O. (n.d.). Risk Identification: Definition, Purpose & Examples. Study. Retrieved from https://study.com/academy/lesson/risk-identification-definition-purpose-examples.html#transcriptHeader

Lipton, M., Niles, S., & Miller, M. (2018, March 20). Risk Management and the Board of Directors. Harvard Law School Forum on Corporate Governance. Retrieved from https://corpgov.law.harvard.edu/2018/03/20/risk-management-and-the-board-of-directors-5/?fbclid=IwAR2P4yFunKI1G-CPSYHLt3AHtjZkqTxsJwpgJG1hiY5Ix-x8pzMZ44njbug

Mark. (2020, April 14). Four benefits of risk management important for your business. Business Basics. Retrieved from https://www.businessbasics.com.au/four-reasons-why-risk-management-is-important-for-your-business/

Mullai, A. (2006). Risk Management System: Risk Assessment Frameworks and Techniques. Retrieved from http://rop.lv/lv/media-lv/lejupielades/doc_download/42-risk-management-system-risk-assessment-frameworks-and-techniques.html

NC State University. (2012, June 1). Risk Appetite: A Conversation of Governance. Enterprise Risk Management Initiative. Retrieved from https://erm.ncsu.edu/library/article/risk-appetite-a-conversation-of-governance?fbclid=IwAR0PGrcK4FxjGXnwrkZvkH8lnpToNiEP3YXg9iTRaHFevAX_cksURzVKNv8

Neary, B. (2014, June 9). Retrieved from https://www.casact.org/education/infocus/2014/handouts/Paper_3357_handout_2180_0.pdf

Nyaba, T. (2018, July 10). How an effective risk culture creates good governance. Biz Community. Retrieved from https://www.bizcommunity.com/Article/196/511/179264.html?fbclid=IwAR2mhN3Ury3xsQIovJ5ctxmfWI5yMfq5ADtC5OKa80JYpYVDHPPb1GdC3hY

Oliveira, W. (2018, March 15). What is the risk management process? Heflo. Retrieved from https://www.heflo.com/blog/risk-management/what-is-the-risk-management-process/

Operational Risk Management Training & Resources. (n.d.). The Risk Management Association. Retrieved from https://www.rmahq.org/operational-risk/

Price, N. J. (2018, February 21). Relationship Between Risk Management and Corporate Governance. Diligent Insights. Retrieved from https://insights.diligent.com/risk-oversight/relationship-between-risk-management-and-corporate-governance

Risk Assessment. (2020, May 14). Canadian Centre for Occupational Health and Safety. Retrieved from https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html

Risk: Controlling the risks in the workplace. (n.d.). Health and Safety Executive. Retrieved from https://www.hse.gov.uk/risk/controlling-risks.htm

Risk Modeling. (2020, June 1). Retrieved from https://nms.kcl.ac.uk/reimer.kuehn/riskmodeling.html

Risk Monitoring and Risk Control. (n.d.). Project Management Guide. Retrieved from http://www.pmvista.com/risk-monitoring-and-risk-control/

Risk Reduction. (2018, February 3). Management Mania. Retrieved from https://managementmania.com/en/risk-reduction

Risk Reduction Techniques. (2018, December 28). Safeopedia. Retrieved from https://www.safeopedia.com/definition/732/risk-reduction-techniques-health-environment-and-safety

Risk Retention in Insurance: Meaning and Types. (2016, August 10). Business Management Ideas. Retrieved from https://www.businessmanagementideas.com/notes/insurance/risk-retention-in-insurance-meaning-and-types/5490

Rouse, M. (2014, June). Compliance Risk. SearchCompliance. Retrieved from https://searchcompliance.techtarget.com/definition/compliance-risk

Sickler, J. (2019, February 8). What is Reputational Risk and How to Manage It. Reputation Management. Retrieved from https://www.reputationmanagement.com/blog/reputational-risk/

Snedaker, S., & Rima, C. (2014). Risk Avoidance. ScienceDirect. Retrieved from https://www.sciencedirect.com/topics/computer-science/risk-avoidance

Spacey, J. (2016, November 14). 4 Types of Risk Reduction. Simplicable. Retrieved from https://simplicable.com/new/risk-reduction

Spacey, J. (2018, July 24). 8 Types of Risk Appetite. Simplicable. Retrieved from https://simplicable.com/new/risk-appetite

Stanleigh, M. (2011, March 17). Risk Management: The What, Why, and How. Business Improvement Architects. Retrieved from https://bia.ca/risk-management-the-what-why-and-how/?fbclid=IwAR2cZk-5aSId1-9EMmkYe7mBUw8T7zkOsVkhNiVurZuzL3AwbfUef5VkZ-s

The Dali Model in Risk Management Practice: The Case of Financial Services Firms. (2019, November 14). Retrieved from https://www.primo-europe.eu/risk-management-systems/

Tonello, M., & The Conference Board. (2012, August 23). Strategic Risk Management: A Primer for Directors. Harvard Law School Forum on Corporate Governance. Retrieved from https://corpgov.law.harvard.edu/2012/08/23/strategic-risk-management-a-primer-for-directors/

Web Actuaries. (n.d.). Risk Identification. Retrieved from https://web.actuaries.ie/sites/default/files/erm-resources/risk_identification.pdf

Williams, C. (2019, February 11). 7 Questions for Understanding the Fundamentals of Risk Appetite. ERM Insights. Retrieved from https://www.erminsightsbycarol.com/risk-appetite-fundamentals/?fbclid=IwAR2giQk7yGpSVp-p_i-JWxzK-UkXsP0VbAfolO1o8flvY8QWlf8E-Ist7kM
