
UNIVERSITY OF BOHOL

PROFESSIONAL STUDIES

CASE STUDY:
The Value Proposition of ERM:
From Intangible to Tangible
Appendix F

Submitted to
Dr. AMMON DENIS R. TIROL, DM, CPA

as partial fulfillment of the requirements in


BM 213 - RISK MANAGEMENT
2ND Semester S.Y. 2018-2019

Submitted by:
RAYMUNDA R. MORENO
PhD HRM
INTRODUCTION

Integrating Enterprise Risk Management (ERM) with sustainability is a primary need of
globalization. It offers companies the insights, data and analysis they need to manage
the risks they will face in this new era.

Enterprise risk management (ERM) has been gaining importance in many companies,
especially financial institutions such as banks. Of all businesses, banks are among the
most exposed and vulnerable to risk.

Globalization has changed the business world, and its benefits are remarkable.

Technology has made possible the consolidation and integration of domestic markets with
international financial markets.

Fraud and scams in the banking industry have been a serious problem since time
immemorial. To extend their reach, banks need to offer quick and efficient services to
clients through technology and digitalization.

As technology develops, the perpetrators of scams and fraud also become more
inventive, exposing clients to new risks.

Financial institutions face many risks. Credit risk, market risk and operational risk are
three of them.

Credit risk is the possibility of a loss resulting from a borrower's failure to repay a loan or
meet contractual obligations.

Market risk refers to the risk of losses in the bank’s trading book due to changes in equity
prices, interest rates, credit spreads, foreign-exchange rates, commodity prices, and other
indicators whose values are set in a public market.

Operational risk, on the other hand, is the risk of loss due to errors, breaches, interruptions
or damage, whether intentional or accidental, caused by people, internal processes,
systems or external events.

The graph referred to at this point of the case (not reproduced here) shows which of these
poses the greatest risk to financial institutions.

Bank customers and clients entrust their money to banks for safety and growth. If the
risks mentioned above cannot be addressed by these financial institutions, clients will
lose their trust and confidence in the services the institutions offer them.

Company F is a financial institution that serves the financial needs of businesses,
individuals and families. It offers deposit, loan, investment, trust and wealth management
products and services to its customers and the general public.

With a capitalization of between $1 billion and $15 billion, the company started as a
community savings bank and has grown into a midsize financial institution.
Overview of the ERM

Company F’s ERM framework has existed for over ten (10) years. Having matured over
this period, the program is highly organized and structured, well documented, and in
compliance with industry regulations.

The ERM program was initiated by the Board of Directors and the Audit Committee; later
the board created a separate Risk Committee to govern the ERM process.

The goal of the program is to avoid intolerable and unacceptable business risks that
could prevent the bank from achieving its business goals and objectives.

Its main aim is to operate in a safe and sound manner that justifies the level of
confidence entrusted to the bank by its clients and customers.

The bank adopted the COSO ERM framework as the basis for its risk management
process.

Figure 1. The COSO ERM Framework (diagram not reproduced; its eight components are):
1. Internal Environment
2. Objective Setting
3. Risk Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information & Communication
8. Monitoring
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
joint initiative of five private sector organizations: the American Accounting Association
(AAA), the American Institute of Certified Public Accountants (AICPA), Financial
Executives International (FEI), the Institute of Management Accountants (IMA), and the
Institute of Internal Auditors (IIA). The objective of the committee is to provide thought
leadership to business managers and executives through the development of frameworks
and guidance on enterprise risk management, internal control and fraud deterrence.

The COSO Board first published Enterprise Risk Management – An Integrated Framework
in 2004. Since its publication, the Framework has gained wide acceptance among
business organizations in their efforts to manage risk.

Because the business environment and its processes have become more dynamic and
complex, the Framework was updated in 2017. The 2004 document, originally titled
Enterprise Risk Management – An Integrated Framework, now carries the title Enterprise
Risk Management – Integrating with Strategy and Performance. The revised framework
highlights the importance of considering risk both in the strategy-setting process and in
driving performance. The intent of the update is that business organizations can scale and
adapt its principles and relate them to their mission, vision and core values; their strategic
goals and direction; and the approaches used in carrying out those strategies.

As mentioned in the case, Company F’s Framework on Enterprise Risk Management was
able to capture the interrelationship of its values, mission, and strategic opportunities.
The ERM Process

Company F has five objectives or steps in its ERM Process:

1. Identification of key risks.


2. Formulation of a clearly communicated risk appetite.
3. Establishment of strategic objectives in accordance with the risk appetite.
4. Optimization of risk and reward decisions using an organized process.
5. Engagement of its workforce contributing towards an effective risk management
system.

Comparing the company’s ERM process with the COSO Framework on which it is based,
the eight components of the COSO Framework are incorporated into Company F’s five
steps.

Company F’s first step corresponds to component one of the COSO Framework.

Its second and third steps correspond to component two.

Step four covers components three to six of the framework, and step five covers
components seven and eight.

Company F’s ERM process is therefore quite similar to the COSO framework, except that it
gives prominence to certain risks peculiar to the banking industry.

Because the banking industry is far more heavily regulated than other industries,
Company F expanded its risk categories. These include credit risk, market risk, liquidity
risk, operational risk, compliance risk, reputational risk, and strategic risk. These risk
categories are tied closely to FDIC regulation so that the company can demonstrate to
regulators its compliance with laws and regulations.
Current research identifies eleven (11) risks faced by banks in 2018 and beyond, to wit:

1. Business Strategic Risk

This risk relates to a bank’s long-term business strategy. With the rapid development of
technology, the banking landscape has changed.

Failing to keep up with these changes will leave a bank behind its competitors. Banks
today no longer compete only with other banks. Many other business entities now provide
financial services similar to those offered by banks.

Examples are Globe, which now offers GCash, and M Lhuillier, Palawan and other
pawnshops, which now handle money transfers that were previously done by banks.

There are also non-bank financial technology providers offering innovations to customers,
such as Dragonpay, Coins.ph and the like.

2. Compliance Risk

According to the Basel Committee on Banking Supervision (hosted by the Bank for
International Settlements, BIS), compliance risk in the banking context is the risk of legal
or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as
a result of its failure to comply with laws, regulations, rules, related self-regulatory
organization standards, and codes of conduct applicable to its banking activities.
Figure 2. Cost of Misconduct of 20 Major Global Banks.
3. Credit Risk

Credit risk is the risk of default on a debt that may arise from a borrower failing to make
required payments. In the first instance, the risk is borne by the lender and includes lost
principal and interest, disruption to cash flows, and increased collection costs.

Credit risk is the potential that a bank borrower or counterparty will fail to meet its
payment obligations under the terms agreed with the bank. It covers both the uncertainty
of whether the bank will be repaid and whether it will be repaid on time.

A bank must therefore conduct a thorough background check and evaluation of each
potential borrower. An inaccurate evaluation can result in large losses for the bank.

Usual reasons for credit risk to materialize are inadequate income of borrowers,
inadequate underwriting frameworks, business failure of borrowers, and the
unwillingness of borrowers to repay.

4. Cybersecurity Risk

Cyber security is one of the most essential concerns in the finance sector.

Most bank transactions globally are now done over the internet. Banking institutions
should maintain measures that keep client information private and safe.

Banks have been at the forefront of cyber security; hence it is important that they invest
heavily in protecting their clients’ most valuable and sensitive personal information.
5. Liquidity Risk

Liquidity risk is the risk that a company or bank may be unable to meet short-term
financial demands. This usually occurs when a security or hard asset cannot be converted
to cash without a loss of capital and/or income in the process.

In banking, liquidity risk is the risk that the bank cannot fund its day-to-day operations.
Banks lend out the money they receive from depositors as new loans; if depositors
withdraw their money faster than the bank can turn those loans back into cash or borrow
from other banks, liquidity problems result.

6. Market Risk

Market risk is the possibility that an investor experiences losses due to factors that
affect the overall performance of the financial markets in which he or she is involved.
Market risk, also called "systematic risk," cannot be eliminated through diversification,
though it can be hedged against.

According to the Basel Committee on Banking Supervision, market risk is the risk of
losses in on- or off-balance-sheet positions arising from movements in market prices.

Market risk includes potential losses due to changes in interest rates, called interest rate
risk. Equity risk is the risk of losses due to changes in stock prices. Commodity risk is the
risk of losses in the prices of commodities that the bank holds as part of its investments.
The last is foreign exchange risk, which arises from exchange rate fluctuations that affect
the bank when it transacts with customers in foreign currencies.
7. Moral Hazard

Moral hazard is a situation in which one party to an agreement engages in risky behavior
or fails to act in good faith because it knows the other party bears the consequences of
that behavior.

It is also the risk that a party has not entered into a contract in good faith or has
provided misleading information. Banks risk depositors’ money in risky transactions
because they know they do not bear the consequences of loss. Ultimately, top
management will face the consequences of moral hazard.

8. Open Banking Risk

This is a systems risk. Open banking presents a single platform to all bank clients.
Although the motive is to give clients a full experience on an open infrastructure, and to
make customer data more accessible to banks so they can build better products, the
environment also invites scams and fraudulent activity. If not properly controlled, data
privacy may be compromised.

9. Operational Risk

Operational risk (OR) is the risk of loss due to errors, breaches, interruptions or damage,
whether intentional or accidental, caused by people, internal processes, systems or
external events.

The Basel Committee on Banking Supervision defines operational risk as the risk of loss
resulting from inadequate or failed internal processes, people and systems or from
external events. There are three main causes of this risk: human intervention and error,
failure of IT and internal software and systems, and failure of internal processes to
transmit data and information accurately.
10. Reputational Risk

Reputational risk is the risk of damage to the bank’s brand and reputation: the risk of
losing public confidence because of a negative reputation or image created by wrongdoing
or other actions of the bank.

Based on research, reputational risk can result from the bank’s inability to honor
government or regulatory commitments, non-observance of the code of conduct under
corporate governance, mismanagement or manipulation of customer records, and
ineffective customer service or after-sales service.

11. Systemic Risk

In finance, systemic risk is the risk of collapse of an entire financial system or entire
market, as opposed to risk associated with any one individual entity, group or component
of a system, which can be contained without harming the entire system.

This risk includes the possibility of bringing the entire financial system to a stop.

It arises from a domino effect, where the failure of one bank leads to the failure of its
counterparties and other stakeholders, which in turn threatens the entire financial
services industry.

Of the risks enumerated above, some are already addressed by Company F according
to the case, but others still need to be included in its strategic planning.
The ERM Structure

Company F’s ERM structure is organized according to the Three Lines of Defense model.
The first line is management control. The second line is the risk control and compliance
oversight functions. The third is independent assurance, which for Company F is Internal
Audit. The company also created Management Level Committees. These include the
general risk committee, the senior risk committee

Figure 3. ERM Structure of Company F


The company maintains a formal documented policy that provides guidance on ERM roles,
responsibilities and activities.

It uses a structured approach to the assignment of risk management responsibilities.

The Board of Directors oversees the risk profile and approves the risk management
framework, within the context of accepted concepts that guide the organization's
approach to risk and its risk thresholds.

The Chief Risk Officer reports quarterly to the Risk Committee of the Board of Directors to
validate what the committee is hearing from other committees and business lines about
risk exposures, and to present a quarterly enterprise risk scorecard.

Executive management proposes the primary risk limits and tolerances, aligned with the
goals, objectives and risk appetite established by the Board of Directors.

Business line managers are primarily responsible for managing business risks, including
measuring risk exposures, implementing risk management strategies, and establishing
appropriate internal controls.
Figure 4. Relationship Among Objectives, the Framework, and the Model (COSO)

The figure, taken from COSO guidance, presents the relationship among objectives, the
framework and the model. The organization’s Board of Directors sets the strategic
direction of the company by establishing the organization’s objectives.

To ensure those objectives are achieved, management adopts a framework that serves as
the standard to follow in performing tasks.

The organizational structure is the last part, which organizations may follow as a model in
setting up their own. The model enhances understanding of risk management and control
by clarifying roles and responsibilities.
As presented in COSO guidance (the model itself was articulated by the Institute of
Internal Auditors), the three (3) lines of defense are:

1. Management Controls and Internal Control Measures

Those in this line of defense are responsible for managing risk and controls. They are the
front-line operating managers. Their responsibilities include taking the right risks: they not
only own the risks but also design and execute the organization’s controls in response to
those risks.

2. Financial Control, Security, Risk Management, Quality, Inspection and Compliance

Those in this line of defense are responsible for monitoring risk and control. The second
line supports management by bringing expertise, process excellence and management
monitoring alongside the first line to help ensure that risk and control are managed
effectively. Second-line functions are separate from the first line, but they remain under
the control and direction of senior management and perform some management
functions. The second line is an oversight function.

3. Internal Audit

Internal Audit performs the full audit cycle, including assessment of risk management and
control over the effectiveness of operations, the reliability of financial reporting, and
compliance with all applicable directives and regulations.

Its responsibility is to provide independent assurance to the board and management
about the organization’s management of risks and controls, which includes determining
the scope of internal audit and developing annual audit plans.

Internal Audit has a primary reporting line to the Board and is not permitted to perform
management functions. It is also responsible for ensuring that the efforts of the first and
second lines of defense are consistent with the Board of Directors’ expectations.
CONCLUSION

In accordance with how I understood the COSO Framework for ERM, I further comprehended
that COSO-based ERM can be looked at from several perspectives; it is a comprehensive
process which entails principles such as the management and control of risks. Company
F was able to standardize and structure its risk and control management system in
accordance with the way COSO recommended it.

The three lines of defense were sufficiently implemented, except that Company F made
them particular to the banking industry.

With ERM, the methods would be sufficient for managing risks, and there will be significant
developments towards a more comprehensive and inclusive approach to the management
of risks in Company F. It gives value to the company in a clear perspective.

Though the company already has a system for managing risk, it would be effortless and
trouble-free for Company F to respond to untoward risks that may come; having a good
system allows it to keep and store related data, hence it will be very easy for
management to identify and prioritize its response to any kind of risk there may be.

I give a very satisfactory overall assessment of Company F’s Enterprise Risk Management
System; even if they are still using typical and traditional means of data management
and storage, they are open to recommendations on inculcating the use of updated
technology systems.
