
IMAGE SOURCE: https://www.lucidchart.com/blog/risk-management-process

MODULE CONTENT
COURSE TITLE: Governance, Business Ethics, Risk Management, and Internal Control

MODULE TITLE: CONTROLLING AND MANAGING RISK

MODULE NO: GBER 323-4

NOMINAL DURATION: 6 HRS

SPECIFIC LEARNING OBJECTIVES:

At the end of this module you MUST be able to:

1. Explain and evaluate the role of the accountant in controlling and
mitigating risk

TOPICS:

• Targeting and monitoring risk
• Methods of controlling and reducing risk
• Risk avoidance, retention and modelling

ASSESSMENT METHOD/S:

• Online work and activity

REFERENCE/S:

• https://www.investopedia.com/
• https://survey.charteredaccountantsanz.com/risk_management/small-firms/monitor.aspx
• https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/monitor-review
• https://www.mha-it.com/2016/11/30/defining-risk-avoidance/#:~:text=Risk%20avoidance%20is%20the%20elimination,to%20avoid%20compromising%20events%20entirely.

Bachelor of Science in Accounting Information Systems, Bulacan Polytechnic College
Governance, Business Ethics, Risk Management, and Internal Control (GBER 323)
Document No.: 20-GBER 323 | Revision No.: 02
Date Developed: Aug 2020 | Date Revised: Sept 2020
Developed by: Ms. Rachael Louise De Guzman, LPT

Information Sheet GBER 323-4

CONTROLLING AND MANAGING RISK

Learning Objectives:

After reading this INFORMATION SHEET, YOU MUST be able to:

1. Explain and evaluate the role of the accountant in controlling and
mitigating risk

Targeting and Monitoring Risk

“You can’t manage what you don’t measure”

One of the most critical factors affecting the efficiency and effectiveness of the
organization’s risk management process is the establishment of an ongoing
monitor and review process. This process makes sure that the specified
management action plans remain relevant and updated. In today’s continuously
changing business environment, factors affecting the likelihood and
consequences of a risk are very likely to change also. This is even truer for factors
affecting the cost of the risk management options. It is therefore necessary to
repeat the risk management cycle regularly.

To make Risk Management become a part of the organization’s culture and
philosophy, the organization must collect and document experience and
knowledge through a consistent monitoring and review of events, treatment
plans, results and all relevant records. This information, however, will be
pertinent to information risks. Technical details concerning operational issues of
the underlying technology have to be filtered out.

Each stage of the Risk Management process must be recorded appropriately.
Assumptions, methods, data sources, results and reasons for decisions must be
included in the recorded material.

Besides being an extremely valuable information asset for the organization, the
records of such processes are an important aspect of good corporate governance
provided of course that they are in line with:

• the legal, regulatory, and business needs for records,
• the cost of creating and maintaining such records,
• the benefits of re-using information.

Risk Monitoring

Continuous monitoring by the project risk manager and the project team ensures
that new and changing risks are detected and managed and that risk response
actions are implemented and effective. Risk monitoring continues for the life of
the project.

Risk monitoring and control keeps track of the identified risks, residual risks,
and new risks. It also monitors the execution of planned strategies for the
identified risks and evaluates their effectiveness.

Risk monitoring and control continues for the life of the project. The list of project
risks changes as the project matures, new risks develop, or anticipated risks
disappear. Risk ratings and prioritizations can also change during the project
lifecycle.

Typically, during project execution, risk meetings should be held regularly to
update the status of risks in the risk register and add new risks. This is not
necessary for minor level projects and may only be needed annually for moderate
level projects. Periodic project risk reviews repeat the process of identification,
analysis, and response planning.

Monitoring risk is a continuous activity that results in the awareness of
what is happening across different parts of the organization. Over time,
monitoring risk enables management to:

✓ identify critical trends
✓ respond in an appropriate and efficient manner
✓ spot business opportunities or process improvements that would
otherwise not have been apparent without effective monitoring in place

Image Source: https://survey.charteredaccountantsanz.com/risk_management/small-firms/monitor.aspx

Monitoring and review should be a planned part of the risk management
process and involve regular checking or surveillance. The results should be
recorded and reported externally and internally, as appropriate. The results
should also be an input to the review and continuous improvement of the firm's
risk management framework.

Responsibilities for monitoring and review should be clearly defined. The firm's
monitoring and review processes should encompass all aspects of the risk
management process for the purposes of:

▪ Ensuring that controls are effective and efficient in both design and
operation
▪ Obtaining further information to improve risk assessment
▪ Analyzing and learning lessons from risk events, including near-misses,
changes, trends, successes, and failures
▪ Detecting changes in the external and internal context, including changes
to risk criteria and to the risks, which may require revision of risk
treatments and priorities
▪ Identifying emerging risks.

Methods of Controlling and Reducing Risk


What Is Risk Control?

Risk control is the set of methods by which firms evaluate potential losses and
take action to reduce or eliminate such threats. It is a technique that utilizes
findings from risk assessments, which involve identifying potential risk factors
in a company's operations, such as technical and non-technical aspects of the
business, financial policies and other issues that may affect the well-being of the
firm.

Risk control also implements proactive changes to reduce risk in these areas.
Risk control thus helps companies limit lost assets and income. Risk control is
a key component of a company's enterprise risk management protocol.

How Risk Control Works

Modern businesses face a diverse collection of obstacles, competitors, and
potential dangers. Risk control is a plan-based business strategy that aims to
identify, assess, and prepare for any dangers, hazards, and other potentials for
disaster—both physical and figurative—that may interfere with an organization's
operations and objectives. The core concepts of risk control include:

• Avoidance is the best method of loss control. For example, after
discovering that a chemical used in manufacturing a company’s goods is
dangerous for the workers, a factory owner finds a safe substitute chemical
to protect the workers’ health.

• Loss prevention accepts a risk but attempts to minimize the loss rather
than eliminate it. For example, inventory stored in a warehouse is
susceptible to theft. Since there is no way to avoid it, a loss prevention
program is put in place. The program includes patrolling security guards,
video cameras and secured storage facilities. Insurance is another
example of risk prevention that is outsourced to a third party by contract.
• Loss reduction accepts the risk and seeks to limit losses when a threat
occurs. For example, a company storing flammable material in a
warehouse installs state-of-the-art water sprinklers for minimizing
damage in case of fire.

• Separation involves dispersing key assets so that catastrophic events at
one location affect the business only at that location. If all assets were in
the same place, the business would face more serious issues. For example,
a company utilizes a geographically diverse workforce so that production
may continue when issues arise at one warehouse.

• Duplication involves creating a backup plan, often by using technology.
For example, because information system server failure would stop a
company’s operations, a backup server is readily available in case the
primary server fails.

• Diversification allocates business resources for creating multiple lines of
business offering a variety of products or services in different industries.
A significant revenue loss from one line will not result in irreparable harm
to the company’s bottom line. For example, in addition to serving food, a
restaurant has grocery stores carry its line of salad dressings, marinades,
and sauces.

No one risk control technique will be a golden bullet to keep a company free from
potential harm. In practice, these techniques are used in tandem with one
another to varying degrees and change as the corporation grows, as the economy
changes, and as the competitive landscape shifts.

KEY TAKEAWAYS
▪ Risk control is the set of methods by which firms evaluate potential
losses and take action to reduce or eliminate such threats. It is a
technique that utilizes findings from risk assessments.
▪ The goal is to identify and reduce potential risk factors in a company's
operations, such as technical and non-technical aspects of the
business, financial policies and other issues that may affect the
well-being of the firm.
▪ Risk control methods include avoidance, loss prevention, loss
reduction, separation, duplication, and diversification.

Example of Risk Control

As part of Sumitomo Electric’s risk management efforts, the company
developed Business Continuity Plans (BCPs) in fiscal 2008 as a means of
ensuring that core business activities could continue in the event of a disaster.
The BCPs played a role in responding to issues caused by the Great East Japan
earthquake that occurred in March 2011. Because the quake caused massive
damage on an unprecedented scale, far surpassing the damage assumed in the
BCPs, some areas of the plans did not reach their goals.

Based on lessons learned from the company’s response to the earthquake,
executives continue promoting practical drills and training programs, confirming
the effectiveness of the plans and improving them as needed. In addition,
Sumitomo continues setting up a system for coping with risks such as outbreaks
of infectious diseases, including the pandemic influenza virus.

Image source: https://www.lynda.com/IT-tutorials/Risk-avoidance/2252221/2302012-4.html

RISK AVOIDANCE
Risk avoidance is the elimination of hazards, activities, and exposures that can
negatively affect an organization’s assets.

Whereas risk management aims to control the damages and financial
consequences of threatening events, risk avoidance seeks to avoid compromising
events entirely.

When determining your risk mitigation strategies, don’t confuse the strategies
of risk avoidance or risk acceptance with risk ignorance. Risk ignorance is a
situation where the knowledge about the risk (and any underlying phenomena
and processes) is poor. Just because there are no remediation strategies
currently in place does not mean that a conscious decision has been made to
accept the risk.

We perform assessments regarding risk and risk impact on a daily basis. We
then use those assessments to determine our choice of action. A good example
is wearing a seat belt. We might observe that experienced drivers are more likely
to understand the risks inherent in car travel, and thus choose to wear seat
belts, whereas the less experienced driver (think teenagers) may have to be
reminded constantly of those risks – at least in my house. These are contrasting
examples of risk avoidance (seat belt use) and risk ignorance (no seat belt use).
Neither should be confused with risk acceptance (car travel is dangerous, but I
don’t want to wrinkle my clothes, so I’m not going to wear my seat belt).

Take a moment and think about the type of organization you work with – are
your colleagues seat belt wearers or seat belt rejecters? How do we become a risk
avoidance-based organization, and is that a desirable state?

▪ Understand the risk and impacts. An assessment of how the risk will
impact only one area does not allow for good organizational decisions.

▪ Ensure the risks and impacts are in business terms, not just technical
or BC terms. If there are no real business impacts, what is the actual risk?

▪ Update the risks and impacts. You should revisit your risk profile on a
regular basis, at least annually.

▪ Identify the risks that have remediation in place. Assess the
effectiveness of that remediation (is it appropriate to the risk impact, will
it work, etc.?).

▪ Identify the risks that have no remediation in place. Document those
risks and the reason why there is no remediation in place. This is where
you must distinguish between choosing to accept a risk or to ignore it.

➢ Conscious management decision based on impact, probability, cost,
etc. (management accepts the risk).

▪ Assess the criticality of the task. Consider why performing the task is
important or why a risk remediation solution is appropriate.

▪ Calculate the financial benefits of the task. Directors must decide when
the cost of the risk is greater than the cost of risk management and
manage their plans accordingly.

▪ Assess the availability of resources. If resources (budget, time, etc.) are
not available to fully remediate the risk, identify a solution that may reduce
risk, even if it does not reduce it to the appropriate level. Something is
better than nothing.

Risk avoidance does not mean remediation is in place to prevent any
potential issue. It does mean that proper evaluation has occurred,
and decisions have been made with the best information possible. A
risk cannot be ignored with the hope that it will not occur. Risk
avoidance is a desirable goal, even if remediation is implemented
incrementally.
