
RISK MANAGEMENT

Republic of the Philippines


President Ramon Magsaysay State University
(Formerly Ramon Magsaysay Technological University)
College of Accountancy and Business Administration
Iba, Zambales, Philippines
Tel/Fax No.: (047) 811-1683

College/Department: College of Accountancy and Business Administration
Course Code: Major Elec 2
Course Title: RISK MANAGEMENT
Place of the Course in the Program: Major Subject
Semester & Academic Year: First Semester AY 2021-2022
Author: JOHN REY MERCURIO

Chapter 1
INTRODUCTION TO RISK MANAGEMENT

Intended Learning Outcomes


After studying this chapter, students should be able to:
• provide a range of definitions of risk and risk management and describe the usefulness of the various definitions;
• list the characteristics of a risk that need to be identified in order to provide a full risk description;
• describe options for classifying risks according to the nature, source and timescale of impact;
• outline the options for the attachment of risks to various attributes of an organization and describe the advantages of each approach;
• use a risk matrix to represent the likely impact of a risk materializing in terms of likelihood and magnitude;
• outline the principles (PACED) and aims of risk management and its importance to operations, projects and strategy;
• describe the nature of hazard, control and opportunity risks and how organizations should respond to each type;
• outline the development of the discipline of risk management, including the various specialist areas and approaches.

MARWENA M. DIAZ 1
RISK MANAGEMENT

DISCUSSION:
Introduction:
Approaches to defining the risk
The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss, injury or other adverse consequences’ and the definition of at risk is ‘exposed to danger’. In this context, risk is used to signify negative consequences. However, taking a risk can also result in a positive outcome. A third possibility is that risk is related to uncertainty of outcome.

Table 1.1 Definitions of risk

Organization: Definition

ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.

“Orange Book” from HM Treasury: Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.

Institute of Internal Auditors: The uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood.

Alternative definition by the author: Event with the ability to impact (inhibit, enhance or cause doubt about) the mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.

Risk in an organizational context is usually defined as anything that can impact the
fulfilment of corporate objectives. However, corporate objectives are usually not fully stated
by most organizations. Where the objectives have been established, they tend to be stated as
internal, annual, change objectives. This is particularly true of the personal objectives set for
members of staff in the organization, where objectives usually refer to change or
developments, rather than the continuing or routine operations of the organization.


Impact of Risk on Organization


Risk importance
Following the events in the world financial system during 2008, all organizations are
taking a greater interest in risk and risk management. It is increasingly understood that the
explicit management of risks brings benefits. By taking a proactive approach to risk and risk
management, organizations will be able to achieve the following three areas of improvement:
• Operations will become more efficient, because events that can cause disruption will be identified in advance and actions taken to reduce the likelihood of these events occurring, reducing the damage caused by these events and containing the cost of the events that can cause disruption to normal efficient production operations.
• Processes will be more effective, because consideration will have been given to the selection of the processes and the risks involved in the alternatives that may be available. Also, process changes that are delivered by way of projects will be more effectively and reliably delivered.
• Strategy will be more efficacious, in that the risks associated with different strategic options will be fully analyzed and better strategic decisions will be reached. Efficacious refers to the fact that the strategy that will be developed will be fully capable of delivering the required outcomes.
It is no longer acceptable for organizations to find themselves in a position whereby
unexpected events cause financial loss, disruption to normal operations, damage to reputation
and loss of market presence. Stakeholders now expect that organizations will take full
account of the risks that may cause disruption within operations, late delivery of projects or
failure to deliver strategy.

Types of Risk
Risks can be classified in many ways. Hazard risks can be divided into many types of
risks, including risks to property, risks to people and risks to the continuity of the business.
Although it should not be considered to be a formal risk classification system, this part
considers the value of classifying risks according to the timeframe for the impact of the risk.

Classification of risk
• Long-term Risk
o will impact several years, perhaps up to five years, after the event occurs or the decision is taken.
o Long-term risks therefore relate to strategic decisions. When a decision is taken to launch a new product, the impact of that decision (and the success of the product itself) may not be fully apparent for some time.
• Medium-term Risk
o have their impact some time after the event occurs or the decision is taken, and typically this will be about a year later.
o Medium-term risks are often associated with projects or programs of work.
o decisions regarding the project to implement the new software will be medium-term decisions with medium-term risk attached.
• Short-term Risk
o have their impact immediately after the event occurs.
o Accidents at work, traffic accidents, fire and theft are all short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred.
o These short-term risks cause immediate disruption to normal efficient operations and are probably the easiest types of risks to identify and manage.
• Insurable Risk
o are quite often short-term risks, although the exact timing and magnitude/impact of the insured events is uncertain.
o In other words, insurance is designed to provide protection against risks that have immediate consequences.
o In the case of insurable risks, the nature and consequences of the event may be understood, but the timing of the event is unpredictable.

Three types of Risk

• Hazard Risk
o Hazard risks are the risks that can only inhibit achievement of the corporate mission.
o Typically, these are insurable type risks or perils, and will include fire, storm, flood, injury and so on.

Category: Example of Disruption

People:
o Lack of people skills and/or resources
o Unexpected absence of key personnel
o Ill-health, accident or injury to people
Premises:
o Inadequate or insufficient premises
o Denial of access to premises
o Damage to or contamination of premises
Assets:
o Accidental damage to physical assets
o Breakdown of plant or equipment
o Theft or loss of physical assets
Supplier:
o Disruption caused by failure of supplier
o Delivery of defective goods or components
o Failure of outsourced services and facilities
Information and Technology:
o Failure of IT hardware systems
o Disruption by hacker or computer virus
o Inefficient operation of computer software
Communication:
o Inadequate management of information
o Failure of internal or external communications
o Transport failure or disruption

• Control Risk
o are risks that cause doubt about the ability to achieve the mission of the organization.
o are associated with uncertainty, and examples include the potential for legal non-compliance and losses caused by fraud.
o They are usually dependent on the successful management of people and successful implementation of control protocols.
o are the most difficult type of risk to describe.
Internal financial control protocols are a good example of a response to a control risk. If the control protocols are removed, there is no way of being certain about what will happen.
• Opportunity Risk
o are the risks that are (usually) deliberately sought by the organization.
o These risks arise because the organization is seeking to enhance the achievement of the mission, although they might inhibit the organization if the outcome is adverse.
o This is the most important type of risk for the future long-term success of any organization.
Principles and Aims of Risk Management
Risk management operates on a set of principles, and there have been several attempts
to define these principles. It is suggested that a successful risk management initiative will be:
• Proportionate to the level of risk within the organization;
• Aligned with other business activities;
• Comprehensive, systematic and structured;
• Embedded within business processes;
• Dynamic, iterative and responsive to change.
This provides the acronym PACED and provides a very good set of principles that are
the foundations of a successful approach to risk management within any organization. A
more detailed description of the PACED principles of risk management is set out in Table
5.1. The approach to risk management is based on the idea that risk is something that can be
identified and controlled.
PRINCIPLE: DESCRIPTION
Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned: Risk management activities need to be aligned with the other activities in the organization.
Comprehensive: In order to be fully effective, the risk management approach must be comprehensive.
Embedded: Risk management activities need to be embedded within the organization.
Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.

Learning Activities
Part I
Identify the following.
__________1. Risk is the combination of the probability of an event and its consequence.
Consequences can range from positive to negative.


__________2. Lack of people skills and/or resources; unexpected absence of key personnel; ill-health, accident or injury to people
__________3. Accidental damage to physical assets; breakdown of plant or equipment

__________4. Accidents at work, traffic accidents, fire and theft are all short-term risks that have an immediate impact and immediate consequences as soon as the event has occurred.
__________5. Inadequate or insufficient premises

Part II
Define the following:
• Long-term Risk
• Medium-term Risk
• Hazard Risk
• Opportunity Risk
• PACED
Part III
Essay:
1. In your own understanding, what is Risk Management?
2. In your own words, what is the difference between hazard risk, control risk and
opportunity risk?

Chapter 2
APPROACHES TO RISK MANAGEMENT
Intended Learning Outcomes:
At the end of this chapter, the students should be able to:

• Perform environmental scanning;
• Employ SWOT analysis using a company;
• Analyze and evaluate the social, political, economic, technological, and environmental forces affecting the country; and
• Identify external forces that may prove beneficial or detrimental to an organization.

DISCUSSION:
Risk Management Standard

Risk Management Standards set out a specific set of strategic processes which start with the overall aspirations and objectives of an organization, and are intended to help identify risks and promote the mitigation of risks through best practice.
Standards are often designed and created by a number of agencies who are working
together to promote common goals, to help to ensure that organizations carry out high-quality
risk management processes.

What are Risk management standards like?

Risk management standards are like a guide to help ensure that risk management is
carried out in a proper way. Standards usually include checkpoints and examples, to make it
really easy for organizations to comply.

What is the purpose of Risk management standards?

Risk management standards have been designed so that those who must carry out risk
management processes have a guide to help them to work. These standards help to provide an
international consensus on how to deal with certain risks, and they offer best practice advice
on how to deal with others. Risk management standards help organizations to implement
strategies which are tried and tested, and proven to work.

What are the different types of Risk management standards?

The ISO 31000 risk management standards framework includes:

• ISO 31000:2009 – Principles and Guidelines on Implementation
• ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
• ISO Guide 73:2009 – Risk Management – Vocabulary

ISO 31000:2009 – Principles and Guidelines on Implementation

There are two elements of the process that can be considered as continually acting. These are:

• Communication and consultation with internal and external stakeholders, where practicable, to gain their input to the process and their ownership of the outputs. It is also important to understand stakeholders’ objectives, so that their involvement can be planned and their views can be considered in setting risk criteria.

• Monitoring and review, so that appropriate action occurs as new risks emerge and existing risks change as a result of changes in either the organization’s objectives or the internal and external environment in which they are pursued. This involves environmental scanning by risk owners, control assurance, taking on board new information that becomes available, and learning lessons about risks and controls from the analysis of successes and failures.

The central spine of the risk management process is concerned with preparing for
and then conducting risk assessment leading, as necessary, to risk treatment. The process
starts through defining what the organization wants to achieve and the external and internal
factors that may influence success in achieving those objectives. This step is called
establishing the context and is an essential precursor to risk identification.
Risk assessment under ISO 31000 comprises the three steps of risk identification,
risk analysis, and risk evaluation.
Risk identification requires the application of a systematic process to understand
what could happen, how, when, and why.
In ISO 31000, risk analysis is concerned with developing an understanding of each risk, its consequences, and the likelihood of those consequences. Whether the end result is expressed in a qualitative, semiquantitative, or quantitative manner, gaining this understanding requires consideration of the effect and reliability of existing controls and any control gaps. Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data, and resources available. Analysis can be qualitative, semiquantitative, quantitative, or a combination of these, depending on the circumstances.
Risk evaluation then involves deciding about the level of risk and the priority for
attention through the application of the criteria developed when the context was established.
Risk treatment is the process by which existing controls are improved or new
controls are developed and implemented. It involves evaluation of and selection from options,
including analysis of costs and benefits and assessment of new risks that might be generated
by each option, and then prioritizing and implementing the selected treatment through a
planned process. If this process is followed, the systematic way in which the risks have been
assessed means that risk treatment can proceed with confidence.
How do Risk management standards impact on managing organizational risk?
Risk Management standards impact on the ways in which risk management processes are created and implemented. They offer guidance on setting the context of the strategies, as well as providing ideas about what should and should not be implemented as part of the risk management strategy. Many standards provide advice on how best to quantify and classify risk.
What terms are used in Risk management standards?
Standard – a rule or principle which is used as the basis for judgment of the risk
management process, a series of checkpoints which an organization should strive to achieve.
Risk – a potential consequence of an action. In recent developments in risk management, a
risk can now be considered to be a negative or a positive consequence. A risk may or may not
occur.
Management – the strategies which are implemented in an attempt to combat potential risk.

ENTERPRISE RISK MANAGEMENT


What Is Enterprise Risk Management (ERM)?
Enterprise risk management (ERM) is a plan-based business strategy that aims to
identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both
physical and figurative—that may interfere with an organization's operations and objectives.
The discipline not only calls for corporations to identify all the risks they face and to decide
which risks to manage actively, but it also involves making that plan of action available to all
stakeholders, shareholders and potential investors, as part of their annual reports. Industries
as varied as aviation, construction, public health, international development, energy, finance,
and insurance all utilize ERM.
Companies have been managing risk for years. Historically, they've done this by
buying insurance: property insurance for literal, detrimental losses due to fires, thefts, and
natural disasters; and liability insurance and malpractice insurance to deal with lawsuits and
claims of damage, loss, or injury. But another key element in ERM is a business risk—that is,
obstacles associated with technology (particularly technological failures), company supply
chains, and expansion—and the costs and financing of the same.

Advantages of ERM
In creating ERM initiatives, companies should focus not only on the downside of risk but on the upside as well. The traditional approach was to concentrate on negatives—the losses from currency or interest rate trades in financial markets, for instance, or financial losses that might be caused by a disruption in a supply chain or a cyber-attack that impairs a company's information technology.
In thinking about the upside, companies now are supposed to consider competitive
opportunities and strategic advantages that might arise out of the deft management of risk.
Some of these "better decisions" involve items like where to locate a plant or office abroad
based on a risk analysis that would examine the political environment in a country.
The "upside" also includes focusing on preventive measures that help a company
avoid potential disasters down the road. For example, some of these actions may include
determining when and how physical assets need to be maintained and replaced.
This way, the company can avoid unexpected and costly plant and equipment failure
that might result in shutdowns, explosions or other events that put a company's employees,
communities and public profile at risk. Understanding that their most important and valuable
asset is their image, some companies work proactively when dealing with man-made or
natural disasters.
Example of Enterprise Risk Management
One of the model reputation risk management stories in corporate history involves Johnson & Johnson. The pharmaceutical giant found its reputation and its stock price severely bruised in 1982 over revelations that someone had tampered with and poisoned bottles of its pain reliever Tylenol, resulting in several deaths.
The company reacted quickly, removing and replacing its products at retail outlets,
cooperating fully with law enforcement authorities, and keeping the media (and, hence, the
public) informed throughout. Its decisive actions and honest open communication during the
crisis helped in the recovery of share value within a few months.
From 2006 to 2008, the push for companies was to prove they are "going green," hoping that aggressive environmental risk management will position their products, plants, supply chain, and other operations positively with current and future customers.


To enable you to achieve these capabilities, we can work with you to:
• Identify and assess the current risks facing your organization - at an enterprise-wide level and at business unit or activity levels - using qualitative and quantitative measurement techniques
• Assist you to understand the different stages of evolution and sophistication of ERM and to determine what attributes you want your risk management program to have
• Assess the current state of risk management throughout your organization and make recommendations for improvement
• Design an ERM program - including the desired risk culture, risk appetite and tolerances, risk management process, structure, methodologies and systems - and implementation plan that will achieve the program you envision
• Implement ERM pilots and assist with a full organization-wide implementation
• Help establish Risk Management functions and/or Committee
• Design and conduct tailored risk management training and awareness sessions for directors, management and staff
• Automate the risk assessment process


Learning Activities
Part I
Identification:
__________1. set out a specific set of strategic processes which start with the overall
aspirations and objectives of an organization, and intend to help to identify risks and promote
the mitigation of risks through best practice.
__________2. is concerned with preparing for and then conducting risk assessment leading,
as necessary, to risk treatment.
__________3. requires the application of a systematic process to understand what could
happen, how, when, and why.
__________4. the process by which existing controls are improved or new controls are
developed and implemented.
__________5. is a plan-based business strategy that aims to identify, assess, and prepare for
any dangers, hazards, and other potentials for disaster—both physical and figurative—that
may interfere with an organization's operations and objectives.
Part II
Enumeration:
Three (3) types of risk management standards
1.
2.
3.
Three (3) types of Risk Assessment
1.
2.
3.
Six (6) steps to achieve ERM
1.
2.
3.
4.
5.
6.


Part III
Essay:
1. How important is Enterprise Risk Management in business? Elucidate your answer.
2. In your own words, how do Risk management standards impact on managing
organizational risk?


Chapter 2
APPROACHES TO RISK MANAGEMENT

Learning Objectives:
• describe the importance of risk assessment as a critically important stage in the risk management process;
• outline the range of risk assessment techniques that are available and the advantages/disadvantages of each technique;
• describe the importance of risk classification systems and describe the key features of the best-established systems;
• provide examples of the use of a risk matrix, including using it to indicate the dominant risk response in each quadrant;
• use a risk matrix to indicate the risk appetite of an organization and whether the organization is risk averse or risk aggressive;
• describe the main components of loss control as loss prevention, damage limitation and cost containment and provide practical examples;
• demonstrate the use of loss-control actions to reduce the impact of an event that has a large magnitude before mitigation.
DISCUSSION:
Risk assessment considerations
Importance of risk assessment
Risk assessment involves the recognition of risks and the rating of them to determine the significant risks facing the organization, project or strategy. Because the risk management input into strategy focuses on improved decision making, risk assessment is the main risk management input into strategy formulation. Risks may be attached to corporate objectives, stakeholder expectations, core processes and key dependencies. Whichever of these features is selected as the starting point, risk assessment can be undertaken. The purpose of risk assessment is to identify the significant risks that could impact the selected feature.
Although risk assessment is vitally important, it is only useful if the
conclusions of the assessment are used to inform decisions and/or to identify the
appropriate risk responses for the type of risk under consideration. It should be
considered as the starting point of the risk management process and it is
certainly not an end in itself.
An important feature of undertaking a risk assessment is to decide
whether the identified risk is going to be evaluated at the inherent level or at the
current (or residual) level. Assessment of inherent risk is undertaken without
taking account of the controls that are currently in place.
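The ISO 31000 assessment steps described in the previous chapter (identification, then analysis, then evaluation against criteria set when the context was established, leading to treatment) and the inherent-versus-residual distinction above, worked through in a small risk register. This is an added example, not code from the course module or from the referenced texts; the 1..5 likelihood and impact scales, the number of scale steps each control removes, the appetite threshold and the sample risks are all constructed assumptions.

```python
"""Risk register scoring example (constructed; not from the course module).

Identification  -> entries in REGISTER
Analysis        -> inherent_score() ignores controls, residual_score() applies them
Evaluation      -> evaluate() compares a score with the risk appetite criterion
Treatment input -> control_gaps() lists risks still above appetite
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """An existing control and the scale steps it removes (assumed values)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry rated on a 1..5 likelihood x 1..5 impact scale."""
    title: str
    category: str            # hazard category as named in the chapter 1 table
    likelihood: int          # inherent likelihood, 1..5
    impact: int              # inherent impact, 1..5
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.title}: likelihood and impact must be 1..5")

    def inherent_score(self) -> int:
        # Inherent level: rated without taking account of controls in place.
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Current (residual) level: existing controls applied, floored at 1
        # because a control can lower a rating but never remove the risk.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def evaluate(score: int, appetite: int) -> str:
    """Risk evaluation: decide the priority for attention against the
    criteria (here a single appetite threshold, an assumed criterion)."""
    if score > 2 * appetite:
        return "high - treat immediately"
    if score > appetite:
        return "medium - plan treatment"
    return "low - accept and monitor"


def assess(register: List[Risk], appetite: int) -> List[Tuple[str, int, int, str]]:
    """Analysis and evaluation over the whole register, most urgent first."""
    rows = [(r.title, r.inherent_score(), r.residual_score(),
             evaluate(r.residual_score(), appetite)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def control_gaps(register: List[Risk], appetite: int) -> List[str]:
    """Risks whose residual score still exceeds appetite: treatment candidates."""
    return [r.title for r in register if r.residual_score() > appetite]


# Constructed sample register; categories follow the chapter 1 hazard table.
REGISTER = [
    Risk("Disruption by hacker or computer virus", "Information and Technology", 4, 5,
         [Control("patching and endpoint protection", likelihood_reduction=2),
          Control("offline backups", impact_reduction=2)]),
    Risk("Fire at main premises", "Premises", 1, 5,
         [Control("sprinklers and alarms", impact_reduction=2)]),
    Risk("Failure of key supplier", "Supplier", 3, 3),   # no controls yet
]

if __name__ == "__main__":
    for title, inherent, residual, priority in assess(REGISTER, appetite=4):
        print(f"{title:42} inherent={inherent:2} residual={residual:2}  {priority}")
    print("treatment candidates:", control_gaps(REGISTER, appetite=4))
```

Note that the supplier risk, with a modest inherent score of 9, ends up ranked above the hacker risk once controls are applied: the register sorts on residual score, which is the level the organization is actually carrying today. That is the reason the chapter asks you to decide up front whether a risk is being evaluated at the inherent or the residual level.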

Approaches to risk assessment

There are several approaches that can be taken when planning how to
undertake risk assessment. One of the key decisions will be who to involve in
the risk assessment exercise. Sometimes risk assessments are undertaken by the
board of directors as a top-down exercise. Risk assessments can also be
undertaken by involving individual members of staff and local departmental
management. This bottom-up approach is also valuable.

Risk assessment techniques

There is a wide range of risk assessment techniques available, and a Final Draft International Standard (FDIS) has recently been published providing detailed information on the full range of risk assessment techniques that can be used.

Table 1.1 Technique of risk assessment



TECHNIQUE: BRIEF DISCUSSION

Questionnaires and checklists: Use of structured questionnaires and checklists to collect information that will assist with the recognition of the significant risks
Workshops and brainstorming: Collection and sharing of ideas at workshops to discuss the events that could impact the objectives, core processes or key dependencies
Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures
Flowcharts and dependency analysis
HAZOP and FMEA approaches
SWOT and PESTLE analysis

References:
Hopkin, Paul, 2017. Fundamentals of Risk Management (Understanding, evaluating and
implementing effective risk management) 4th Edition
https://www.skillmaker.edu.au/risk-management-standards
https://www.pwc.com/la/en/risk-assurance/enterprise-risk-management.html


Prepared by:
JOHN REY MERCURIO
Instructor

