
RISK MANAGEMENT STRATEGY (ERM) (I)

Risk Management (RM)
Process of understanding and managing the risks that the organization is inevitably (unavoidably) subject to in attempting to achieve its corporate objectives.

Conformance vs Performance
● Traditional view, protect orgn from loss through conformance & hedging. Avoid downside
● New approach, taking advantage of opportunities to increase overall returns w/i business. Benefit from upside risk

Enterprise Risk Management (ERM)
➔ Process effected by an entity’s board of directors, mngmnt & other personnel
➔ Applied in strategy setting & across the enterprise
➔ To identify potential events tht may affect the entity
➔ Manage risk to be within risk appetite (level of risk orgn is prepared to accept)

Key principles ERM :
➔ Consideration of RM
➔ RM is every1 responsibility (set from the top)
➔ Creation of risk aware culture
➔ Comprehensive & holistic approach to RM
➔ Consideration of broad range of risks
➔ Focused RM strategy, led by the board

COSO ERM Framework
● 3 dimensional matrix :
★ Objectives
★ Components
★ Different orgn levels
● 4 objectives :
★ Strategic, high level goals, aligned with & supporting its mission
★ Operations, effective & efficient use of its resources
★ Reporting, reliability of reporting
★ Compliance, compliance with applicable laws & regulations
● 4 orgn levels :
★ Subsidiary
★ Business unit
★ Division
★ Entity

Components of ERM :

1. Internal environment
➔ Tone of organizations
➔ Sets the basis for how risk is viewed & addressed by entity’s people
➔ Eg : risk mngmnt philosophy, risk appetite, integrity, ethical values

2. Objective setting
➔ Must exist bfore mngmnt can identify potential events affecting achievmnt

3. Event identification
➔ Internal & external events affecting achievement of entity’s objectives must be identified

4. Risk assessment
➔ Risks are analyzed
➔ Consider likelihood & impact
➔ As basis for determining how they should be managed

5. Risk response
➔ Mngmnt selects risk responses
➔ Avoiding, accepting, reducing, sharing risk
6. Control activities
➔ Policies & procedures are established & implemented
➔ Help ensure risk responses are effectively carried out

7. Information & communication
➔ Relevant info identified, captured & communicated in form & timeframe
➔ Enable people to carry out their responsibilities

8. Monitoring
➔ Accomplished through ongoing mngmnt activities, separate evaluations / both

Risk management & shareholder value

Shareholder value = Static NPV of existing business model + value of future growth options

E & Y identify 4 stages :
● Establish what SH value about the comp (talking with investment community & linking value creation processes to KPI)
● Identify risks around key SH value drivers
● Determine preferred treatment for risk, investmnt community can give their views on what actions they would like mngmnt to take in relation to risk
● Communicate risk treatments to SH

5 interrelated components ERM :

1. Governance & Culture
➔ Governance sets orgn’s tone, reinforcing importance of establishing oversight responsibilities for ERM
➔ Culture pertains to ethical values, desired behaviors & understanding of risk in entity

2. Strategy & objective-setting
➔ ERM and these work together in strategic-planning process
➔ Risk appetite established & aligned w strategy

3. Performance
➔ Risks that may impact the achievement of strategy & business obj need to be identified & assessed
➔ Risk prioritized by severity in context of risk appetite

4. Review & revision
➔ Orgn can consider how well enterprise RM components are functioning over time by reviewing

5. Information, communication & reporting
➔ ERM requires continual process of obtaining & sharing necessary information
➔ From internal & external sources

Benefits of effective ERM :
● Focus of mngmnt attention on most significant risks
● Reduce cost of finance through effective mngmnt of risk
● Resultant improvemnt in investor confidence
● Common language / RM which is understood throughout the orgn.

Limitations of effective ERM :
● Mngmnt has ability to override ERM decisions
● Human judgment in decision making can be faulty
● Decisions on responding to risk & establishing controls still need to consider the relative costs & benefits
RM STRATEGY (FORMULATION OF RISK STRATEGY) (II)

RM capability should be sufficient to :
● Review its internal control system & adequacy (annually)
● Ensure controls properly implemented
● Monitor implementation & effectiveness of controls

RM strategy Framework
● Risk Appetite (RA)
➔ Amount of risk an orgn is willing to accept in pursuit of value
➔ May be explicit & implicit (hidden)
● RA determined by :
➔ Risk capacity, amount of risk orgn can bear
➔ Risk attitude, overall approach to risk (risk averse (avoid) & risk seeking (accept))
● Residual risk, risk business faces after its controls have been considered.

RM strategy Features

The key features :
● Risk appetite of orgn
● Objectives of RM strategy
● Responsibilities of managers for application of RM strategy
● Reference should be made to RM systems the company uses

RM Process elements :
1. Risk Assessment
2. Risk Reporting
3. Risk Treatment (TARA/SARA)

RM Cycle

1. Risk Identification
● Done by risk committee/RM specialist
● Risk identified should be recorded in risk register

2. Quantifying of risk exposures
● Important in understanding the extent & significance of exposure
● Risk identified measured & assessed.
● Measurement & assessment of risk depends on mngmnt judgement.

Example of quantitative techniques :

1. Expected values (EV)
● EV = probability x outcome

2. Volatility
● Comp might calculate EV based on range of probabilities but also assess potential variation from tht expected outcome

3. Value at Risk (VaR)
● Allows investor to assess the scale of likely loss in their portfolio at defined level of probability
● May be calculated as standard deviation x Z-score (in normal distribution table)

Other methods of measuring / assessing severity of identified risk :
● Simulation analysis
● Scenario planning
● Computer simulations
● Decision trees
● Sensitivity analysis

Risk Mapping
● Qualitative way of assessing significance of risk
● Identifies whether risk will have a significant impact on the orgn
● Link into likelihood of risk occurring
● Risk with high-significance impact & high likelihood of occurrence needs more urgent attention.

Risk response strategy

Management of risk involves trying to ensure :
● Exposure to severe risk is minimized
● Unnecessary risks are avoided
● Appropriate measures of control are taken
● Balance between risk & return is appropriate

If risk greater than acceptable limit, next stage is to consider how risk should be managed/controlled

Risk Treatment Methods :

1. Avoid Risk
● Comp may decide some activities are so risky that they should be avoided
● Impossible to apply to all risks

2. Transfer Risk
● Can be transferred wholly / in part to third party
● Example : insurance (reduce/eliminate risk but premiums have to be paid)

3. Pool Risk
● Risk from many different transactions can be pooled together
● Each individual item has its potential upside & downside
● Risks tend to cancel each other out

4. Diversification
● Similar to pooling
● Relates to different industries/countries
● Risk in 1 area can be reduced by investing in another area where risks are different / ideally opposite

5. Risk Reduction
● Reduce risk to more acceptable level by forming of internal control
● Internal control would reduce the likelihood of an adverse outcome occurring / size of potential loss

6. Hedging Risk
● Reduce risk by entering into transaction with opposite risk profiles

7. Risk Sharing
● Reduce risk in new business operation by sharing it with another party

RM STRATEGY (REPORTING & EVALUATING) (III)

Risk Cube
➔ Fast track to manage market risk
➔ Offering immediate business benefits w/o need for expensive
➔ Risk seen as combination of threat, exploiting vulnerability tht could cause harm to asset

Residual risk is combined function of :
● Threat less effect of threat reducing safeguards
● Vulnerability less effect of vulnerability reducing safeguards
● Asset less effect of asset reducing safeguards.

The Risk Cube
➔ Managing the risk can be undertaken by :
● Reducing the threat
● Reducing the vulnerability
● Reducing the asset value
➔ Examples : a comp sells machine parts on credit to industrial customers
● Threat, customer doesn’t pay for their machine parts
● Vulnerability, selling company has low cash balance & needs funds to pay its own suppliers
● Asset, is the receivable due in (having reached date for payment)
● Threat-reducing safeguards, perform a credit check on all customers
● Vulnerability-reducing safeguards, holding minimum cash balance at all times to ensure sufficient cash is available to pay suppliers
● Asset-reducing safeguards, setting a limit on each receivable balance, so once it is reached no further goods would be supplied to customer until payment was made

Risk Reporting
● Important disclosure requirement
● Managers of business & external SH require information regarding the risks facing the business

Risk reporting include :
➔ Systematic review of risk forecast (annually at least)
➔ Review of risk strategy & response to significant risk
➔ Monitoring & feedback loop on action taken

To facilitate review of risk responses effectiveness, risk reports should show :
● Gross risk, assessment of risk before application of any controls, transfer / management responses
● Net risk / residual risk, assessment of risk (taking into account the controls, transfer & management responses)

If residual risk considered too great, comp need to :
➔ Not expose itself to risk situation
➔ Put in place better controls over the risk
➔ Residual risk = portion of risk remaining after security measures have been applied.

Ability to bear risk

Approach to assessing it is to consider its financial consequences in relation to :
● Organisation’s profit
● Return on capital employed
● Organization expenditure budget (not for profit orgn)

Evaluating RM strategy

RM strategy objective should be :
● To minimize severe risk exposure
● To avoid unnecessary risks
● To take appropriate measures of control
● Balance between risk & return is appropriate

Has the strategy been successful ?
● Comp might set target for risk of faulty products at set number of % level & formulate risk strategy to achieve tht level
● Set up control mechanism to assess it
● Comp compare actual result with required target & assess whether achieved/not
● If not, reason must be investigated & action taken
Do benefits outweigh costs ?
● Such as internal controls can be evaluated
● Benefits from risk controls should be measured & quantified
● Evaluation process should be based on principle tht cost from control measure should not exceed the benefits tht it provides

Interaction between risk
➔ Risk identification important bcause risks are often interrelated
➔ If 1 risk more likely / will have more significant impact for orgn, it may be more likely to be exposed to other risk
