Enterprise Risk Management (ERM)
➔ Process effected by an entity's board of directors, management & other personnel
➔ Applied in strategy setting & across the enterprise
➔ To identify potential events that may affect the entity
➔ Manage risk to be within risk appetite (level of risk the organization is prepared to accept)

Key principles of ERM :
➔ Consideration of RM
➔ RM is everyone's responsibility (set from the top)
➔ Creation of a risk-aware culture
➔ Comprehensive & holistic approach to RM
➔ Consideration of a broad range of risks
➔ Focused RM strategy, led by the board

COSO ERM Framework
● 3-dimensional matrix :
★ Objectives
★ Components
★ Different organization levels

Components of ERM :

1. Internal environment
➔ Tone of the organization
➔ Sets the basis for how risk is viewed & addressed by the entity's people
➔ Eg : risk management philosophy, risk appetite, integrity, ethical values

2. Objective setting
➔ Must exist before management can identify potential events affecting their achievement

3. Event identification
➔ Internal & external events affecting achievement of the entity's objectives must be identified

4. Risk assessment
➔ Risks are analyzed
➔ Consider likelihood & impact
➔ As a basis for determining how they should be managed

5. Risk response
➔ Management selects risk responses
➔ Avoiding, accepting, reducing, sharing risk
6. Control activities
➔ Policies & procedures are established & implemented
➔ Help ensure risk responses are effectively carried out

2. Strategy & objective-setting
➔ ERM and these work together in strategic-planning process
➔ Risk appetite established & aligned w strategy
RM strategy Framework
● Risk Appetite (RA)
➔ Amount of risk an organization is willing to accept in pursuit of value
➔ May be explicit & implicit (hidden)
● RA determined by :
➔ Risk capacity , amount of risk the organization can bear
➔ Risk attitude , overall approach to risk (risk averse (avoid) & risk seeking (accept))
● Residual risk , risk the business faces after its controls have been considered.

RM strategy Features
1. Risk Assessment
2. Risk Reporting
3. Risk Treatment (TARA/SARA)

RM Cycle

1. Risk Identification
● Done by risk committee/RM specialist

Example of quantitative techniques :

1. Expected values (EV)
● EV = probability x outcome

2. Volatility
● Company might calculate EV based on a range of probabilities but also assess potential variation from that expected outcome

3. Value at Risk (VaR)
● Allows investor to assess the scale of likely loss in their portfolio at a defined level of probability
● May be calculated as standard deviation x Z-score (in normal

Risk Mapping
● Qualitative way of assessing significance of risk
● Identifies whether risk will have a significant impact on the organization
● Links into likelihood of risk occurring
● Risks with high-significance impact & high likelihood of occurrence need more urgent attention.

Risk response strategy

Management of risk involves trying to ensure :
● Exposure to severe risk is minimized
● Unnecessary risks are avoided
● Appropriate measures of control are taken
● Balance between risk & return is appropriate

If risk is greater than the acceptable limit, the next stage is to consider how risk should be managed/controlled

Risk Treatment Methods :

1. Avoid Risk
● Company may decide some activities are so risky that they should be avoided
● Impossible to apply to all risks

2. Transfer Risk
● Can be transferred wholly / in part to a third party
● Example : insurance (reduce/eliminate risk but premiums have to be paid)

3. Pool Risk
● Risks from many different transactions can be pooled together
● Each individual item has its potential upside & downside
● Risks tend to cancel each other out

4. Diversification
● Similar to pooling
● Relates to different industries/countries
● Risk in 1 area can be reduced by investing in another area where risks are different / ideally opposite

5. Risk Reduction
● Reduce risk to a more acceptable level by forming internal controls
● Internal control would reduce the likelihood of an adverse outcome occurring / size of potential loss

6. Hedging Risk
● Reduce risk by entering into transactions with opposite risk profiles

7. Risk Sharing
● Reduce risk in a new business operation by sharing it with another party

RM STRATEGY (REPORTING & EVALUATING) (III)

Risk Cube
➔ Fast track to manage market risk
➔ Offering immediate business benefits w/o need for expensive
➔ Risk seen as a combination of threat, exploiting vulnerability that could cause harm to asset

Residual risk is a combined function of :
● Threat less effect of threat-reducing safeguards
● Vulnerability less effect of vulnerability-reducing safeguards
● Asset less effect of asset-reducing safeguards.

The Risk Cube
➔ Managing the risk can be undertaken by :
● Reducing the threat
● Reducing the vulnerability
● Reducing the asset value
➔ Examples : a company sells machine parts on credit to industrial customers
● Threat , customer doesn't pay for their machine parts
● Vulnerability , selling company has low cash balance & needs

● Net risk / residual risk , assessment of risk (taking into account the controls, transfer & management responses)

If residual risk is considered too great, company needs to :