Risk Management Framework
Presentation · November 2021
DOI: 10.13140/RG.2.2.12695.91049
Author: Sonjai Kumar, Fortune Institute of International Business, New Delhi, India
Source: https://www.researchgate.net/publication/355978926

Sonjai Kumar,
Certified Risk Management Professional (Institute of Risk Management, London)
Post Graduate Diploma in Actuarial Management, City University, London
MA (Mathematics)
Senior Management Program, IIM Calcutta
Overview of Risk Management Standards
- The first risk management standard was developed in Australia, back in 1995.
- Subsequently, standards were developed in the US, UK, Japan, Canada, etc.
- The Institute of Risk Management (IRM) published its first standard in 2002.
- The COSO ERM standard was published in 2004 and revised in 2017. The COSO ERM standard covers both the internal control and the ERM framework.
- The ISO 31000 standard was first published in 2009 and later revised in 2018.
COSO Standard 2004 - ERM Advantages
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing multiple and cross-enterprise risks
- Seizing opportunities
- Improving deployment of capital
COSO Cube - First Side
COSO has grouped objectives under four categories:
- Strategic: high-level goals, aligned with and supporting the entity's mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations
- Reporting and compliance objectives are within the control of management.
- Strategy and operations objectives are exposed to external events and are not within the control of management.
Second Side of the Cube
Under COSO there are eight components of ERM:
1. Internal Environment: the tone of an organization, and how risk is viewed and addressed by the organization, including its risk management philosophy and risk appetite
2. Objective Setting
3. Event Identification: internal and external events affecting achievement of objectives must be identified, distinguishing between risks and opportunities
4. Risk Assessment: risks are analyzed, considering likelihood and impact
5. Risk Response: avoiding, accepting, reducing, or sharing risk
6. Control Activities: policies and procedures are established and implemented
7. Information and Communication: relevant information is identified, captured, and communicated in a form and timeframe
8. Monitoring
Third Side of the Cube
ERM considers activities at all levels of the organization:
- Enterprise level
- Division
- Business unit level
- Subsidiary level
Limitations of Risk Management
- COSO notes that risk management has limitations: they result from human judgment in decision making, decisions on responding to risk, simple errors or mistakes, controls that can be circumvented, and management's ability to override enterprise risk management decisions.
- "Barring the countries where Covid-19 reached in January and February, the world was waiting to spread the fire further and it did," commented Sonjai Kumar, CMIRM, Global Ambassador, IRM India. "Why don't our risk management frameworks have buttons which prompt taking immediate actions rather than leaving the actions for the decision makers?"
- "It's like having an immediate sprinkler system as soon as a fire is visible or smoke is there. If we need to protect the world for the next disaster that may come anytime in the presence of global warming, we need to tighten up the risk management framework that everyone must agree as a part of national constitution. The losses to human life and economic cost are enormous, we have to have a sprinkler system and decision making cannot be left to choice."
Closing Remark on COSO 2004
- The various components of risk management that we covered in the first three modules are rearranged in the COSO 2004 framework. It is important to know what is covered in each framework, so that lack of awareness does not cause any knowledge discomfort.
COSO 2017 Framework - 1
- The new COSO 2017 version, now called "Enterprise Risk Management—Integrating with Strategy and Performance", highlights the importance of strategy-setting and performance.
- The Framework is organized into five easy-to-understand components, replacing the Cube:
1. Governance and Culture: Governance sets the tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
In the 2004 Cube, this principle was covered under the Internal Environment.
COSO 2017 Framework - 2
2. Strategy and Objective-Setting: Strategy and objective-setting work together in the strategic-planning process.
➢ Risk appetite is aligned with strategy and business objectives.
In 2004, this principle was covered under Objective Setting.
3. Performance: Risks impacting achievement of strategy and objectives need to be identified.
➢ Risks are prioritized by severity.
➢ Risk responses are selected.
➢ Risks are reported to key risk stakeholders.
In 2004, this principle was covered under two heads, Event Identification and Risk Assessment.
COSO 2017 Framework - 3
4. Review and Revision: Assess how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
In the 2004 Cube, this principle was covered under Risk Response and Control Activities.
5. Information, Communication, and Reporting: Enterprise risk management requires sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
This principle is a combination of Event Identification and Information and Communication in the 2004 Cube.
COSO 2017 Framework - 4
The five components in the Framework are split into 20 manageable principles. Most of these principles are derived from the descriptions given in the previous slides. Adhering to these principles can provide management and the board with a reasonable expectation that the organization will be able to manage the risks associated with its strategy and business objectives.
ISO 31000 2009
- Definition of risk in ISO 31000: "effect of uncertainty on objectives of organization".
- The ISO 31000 risk management framework provides guidance on performing risk management in an effective and efficient manner.
- The ISO 31000 International Standard can be used by any public, private or community enterprise, association, group or individual.
- This International Standard can be applied throughout the life of an organization.
- There are three key building blocks of the ISO 31000 standard:
  - Principles,
  - Framework and
  - Process
ISO 31000 Components
The three building blocks (Principles, Framework and Process) were shown as a diagram on this slide; the figure is not reproduced here.
ISO 31000 - 11 Principles
1. Risk management creates and protects value;
2. Risk management is an integral part of all organizational processes;
3. Risk management is part of decision making;
4. Risk management explicitly addresses uncertainty;
5. Risk management is systematic, structured and timely;
6. Risk management is based on the best available information;
7. Risk management is tailored;
8. Risk management takes human and cultural factors into account;
9. Risk management is transparent and inclusive;
10. Risk management is dynamic, iterative and responsive to change;
11. Risk management facilitates continual improvement of the organization.
ISO 31000 - Framework (5 components)
1. Mandate and commitment: the first component of the framework requires the organization to give a mandate for the adoption and implementation of risk management within the organization.
2. Design of the framework for managing risk: the company needs to ensure that it understands its risks, sets up risk management policies, sets accountability, etc.
3. Implementing risk management: the company actually implements the risk management process within the company.
4. Monitoring and review of the framework: a mechanism for monitoring performance so as to provide feedback.
5. Continual improvement of the framework: completes the feedback loop of the monitoring exercise.
ISO 31000 Process
- The risk management process is similar to risk identification, measurement, management, monitoring and reporting, under a different nomenclature: identification, analysis, evaluation and treatment, with monitoring and communication running alongside.
- Under "Establishing the context", the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.
ISO 31000 2018 - Principles
1. The definition of risk is retained as "effect of uncertainty on objectives".
2. Some of the principles of risk management have been changed, while many are retained. There are now 8 principles, and the principle of creating and protecting value has moved to the centre.
ISO 31000 2009 principles, with the changes made in 2018 noted (shown in red on the original slide):
- Risk management creates and protects value; (moved to the centre)
- Risk management is an integral part of all organizational processes;
- Risk management is part of decision making;
- Risk management explicitly addresses uncertainty;
- Risk management is systematic, structured and timely; (tweaked to "Structured and comprehensive")
- Risk management is based on the best available information;
- Risk management is tailored; (renamed "Customised")
- Risk management takes human and cultural factors into account;
- Risk management is transparent and inclusive;
- Risk management is dynamic, iterative and responsive to change;
- Risk management facilitates continual improvement of the organization.
ISO 31000 2018 - Principles (diagram)
The 2018 principles were shown as a diagram on this slide; the figure is not reproduced here.
ISO 31000 2018 - Framework
Leadership and Commitment
- In ISO 31000 2009, the framework started with Mandate and Commitment. In 2018, this changed to Leadership and Commitment. This is a very important change, as it requires management buy-in on the development of risk management.
Integration
- Integration of risk management within the organization is a necessary condition for ERM.
Design
- In 2009 this was the design of the risk management framework; in 2018 this item is divided into five parts:
  - Understanding the organization and its context
  - Articulating risk management commitment
  - Assigning organizational roles, authorities, responsibilities and accountabilities
  - Allocating resources
  - Establishing communication and consultation
Implementation
- This is the same as in 2009: the implementation of risk management.
Evaluation & Improvement
- In 2009 this was under one category, review and monitor.
ISO 31000 2018 - Process
- The process has remained the same, except for the addition of recording and reporting, which was previously inherently assumed under communication.
Summary
Risk Appetite in the Context of Business
COSO defines risk appetite as:
1. The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
2. How much risk to take to innovate, and which strategy to follow to achieve the vision.
3. Which strategy to follow that optimizes the return on capital and delivers output.
4. Risk appetite should be framed in such a way that it has the flexibility to adjust based on emerging conditions.
How to Set Risk Appetite
1. There are various ways of setting risk appetite; the question is how to approach it systematically.
2. COSO's thought leadership paper on risk appetite, "Risk Appetite - Critical to Success".
3. Objective-based focus on setting risk appetite
   1. Objective based: create value through innovation
4. Risk-based focus
   1. Risk based: in a volatile market, the risk is that the Company's profit may swing very adversely
5. Combination of objective-based and risk-based
Choice of Setting Risk Appetite
COSO has discussed five ways through which the Board and management can apply the risk appetite:
1. An objective-focused, a risk-based or a combined approach
2. Monitoring performance and decision-making
3. Not only avoiding risk but also taking it on to enhance value
4. Natural tensions, needed for the appetite to add depth to discussions on the analysis supporting decisions
5. Different stakeholder views to incorporate into the appetite
Decision Making or Monitoring
Monitoring
- Set the risk appetite by creating various boundaries around parameters such as profitability, capital and customer satisfaction score, and monitor them against the appetite as time rolls by.
- This is a backward-looking risk appetite.
Decision Making Approach
- Another approach is to set a risk appetite which is more forward-looking and use it in decision making, for example: the Company will not launch any new product if it does not meet the profit criteria and the customer satisfaction score.
- You may notice that both approaches use the same examples of profit and customer satisfaction score.
Enhance Value and Natural Tension
Enhancing Value
- The third approach COSO has recommended is developing the appetite not only for downside risk but also for upside risk, to enhance value.
Natural Tension
- COSO defines natural tension in risk appetite as a situation where one appetite statement appears to support a decision while conflicting with another statement.
- For example, a company is willing to accept more risk to grow its customer base, but wants to keep the same gross margin while maintaining the current amount of risk to its profit margin.
Stakeholders
- Set the risk appetite in the context of different stakeholders, such as shareholders, customers, the regulator, the environment, health hazards, etc.
- For example, in the pursuit of industrial development, companies may have added shareholder value but destroyed environmental value.
- The customer's risk appetite should be at the centre.
- Nokia's example of not considering customers' demand.
Validating Risk Appetite
COSO has discussed the following approaches to validating the appetite:
- Back-testing the assumptions
- Comparing with peer companies' and industry data
- Looking at emerging trends
- What-if analysis
- These approaches are quite similar to the approach used in actuarial work to test the assumptions taken in pricing, or to set assumptions for new products where data is very scanty.
- Risk appetite is how much risk you will take to fulfil your objective; that is, how much deviation you can bear from your central assumption.
- If the long-term interest rate assumption (say, for 15 years) is 6%, then what is your risk appetite?
- This could be, say, 0.75% up or down.
- When you price the product, you test the sensitivity of the results, such as the profit margin, to the interest rate being 6.75% or 5.25%, and see whether the margin is still within the profit margin appetite or not. If not, then redesign the product.
- How do you set the 6% interest rate assumption and the risk appetite?
Scanty Data, Emerging Trend and What-If Analysis
- If your company does not have its own experience in a market you want to enter, then you look at industry data or the data of those companies that already have these products.
- Looking at emerging trends is very important, because past data may or may not be relevant, so a credibility factor is used to decide how much weight to give to current and past data.
- Initially, more weight is assigned to the past data, and the reliance on emerging experience is slowly increased as new information starts coming in.
- Life insurance is a long-term business, and many risk management techniques are used in setting the different assumptions. To price a product, you need interest rate, mortality, expense, lapse and tax assumptions, etc.
- What-if analysis is another strong risk management tool to check whether you can stay within your risk appetite or not. For example, the company wants to test how far the interest rate can fall before its margin turns out to be zero.
- So if, for the next 15 years, today's interest rate is 7%, you have priced at 6%, and the margin reaches 0% at a 4.5% interest rate, then you know when to take a decision on your product.
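The credibility weighting, the sensitivity test at the edges of the interest-rate appetite band and the "what if" breakeven question from the last two slides, carried through in Python as an added example; this is not code from the original presentation. Everything in it is an assumption made for illustration: a hypothetical single-premium product that must fund a fixed maturity benefit, the square-root (limited-fluctuation) credibility rule, a 5% target margin, and the constructed industry and company rates. The breakeven rate is found numerically rather than by reproducing the 4.5% figure quoted on the slide.

```python
from __future__ import annotations

import math

TERM_YEARS = 15  # horizon of the example (the slides use a 15-year interest rate assumption)


def credibility_factor(n_observed: float, n_full: float) -> float:
    """Square-root (limited-fluctuation) credibility, an assumed standard actuarial rule:
    Z grows with the volume of the company's own experience and reaches 1.0 once
    n_full units of experience (policy-years, claims, ...) have been observed."""
    if n_full <= 0:
        raise ValueError("n_full must be positive")
    return min(1.0, math.sqrt(max(n_observed, 0.0) / n_full))


def blended_assumption(prior: float, observed: float, n_observed: float, n_full: float) -> float:
    """Weight emerging own experience by Z and the prior (industry / past data) by 1 - Z,
    so reliance shifts from past data to current data as information arrives."""
    z = credibility_factor(n_observed, n_full)
    return z * observed + (1.0 - z) * prior


def single_premium(benefit: float, pricing_rate: float, target_margin: float, years: int = TERM_YEARS) -> float:
    """Hypothetical single-premium product: the premium, invested at the earned rate, must fund
    `benefit` at maturity and leave `target_margin` (a fraction of premium) as profit."""
    accumulation = (1.0 + pricing_rate) ** years
    if accumulation <= target_margin:
        raise ValueError("target margin is not achievable at this pricing rate")
    return benefit / (accumulation - target_margin)


def profit_margin(premium: float, benefit: float, earned_rate: float, years: int = TERM_YEARS) -> float:
    """Profit as a fraction of premium if the rate actually earned is `earned_rate`."""
    return (premium * (1.0 + earned_rate) ** years - benefit) / premium


def sensitivity_test(premium: float, benefit: float, pricing_rate: float,
                     rate_appetite: float, margin_floor: float, years: int = TERM_YEARS) -> dict:
    """Re-run the margin at the edges of the interest-rate appetite band (pricing rate +/- appetite)
    and flag whether the product still meets the margin appetite; if not, the slide says: redesign."""
    scenarios = (("down", pricing_rate - rate_appetite), ("base", pricing_rate), ("up", pricing_rate + rate_appetite))
    results = {}
    for label, rate in scenarios:
        margin = profit_margin(premium, benefit, rate, years)
        results[label] = {"rate": rate, "margin": margin, "within_appetite": margin >= margin_floor}
    return results


def breakeven_rate(premium: float, benefit: float, years: int = TERM_YEARS,
                   lo: float = -0.5, hi: float = 0.5, tol: float = 1e-10) -> float:
    """The what-if question from the slide: at which earned rate does the margin reach zero?
    Solved by bisection, which works for any margin function that is increasing in the rate."""
    def margin_at(rate: float) -> float:
        return profit_margin(premium, benefit, rate, years)

    if margin_at(lo) > 0 or margin_at(hi) < 0:
        raise ValueError("breakeven rate is not bracketed by [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if margin_at(mid) < 0:
            lo = mid  # still losing money at mid: the breakeven lies above it
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    # Constructed inputs: industry prior 6.5%, own emerging experience 5.8%, full credibility at 2,500 policy-years.
    for n in (100, 400, 2500):
        print(f"{n:>5} policy-years -> Z={credibility_factor(n, 2500):.2f}, "
              f"blended rate={blended_assumption(0.065, 0.058, n, 2500):.4f}")
    benefit, pricing_rate = 100_000.0, 0.06
    premium = single_premium(benefit, pricing_rate, target_margin=0.05)
    for label, r in sensitivity_test(premium, benefit, pricing_rate, rate_appetite=0.0075, margin_floor=0.0).items():
        print(f"{label:>4}: rate={r['rate']:.4f} margin={r['margin']:+.3f} within appetite={r['within_appetite']}")
    print(f"margin falls to zero at an earned rate of {breakeven_rate(premium, benefit):.4%}")
```

With these constructed inputs the credibility weight moves from 0.2 to 1.0 as own experience accumulates, the margin at the lower edge of the appetite band is negative (the product would need redesign under a zero-margin floor), and the bisection returns the same breakeven rate as the closed form for this particular product, which is the check worth keeping when a more complicated margin function replaces it.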
Risk Tolerance
- Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission.
- Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to the objectives the entity seeks to achieve.
- Risk tolerance is the level of risk that an organization can accept per individual risk.
- For example, you will take risk up to the risk appetite of Rs. 200 Cr, say, for the five total risks of the Company; however, for each individual risk the tolerance range is plus or minus 10%, while the overall risk should remain within Rs. 200 Cr.
- If for each of the five risks the individual capital allocated is Rs. 40 Cr, then the tolerance range is between Rs. 36 Cr and Rs. 44 Cr; however, the total risk should not breach the overall risk appetite limit of Rs. 200 Cr.
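The Rs. 200 Cr appetite with five Rs. 40 Cr risks and a ±10% tolerance from the slide above, turned into a limit check as an added example in Python; this is not code from the original presentation. The risk names and the actual exposures are constructed. The example also covers the caveat implied by the slide's last sentence: every individual risk can sit inside its own band while the total still breaches the appetite, so both checks are needed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskLimit:
    """Tolerance band for one individual risk (amounts in Rs. Cr)."""
    name: str
    allocated: float      # capital allocated to this risk
    tolerance_pct: float  # acceptable variation around the allocation, 0.10 for +/-10%

    @property
    def lower(self) -> float:
        return self.allocated * (1.0 - self.tolerance_pct)

    @property
    def upper(self) -> float:
        return self.allocated * (1.0 + self.tolerance_pct)

    def within(self, actual: float) -> bool:
        return self.lower <= actual <= self.upper


def check_limits(appetite: float, limits: List[RiskLimit], actuals: Dict[str, float]) -> dict:
    """Check each risk against its own tolerance band and the sum against the overall appetite.
    Both checks are needed: every risk can sit inside its band while the total still breaches
    the appetite, and one breached band is a finding even when the total is comfortably inside."""
    tolerance_breaches = []
    total = 0.0
    for limit in limits:
        if limit.name not in actuals:
            # A risk that was not measured is a gap, not a zero: report it rather than silently pass.
            raise KeyError(f"no measurement supplied for risk '{limit.name}'")
        actual = actuals[limit.name]
        total += actual
        if not limit.within(actual):
            tolerance_breaches.append(limit.name)
    appetite_breached = total > appetite
    return {
        "total": total,
        "appetite_breached": appetite_breached,
        "tolerance_breaches": tolerance_breaches,
        "ok": not appetite_breached and not tolerance_breaches,
    }


# Constructed setup matching the slide: appetite Rs. 200 Cr, five risks at Rs. 40 Cr each, +/-10% tolerance.
APPETITE_CR = 200.0
RISK_NAMES = ("market", "credit", "operational", "liquidity", "insurance")
LIMITS = [RiskLimit(name, 40.0, 0.10) for name in RISK_NAMES]


def demo() -> None:
    scenarios = {
        "all within band, total within appetite":
            {"market": 41, "credit": 38, "operational": 44, "liquidity": 36, "insurance": 39},
        "all within band, total breaches appetite":
            {name: 43 for name in RISK_NAMES},
        "one risk outside its band, total within appetite":
            {"market": 45, "credit": 38, "operational": 38, "liquidity": 38, "insurance": 38},
    }
    for title, actuals in scenarios.items():
        print(f"{title}: {check_limits(APPETITE_CR, LIMITS, actuals)}")


if __name__ == "__main__":
    demo()
```

The second scenario is the one to watch in practice: five risks each at Rs. 43 Cr are all inside the Rs. 36 to 44 Cr band, yet the total of Rs. 215 Cr exceeds the Rs. 200 Cr appetite, so a monitoring report that only shows per-risk status would miss the breach.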
Three Lines of Defense
- The goal of any organization is to achieve its business objectives.
- It needs to create the right structure to facilitate taking appropriate risks and managing them. Such a structure is the three lines of defense model.
- The three lines of defense model helps in segregating roles and responsibilities.
- Everyone in an organization has some responsibility for internal control, but to help assure that essential duties are performed as intended, the Model brings clarity to specific roles and responsibilities.
- The three lines of defense help in effective operation, reduce gaps and avoid unnecessary duplication of effort.
Three Lines of Defense Structure
- Management control is the first line of defense.
- Risk management, risk control and compliance functions are the second line of defense.
- Independent audit assurance is the third line.
- Governing bodies and senior management are not part of the three "lines" of defense.
First Line of Defense
- The first line of defence is the business and process owners, who facilitate achievement of business objectives by managing risks.
- The first line owns the risk, and the design and execution of the organization's controls to respond to those risks.
- The first line is responsible for:
  - Day-to-day risk management decision making
  - Risk identification, assessment, mitigation, monitoring and management
  - Effective implementation of the risk management framework, including reporting and escalation
- Examples of the first line of defence are Sales, Marketing, Finance, Operations, Investments, Strategy, HR, etc.
Second Line of Defense
- The second line of defence helps management through expertise, process excellence, and management monitoring alongside the first line, to help ensure that risk and control are effectively managed.
- The second line of defence functions are separate from the first line of defence but are still under the control and direction of senior management.
- The second line is an oversight function.
Typical roles of the second line of defence are:
➢ Review and challenge first line work
➢ Oversight of risk and its appetite
➢ Develop the risk management framework
➢ Independent reporting and escalation
➢ Provide specialist advice and training
Examples of the second line of defense are:
➢ Risk Management
➢ Information Security
➢ Physical Security
➢ Quality
➢ Health and Safety
➢ Compliance, etc.
Third Line of Defense
- The third line of defence provides assurance to senior management and the board.
- It does not perform management functions.
- It reports to the board.
- Assurance is not a management function.
Roles of the third line are:
➢ Independent assurance that the risk management framework has been complied with
➢ Review of appropriateness, effectiveness and adequacy
➢ Audit team - third line
Role of Senior Management and Board
- Senior management is responsible for the selection, development, and evaluation of the system of internal control, with oversight given by the board of directors.
- Senior management and the board of directors are not part of the three lines of defense.
- Senior management must fully support strong governance, risk management and control.
- They have ultimate responsibility for the activities of the first and second lines of defense.
Importance of Risk Management Policies
- Reactive mindset: in many organizations, risk management is a reactive process, where the company acts when a crisis happens and only then starts formulating risk management practices.
- Policies are not useful: the company believes that policies and procedures are merely for documentation purposes.
- Defining policies: risk management policies are high-level documents that define the principles and objectives of what is covered under the given document.
Importance of Risk Management Policies - 2
- The advantage of risk management policies is that they give direction to the Company on how to handle each of the risks.
- Risk Management Framework Policy: the overall way to manage risk.
- Individual policies are based upon the line of business.
- Written-down content helps in implementing risk management practices.