
Management Accounting & Finance IV
SCHOOL OF ACCOUNTANCY
“Empowerment Solutions For Accountancy Professionals”

Enterprise Risk Management

Presented by
Mr. T Lunga
Learning outcomes
• Explain the importance of integrating and standardising risk management processes across the organisation – taking into account the organisation’s risk management philosophy, risk management strategy and risk management processes;
• Use innovative/best practice approaches to managing significant business risks effectively and efficiently, such as an Enterprise Risk Management (ERM) framework;
• Identify the impact and likelihood of strategic, operational, financial and informational risks to achieving business objectives
• Explain the process to monitor changes in the organisation’s risk environment to diagnose significant, unusual and emerging risks to which the business is exposed (use metrics such as key risk indicators);
• Identify effective controls or mitigation options for the organisation to manage risks,
• Explain the possible consequences for the organisation of having an ineffective risk management programme and advise on improvements to controls or mitigation options
• Use risk reporting systems to communicate to others the risk management process and results, including recommendations for improvement
Definition of risk

1. King IV
Risk is about the uncertainty of events; including the likelihood of such events occurring and their effect, both positive and negative, on the achievement of the organisation’s objectives

2. Institute of Internal Audit (IIA)
Risk is the uncertainty of an event occurring that could have an impact on the achievement of the objectives. Risk is measured in terms of consequences and likelihood

3. CIMA
Risk is a condition in which there exists a quantifiable dispersion in the possible outcomes from any activity.
Business vs Audit risk
• What risk is an auditor concerned about versus the risk that a financial/business manager is concerned about?

Read the following scenario to answer this question:

• Company A operates a coal mine in Mpumalanga and is being sued by the local community for polluting a river. The court case could result in liabilities of millions of Rand, in which case the Company’s liabilities will exceed its assets.
Classification of risks
• Why is it important to have a formalised risk classification system?
• Risk classification: timescale of their impact, nature of risk, source of risk, nature of impact, etc.
• E.g., the FIRM risk scorecard classified risks according to their impact (financial, infrastructure, reputational and marketplace).
• Common risk classifications: Strategic, Operational, Financial, Information, Compliance, Reporting (COSO, SAICA), Hazard.
• NB: adopt the classification system most suited to the organisation’s own circumstances.
• PESTLE risk classification system (Political, Economic, Sociological, Technological, Legal, Ethical/Environmental)
• What’s key for assessment purposes?
  ▪ Identify risks
  ▪ Explain why they are risks
  ▪ Explain the likely impact
  ▪ Develop appropriate risk responses
Risk Classification (Module)
[Diagram: RISK CATEGORIES – Strategic, Operational, Reporting, Information, Financial, Hazard, Compliance]
Risk Classifications - Explanation
• Strategic Risks - Risks relating to the formulation, implementation and evaluation of a strategy of an organisation / risks arising from the possible consequences of strategic decisions taken by the organisation.
• Operational Risks - Risks relating to optimal allocation and efficient use of resources to ensure uninterrupted and efficient operations
• Financial Risks - Risk of financial distress, liquidity, credit, inflation, interest rate, forex and refinancing.
• Information Risks - Risk of loss of critical data, theft of data, misuse of customer data in contravention of privacy laws. Also includes risk of management not having the necessary information to aid decision making.
• Compliance Risks - Risk that the company will not comply with applicable laws and regulations.
• Hazard Risks - Risk of business interruption due to preventable and enforceable hazards
• Reporting Risks - Risks relating to the reliability, timeliness and relevance of internal and external reporting
Risk Categories (CIMA)
Risk Classification - Explanations
• Political, legal & regulatory - These are the risks that businesses face because of the regulatory regime that they operate in (political; legal/litigation; regulatory; compliance risk).
• Business risk - is the risk businesses face owing to the nature of their operations and products (strategic; product; commodity price; product reputation; operational; contractual inadequacy; fraud & employee malfeasance risk).
• Economic risk - is the risk that changes in the economy might affect the business.
• Financial risk - is the risk of a change in a financial condition such as an exchange rate, interest rate, credit rating of a customer, or price of a good (credit; political; currency; interest rate; gearing risk).
• Technology risk - is the risk that technology changes will occur that either present new opportunities to businesses, or on the down-side make their existing processes obsolete or inefficient (Cyber Risk?).
• Environmental risk - is the risk that arises from changes in the environment such as climate change or natural disasters.
• Fraud risk - (a type of operational business risk) is the vulnerability of an organisation to fraud.
• Corporate reputation risk - is for many organisations a down-side risk as the better the reputation of the business the more risk there is of losing that reputation (sources of reputational risk?)
• Employee malfeasance risk - Organisations might be exposed to risks of actions by employees that result in an offence or crime (other than fraud). Examples?
• Risks in international operations - International businesses are subject to all the risks above but also have to consider extra risk factors (culture; litigation; credit; items in transit; financial risks)
Risk Examples
1. A company has performed a SWOT analysis and has identified two main threats:
  ▪ new legislation covering one of their products; and
  ▪ the bank asking for their loan to be repaid immediately since the company failed to pay their most recent instalment after the interest rate rose.
Which categories of risk are they best described by?

2. Historically, X Ltd has done business with several non-democratic or repressive governments. In the light of this, what risks should the directors of X be most concerned with?

3. Miney plc ("Miney") is a global company – incorporated in the USA – that extracts valuable minerals from the earth. Mining is a risky business with a death toll averaging 100 deaths per annum in the USA alone. Miney has recently had a coal mine collapse killing two men and trapping four others for three days. The accident made the national news each day and Miney became a household name. Miney is financed purely by equity and has a large cash balance and no debt. It has come to the attention of the Board that the future price of coal is forecast to fall, as renewable energy sources become more reliable. What risks are more critical for Miney to assess?
Risk Management
• Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure (Institute of Risk Management (IRM)).
• Risk management is the set of activities within an organization undertaken to deliver the most favourable outcome and reduce the volatility or variability of that outcome (Paul Hopkin)
• Why do organisations manage risk?
• What are the dangers of uncontrolled risks?
• Evolution of risk management:
  ▪ Traditional Risk Management (TRM)
  ▪ Enterprise Risk Management (ERM)
What is ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Why implement ERM?

• Alignment of risk management goals with strategic objectives
• Preserve and enhance business value by:
  ▪ Establishing a sustainable competitive advantage
  ▪ Optimising the cost of managing risk
  ▪ Helping management improve business performance
  ▪ Etc – Refer to module notes
Dangers of uncontrolled risks (Examples):

| Type of risk | Initial effect (Examples) | Subsequent effect |
|---|---|---|
| Quality problem | Product recall; customer defection/attrition/turnover | Financial losses |
| Environmental pollution | Bad publicity; customer disfavour & defection; court action; fines | Financial losses |
| Health & safety injury | Bad publicity; worker compensation claims; workforce dissatisfaction; statutory fines | Human suffering; Financial losses |
| Fire | Harm to humans; loss of production and assets | Human suffering; Financial losses |
| Computer failure | Inability to take orders, process work or issue invoices; customer defection; loss of production, etc. | Financial losses |
| Political risks | Foreign government appropriates assets; prevents repatriation of profits | Financial losses |
Traditional RM vs Enterprise RM

| Traditional RM | Enterprise RM |
|---|---|
| Focuses solely on risks that can be insured | Accounts for insurable hazards along with any other risk an organisation faces that no amount of money can remedy |
| Reactive and sporadic risk management that takes place only after an incident has happened to prevent it from reoccurring | Proactive and consistent risk management that attempts to predict potential events before they happen |
| Risk-averse mindset, viewing risks only as something that can cause the organisation to lose money | Risk-taking mindset, where the downsides and upsides of risks are considered |
| Fragmented or siloed approach where each department manages risk independently | Integrated and holistic approach where risk management is coordinated throughout the business |
| Risks are mitigated based on each silo’s expertise and decision-making skills with a one-dimensional assessment | Risks are mitigated in line with an ironclad multi-dimensional strategy on an enterprise-wide level |
| Disjointed activity with no connection to strategic objectives and little awareness of risk across the organisation | Risk is embedded as a culture and ingrained as a valuable decision-making tool to ensure business success |
General Concepts/Terminology
Risk Management Philosophy
• Reflects the culture, values and experience
• Determines to a larger extent how risk is managed
• Reflects willingness to take risk. (Risk appetite)
Risk Management Policy
• Statement of the overall intentions and direction of an organisation related to risk management
• Informed by the entity's risk profile, appetite for risk, loss tolerance levels, regulatory compliance expectations, safety and health demands, sustainability management, corporate governance requirements etc.
Risk Maturity
• Quality of risk management framework
• Score the risk management process against best practices
• Different models with different levels
• Identify areas for improvement
Risk Management Plan
Risk Appetite
Risk Tolerance
Inherent vs Residual risk
Risk Governance – King IV
Principle 11: The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives.
Recommended practices - The governing body should:
• Assume responsibility for the governance of risk
• Treat risk as integral to the way it makes decisions and executes its duties
• Approve policy that articulates and gives effect to its set direction on risk
• Approve the organisation’s risk appetite and risk tolerance levels
• Delegate the responsibility to implement and execute effective risk management to management
• Exercise ongoing oversight of risk management
• Consider the need to receive periodic independent assurance on the effectiveness of risk management, etc.
Principle 8 [Committees of the governing body]
• The governing body should consider allocating the oversight of risk governance to a dedicated committee, or adding it to the responsibilities of another committee
Principles of Risk Management [ISO 31000]
Risk management:
• Creates and protects value
• Is an integral part of all organisational processes
• Is part of decision making
• Explicitly addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
• Is tailored
• Takes human and cultural factors into account
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change
• Facilitates continual improvement of the organisation
Principles of Risk Management [Paul Hopkin]

A successful risk management initiative should be:
• Proportionate to the level of risk within the organisation
• Aligned with other business activities
• Comprehensive, systematic and structured
• Embedded within business procedures and protocols
• Dynamic, iterative and responsive to change
[This provides the acronym PACED]
Risk Management Process [ISO 31000:2018]

• The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
Risk Management Process [ISO 31000:2018]
[Figure: ISO 31000]
Risk Assessment
• Risk assessment is the overall process of risk identification, risk analysis and risk evaluation
• Should be conducted systematically, iteratively and collaboratively
• Risk Identification purpose: to find, recognise and describe risks that might help or prevent an entity from achieving its objectives
• Risk Analysis purpose – to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. It involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.
• Risk Evaluation purpose – to support decision making. Involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required
• Tools & techniques: Questionnaires and checklists, workshops and brainstorming, inspections and audits, flow charts and dependency analysis
• Models – SWOT, PESTLE, Porter’s Five Forces, etc
Risk Treatment
• Purpose – to select and implement options for addressing risks
• Risk treatment involves an iterative process of:
  ▪ Formulating and selecting risk treatment options
  ▪ Planning and implementing risk treatment
  ▪ Assessing the effectiveness of that risk treatment
  ▪ Deciding whether the residual risk is acceptable
  ▪ If not acceptable, taking further risk treatments
• 4Ts of hazard risk response:
  ▪ Tolerate
  ▪ Treat
  ▪ Transfer
  ▪ Terminate (eliminate/avoid)
COSO-ERM Framework
Risk Register
What is a risk register?
Construction of a risk register?
Common components of a risk register?
Risk Assessment: Matrix

| IMPACT \ PROBABILITY or LIKELIHOOD | Remote (0 – 10%) | Unlikely (10 – 25%) | Possible (25 – 50%) | Probable (50 – 90%) | Certain (90 – 100%) |
|---|---|---|---|---|---|
| Extreme | | | | | |
| High | | | | | |
| Medium | | | | | |
| Low | | | | | |
| Negligible | | | | | |
Assessment Possibilities
Exam/Test possibilities might include:
• Critically assess/evaluate an organisation’s risk management programme or process
• Identify and describe risks and propose appropriate mitigating/treatment plans
  Describing a risk:
  ▪ Identify the risk trigger
  ▪ Explain the risk/concern (why risk?)
  ▪ Explain the likely impact on the organisation
• Compile/evaluate a risk register

CYBERSECURITY RISK – Homework
• What is cybersecurity risk?
• Potential impact of cybersecurity on organisations?
• Examples of recent cyber incidents?
• How can cybersecurity risk be managed?
