
ENTERPRISE RISK MANAGEMENT

MODULE 2_4: RELEVANCE OF ENTERPRISE RISK MANAGEMENT TO CORPORATE GOVERNANCE
TRANSCRIBED BY: RENZO DELA PENA

What is Corporate Governance?

International Professional Practices Framework (IPPF): The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

Organization for Economic Cooperation and Development (OECD): Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

CONCEPT OF GOVERNANCE
● IPPF Glossary: The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
● Being accountable to stakeholders for the success of the organization, the board must exercise oversight of senior management actions and their outcomes, and report performance clearly to stakeholders.
● Risk management governance refers to the organizational processes and structures used to oversee and implement risk management.

Related Regulations to Corporate Governance

Sarbanes-Oxley Act of 2002
● Reporting requirements of Section 302 (quarterly certification of financial reporting controls and of disclosure controls and procedures) and Section 404 (development and monitoring of procedures and controls supporting the assertion that internal controls over financial reporting are adequate; external auditor's attestation)
● Promotes risk management and governance processes

RA 11232, Revised Corporation Code of the Philippines
● Corporate Governance: the framework of rules, systems and processes in the corporation that governs the performance by the Board of Directors and Management of their respective duties and responsibilities to the stockholders.

Code of Corporate Governance for Publicly-Listed Companies

SEC Memorandum Circular No. 19, dated 22 November 2016

Corporate Governance: the system of stewardship and control to guide organizations in fulfilling their long-term economic, moral, legal and social obligations towards their stakeholders.
Roles defined in the Code:
● Board of directors
● Management
● Independent director
● Executive director
● Non-executive director

STRUCTURE OF RISK MANAGEMENT GOVERNANCE

Organizational Stakeholders
Internal:
● Employees
● Directors
● Managers
External:
● Customers
● Tax authorities
● Owners
● Regulators
● Investors
● Public
● Government
● Local Community
● Suppliers
Opposing Stakeholder Interests
Competing stakeholder interests include:
● High dividends
● Low prices
● Innovation
● Entrepreneurism
● Autonomy
● High profits
● High liquidity
● Rapid growth
● Large reserves
● High quality
● Stability
● Control
● Accountability
● Taxation
● Prompt payment
● Sustainability

Risk Governance

Governance, Risk Management, Control
● Governance: The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
● Risk Management: The process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
● Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
● Control is part of Risk Management, and Risk Management is part of Governance.

Principles of the Three Lines Model

Principle 1: GOVERNANCE
Governance of an organization requires appropriate structures and processes that enable:
1. Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.
2. Actions (including managing risk) by management to achieve the objectives of the organization through risk-based decision-making and the application of resources.
3. Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.
Risk-based decision-making: a considered process that includes analysis, planning, action, monitoring, and review, and takes account of the potential impacts of uncertainty on objectives.
Assurance: independent confirmation and confidence.
Principle 2: GOVERNING BODY ROLES
The governing body ensures:
● Appropriate structures and processes are in place for effective governance
● Organizational objectives and activities are aligned with the prioritized interests of stakeholders
The governing body:
● Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met.
● Establishes and oversees an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.

Principle 3: MANAGEMENT AND FIRST AND SECOND LINE ROLES
Management's responsibility to achieve organizational objectives comprises both first-line and second-line roles.
First-line roles are most directly aligned with the delivery of products and/or services to clients of the organization and include the roles of support functions. Responsibility for managing risk remains a part of first-line roles and within the scope of management.
Second-line roles provide assistance with managing risk. Second-line roles can focus on specific objectives of risk management.
First-line and second-line roles may be blended or separated. Some second-line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first-line roles.

Principle 4: THIRD LINE ROLES
Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers.

Principle 5: THIRD LINE INDEPENDENCE
Internal audit's independence from the responsibilities of management is critical to its objectivity, authority, and credibility. It is established through accountability to the governing body; unfettered access to people, resources, and data needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services.

Principle 6: CREATING AND PROTECTING VALUE
All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision-making.

Possible Areas of Overlap between Roles in the Three Lines Model
Risk Culture

Conditions: Opportunities, threats
Risk factors: Trigger event, intermediate events, risk event
Controls to reduce likelihood:
● Preventive controls: to reduce the likelihood of trigger events, intermediate events, or the subsequent risk event
● Detective controls: to identify when trigger, intermediate, and/or risk events have occurred, or conditions have arisen that make trigger events more likely; to prompt escalation
● Directive controls: to ensure better preparedness for when a trigger, intermediate, or risk event occurs, or conditions arise that make trigger events more likely
Estimated consequences: Consequences, final impact
Controls to reduce impact:
● Corrective controls: to put things right if the risk event occurs
● Detective controls: to identify when impacts have occurred; to prompt escalation and recording of the incident
● Directive controls: to ensure better preparedness for the risk event when it occurs, reducing the consequences and/or final impact
ABC MODEL OF RISK CULTURE
Culture: the shared set of beliefs, customs, habits, values, and history (organization-wide).
Behavior: includes all of the adopted actions, decisions, communications, processes, systems, and so on (makes risk attitude and risk culture visible).
Attitude: the position habitually taken by an organization and the individuals who comprise it, based on a framework of beliefs built up over a period of time.

CULTURE AND THE THREE LINES MODEL

COMPONENT: CONTRIBUTION TO CULTURE

BOARD: The board has the ultimate accountability to the stakeholders for all aspects of the organization. It is common for the board to agree to a set of values capturing the characteristics of the culture it wishes to establish.

MANAGEMENT: Sets the "tone at the top" by what they say and, more importantly, by what they do, and has responsibility for defining, communicating, and modeling desired behavior.

FIRST LINE ROLES: Responsible for managing risk and therefore able to lead by example by integrating risk management within day-to-day activities.

SECOND LINE ROLES: Assist by identifying and analyzing culture-related risks, defining expectations, developing ethics programs, monitoring conformance, etc.

THIRD LINE ROLES: Provide independent and objective assurance and advice to the board and management on culture and on the adequacy and effectiveness of controls designed to instill the desired values and conduct.

IMPACT OF CULTURE ON INTERNAL CONTROL AND RISK MANAGEMENT

TONE AT THE TOP
WELL-FUNCTIONING
- Clearly defined and well communicated vision, mission, strategy, goals, and tactics, subject to systematic review.
- Strong collaboration and sense of contributing to a collective effort for managing risk.
Resulting in
- Greater consistency, efficiency and effectiveness of internal control and risk management systems and processes.

POORLY FUNCTIONING
- Lack of a sense of common purpose
- Failure to align risk management and internal control activities, as well as business decision-making, with strategy.
Resulting in
- Emergence of multiple subcultures
- Poorly coordinated activities
- Duplicative, overlapping, or incomplete risk management and internal control.

ETHICAL VALUES AND BEHAVIOR
WELL-FUNCTIONING
- Clearly defined expectations for personal and collective conduct
- Visible adherence to a code of conduct by members of the board and senior management
- Visible and documented monitoring of behavior, rewarding desirable conduct and addressing that which is unacceptable
Resulting in
- High levels of personal integrity at all levels
- Effective soft controls

POORLY FUNCTIONING
- Other motives (organizational and/or personal) are allowed to determine behavior
- Culture becomes toxic, fueled by short-termism and individual goals.
- Adherence to policies and procedures for risk management and control is weakened.
Resulting in
- Unethical and illegal behavior is tolerated at first, then seen as acceptable, and finally becomes the norm
- The organization becomes increasingly exposed to risks at all levels that senior management and the board may believe are appropriately controlled.

INDICATORS OF SOUND RISK CULTURE

TONE FROM THE TOP
Description: Senior management and the board must set the right expectations for risk culture, and this must be reflected in both their pronouncements/policies and their behavior. There should be an expectation
Indicators: The leadership of the institution
- promotes, monitors, and assesses the risk culture of the financial institution;
- considers the impact of culture on safety and soundness;
- makes changes where necessary.

ACCOUNTABILITY
Description: Responsibilities for risk-taking and risk management need to be clearly communicated and individuals held accountable for them.
Indicators: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware they are held accountable for their actions in relation to the institution's risk-taking behavior.

EFFECTIVE COMMUNICATION AND CHALLENGE
Description: Effective communication is essential for risk management, sharing information, escalating issues, and being responsive to events in a timely fashion.

INCENTIVES
Description: How individuals are recognized and rewarded drives behavior, and therefore systems of remuneration need to serve to model the desired conduct.

COSO ERM: INTEGRATING WITH STRATEGY AND PERFORMANCE (2017)
● Key concept: explicit recognition and understanding of enterprise risk as part of the strategic planning process, which will help guide and direct the board and management to develop the most appropriate strategies.
● Strategies are not formulated first with risks considered thereafter.
● "Enterprise risk management is as much about understanding the implications from the strategy and the possibility of strategy not aligning as it is about managing risks to set objectives."
● ERM helps enhance performance by more closely linking strategy and business objectives to risk.
● The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.

VALUE IS CREATED: when the benefits derived from resources deployed exceed the cost of those resources.

VALUE IS PRESERVED: when the value of resources deployed in day-to-day operations sustains created benefits.

VALUE IS REALIZED: when stakeholders derive benefits created by the entity. Benefits may be monetary or non-monetary.

VALUE IS ERODED: when management implements a strategy that does not yield expected outcomes or fails to execute day-to-day tasks.

COMPONENTS OF COSO ERM: SUMMARY AND PRINCIPLES

GOVERNANCE AND CULTURE
Summary: The board is responsible for establishing an appropriate tone and culture to ensure there is proper understanding of, and attention given to, risk management and oversight.
Principles:
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals

STRATEGY AND OBJECTIVE SETTING
Summary: Risk management, strategy development, strategic planning, and goal setting should all be part of the same process.
Principles:
6. Analyzes business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives

PERFORMANCE
Summary: Risk management requires identification; assessment; prioritization; treatment aligned with risk appetite; aggregation for a holistic picture; and communication.
Principles:
10. Identifies risk
11. Assesses severity of risk
12. Prioritizes risks
13. Implements risk responses
14. Develops portfolio view

REVIEW AND REVISION
Summary: Risk management components should be kept under review by considering performance, in order to make adjustments as and when needed.
Principles:
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in enterprise risk management

INFORMATION, COMMUNICATION, AND REPORTING
Summary: Information flow should be continuous for obtaining and sharing information relating to risk management internally and externally.
Principles:
18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture, and performance

ERM FRAMEWORK COMPONENTS AND CORRESPONDING INTERNAL CONTROL FRAMEWORK COMPONENT(S)

GOVERNANCE AND CULTURE: Control Environment. The principles in the IC framework align closely with those in the ERM framework, with the primary difference being the different contexts of each framework.

STRATEGY AND OBJECTIVE SETTING: Risk Assessment. While most of this IC component relates to the ERM framework's performance component, the first principle of this IC framework component specifically addresses objective setting.

PERFORMANCE: Risk Assessment and Control Activities. These two IC framework components are embodied in the performance component, covering both the identification, assessment, and prioritization of risks (Risk Assessment component) and the response to risks (Control Activities component).

REVIEW AND REVISION: Monitoring Activities. The principles related to this component in each framework are similar, although the ERM framework includes a principle related to assessing changes in the environment.

INFORMATION, COMMUNICATION, AND REPORTING: Information and Communication. The principles related to this component in each framework are similar, although the ERM framework includes a principle related to information systems.

COMPONENTS OF COSO ERM: PRINCIPLES

GOVERNANCE AND CULTURE
1. Exercises board risk oversight: The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes operating structures: The organization establishes operating structures in pursuit of strategy and business objectives.
3. Defines desired culture: The organization defines the desired behaviors that characterize the entity's desired culture.
4. Demonstrates commitment to core values: The organization demonstrates a commitment to the entity's core values.
5. Attracts, develops, and retains capable individuals: The organization is committed to building human capital in alignment with the strategy and business objectives.

STRATEGY AND OBJECTIVE SETTING
6. Analyzes business context: The organization considers potential effects of business context on the risk profile.
7. Defines risk appetite: The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates alternative strategies: The organization evaluates alternative strategies and their potential impact on the risk profile.
9. Formulates business objectives: The organization considers risk while establishing the business objectives at various levels that align with and support strategy.

PERFORMANCE
10. Identifies risk: The organization identifies risks that impact the performance of strategy and business objectives.
11. Assesses severity of risk: The organization assesses the severity of risk.
12. Prioritizes risks: The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements risk responses: The organization identifies and selects risk responses.
14. Develops portfolio view: The organization develops and evaluates a portfolio view of risk.
REVIEW AND REVISION
15. Assesses substantial change: The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews risk and performance: The organization reviews entity performance results and considers risk.
17. Pursues improvement in enterprise risk management: The organization pursues improvement of enterprise risk management.

INFORMATION, COMMUNICATION, AND REPORTING
18. Leverages information and technology: The organization leverages the entity's information systems to support enterprise risk management.
19. Communicates risk information: The organization uses communication channels to support enterprise risk management.
20. Reports on risk, culture, and performance: The organization reports on risk, culture, and performance at multiple levels and across the entity.
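As an added worked example (not part of the lecture notes or of COSO's own material), the Python script below runs principles 7 and 10 to 14 over a small constructed risk register: each risk is scored for inherent severity as likelihood times impact, reduced to a residual score by the rated effectiveness of its existing controls, ranked for prioritization, aggregated into a portfolio view per business objective, and compared against a risk appetite threshold stated per objective. The register entries, the 1-5 scales, the appetite figures and the linear residual-score formula are all assumptions chosen for illustration, not figures from the COSO framework.

```python
"""Risk register scoring, prioritization and portfolio view (COSO ERM principles 7, 10-14).

Added example: every risk, scale, appetite figure and the residual formula below
is constructed for illustration; none of it comes from COSO ERM or the lecture.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scales for likelihood and impact (constructed, 1 = lowest).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    rid: str
    objective: str                # business objective the risk threatens (principle 9)
    description: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)
    response: str                 # treat / transfer / terminate / tolerate (principle 13)

    def __post_init__(self):
        # Reject out-of-scale input early so a mis-keyed register cannot skew the portfolio.
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.rid}: scale value {v} out of range")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.rid}: control effectiveness out of range")

    @property
    def inherent(self) -> int:
        """Severity before controls (principle 11: assesses severity)."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Severity after controls. Assumed model: controls scale the inherent
        score down linearly by their rated effectiveness."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)


# Constructed sample register (principle 10: identifies risk).
REGISTER = [
    Risk("R1", "Protect customer data", "Credential phishing of staff", 4, 4, 0.5, "treat"),
    Risk("R2", "Protect customer data", "Unpatched internet-facing service", 3, 5, 0.6, "treat"),
    Risk("R3", "Launch product on time", "Key supplier delay", 3, 3, 0.2, "transfer"),
    Risk("R4", "Launch product on time", "Loss of lead engineer", 2, 4, 0.0, "tolerate"),
    Risk("R5", "Maintain liquidity", "FX movement on receivables", 3, 2, 0.7, "transfer"),
]

# Assumed appetite: maximum tolerated aggregate residual score per objective (principle 7).
APPETITE = {
    "Protect customer data": 10.0,
    "Launch product on time": 12.0,
    "Maintain liquidity": 4.0,
}


def prioritize(register):
    """Principle 12: order risks by residual severity, highest first. Ties are
    broken by inherent severity, so a weakly controlled risk ranks above a
    well-controlled one that happens to land on the same residual score."""
    return sorted(register, key=lambda r: (r.residual, r.inherent), reverse=True)


def portfolio_view(register):
    """Principle 14: aggregate residual severity per business objective."""
    totals = defaultdict(float)
    for r in register:
        totals[r.objective] += r.residual
    return {k: round(v, 2) for k, v in totals.items()}


def appetite_breaches(register, appetite):
    """Objectives whose aggregated residual risk exceeds the stated appetite,
    with the gap that further responses (principle 13) would have to close.
    An objective with no stated appetite is never reported as a breach."""
    view = portfolio_view(register)
    return {obj: round(view[obj] - appetite[obj], 2)
            for obj in view if view[obj] > appetite.get(obj, float("inf"))}


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rid} {r.description:<35} inherent={r.inherent:>2} residual={r.residual:>5} ({r.response})")
    print("portfolio view:", portfolio_view(REGISTER))
    print("appetite breaches:", appetite_breaches(REGISTER, APPETITE))
```

Two things the register alone does not show: the portfolio view can breach appetite even when no single risk looks alarming (the two product-launch risks each score below 10 but sum to 15.2 against an appetite of 12), and the tie-break in prioritize keeps the uncontrolled R4 above the well-controlled R1 only by inherent score, so the ordering is explicit rather than accidental.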

ISO 31000 PRINCIPLES

ELEMENT: DESCRIPTION

Integrated: Risk management is an integral part of all organizational activities.

Structured and comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results.

Customized: The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.

Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.

Dynamic: Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.

Best available information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.

Human and cultural factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage.

Continual improvement: Risk management is continually improved through learning and experience.

ISO 31000 FRAMEWORK

ELEMENT: DESCRIPTION

Integration: Integrating risk management relies on an understanding of organizational structures and context. Structures differ depending on the organization's purpose, goals and complexity. Risk is managed in every part of the organization's structure. Everyone in an organization has responsibility for managing risk.

Design:
● Understanding the organization and its context
● Articulating risk management commitment
● Assigning organizational roles, authorities, responsibilities and accountabilities
● Allocating resources
● Establishing communication and consultation

Implementation: The organization should implement the risk management framework by:
● developing an appropriate plan including time and resources;
● identifying where, when and how different types of decisions are made across the organization, and by whom;
● modifying the applicable decision-making processes where necessary;
● ensuring that the organization's arrangements for managing risk are clearly understood and practised.

Evaluation: In order to evaluate the effectiveness of the risk management framework, the organization should:
● periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour;
● determine whether it remains suitable to support achieving the objectives of the organization.

Improvement:
Adapting: The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value.
Continually improving: The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.

COSO ERM COMPARED WITH ISO 31000

Underlying philosophy: Both COSO and ISO emphasize the importance of a fully integrated approach to all decision-making, even at the point of determining strategic goals. The goal of risk management is to enable successful risk-taking, not to prevent it.

Definition of risk: Both COSO and ISO recognize that risk is a function of uncertainty, impacts our ability to determine future events, and may result in either positive or negative variances in desired outcomes.

Other terminology:
COSO: provides extensive discussion on the topics and application of key concepts such as capacity, appetite, and tolerance.
ISO 31000: is less strongly aligned with the common terminology, makes no mention of appetite and only brief mention of risk criteria.

Standards vs. guidance:
COSO: takes a broader approach and offers guidance on risk management implementation.
ISO 31000: is more clearly designed and presented as a set of standards for risk management, and for this reason is very concise.

Practical application: Both COSO and ISO are oriented toward practical implementation and seek to help senior management and the board introduce and implement an effective risk management framework, allowing for a tailored approach to suit the changing needs of the organization.

Risk management process:
COSO: focuses more on a conceptual framework for risk management, linking it closely to strategic planning, while providing a lesser focus on the practical steps of risk management itself.
ISO 31000: it can be argued that ISO's approach to risk management is a more traditional, stepwise process, outlining in detail how to go about identifying, assessing, evaluating, and responding to risk.

Adoption:
COSO: has a greater presence in the United States but is less widely adopted outside North America.
ISO 31000: is a truly global standard, with the exception of North America.

Updates: Both COSO and ISO update their frameworks periodically. The most recent updates (2017 and 2018 respectively) saw significant changes, strongly welcomed by organizations and champions of risk management.

NEW RISK VS. EMERGING RISK

New risk arises when the organization:
● Adopts new goals or tactics
● Changes systems and processes
● Introduces new technology
● Launches new products and services
● Moves into new markets
● Terminates or recruits a staff member

Emerging risk:
● Relates to a new set of conditions previously unexperienced
● High levels of uncertainty relating to likelihood, impact, trigger events, etc.
● High volatility
● Strong interdependence with other risks
● Possible potential for significant negative impact
● Features making it difficult to manage using regular risk management techniques

Management of Emerging Risk

Emerging risk identification and analysis
● Analyze available information, review the record of black swan events, and seek insights from recent disruptions.
● Apply statistical analysis, extrapolation, regression, and other techniques to current trends.
● Think outside the box and adopt a mindset of "expect the unexpected."
● Consider events that interrupt the normal predicted cycle, such as tipping points and cascade effects, like the so-called butterfly effect found in chaos theory.
● Consider human psychology and motivation and how these impact decisions and events, as found in game theory, the prisoner's dilemma, and Freakonomics.
● Use systems analysis, systems thinking, feedback loops, and other methods to build predictive models.
● Build multiple future scenarios of what could happen.
● Think as far into the future as possible.
● Consider various combinations of events and circumstances.

Emerging risk responses
● Establish agile, adaptive, predictive, and intelligent management systems.
● Establish robust KRIs to alert the organization to changes in the internal and external environments.
● Apply risk responses (treat, transfer, terminate, tolerate) as appropriate; heightened uncertainty is likely to favor erring on the side of caution, setting higher bars for controls, using hedging and insurance to a greater extent, and considering terminating certain activities until greater certainty regarding emerging risks can be established.
● Use stress testing on risk responses.

Step: Explanation

1. Make sense of the present and explore the future.
● Maintain continuous monitoring of internal and external environments.
● Identify changes to opportunities and threats.
● Analyze these as potential sources of future risk.
● Prioritize identified emerging risks.

2. Develop scenarios based on narratives and models.
● Generate multiple scenarios of future conditions based on analysis and extension of available information.
● Analyze the impact of scenarios on the organization and the achievement of its strategic objectives.
● Update scenarios as new information becomes available.

3. Generate risk management options and formulate strategy.
● Analyze a range of risk responses for a range of scenarios.
● Identify "thresholds of irreversibility," beyond which point interventions will be rendered obsolete, and reflect these in the strategy.
● Develop KRIs.
● Select a favored approach for each emerging risk.

4. Implement strategy.
● Establish effective communications linking all stakeholders in the process.
● Assign resources.
● Set clear KPIs and responsibilities.
● Implement and monitor.

ASSESSMENT OF EMERGING RISK MANAGEMENT

1. Understand the strategy of the organization.
2. Gather data and views of strategic risks.
3. Prepare a preliminary strategic risk profile.
4. Validate and finalize the strategic risk profile.
5. Develop the audit plan.
6. Communicate the strategic risk profile and audit plan.
7. Execute audit plans and monitor strategic risks.

EMERGING RISK RESPONSES

IRGC EMERGING RISK RESPONSES COMPARED WITH CONVENTIONAL RESPONSES

1. Act on the factors that contribute to risk emergence or amplification. Conventional equivalent: treat, applying measures to reduce likelihood.

2. Develop precautionary approaches. Conventional equivalent: treat, creating contingency plans for dealing with impact and recovery.

3. Reduce vulnerability. Conventional equivalent: treat, applying measures to reduce impact.

4. Modify the organization's risk appetite in line with a new risk. Conventional equivalent: align appetite with residual risk after other responses.

5. Use "conventional" risk governance instruments to manage familiar risks. Conventional equivalent: treat, transfer, terminate, and/or tolerate.

6. Do nothing. Conventional equivalent: tolerate.

RISK MANAGEMENT COMMUNICATION CYCLE

