INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK (IPPF): Governance is the combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives. (IPPF)
ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (OECD): Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined. (OECD)
CONCEPT OF GOVERNANCE
● IPPF Glossary: The combination of processes and structures implemented by the Board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
● Being accountable to stakeholders for the success of the organization, the board must exercise oversight of senior management actions and their outcomes, and report performance clearly to stakeholders.
● Risk management governance refers to the organizational processes and structures used to oversee and implement risk management.
SARBANES-OXLEY ACT OF 2002
● Reporting requirements of Section 302 (quarterly certification by management of financial reporting controls and of disclosure controls and procedures) and Section 404 (management's development and monitoring of procedures and controls, and its assertion on the adequacy of internal control over financial reporting; the external auditor's attestation on that assertion).
● Promotes risk management and governance processes.
RA 11232, REVISED CORPORATION CODE OF THE PHILIPPINES
● Corporate Governance: the framework of rules, systems and processes in the corporation that governs the performance by the Board of Directors and Management of their respective duties and responsibilities to the stockholders.
Corporate Governance - the system of stewardship and control to guide organizations in fulfilling their
long-term economic, moral, legal and social obligations towards their stakeholders.
● Board of directors
● Management
● Independent director
● Executive director
● Non-executive director
Risk governance
ENTERPRISE RISK MANAGEMENT
MODULE 2_4: RELEVANCE OF ENTERPRISE RISK MANAGEMENT TO CORPORATE
GOVERNANCE
TRANSCRIBED BY: RENZO DELA PENA
GOVERNANCE, RISK MANAGEMENT, CONTROL
PRINCIPLE 3: MANAGEMENT AND FIRST AND SECOND LINE ROLES
Management's responsibility to achieve organizational objectives comprises both first and second-line roles.
First-line roles are most directly aligned with the delivery of products and/or services to clients of the organization and include the roles of support functions. Responsibility for managing risk remains a part of first-line roles and within the scope of management.
Second-line roles provide assistance with managing risk. Second-line roles can focus on specific objectives of risk management.
First and second-line roles may be blended or separated. Some second-line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first-line roles.
PRINCIPLE 4: THIRD LINE ROLES
Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers.
PRINCIPLE 5: THIRD LINE INDEPENDENCE
Internal audit's independence from the responsibilities of management is critical to its objectivity, authority, and credibility. It is established through accountability to the governing body; unfettered access to people, resources, and data needed to complete its work; and freedom from bias or interference in the planning and delivery of audit services.
PRINCIPLE 6: CREATING AND PROTECTING VALUE
All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision-making.
Culture: the shared set of beliefs, customs, habits, values, and history (organization-wide).
Behavior: all of the adopted actions, decisions, communications, processes, systems, and so on (behavior makes risk attitude and risk culture visible).
Attitude: the position habitually taken by an organization and the individuals who comprise it, based on a framework of beliefs built up over a period of time.
BOARD: The board has ultimate accountability to the stakeholders for all aspects of the organization. It is common for the board to agree on a set of values capturing the characteristics of the culture it wishes to establish.
MANAGEMENT: Sets the "tone at the top" by what they say and, more importantly, by what they do, and has responsibility for defining, communicating, and modeling desired behavior.
FIRST LINE ROLES: Responsible for managing risk and therefore able to lead by example by integrating risk management within day-to-day activities.
SECOND LINE ROLES: Assist by identifying and analyzing culture-related risks, defining expectations, developing ethics programs, monitoring conformance, etc.
THIRD LINE ROLES: Provide independent and objective assurance and advice to the board and management on culture and on the adequacy and effectiveness of controls designed to instill the desired values and conduct.
POORLY FUNCTIONING
- Lack of a sense of common purpose
- Failure to align risk management and internal control activities, as well as business decision-making, with strategy
Resulting in:
- Emergence of multiple subcultures
- Poorly coordinated activities
- Duplicative, overlapping, or incomplete risk management and internal control
TONE FROM THE TOP: Senior management and the board must set the right expectations for risk culture, and this must be reflected in both their pronouncements/policies and their behavior. There should be an expectation
In a financial institution, the leadership of the institution:
- Promotes, monitors, and assesses the risk culture of the financial institution.
- Considers the impact of culture on safety and soundness.
- Makes changes where necessary.
ACCOUNTABILITY: Responsibilities for risk-taking and risk management need to be clearly communicated, and individuals held accountable for them.
In a financial institution: relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware they are held accountable for their actions in relation to the institution's risk-taking behavior.
COSO ERM 2017: INTEGRATING WITH STRATEGY AND PERFORMANCE
● Key concept: explicit recognition and understanding of enterprise risk as part of the strategic planning process, which helps guide and direct the board and management to develop the most appropriate strategies.
● Strategies are not formulated first, with risks considered only thereafter.
● "Enterprise risk management is as much about understanding the implications from the strategy and the possibility of strategy not aligning as it is about managing risks to set objectives."
● ERM helps enhance performance by more closely linking strategy and business objectives to risk.
● The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.
VALUE IS CREATED: Value is created when the benefits derived from resources deployed exceed the cost of those resources.
VALUE IS PRESERVED: Value is preserved when the value of resources deployed in day-to-day operations sustains created benefits.
VALUE IS REALIZED: Value is realized when stakeholders derive benefits created by the entity. Benefits may be monetary or non-monetary.
VALUE IS ERODED: Value is eroded when management implements a strategy that does not yield expected outcomes or fails to execute day-to-day tasks.
GOVERNANCE AND CULTURE: The board is responsible for establishing an appropriate tone and culture to ensure there is proper understanding of, and attention given to, risk management and oversight.
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals
STRATEGY AND OBJECTIVE SETTING: Risk management, strategy development, strategic planning, and goal setting should all be part of the same process.
6. Analyzes business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives
REVIEW AND REVISION: Risk management components should be kept under review by considering performance, in order to make adjustments as and when needed.
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in enterprise risk management
INFORMATION, COMMUNICATION, AND REPORTING: Information flow should be continuous for obtaining and sharing information relating to risk management, internally and externally.
18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture, and performance
ERM COMPONENT / IC FRAMEWORK COMPONENT
GOVERNANCE AND CULTURE / Control Environment: The principles in the IC framework align closely with those in the ERM framework, with the primary difference being the different contexts of each framework.
STRATEGY AND OBJECTIVE SETTING / Risk Assessment: While most of this component relates to the ERM framework's performance component, the first principle related to this IC framework component specifically addresses objective setting.
PERFORMANCE / Risk Assessment and Control Activities: These two IC framework components are embodied in the performance component, covering both the identification, assessment, and prioritization of risks (Risk Assessment component) and the response to risks (Control Activities component).
REVIEW AND REVISION / Monitoring Activities: The principles related to this component in each framework are similar, although the ERM framework includes a principle related to assessing changes in the environment.
INFORMATION, COMMUNICATION, AND REPORTING / Information and Communication: The principles related to this component in each framework are similar, although the ERM framework includes a principle related to information systems.
ELEMENTS / DESCRIPTION
Structured & Comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results.
Customized: The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.
Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
Dynamic: Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
Best Available Information: The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
Human & Cultural Factors: Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
Continual Improvement: Risk management is continually improved through learning and experience.
ELEMENTS DESCRIPTION
Implementation The organization should implement the risk management framework by:
• developing an appropriate plan including time and resources;
• identifying where, when and how different types of decisions are made across the
organization, and by whom;
• modifying the applicable decision-making processes where necessary;
• ensuring that the organization’s arrangements for managing risk are clearly understood and
practised.
Evaluation In order to evaluate the effectiveness of the risk management framework, the organization
should:
• periodically measure risk management framework performance against its purpose,
implementation plans, indicators and expected behaviour;
• determine whether it remains suitable to support achieving the objectives of the organization.
Improvement
Adapting: The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value.
Continually improving: The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
Underlying philosophy: Both COSO and ISO emphasize the importance of a fully integrated approach to all decision-making, even at the point of determining strategic goals. The goal of risk management is to enable successful risk-taking, not to prevent it.
Definition of risk: Both COSO and ISO recognize that risk is a function of uncertainty, impacts our ability to determine future events, and may result in either positive or negative variances from desired outcomes.
Other terminology: COSO provides extensive discussion on the topics and application of key concepts such as capacity, appetite, and tolerance. ISO is less strongly aligned with the common terminology, makes no mention of appetite, and makes only brief mention of risk criteria.
Standards vs. guidance: COSO takes a broader approach and offers guidance on risk management implementation. ISO is more clearly designed and presented as a set of standards for risk management, and for this reason is very concise.
Practical application: Both COSO and ISO are oriented toward practical implementation and seek to help senior management and the board introduce and implement an effective risk management framework, allowing for a tailored approach to suit the changing needs of the organization.
Risk management process: COSO focuses more on a conceptual framework for risk management, linking it closely to strategic planning, while providing a lesser focus on the practical steps of risk management itself. It can be argued that ISO's approach to risk management is a more traditional, stepwise process, outlining in detail how to go about identifying, assessing, evaluating, and responding to risk.
Adoption: COSO has a greater presence in the United States but is less widely adopted outside North America. ISO is a truly global standard, with the exception of North America.
Updates: Both COSO and ISO update their frameworks periodically. The most recent updates (2017 and 2018 respectively) saw significant changes that were very strongly welcomed by organizations and champions of risk management.
Situations in which emerging risk arises (the organization):
- Adopts new goals or tactics
- Changes systems and processes
- Introduces new technology
- Launches new products and services
- Moves into new markets
- Terminates or recruits a staff member
Characteristics of emerging risk:
- Relates to a new set of conditions not previously experienced
- High levels of uncertainty relating to likelihood, impact, trigger events, etc.
- High volatility
- Strong interdependence with other risks
- Potential for significant negative impact
- Features making it difficult to manage using regular risk management techniques
EMERGING RISK IDENTIFICATION AND ANALYSIS
• Analyze available information, review the record of black swan events, and seek insights from recent disruptions.
• Apply statistical analysis, extrapolation, regression, and other techniques to current trends.
• Think outside the box and adopt a mindset of "expect the unexpected."
• Consider events that interrupt the normal predicted cycle, such as tipping points and cascade effects, like the so-called butterfly effect found in chaos theory.
• Consider human psychology and motivation and how these impact decisions and events, as found in game theory, the prisoner's dilemma, and Freakonomics.
• Use systems analysis, systems thinking, feedback loops, and other methods to build predictive models.
• Build multiple future scenarios of what could happen.
• Think as far into the future as possible.
• Consider various combinations of events and circumstances.
EMERGING RISK RESPONSES
• Establish agile, adaptive, predictive, and intelligent management systems.
• Establish robust KRIs (key risk indicators) to alert the organization to changes in the internal and external environments.
• Apply risk responses (treat, transfer, terminate, tolerate) as appropriate; heightened uncertainty is likely to favor erring on the side of caution, setting higher bars for controls, using hedging and insurance to a greater extent, and considering terminating certain activities until greater certainty regarding emerging risks can be established.
• Use stress testing on risk responses.
STEP / EXPLANATION
1. Make sense of the present and explore the future.
● Maintain continuous monitoring of internal and external environments.
● Identify changes to opportunities and threats.
● Analyze these as potential sources of future risk.
● Prioritize identified emerging risks.
2. Develop scenarios based on narratives and models.
● Generate multiple scenarios of future conditions based on analysis and extension of available information.
● Analyze the impact of scenarios on the organization and the achievement of its strategic objectives.
● Update scenarios as new information becomes available.
3. Generate risk management options and formulate strategy.
● Analyze a range of risk responses for a range of scenarios.
● Identify "thresholds of irreversibility," beyond which point interventions will be rendered obsolete, and reflect these in the strategy.
● Develop KRIs.
● Select a favored approach for each emerging risk.
4. Implement strategy.
• Establish effective communications linking all stakeholders in the process.
• Assign resources.
• Set clear KPIs and responsibilities.
• Implement and monitor.
1. Act on the factors that contribute to risk emergence or amplification: Treat, applying measures to reduce likelihood.
2. Develop precautionary approaches: Treat, creating contingency plans for dealing with impact and recovery.
4. Modify the organization's risk appetite in line with a new risk: Align appetite with residual risk after other responses.
5. Use "conventional" risk governance instruments to manage familiar risks: Treat, transfer, terminate, and/or tolerate.
6. Do nothing: Tolerate.