
3

ENTERPRISE RISK MANAGEMENT

Categories of Risks

1. Financial
2. Strategic
3. Operational
4. Reputational
5. Government and Compliance

Financial Risks
• Reduction in funding
• Failure to safeguard assets
• Poor cash flow management
• Lack of value for money
• Fraud or theft
• Poor budgeting

Strategic Risks
• The organization engages in an activity at variance with its stated objectives
• The organization fails to engage in an activity that would support its stated objectives

Operational Risks
These risks result from failed or inappropriate policies, procedures, systems or activities,
such as:
• Failure of an IT system
• Poor quality of services delivered
• Lack of succession planning
• Health and safety risks
• Staff skill levels
• No process to track contractual commitments

Reputational Risks
• The organization engages in activities that could threaten its good name through association with other bodies, or through staff or members acting in a criminal or unethical way.
• Poor stakeholder relations

Government and Compliance
• Segregation of duties not defined formally
• Ensuring compliance with funders’ terms and conditions
• Compliance with applicable legislation like taxation law, data protection, and health and safety law

Risks can also be classified by type:

• Compliance risks
• Hazard risks
• Control risks
• Opportunity risks

Example: Risks associated with owning a car

Opportunities of owning a car
(Events you hope will happen, but could fail to occur.)
• You can travel more easily than depending on others
• Enhanced job opportunities because you will be more mobile
• Save money on other forms of public transport

Uncertainties of owning a car
(Events that you know will happen, but impacts are variable.)
• Cost of borrowing money to buy the car could change
• Price of fuel (petrol or diesel) could go up or down
• Maintenance, breakdown and repair costs will vary

Hazards of owning a car
(Events that you do not want to happen and that can only be negative.)
• You pay too much for the car or it is in poor condition
• You are involved in a collision or road accident
• The car gets stolen or vindictively damaged

Compliance requirements of owning a car
(Events that could result in regulatory enforcement.)
• Insufficient and/or inadequate third-party car insurance
• Inattentive or aggressive driving results in a traffic offense
• Tires in poor condition and other maintenance obligations

Risk Control

A control measure is something that is already in place. The purpose of a control measure is to
reduce risk by acting on its likelihood, consequence, or magnitude. Examples include, but are
not limited to, the following:
1. A prevailing management policy
2. Work procedures and practices
3. Technical system
4. Training program
5. Contract management planning guidelines

Control Values

| Code | Description |
|------|-------------|
| HE (Highly Effective) | The control is highly effective as it lowers the chances of the risk taking place and/or it lessens the consequences if the risk does strike. |
| ME (Moderately Effective) | The control is moderately effective as it only partly decreases the odds of the risk transpiring and/or somewhat eases the magnitude if the risk does occur. |
| IE (Ineffective) | The control is ineffective as it does not lower the possibility of the risk occurring and/or it does not diminish the consequences if the risk does take place. |

Likelihood and Consequences

Likelihood

| Rank | Category | Description |
|------|----------|-------------|
| A | Almost Certain | The event is expected to occur in most circumstances. |
| B | Likely | The event will probably occur in most circumstances. |
| C | Possible | The event should occur at some time. |
| D | Unlikely | The event could occur at some time. |
| E | Rare | The event may occur only in exceptional circumstances. |

Consequences

| Rank | Category | Description |
|------|----------|-------------|
| 1 | Insignificant | Slight financial deficit, the effect of which may be only minor; may be considered an isolated case with very minor impact that attracts no adverse external criticism or publicity. |
| 2 | Minor | There is a small financial loss with corresponding minimal impact on the overall program or functional outcomes. |
| 3 | Moderate | There is a considerable amount of financial loss with significant bearing on overall program or functional outcomes. |
| 4 | Major | There is excessive financial loss, resulting in restrained commodities and services attributable to failure to deliver. |
| 5 | Catastrophic | May result in the closure of the company; substantial irreversible impact due to malpractice. |

Enterprise Risk Management

Enterprise Risk Management is a new concept in risk management that takes a holistic view of
all of the possible risks an organization faces. It enables management to deal effectively with
potential future events that create uncertainty, and it enhances the capacity to build value.

Importance of Enterprise Risk Management

Value is created by informed and motivated management decisions in all areas of an
organization, from strategy setting to operational set-ups and controls. For business
organizations, shareholders realize value when they recognize value creation and benefit from
share-value growth. For law-making bodies, value is realized when citizens recognize receipt
of valued services at an acceptable cost.

Essential Principles

Every business, whether profit-oriented or otherwise, exists to provide value for its
stakeholders.

[Diagram: Value is Created, Preserved, or Eroded]

Framework
An organization’s objectives may be viewed in the context of four categories. These are:

• Strategic
• Operations
• Reporting
• Compliance

Steps of the Risk Management Process

1. Identify the risks
2. Analyze the risks
3. Evaluate the risks
4. Treat the risks
5. Monitor and review

Components of Enterprise Risk Management


The COSO enterprise risk management framework identifies eight core components that
define how a company should approach creating its ERM practices.

Internal Environment
A company's internal environment is the atmosphere and corporate culture within the
company set by its employees. This sets the precedent for what the company's risk appetite
is and what management's philosophy is regarding incurring risk. The internal environment
may be set by upper management or the board and communicated throughout an
organization, though it is often reflected through the actions of all employees.

Objective Setting
As a company determines its purpose, it must set objectives that support the mission and
goals of a company. These objectives must then be aligned with a company's risk appetite. For
example, an ambitious company that has set far-reaching strategic plans must be aware there
may be internal risks or external risks associated with these lofty goals. In response, a
company can align the measures to be taken with what it wants to accomplish, such as hiring
additional regulatory staff for expansion areas it is currently unfamiliar with.

Risk Assessment
In addition to being aware of what may happen, the ERM framework details the step of
assessing risk by understanding the likelihood and financial impact of risks. This includes not
only the direct risk (e.g., a natural disaster renders an office unusable) but also residual risks
(e.g., employees may not feel safe returning to the office). Though difficult, the ERM framework
encourages companies to consider quantifying risks by assessing the percent chance of
occurrence as well as the dollar impact.

Risk Response
A company can respond to risk in the following four ways:
1. The company can avoid risk. This results in the company leaving the activity that
causes the risk as the company would rather forgo the benefits of the activity than
incur the risk. An example of risk avoidance is a company shutting down a product line
and discontinuing selling a specific good.

2. The company can reduce risk. This results in the company staying engaged in the
activity but putting forth effort in minimizing the likelihood or magnitude of the risk.
An example of risk reduction is a company keeping the product line above open but
investing more in quality control or consumer education on how to properly use the
product.

3. The company can share risk. This results in the company moving forward with the
current risk profile of the activity. However, the company leverages an independent
third party to share in the potential loss in exchange for a fee. An example of risk
sharing is purchasing an insurance policy.

4. The company can accept risk. This results in the company analyzing the potential
outcomes and determining whether it is financially worth pursuing mitigating
practices. An example of risk acceptance is the company keeping open the product
line with no changes to operations and risk sharing.

Measurement of Risk

Risk can be calculated by multiplying the likelihood that the risk will occur and the potential
severity of that risk. A formula that can be used to measure risk in any scenario is:

Risk = Likelihood x Consequences

Definition of Terms

Budget Risk – the likelihood that the approximations or estimates built into a budget will
turn out to be insufficient.

Business Risk – refers to the possibility that the company may experience loss in terms of
profit.

Currency Risk – arises due to uncertainty in exchange rates.

Credit Risk – the risk of loss attributable to a debtor’s non-payment of a loan or
non-compliance with contractual obligations.

Decision Theory – also known as theory of choice. It is concerned with distinguishing the
values, uncertainties and other pertinent matters that are significant and applicable in a given
decision, its rationality, and the consequential optimal decision.

Diversifiable Risk – also called non-systematic or particular risk; a risk that affects only some
individuals, businesses, or small groups.

Enterprise Risk Management – is a new concept in risk management that takes a holistic view
of all of the possible risks an organization faces.

Expected Value of Perfect Information (EVPI) – the cost or price that one would be willing to
pay in order to gain access to perfect information.

Event – one or more of the possible outcomes of doing something.

Frequency – the number of times losses have happened in a given time period.

Hazard – a condition that increases the possible frequency or severity of a loss.

Objective Risk – anything that is quantifiable and measurable either directly or indirectly; the
measurable variation in uncertain outcomes based on facts or data.

Opportunity Loss – also known as Regret, is the difference between the pay-off from the
chosen alternative given a state of nature.

Peril – the direct or immediate cause of a loss.

Political Risk – may include a change in government policy.

Probability – the measure of the possibility or chance that an incident will occur.

Pure Risk – also known as absolute risk; a chance of loss or no loss, but no chance of gain.

Risk – the potential of gaining or losing something of value. Values such as physical health,
social status, emotional well-being, or financial wealth can be gained or lost when taking risk
resulting from a given action or inaction, foreseen or unforeseen, planned or not planned.

Risk Avoidance – an informed decision is made to eliminate the risk or to opt for a different
level of risk.

Risk Exposure – the enterprise, person, property, or activity facing a potential loss.

Risk Management – the name given to a rational and logical process of identifying,
analyzing, treating and monitoring the risks involved in any endeavor or procedure.

Risk Management Process – the systematic application of management policies, procedures,
and practices to the tasks of identifying, analyzing, evaluating, treating and monitoring risk.

Risk Reduction – appropriate practices and management standards are carefully applied to
reduce the likelihood and/or consequences of known risks.

Risk Retention – preferred term for self-insurance; a form of self-insurance employed by
organizations which have determined that the cost of transferring a risk to an insurance
company is greater over time than the cost of retaining the risk and paying for losses out of
their own reserve fund.
Risk Transfer – the responsibility or burden for damage or loss is shifted to another
party through contractual provisions, insurance or other means.

Sales Risk – potential events or conditions that result in the failure to meet a sales objective
or goal.

Severity – denotes how bad the loss has been in both human and monetary terms.

Strategic Risk – the process of identifying, assessing, and managing the risk in the
organization’s business strategy, as well as taking immediate action when risks are
recognized.

Subjective Risk – refers to an individual’s mental perception or condition; the perceived
amount of risk based on an individual’s or organization’s opinion.
