ENTERPRISE RISK MANAGEMENT
Categories of Risks
1. Financial
2. Strategic
3. Operational
4. Reputational
5. Government and Compliance
Financial Risks
Reduction in funding
Failure to safeguard assets
Poor cash flow management
Lack of value for money
Fraud or theft
Poor budgeting
Strategic Risks
Engages in an activity that is inconsistent with its stated objectives
Fails to engage in an activity that would support its stated objectives
Operational Risks
These risks result from failed or inappropriate policies, procedures, systems or activities,
such as:
Failure of an IT system
Poor quality of services delivered
Lack of succession planning
Health and safety risks
Staff skill levels
No process to track contractual commitments
Reputational Risks
The organization engages in activities that could threaten its good name through
association with other bodies, or staff or members acting in a criminal or unethical
way.
Poor stakeholder relations
Government and Compliance Risks
Ensuring compliance with funders’ terms and conditions
Compliance with applicable legislation like taxation law, data protection, and health
and safety law
Risk Control
A control measure is something that already exists. The purpose of a control measure is to
reduce risk by affecting its likelihood, consequence, or magnitude. Examples include, but are
not limited to, the following:
1. A prevailing management policy
2. Work procedures and practices
3. Technical system
4. Training program
5. Contract management planning guidelines
Control Values
Code – Description
HE (Highly Effective) – The control is highly effective: it lowers the chances of the risk
taking place and/or lessens the consequences if the risk does strike.
ME (Moderately Effective) – The control is moderately effective: it only partly decreases the
odds of the risk occurring and/or somewhat eases the consequences if the risk does occur.
IE (Ineffective) – The control is ineffective: it does not lower the possibility of the risk
occurring and/or does not diminish the consequences if the risk does take place.
Likelihood
Consequences
3 Moderate – There is a considerable amount of financial loss with significant bearing on
overall program or functional outcomes.
4 Major – There is excessive financial loss resulting in restrained commodities and services
attributable to failure to deliver.
5 Catastrophic – May result in the closure of the company; substantial irreversible impact due
to malpractice.
Enterprise Risk Management is a new concept in risk management that takes a holistic view of
all of the possible risks an organization faces. It enables management to deal effectively
with potential future events that create uncertainty, and it strengthens the capacity to
build value.
Value is created by informed and motivated management decisions in all areas of an
organization’s activities, from strategy setting to operational set-ups and controls. For
business organizations, shareholders realize value when they recognize value creation
and benefit from share-value growth. For law-making bodies, value is realized when
citizens recognize that they receive valued services at an acceptable cost.
Essential Principles
Every business, whether profit-oriented or otherwise, exists to provide value for
its stakeholders.
[Figure: "Value is …" with three outcomes: Created, Preserved, Eroded]
Framework
An organization’s objectives may be viewed in terms of four categories. These are:
Strategic
Operations
Reporting
Compliance
Internal Environment
A company's internal environment is the atmosphere and corporate culture within the
company set by its employees. This sets the precedent for what the company's risk appetite
is and what management's philosophy is regarding incurring risk. The internal environment
may be set by upper management or the board and communicated throughout an
organization, though it is often reflected through the actions of all employees.
Objective Setting
As a company determines its purpose, it must set objectives that support the mission and
goals of a company. These objectives must then be aligned with a company's risk appetite. For
example, an ambitious company that has set far-reaching strategic plans must be aware there
may be internal risks or external risks associated with these lofty goals. In response, a
company can align the measures to be taken with what it wants to accomplish such as hiring
additional regulatory staff for expansion areas it is currently unfamiliar with.
Risk Assessment
In addition to being aware of what may happen, the ERM framework details the step of
assessing risk by understanding the likelihood and financial impact of risks. This includes not
only the direct risk (e.g., a natural disaster renders an office unusable) but also residual
risks (e.g., employees may not feel safe returning to the office). Though difficult, the ERM
framework encourages companies to consider quantifying risks by assessing the percent chance
of occurrence as well as the dollar impact.
Risk Response
A company can respond to risk in the following four ways:
1. The company can avoid risk. This results in the company leaving the activity that
causes the risk as the company would rather forgo the benefits of the activity than
incur the risk. An example of risk avoidance is a company shutting down a product line
and discontinuing selling a specific good.
2. The company can reduce risk. This results in the company staying engaged in the
activity but putting forth effort in minimizing the likelihood or magnitude of the risk.
An example of risk reduction is a company keeping the product line above open but
investing more in quality control or consumer education on how to properly use the
product.
3. The company can share risk. This results in the company moving forward with the
current risk profile of the activity. However, the company leverages an independent
third party to share in the potential loss in exchange for a fee. An example of risk
sharing is purchasing an insurance policy.
4. The company can accept risk. This results in the company analyzing the potential
outcomes and determining whether it is financially worth pursuing mitigating
practices. An example of risk acceptance is the company keeping the product line open
with no changes to operations and no risk sharing.
Measurement of Risk
Risk can be calculated by multiplying the likelihood that the risk will occur and the potential
severity of that risk. A formula that can be used to measure risk in any scenario is:
Definition of Terms
Budget Risk – the likelihood that the approximations or estimates built into a budget end
up being insufficient.
Business Risk – refers to the possibility that the company may experience loss in terms of
profit.
Credit Risk – the risk of loss attributable to a debtor’s non-payment of a loan or
non-compliance with contractual obligations.
Decision Theory – also known as theory of choice. It is concerned with distinguishing the
values, uncertainties and other pertinent matters that are significant and applicable in a given
decision, its rationality, and the consequential optimal decision.
Diversifiable Risk – also called non-systematic or particular risk; a risk that affects only some
individuals, businesses, or small groups.
Enterprise Risk Management – is a new concept in risk management that takes a holistic view
of all of the possible risks an organization faces.
Expected Value of Perfect Information (EVPI) – the cost or price that one would be willing to
pay in order to acquire access to perfect information.
Frequency – the number of times losses have happened in a given time period.
Objective Risk – anything that is quantifiable and measurable either directly or indirectly; the
measurable variation in uncertain outcomes based on facts or data.
Opportunity Loss – also known as Regret, is the difference between the pay-off from the
chosen alternative given a state of nature.
Probability – the rate of the possibility or chance that an incident will occur.
Pure Risk – also known as absolute risk; a chance of loss or no loss, but no chance of gain.
Risk – the potential of gaining or losing something of value. Values such as physical health,
social status, emotional well-being, or financial wealth can be gained or lost when taking risk
resulting from a given action or inaction, foreseen or unforeseen, planned or not planned.
Risk Avoidance – an informed decision is made to eliminate risk or to opt for a different level
of risk.
Risk Exposure – the enterprise, person, property, or activity facing a potential loss.
Risk Management – the name given to a rational and logical process of identifying,
analyzing, treating and monitoring the risks involved in any endeavor or procedure.
Risk Reduction – appropriate practices and management standards are carefully applied to
mitigate the likelihood and/or consequences of known risks.
Sales Risk – potential events or conditions that result in the failure to meet a sales objective
or goal.
Severity – denotes how bad the loss has been in both human and monetary terms.
Strategic Risk – the process of identifying, assessing, and managing the risk in the
organization’s business strategy as well as taking immediate action when risks are
recognized.