Chapter (2)

Risk Management

1. What is Risk?

Risk in layman's terms: Potential loss, failure, hazard, disaster.
Note → Hazard: anything that has the potential to cause harm, damage, or adverse effects. For example, a wet floor could be a hazard because it might cause someone to slip and fall.

Risk vs. Uncertainty:
- Risk: something you worry might happen.
- Uncertainty: something you never thought would happen.

Risk in business:
- Not getting the expected return (investment), outcome (success) or objective (management).
- The chance that an outcome or investment's actual gains will differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original investment.
- The effect of uncertainty on objectives (ISO 31000).
Note → ISO 31000 is a family of international standards relating to risk management.
Risk Management
Definition (1): The identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Definition (2): The process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
Business or Enterprise Risk: A happening that jeopardizes the ability of a business entity to remain in business.

Enterprise Risk Management (ERM)
Definition (1): Methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
Definition (2): A plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster, both physical and figurative, that may interfere with an organization's operations and objectives.
2. COSO (2004) Enterprise Risk Management Cube.

What is the meaning of “Internal Control System”?

Internal Control System: A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals. The objective is to guard against loss of assets because of theft (Safeguarding Assets).

What is the meaning of “COSO Framework”?

COSO:
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) → was established in the mid-1980s, initially to sponsor research into the causes of fraudulent financial reporting.
- Its current mission is to → help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance, and fraud deterrence.

COSO Framework:
- Developed in 1992 and updated in 2013.
- COSO's guidance (Framework) → is non-mandatory; it provides frameworks against which risk management and internal control systems can be assessed and improved.
- Corporate scandals, arising in companies where risk management and internal control were deficient, and attempts to regulate corporate behavior because of these scandals, have resulted in an environment where guidance on best practice in risk management and internal control has been particularly welcome.
What are the components of “COSO Framework”?

Components of COSO Framework

1. Internal Environment: This component involves the organization's culture, values, and the environment in which it operates. It sets the foundation for how risk is viewed and addressed across the organization (TONE AT THE TOP).
2. Objective Setting: Objectives must be set before management can identify potential events affecting their achievement. Objectives need to be aligned with the organization's risk appetite, which is the amount of risk the organization is willing to accept.
3. Event Identification: This involves identifying internal and external events that could affect the achievement of objectives, distinguishing between risks (which can have negative impacts) and opportunities (which can have positive impacts).
4. Risk Assessment: Risks are analyzed to determine their potential magnitude and likelihood. This assessment helps prioritize risks based on their severity and the likelihood of occurrence.
5. Risk Response: The organization decides on how to respond to identified risks. Responses include avoiding, accepting, reducing, or sharing the risk to align with the organization's risk appetite.
6. Control Activities: Consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
7. Information and Communication: Relevant information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication occurs in a broader sense, flowing down, across, and up the organization.
8. Monitoring: The entire ERM process is monitored, and modifications are made as necessary. Monitoring can be conducted through ongoing activities or separate evaluations.

3. Different types of Business Risk


1. Production: Risks related to the production process such as adverse weather, disease/pests
affecting raw materials, loss of fields (perhaps due to disasters), and spoilage of goods.
2. Price/Market: Financial risks such as fluctuations in market prices that could lead to reduced
income or increased costs, for example, high input prices for materials or reduced premiums for
products sold.
3. Casualty: Risks of damage or loss due to fires, extreme weather conditions, or theft.
4. Technology: Risks that arise from technology failure or becoming outdated, such as machinery
breaking down or becoming obsolete.
5. Relationship: Risks stemming from relationships with landlords, lenders, suppliers, and buyers.
This could involve disputes, contract issues, or reliability problems.
6. Legal/Regulatory: Risks related to non-compliance with laws, regulations, or contract rules which
could result in fines, penalties, or legal disputes.
7. Human: Risks associated with the people in the business, including underperformance by
managers or injuries to employees.

4. Classifications of Business Risk


5. From Risk Analysis to Risk Management
1. Identification: This stage involves recognizing potential risks through project documentation and
expert input. The process includes identifying risks, classifying them into categories, and using
various sources like workshops, databases, and previous experiences to understand and
categorize the risks properly.
2. Quantification: After risks are identified and classified, they are quantified. This involves
conducting probability analysis, assessing sensitivities, and understanding the criticalities
involved. Risks are then graded, leading to a prioritization of risks based on their quantified
impact and likelihood.
3. Management: The final stage is managing the identified and quantified risks. This involves
minimizing risks through risk reporting, analyzing historical risk data, and developing a risk
management plan. It also includes avoiding risks wherever possible.
4. Review: Throughout the process, there is a review mechanism to ensure that the project execution
strategy, risk limitation strategy, key performance indicators, control measures, and contingency
provisions are effective and updated as necessary.
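The Quantification step above (grading risks by likelihood and impact, then prioritizing them) and the COSO Risk Assessment and Risk Response components can be worked through on a small risk register. This is an added example, not material from the notes: the five-point scales, the band edges, the accept/reduce/share/avoid decision rule and the register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
# Likelihood x impact score (1..25) graded into bands; the band edges are an
# assumption for this example, not values taken from the notes.
BANDS = [(5, "Low"), (10, "Medium"), (16, "High"), (25, "Critical")]

@dataclass
class Risk:
    risk_id: str
    category: str              # one of the business-risk types (Production, Technology, ...)
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    transferable: bool = False # can the loss be shared, e.g. insured or contracted out?

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        return self.likelihood * self.impact

def grade(score: int) -> str:
    """Map a 1..25 score onto the Low/Medium/High/Critical bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range")

def propose_response(risk: Risk, appetite: int) -> str:
    """One of COSO's four responses. Decision rule (an assumption): within appetite
    -> accept; Critical -> avoid; else share when transferable, otherwise reduce."""
    s = risk.score()
    if s <= appetite:
        return "accept"
    if grade(s) == "Critical":
        return "avoid"
    return "share" if risk.transferable else "reduce"

def prioritise(register: list, appetite: int) -> list:
    """(id, score, grade, response) rows, highest score first."""
    rows = [(r.risk_id, r.score(), grade(r.score()), propose_response(r, appetite))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register; the risks and their 1..5 scores are illustrative, not from the notes.
REGISTER = [
    Risk("R1", "Technology", "Line controller reaches end of vendor support", 4, 4),
    Risk("R2", "Casualty", "Warehouse fire", 2, 5, transferable=True),
    Risk("R3", "Price/Market", "Raw material price rises 10%", 3, 2),
    Risk("R4", "Legal/Regulatory", "Regulatory filing deadline missed", 1, 2),
    Risk("R5", "Human", "Key production manager leaves", 5, 5),
]
```

With a risk appetite of 6, `prioritise(REGISTER, 6)` puts R5 first as Critical/avoid, proposes sharing the insurable warehouse fire, and accepts the two risks whose score falls within appetite.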
- To identify strategic risk, you can use tools such as: SWOT Analysis.
- To identify operational risk, you can use tools such as:
A. Root-Cause Analysis:

B. Fishbone Diagram:
What is the difference between sensitivity and scenario analysis?

- Sensitivity Analysis: Examines how changes in a single variable affect the outcome while
keeping all other variables constant. It's used to identify which variables have the most
impact on the outcome and to what extent. For example, how would the profit change
if the price of raw materials increases by 10%?
- Scenario Analysis: Considers the simultaneous change of multiple variables to assess the
impact of different broader scenarios on an outcome. It helps in understanding the
effects of various conditions and combinations of variables occurring together. For
example, what happens to the business if there is an economic downturn coupled with a
supply chain disruption?
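The two questions above can be put to a small profit model to show the difference in practice. This is an added example, not part of the notes: the baseline figures, the profit formula and the percentage changes chosen for the downturn-plus-disruption scenario are all constructed assumptions.

```python
# Constructed baseline for one product line; every figure is an assumption for this example.
BASE = {
    "units": 10_000,      # units sold per period
    "price": 50.0,        # selling price per unit
    "material": 20.0,     # raw material cost per unit
    "fixed": 150_000.0,   # fixed costs per period (rent, salaries, ...)
}

def profit(p: dict) -> float:
    """Simple profit model: contribution per unit times volume, less fixed costs."""
    return p["units"] * (p["price"] - p["material"]) - p["fixed"]

def apply_changes(base: dict, changes: dict) -> dict:
    """Return a copy of base with each named variable moved by its percentage change."""
    moved = dict(base)
    for var, pct in changes.items():
        if var not in base:
            raise KeyError(f"unknown variable {var!r}")
        moved[var] = base[var] * (1 + pct / 100)
    return moved

def sensitivity(base: dict, variable: str, pct: float) -> float:
    """Sensitivity analysis: move ONE variable by pct percent, hold the rest
    constant, and return the change in profit against the baseline."""
    return profit(apply_changes(base, {variable: pct})) - profit(base)

def rank_sensitivities(base: dict, pct: float) -> list:
    """Which variable moves profit most for the same percentage swing? Returns
    (variable, absolute profit change) pairs, largest first."""
    rows = [(v, abs(sensitivity(base, v, pct))) for v in base]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def scenario(base: dict, changes: dict) -> float:
    """Scenario analysis: move SEVERAL variables together and return the change in profit."""
    return profit(apply_changes(base, changes)) - profit(base)

def interaction_effect(base: dict, changes: dict) -> float:
    """Difference between the scenario result and the sum of the one-at-a-time
    sensitivities. Non-zero whenever the variables interact, which is exactly
    what a set of separate sensitivities cannot show."""
    summed = sum(sensitivity(base, v, pct) for v, pct in changes.items())
    return scenario(base, changes) - summed

# The two questions from the notes, with constructed magnitudes.
RAW_MATERIAL_UP_10 = sensitivity(BASE, "material", 10)
DOWNTURN_AND_DISRUPTION = {"units": -20, "material": 25}  # demand falls, inputs cost more
```

On these numbers a 10% raw material rise cuts profit by 20,000, while the combined scenario cuts it by 100,000, which is 10,000 less than adding the two separate sensitivities would suggest, because fewer units sold also means less of the dearer material is bought.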
