
ENTERPRISE RISK MANAGEMENT
First Semester
SY 2020-2021
DEFINITION
• A systematic process embedded in a company’s system of internal control (spanning all
business activity), to satisfy policies effected by its board of directors, aimed at fulfilling its
business objectives and safeguarding both the shareholder’s investment and the company’s
assets.
• ERM has to satisfy a series of parameters. It must be embedded in a business’s system of
internal control, while at the same time it must respect, reflect and respond to the other
internal controls. Enterprise risk management is about protecting and enhancing share value
to satisfy the primary business objective of shareholder wealth maximization. It must be
multifaceted, addressing all aspects of the business plan from the strategic plan through to
the business controls:
• strategic plan
• marketing plan
• operations plan
• research and development
• management and organisation
• forecasts and financial data
• financing
• risk management processes
• business controls
THE INTEGRATION OF ERM
BENEFITS OF ERM
• Align risk appetite and strategy
• Minimise operational surprises and losses
• Enhance risk response decisions
• Resources
• Identify and manage cross-enterprise risks
• Link growth, risk and return
• Rationalise capital
• Seize opportunities

There are three major benefits of ERM: improved business performance, increased
organizational effectiveness and better risk reporting.
THE ERM FRAMEWORK
DISCUSSION
1. If Enterprise Risk Management was implemented before the pandemic, do you think it can
help businesses to increase their chances of survival? If yes, in what way?

2. Which business industry would most likely survive this pandemic? Least likely? Why?
INTERNAL CONTROL AND RISK MANAGEMENT
An internal control system encompasses the policies, processes, tasks, behaviors and other
aspects of a company that, taken together:

1. Facilitate its effective and efficient operation (operations audit)
2. Help ensure the quality of internal and external reporting (financial statement audit)
3. Help ensure compliance with applicable laws and regulations (compliance audit)
CONSIDERATIONS IN ASSESSING A SOUND INTERNAL CONTROL
• the nature and extent of the risks facing the company
• the extent and categories of risk which it regards as acceptable for the company to bear
• the likelihood of the risks concerned materializing
• the company’s ability to reduce the incidence and impact on the business of risks that do
materialize
• costs of operating particular controls relative to the benefit thereby obtained in managing the
related risks
RISK AS A SUBSET OF INTERNAL CONTROL
Risk is an uncertain event that may have a positive or negative impact on the
business/project/undertaking.

Risk may be viewed as:

• HIGHER REWARDS that potentially come with OPPORTUNITY and HIGHER RISKS
that have to be borne as a consequence of DANGER/THREAT.
• Therefore, the lesser the risk in a given investment, the lesser the opportunity for gain.
• It can also be said that, no risk, no reward.
• Therefore, risk should not be totally avoided; instead, we should understand risk in order
to manage it effectively.
CONTINUATION
• A company’s system of internal control has a key role in the management of risks that are
significant to the fulfilment of its business objectives.

• A sound system of internal control contributes to safeguarding the shareholders’ investment
and the company assets (Turnbull, 2003)
RISK MANAGEMENT
Risk management - the systematic process of managing an organization's risk exposure to
achieve its objectives.

It is a set of coordinated activities to direct and control an organization with regard to risk.

It deals with the identification, assessment and various strategies that help mitigate the adverse
effects of risk on the organization.
PURPOSE OF RISK MANAGEMENT
• To mitigate the loss of property and increase the chance of success of the organization
• To identify potential events that may affect the entity and manage risks to be within its risk
appetite in order to provide reasonable assurance regarding the achievement of entity's
objectives.
• To achieve maximum sustainable value from all the activities of the organization.
• Enhances the understanding of the potential upside and downside of the factors that can
affect an organization.
• Increases the probability of success and reduces both the probability of failure and the level
of uncertainty associated with achieving the objectives of the organization.
BENEFITS OF EFFECTIVE ERM
The briefing states the following potential benefits of effective risk management:
• Early mover into new business areas
• Greater likelihood of achieving business objectives
• Higher share prices over the longer term
• Reduction in management time spent “fire fighting”
• Increased likelihood of change initiatives being achieved
• More focus internally on doing the right things properly
• Lower cost of Achievement of competitive advantage
• Fewer sudden shocks and unwelcome surprises
TYPES OF RISK
1. SYSTEMATIC/SYSTEMIC RISKS - Uncontrollable by an organization and MACRO in
nature. (Ex. Political risks)

2. UNSYSTEMATIC/UNSYSTEMIC RISKS - Controllable by an organization and MICRO
in nature. (Ex. Company-specific risks like liquidity risks.)
RISK MANAGEMENT PROCESS
STAGE 1: ANALYZING THE BUSINESS
STAGE
(1) The background to the business as a whole, in general terms, and

(2) The specific business activity, process or project, forming the subject of the risk
management study.
STAGE 2: RISK IDENTIFICATION

• Risk identification is a transformation process (commonly facilitated by a risk practitioner)
where experienced personnel generate a series of risks and opportunities, which are recorded
in a risk register.
STAGE 3: RISK ASSESSMENT

• The purpose of the risk assessment stage is to provide a judgement of the likelihood and
impact of the risks and opportunities identified, should they materialise.
STAGE 4: RISK EVALUATION

• Involves evaluation of the results of the assessment stage.


STAGE 5: RISK PLANNING

• The plan stage uses all of the preceding risk management effort to produce responses and
specific action plans to address the risks and opportunities identified to secure the business
objectives.
RISK RESPONSE STRATEGIES
• Risk reduction

• Risk removal

• Risk transfer or reassign

• Risk retention
STAGE 6: RISK MANAGEMENT
Risk management requires undertaking four key activities:

1. Reacting
2. Registering
3. Reviewing
4. Reporting
RISK MANAGEMENT PROCESS (A-T-M)

ASSESS
1. Business Analysis
2. Risk Identification
3-4. Risk Assessment and Evaluation

TREAT
5. Risk Planning

MONITOR
6. Risk Management
RISK ASSESSMENT PHASE
• Risk identification establishes the exposure of the organization to risk and uncertainty. This
requires an intimate knowledge of the following:
1. the organization;
2. the market in which it operates;
3. the legal, social, political and cultural environment in which it exists; and
4. an understanding of strategic and operational objectives.
• Risk analysis activity assists the effective and efficient operation of the organization by
identifying those risks that require attention by management
• The result of the risk analysis can be used to produce a risk profile. It provides a tool for
prioritizing risk treatment efforts.
METHODS OF RISK IDENTIFICATION
• Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis
• Political, Economic, Social, Technological, Environmental, Legal and Industrial (PESTELI)
Analysis
• Flowcharts and dependency Analysis - analysis of processes and operations within the
organization to identify critical components that are key to success
• Questionnaires and checklists - Use structured questionnaires and checklists to collect
information to assist with the recognition of the significant risks
• Workshops and brainstorming - Collection and sharing of ideas and discussion of the
events that could impact the objectives, stakeholder expectations or key dependencies.
• Inspections and audits - Physical inspections of premises and activities and audits of
compliance with established systems and procedures
RISK TREATMENT PHASE
• Risk treatment is presented in ISO 31000 as the activity of selecting and implementing
appropriate control measures to modify the risk.

• Risk treatment includes as its major element, risk control (or reduction), but extends further
to, for example, risk avoidance, risk retention, risk transfer and risk exploitation.

• Any system of risk treatment should provide efficient and effective internal controls.
AVOID OR ACCEPT
• Divest by exiting a market or geographic area, or by selling, liquidating or spinning-off a
product group.
• Eliminate at the source by designing and implementing internal preventive processes.
• Accept risk at its present level taking no further action
• Re-price products/services by including a premium (if market condition allows)

TRANSFER
• Insure through cost-effective contract with independent, financially capable party under a
well-defined risk strategy
• Hedge risk by entering into capital markets
• Share risks/rewards of investing in new markets and products by entering into alliances or
joint venture

REDUCE/CONTROL/MITIGATION
• Control risk through internal processes or actions that reduce the likelihood of undesirable
events occurring to an acceptable level

EXPLOIT
• Expand business portfolio by investing in new industries and geographic areas
• Reorganize processes through restructuring, vertical integration, outsourcing and
re-engineering
• Redesign the company's business model
RISK MONITORING PHASE

• Monitoring and review ensures that the organization monitors risk performance and learns
from experience.

• Monitoring and review as the final step involves understanding the impact of the control
mechanisms developed on the hazard and the risk it poses.
SAMPLE RISK REGISTER
(SHOW RISK REGISTER OF CHINA BANK CORPORATION)
