
Sample 1

Risk Management & Internal Control

Prepared by: Rochelle Maloles


Gospel Reflection
How to really find everlasting joy?
Matthew 6:19-21
19 Lay not up for yourselves treasures upon earth, where moth and rust doth corrupt, and where thieves break through and steal:
20 But lay up for yourselves treasures in heaven, where neither moth nor rust doth corrupt, and where thieves do not break through nor steal:
21 For where your treasure is, there will your heart be also.
Learning Outcomes
Risk Management
1. Describe the relationship between Internal Control and Risk Management.
2. Define Risk Management.
3. Discuss the principles of risk management.
4. Describe sample ERM System software.
5. Discuss the components of an ERM System.
6. Discuss the benefits of Risk Management in general and of an ERM System.
7. Describe the elements of risk management.
8. Enumerate the risks associated with investments, manufacturing, trading and service concerns, and financial institutions.
9. Briefly discuss the SEC requirement for ERM of Publicly Listed Companies.
10. Discuss the potential risk treatments.
11. Discuss the risk management process.
Internal Control
1. Define Internal Control.
2. Discuss each element/component of Internal Control.
3. Describe the main objectives of Internal Control.
4. Enumerate the types of controls.
Internal Control & Risk Management: Strong Relationship
Internal Control is designed and implemented to address identified business risks that threaten the achievement of reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Risk management is the ongoing process of designing and operating internal controls that mitigate the risks identified in the organization’s risk assessment. (CMA, Gleim 2018)
The Risk and the Control Environment
Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives. Risks take many forms and can originate from inside or outside the organization.
All systems of internal control involve tradeoffs between cost and benefit, and for this reason no system of internal control can be said to be “100% effective”. Organizations accept the fact that risk can only be mitigated, not eliminated.
(CMA, Gleim 2018)


Risk Management
A process of measuring or assessing risk and developing strategies to manage it.
A systematic approach to identifying, analyzing and controlling areas or events with a potential for causing unwanted change.
An act or practice of controlling risk which includes risk planning, assessing risk areas, developing risk handling options, monitoring risks to determine how risks have changed, and documenting the overall risk management program.
Identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events and to maximize the realization of opportunities. (ISO 31000)
Principles of Risk Management
1. Create value.
2. Address uncertainty and assumptions.
3. Be an integral part of the organizational processes and decision-making.
4. Be dynamic, iterative, transparent, tailorable and responsive to change.
5. Create capability for continual improvement and enhancement, considering the best available information and human factors.
6. Be systematic, structured and continually or periodically reassessed.
Sample ERM Software
[Embedded document: sample ERM software comparison]
Components of an ERM System
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information & Communication
8. Monitoring
Sample ERM Software
[Embedded document: sample ERM software comparison. Source: https://www.softwareadvice.com/risk-management/erm-comparison/]
Benefits of ERM
1. Alignment of the entity’s strategy
2. Improvement in risk response decisions
3. Reduction in the number and impact of operational surprises and losses
4. Identification and management of multiple and cross-enterprise risks
5. Improved ability to seize (act on) opportunities that arise
6. Improved utilization of the capital and resources of the company
Elements of Risk Management
1. Identification, characterization, and assessment of threats.
2. Assessment of the vulnerability of critical assets to specific threats.
3. Determination of the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets).
4. Identification of ways to reduce those risks.
5. Prioritization of risk reduction measures based on a strategy.
Risk Management
Main Types of Risks
1. Strategic Risks
2. Operational Risks
3. Financial Risks
4. Hazard Risks
Risks Associated with Investments
Business risk
Financial risk
Liquidity risk
Default risk
Interest rate risk
Management risk
Purchasing power risk
Risks Associated with Manufacturing, Trading & Service Concerns
A. Market Risk
A.1 Product Risk
– complexity, obsolescence, research & development, packaging, delivery of warranties
A.2 Competitor Risk
– pricing strategy, market share, market strategy
B. Operational Risk
– process stoppage, health & safety, after-sales service failure, environmental, technological obsolescence, integrity
C. Financial Risk
– interest rate volatility, foreign currency, liquidity, derivative, viability
D. Business Risk
– regulatory change, reputation, political, regulatory and legal, shareholder relations, credit rating, capital availability, business interruptions
Risks Associated with Financial Institutions
A. Financial Risks
– Liquidity Risk, Market Risk, Credit Risk, Market Liquidity Risk, Hedged Positions Risk, Portfolio Exposure Risk, Derivative Risk, Accounting Information Risk (completeness & accuracy), Financial Reporting Risk
B. Non-Financial Risks
– Operational Risk (systems, customer satisfaction, human resources, fraud & illegal acts, bankruptcy)
– Regulatory Risk (capital adequacy, compliance, taxation, changing laws & policies)
C. Environment Risk
– politics, natural disasters, war, terrorism
D. Integrity Risk
– reputation
E. Leadership Risk
SEC Requirement for Enterprise Risk Management of Publicly-Listed Corporations
SEC Code of Governance Recommendation 2.11 and its corresponding explanation provide the following:
“The Board should oversee that a sound enterprise risk management (ERM) framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
Risk Management policy is part and parcel of a corporation’s corporate strategy. The Board is responsible for defining the company’s level of risk tolerance and providing oversight over its risk management policies and procedures.”
Principle 12
“To ensure the integrity, transparency and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework.”
SM Investments
https://www.sminvestments.com/about-us/governance/enterprise-risk-management/
https://www.sminvestments.com/wp-content/uploads/2022/05/ERM-website-20212.pdf
Potential Risk Treatments
1. Risk Avoidance – includes not performing an activity that could carry risk. However, avoiding also means losing out on the potential gain that accepting or retaining the risk may have allowed; avoiding the risk of loss may also avoid the possibility of earning profits.
2. Risk Reduction – also called optimization, involves reducing the severity of the loss or the likelihood of the loss occurring. This also means finding the balance between the negative risk and the benefit of the operation or activity, and between risk reduction and the effort applied.
3. Risk Sharing – sharing with another party the burden of loss or the benefit of gain from a risk, and the measures to reduce the risk.
4. Risk Retention – involves accepting the loss or benefit of gain from a risk when it occurs. All risks that are not avoided or transferred are retained by default. This is acceptable if the chance of a very large loss is small, or if the cost to insure for greater coverage involves a substantial amount that could hinder the goals of the organization.
Risk Management Process
1. Risk Identification
2. Risk Assessment
3. Risk Prioritization (Ranking)
4. Response Planning
5. Risk Monitoring
Practical Considerations in Managing & Reducing Financial Risk
1. Improve Profitability
a. variance analysis
b. assessment of market entry and exit barriers
c. break-even analysis
d. controlling costs
Internal Control
An Internal Control System is the whole system of controls (financial and otherwise) established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records. (CMA, Gleim 2018)
Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. (COSO Framework)
Objectives of an Internal Control System
1. Reporting – reliability of the entity’s financial reporting
2. Operations – effectiveness and efficiency of operations
3. Compliance – compliance with applicable laws and regulations
Elements/Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring Activities
1. Control Environment
The Control Environment is a set of standards, processes and structures that pervasively affects the system of internal control.
What are the 5 principles related to the control environment?
1. The organization demonstrates commitment to integrity and ethical values.
2. The Board demonstrates independence from management and exercises oversight for internal control.
3. Management establishes (with board oversight) the structures, reporting lines, and appropriate authorities and responsibilities.
4. The organization demonstrates commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives.
2. Risk Assessment
This process encompasses an assessment of the risks themselves and the need to manage organizational change. It is the basis for determining how the risks should be managed.
4 principles related to risk assessment:
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to these objectives.
2. The organization identifies the risks to the achievement of its objectives across the entity and analyzes risks to determine how the risks should be managed.
3. The organization considers the potential for fraud in assessing fraud risks to the achievement of objectives.
4. The organization identifies and assesses changes that could
3. Control Activities
These policies and procedures help ensure that management directives are carried out. Whether automated or manual, they are applied at various levels of the entity and stages of processes. They may be preventive or detective, and segregation of duties is usually present.
Principles:
1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2. The organization develops general control activities through policies that establish what is expected and procedures that put policies into action.
3. The organization deploys control activities through policies that establish what is expected and procedures that put
4. Information & Communication
Information systems enable the organization to obtain, generate, use, and communicate information to 1) maintain accountability and 2) measure and review performance.
Principles:
1. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3. The organization communicates with external parties regarding matters affecting the functioning of internal control.
5. Monitoring Activities
Control systems and the way controls are applied change over time. Monitoring is a process that assesses the quality of internal control performance over time to ensure that controls continue to meet the needs of the organization.
Principles:
1. The organization selects, develops, and performs ongoing or separate evaluations (or both) to determine whether the components of internal control are present and functioning.
2. The organization evaluates and communicates control deficiencies in a timely manner.
Controls
The costs of internal control must not be greater than its benefits.
Types of Controls:
1. Primary Controls
2. Secondary Controls
3. Time-Based Classification
4. Financial vs Operating (Administrative) Controls
5. People-Based vs System-Based Controls
6. Control Activities
7. Segregation of Duties (ARCR – Authorization, Recordkeeping, Custody, Reconciliation)
8. Independent Checks & Verification
9. Safeguarding Controls
10. Prenumbered Forms
11. Compensating Controls
12. Fraud
Thank You