
Audit and Internal Control

Week 8
Risk Management Fundamentals
LEARNING OUTCOMES
• LO 5: Analyze the implementation and importance of Enterprise Risk
Management (ERM), strong governance, and compliance issues today
OUTLINE
• Risk Management Fundamentals
• Risk Identification
• Risk Assessment
Risk Management Fundamentals

Risk management had primarily been viewed as an insurance-related concept for many years. Under this broad concept, an individual or an enterprise envisions some type of threat, such as the danger of a residential fire or a casualty loss, and decides to purchase insurance, using a risk-based approach to decide what type and how much insurance coverage to buy.

The key decision factors here are the perceived risks of these threats and the insurance costs to cover those risks. Both have always entered into the decision to purchase insurance, and both the risks and the insurance costs change over time.
Fundamentals: Risk Management Phases

Risk management should be treated as a four-step process:

• Risk identification
• Quantitative or qualitative assessment of the documented risks
• Risk prioritization and response planning
• Risk monitoring
This four-step risk management process should be implemented at all levels of the enterprise and with the participation of many different people, whether the enterprise is a smaller one with a few facilities within a limited geographic area or a large global enterprise.
Risk Identification

Management should endeavor to identify all possible risks that may impact the success of the enterprise, ranging from the larger or more significant risks to the overall business down to the less major risks associated with individual projects or smaller business units.
Exhibit: Sample Types of Business Risk, Moeller (2011).
Risk Assessment

Key Risk Assessment

Having identified the significant risks impacting the enterprise at its various levels, the next step is to assess each of them for its likelihood and its relative significance.

A simple but often effective approach is to take the list of identified risks and circulate it back to all of the brainstorming session participants, or to others, with a questionnaire asking about each risk.
Probability and Uncertainty

Particularly when a large number of risks have been identified, the assessment team should express each individual risk's likelihood of occurrence as a two-digit probability ranging from almost 0.00 to 0.99.

The joint probability of two independent events is the product of their two separate probabilities, that is:

• Pr(Event#1) x Pr(Event#2) = Pr(Both Events)

The product rule holds only when the two events are independent; if the occurrence of one risk makes the other more likely, multiplying the separate probabilities understates the joint probability.


Period of analysis

When estimating occurrences and likelihoods, the ERM team should take care that all estimates are made over the same period of time. A one-year interval, or at least the period to the end of the next fiscal year, is usually a reasonable choice. There is typically not enough information to make reasonably accurate estimates much beyond that interval.
Risk Interdependencies

We have discussed risks at the level of an individual enterprise unit, but risk interdependencies must always be considered. Exhibit 3.4 shows a simple enterprise arrangement with activities A, B, C, and D all operating in parallel and reporting to activity or unit G, which reports to I, ending in J.
Exhibit 3.4: Risk Interdependencies Hierarchy, Moeller (2011).
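The following is an added example, not code from Moeller (2011) or from the course materials, of how the Exhibit 3.4 hierarchy can be worked through numerically using the joint-probability rule stated above. The one-year probabilities per unit are constructed values, and two modelling choices are assumptions made here for illustration: unit-level risks are independent, and a unit is impacted if its own risk materializes or if any unit reporting into it is impacted. The point it shows is how small unit-level probabilities accumulate into a much larger probability of impact at the top of the hierarchy.

```python
"""Risk interdependencies across a reporting hierarchy (added example).

Units A, B, C and D operate in parallel and report to G; G reports to I,
which ends in J.  Each unit carries a probability, over the same one-year
period, that a risk of its own materializes.
"""

# Constructed one-year probabilities; illustrative values only.
OWN_RISK = {"A": 0.10, "B": 0.05, "C": 0.20, "D": 0.15,
            "G": 0.02, "I": 0.03, "J": 0.01}

# Reporting structure of Exhibit 3.4: child unit -> the unit it reports to.
REPORTS_TO = {"A": "G", "B": "G", "C": "G", "D": "G", "G": "I", "I": "J"}


def joint_probability(p1: float, p2: float) -> float:
    """Pr(Event#1) x Pr(Event#2) = Pr(Both Events), for independent events."""
    return p1 * p2


def at_least_one(probabilities) -> float:
    """Probability that at least one of several independent events occurs:
    1 minus the joint probability that none of them occurs."""
    p_none = 1.0
    for p in probabilities:
        p_none *= 1.0 - p
    return 1.0 - p_none


def units_reporting_to(unit: str, reports_to=REPORTS_TO):
    """Direct children of `unit` in the hierarchy."""
    return [child for child, parent in reports_to.items() if parent == unit]


def impact_probability(unit: str, own_risk=OWN_RISK, reports_to=REPORTS_TO) -> float:
    """Probability that `unit` is impacted during the period, combining its own
    risk with the recursively computed impact of every unit feeding into it.
    Assumes independence of the individual unit-level risks."""
    contributions = [own_risk[unit]]
    for child in units_reporting_to(unit, reports_to):
        contributions.append(impact_probability(child, own_risk, reports_to))
    return at_least_one(contributions)


def impact_table(own_risk=OWN_RISK, reports_to=REPORTS_TO):
    """Own risk next to inherited impact for every unit, rounded for display."""
    return {u: (own_risk[u], round(impact_probability(u, own_risk, reports_to), 4))
            for u in own_risk}


if __name__ == "__main__":
    for unit, (own, combined) in impact_table().items():
        print(f"{unit}: own risk {own:.2f}, probability of impact {combined:.4f}")
```

With these constructed inputs, J's own risk is 0.01, but once the parallel units and the chain through G and I are accounted for, the probability that J is impacted in the year is about 0.45. That gap between a unit's own estimate and its inherited exposure is why the interdependencies have to be modelled rather than assessed unit by unit.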
Risk Ranking

While the examples used in this chapter have had a relatively short list of identified risks, a typical enterprise that goes through a risk ranking and assessment process will end up with a very long list of potential risks. The next step is to take the established significance and likelihood estimates, calculate risk rankings from them, and identify the most significant risks across the entity reviewed.
Quantitative Risk Analysis: Expected Values and Response Planning

There is little value in publishing detailed lists of significant risks unless the enterprise has at least planned some preliminary action steps to take should one of those risks be incurred.

The idea is to estimate the cost impact of incurring an identified risk and then multiply that cost by the risk's probability of occurrence to derive the expected value of the risk.
Exhibit: Risk Response Ranking Example, Moeller (2011).
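As an added example, not code from Moeller (2011) or from the course materials, the block below carries the Risk Ranking and Expected Values passages above through on a small risk register. The register entries are constructed, and the scoring rule used for ranking (likelihood multiplied by significance) is an assumption made here; the expected-value calculation is the one the text describes, cost impact multiplied by probability of occurrence. It also enforces the two-digit 0.00 to 0.99 range that the assessment discussion asks estimators to use.

```python
"""Risk ranking and expected value over a risk register (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float        # probability of occurring within the one-year period
    significance: float      # relative significance to the enterprise, 0.00-0.99
    cost_if_incurred: float  # estimated cost impact if the risk occurs


def validate(risk: Risk) -> Risk:
    """Reject estimates outside the two-digit 0.00-0.99 range or negative costs."""
    for field in ("likelihood", "significance"):
        value = getattr(risk, field)
        if not 0.0 <= value <= 0.99:
            raise ValueError(f"{risk.name}: {field}={value} is outside 0.00-0.99")
    if risk.cost_if_incurred < 0:
        raise ValueError(f"{risk.name}: negative cost impact")
    return risk


def risk_score(risk: Risk) -> float:
    """Ranking score: likelihood x significance (assumed scoring rule)."""
    return risk.likelihood * risk.significance


def expected_value(risk: Risk) -> float:
    """Expected cost of the risk: cost impact x probability of occurrence."""
    return risk.likelihood * risk.cost_if_incurred


def rank(risks, key=risk_score):
    """Highest-ranked risk first, by the chosen measure."""
    return sorted((validate(r) for r in risks), key=key, reverse=True)


def total_expected_value(risks) -> float:
    """Sum of expected values, a rough budget figure for response planning."""
    return sum(expected_value(validate(r)) for r in risks)


# Constructed register; names and values chosen for illustration only.
REGISTER = [
    Risk("Data center power outage", 0.20, 0.80, 500_000),
    Risk("Key supplier insolvency", 0.10, 0.90, 2_000_000),
    Risk("Ransomware on file servers", 0.30, 0.70, 750_000),
    Risk("Minor project schedule slip", 0.60, 0.10, 40_000),
]


def ranking_names(risks=REGISTER, key=risk_score):
    """Risk names in ranked order, for reporting or for comparing measures."""
    return [r.name for r in rank(risks, key)]


if __name__ == "__main__":
    print("By likelihood x significance:")
    for r in rank(REGISTER):
        print(f"  {r.name:30} score={risk_score(r):.2f}")
    print("By expected value:")
    for r in rank(REGISTER, key=expected_value):
        print(f"  {r.name:30} EV={expected_value(r):,.0f}")
    print(f"Total expected value: {total_expected_value(REGISTER):,.0f}")
```

Running it shows why both views are worth producing: the relative score ranks the power outage above the supplier insolvency, while the expected value, which brings the cost estimate in, reverses the two. The ranked lists are what the response-planning step is built on.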
Other Risk Assessment Techniques

There are three other risk assessment techniques:

• The Delphi Method
• Monte Carlo Simulation
• Decision Tree Analysis


REFERENCES
• Hunziker, S. (2019). Enterprise Risk Management: Modern Approach to Balancing Risk and Reward. Springer Gabler, Wiesbaden, Germany.
• Manurung, A.H. (2020). Enterprise Risk Management. PT Adler Manurung Press, Jakarta. ISBN 9789793439211.
• Moeller, R.R. (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance (GRC) Processes. 2nd edition. John Wiley & Sons Inc., New Jersey. ISBN 9780470912881.
