
WEEK 2 – ENTERPRISE RISK MANAGEMENT (ERM)

mb.its.ac.id

RISK MANAGEMENT TEAM TEACHING 2023
OUTLINE

- INTRODUCTION
- WHAT IS ENTERPRISE
- WHAT IS RISK
- DEFINE ERM
- BENEFITS OF ERM
- ERM FRAMEWORK
- ESTABLISH ERM
- OTHER FRAMEWORKS
- GROUP DISCUSSION
INTRODUCTION

The financial world is not immune to systemic failure, as demonstrated by many stories such as the Barings Bank collapse in 1995 and the failure of Long-Term Capital Management in 1998.

Also, in late August 2005 Hurricane Katrina struck, reportedly the costliest natural disaster in US history. Oil production, importation and refining were interrupted. At least 20 offshore oil platforms went missing, sunk or adrift.

Businesses were suddenly exposed to a surge in energy prices, continuity failures and shipping disruption. Costs of production rose and sales fell.
INTRODUCTION

Failure to properly understand and manage risk has been cited as the root cause of the global financial crisis of 2007–2010.

There is no doubt that risk management is an important and growing area in an uncertain world.

Before defining the term “Enterprise Risk Management”, we should know the definitions of enterprise and risk.

Before we start, please watch these videos:

https://youtu.be/P-O3NIie3ck
https://youtu.be/r1g8A--D4I0
WHAT IS ENTERPRISE?

Enterprise = Organization

An enterprise is a unit of economic organization or activity, especially a business organization.

An enterprise is a group of legal vehicles, divisions, business units and so forth that make up an organization.
WHAT IS RISK?

Risk means “uncertainty” (a distribution of outcomes and associated probabilities).
SO ENTERPRISE RISK MANAGEMENT IS…

DEFINE ERM

ERM Defined:
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.


DEFINE ERM

ERM must satisfy a series of parameters:

- ERM must be embedded in a business’s system of internal control, while at the same time it must respect, reflect and respond to the other internal controls.

- ERM must be multifaceted, addressing all aspects of the business plan from the strategic plan through to business controls (strategic plan, marketing plan, operations plan, research & development, management & organisation, forecasts & financial data, financing, risk management processes, business controls).
DEFINE ERM

ERM is defined as a comprehensive and integrated framework for managing company-wide risk in order to maximise company value.

ERM = a process effected by an entity's Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
DEFINE ERM

ERM is the capability of an organization to understand, control, and articulate the nature and level of risks taken in pursuit of a risk-adjusted return.

Risks can be categorised as credit, liquidity, strategic/business/reputation, market, operational, compliance/legal, financial and capital adequacy.
BENEFITS OF ERM

Why ERM Is Important

Underlying principles:

- Every entity, whether for-profit or not, exists to realize value for its stakeholders.

- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:

• Deal effectively with potential future events that create uncertainty.

• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
BENEFITS of ERM

ERM enhances an organisation's capability to:

- Increase the likelihood of the business realising its objectives.
- Build confidence in stakeholders and the investment community.
- Comply with relevant legal and regulatory requirements.
- Align risk appetite and strategy.
- Improve organisational resilience.
- Enhance corporate governance.
- Embed the risk process throughout the organisation.
- Minimise operational surprises and losses.
- Enhance risk response decisions.
- Optimise allocation of resources.
- Identify and manage cross-enterprise risks.
- Link growth, risk and return.
- Rationalise capital.
- Seize opportunities.
- Improve organisational learning.
ERM FRAMEWORK

INTRO

Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Enterprise Risk Management — Integrated Framework

This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework

Entity objectives can be viewed in the context of four categories:

• Strategic
• Operations
• Reporting
• Compliance

ERM considers activities at all levels of the organization:

• Enterprise-level
• Division or subsidiary
• Business unit processes

Enterprise risk management requires an entity to take a portfolio view of risk.

Management considers how individual risks interrelate.

Management develops a portfolio view from two perspectives:

- Business unit level
- Entity level

The eight components of the framework are interrelated …
COSO ERM FRAMEWORK

To assist with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO I framework developed in 1992:
WHAT IS COSO ERM FRAMEWORK?

The four objective categories:

Strategic – These are the high-level goals that are aligned with and support the institution’s mission.

Operations – Relate to the ongoing management process and daily activities of the organization.

Reporting – Relates to the protection of the organization’s assets and quality of financial reporting.

Compliance – Relates to the organization’s adherence to applicable laws and regulations.
WHAT IS COSO ERM FRAMEWORK? (CONT’D)

The eight components:

The Internal Environment relates to the general culture, values and environment in which an organization or entity operates (e.g. tone at the top).

Objective Setting relates to the process management uses to set its strategic goals and objectives. It establishes the organization’s risk appetite and risk tolerance.

Event Identification is the process by which an organization identifies events that influence strategy and objectives, or could affect an organization’s ability to achieve its objectives.

Risk Assessment relates to the organization’s process of evaluating the impact and likelihood of events, and prioritizing related risks.

Risk Response relates to determining how management will respond to the risks an organization faces: will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?

Control Activities represent policies and procedures that an institution implements to address the risks the organization chooses to accept.

Information and Communication relate to those practices that ensure that the right information is communicated at the right time to the right people.

Monitoring consists of ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.
ERM COSO FRAMEWORK

Each of these components is considered at multiple levels of the organization, rather than within a single function, unit, or department.
ERM LIFE CYCLE

[Diagram] Life cycle stages: Goal setting / Culture; Identify and prioritize risks; Evaluate options; Implement; Evaluate performance; Confirm next steps.

Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.
Internal Environment

Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.

Establishes the entity’s risk culture.

Considers all other aspects of how the organization’s actions may affect its risk culture.
Objective Setting

• Is applied when management considers risk strategy in the setting of objectives.

• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.

• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification

• Differentiates risks and opportunities.

• Events that may have a negative impact represent risks.

• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.

• Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment

• Allows an entity to understand the extent to which potential events might impact objectives.

• Assesses risks from two perspectives:
  - Likelihood
  - Impact

• Is used to assess risks and is normally also used to measure the related objectives.

• Employs a combination of both qualitative and quantitative risk assessment methodologies.

• Relates time horizons to objective horizons.

• Assesses risk on both an inherent and a residual basis.
Risk Response

• Identifies and evaluates possible responses to risk.

• Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.

• Selects and executes a response based on evaluation of the portfolio of risks and responses.
Control Activities

• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.

• Occur throughout the organization, at all levels and in all functions.

• Include application and general information technology controls.
Information & Communication

Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.

Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring

Effectiveness of the other ERM components is monitored through:

• Ongoing monitoring activities.

• Separate evaluations.

• A combination of the two.
Internal Control

A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control — Integrated Framework

• Expands and elaborates on elements of internal control as set out in COSO’s “control framework.”

• Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control.

• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
ERM Roles & Responsibilities

- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors

Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.

Assist management and the board or audit committee in the process by:

- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements

Visit the guidance section of The IIA’s Web site for The IIA’s position paper, “Role of Internal Auditing in Enterprise Risk Management.”
Standards

2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.

2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.

2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Key Implementation Factors

1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management
Organizational Design

- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage

Mission – To provide high-quality, accessible and affordable community-based health care

Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets

Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year
ESTABLISH ERM

- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Example: ERM Organization

[Organization chart]
Vice President and Chief Risk Officer
  - Insurance Risk Manager
  - ERM Director
      - FES ERM Manager (Staff)
      - ERM Manager (Staff)
      - Commodity Risk Mgmt. Director (Staff)
  - Corporate Credit Risk Manager
Assess Risk

Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model

Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations

Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk

Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk
Risk Analysis

[Diagram]
Risk Assessment: Identification; Measurement; Prioritization
Risk Management: Control It; Share or Transfer It; Diversify or Avoid It
Risk Monitoring: Process Level; Activity Level; Entity Level

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors


DETERMINE RISK APPETITE

Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.

Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Key questions:

• What risks will the organization not accept? (e.g. environmental or quality compromises)

• What risks will the organization take on new initiatives? (e.g. new product lines)

• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share)
IDENTIFY RISK RESPONSES

Quantification of risk exposure

Options available:

- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)

Residual risk (unmitigated risk – e.g. shrinkage)

Impact vs. Probability

                 Low probability              High probability
High impact      Medium Risk – Share          High Risk – Mitigate & Control
Low impact       Low Risk – Accept            Medium Risk – Control


Example: Call Center Risk Assessment

High impact, low probability (Medium Risk):
• Loss of phones
• Loss of computers

High impact, high probability (High Risk):
• Credit risk
• Customer has a long wait
• Customer can’t get through
• Customer can’t get answers

Low impact, low probability (Low Risk):
• Fraud

Low impact, high probability (Medium Risk):
• Entry errors

Other low-impact risks plotted on the slide: Equipment obsolescence, Lost transactions, Employee morale, Repeat calls for same problem.
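The risk assessment slides above describe scoring risks on likelihood and impact on both an inherent and a residual basis, the risk appetite slides describe a tolerance to compare against, and the Impact vs. Probability matrix maps each quadrant to a response. The following Python risk register ties those three ideas together. It is an added example written for this page, not code from the slides, from COSO or from the IIA. The 1–5 scoring scale, the threshold separating "High" from "Low", the effect of each control, the tolerance value and the scores on the sample risks (risk names taken from the call center slide, scores constructed) are all assumptions.

```python
"""Risk register scoring in the style of the COSO ERM slides.

Added example, not code from the slides, COSO or the IIA. Every scale,
threshold, control effect and sample score below is an assumption made
for illustration.
"""
from dataclasses import dataclass, field

SCALE_MAX = 5        # likelihood and impact are scored 1..5 (assumption)
HIGH_THRESHOLD = 3   # a score above 3 counts as "High" on either axis (assumption)

# Quadrants of the slides' Impact vs. Probability matrix, keyed by
# (impact band, probability band) -> (risk level, suggested response).
QUADRANT_RESPONSE = {
    ("High", "Low"):  ("Medium Risk", "Share"),
    ("High", "High"): ("High Risk", "Mitigate & Control"),
    ("Low", "Low"):   ("Low Risk", "Accept"),
    ("Low", "High"):  ("Medium Risk", "Control"),
}


@dataclass
class Control:
    """A control activity and how many points it removes from each axis (assumed effect)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: inherent scores plus the controls applied to it."""
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: scores must be 1..{SCALE_MAX}")

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """(likelihood, impact) after controls, never below 1 on either axis."""
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, likelihood), max(1, impact)

    def residual_score(self) -> int:
        likelihood, impact = self.residual()
        return likelihood * impact


def band(score: int) -> str:
    return "High" if score > HIGH_THRESHOLD else "Low"


def classify(likelihood: int, impact: int) -> tuple:
    """Place a (likelihood, impact) pair in the matrix and return (level, response)."""
    return QUADRANT_RESPONSE[(band(impact), band(likelihood))]


def dashboard(risks, tolerance: int) -> list:
    """Rows ordered by residual score, each flagged against the stated tolerance."""
    rows = []
    for risk in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        likelihood, impact = risk.residual()
        level, response = classify(likelihood, impact)
        rows.append({
            "risk": risk.name,
            "inherent": risk.inherent_score(),
            "residual": risk.residual_score(),
            "level": level,
            "response": response,
            "within_tolerance": risk.residual_score() <= tolerance,
        })
    return rows


# Constructed register using four risks named on the call center slide;
# the scores and controls are assumptions, not from the slide.
SAMPLE_RISKS = [
    Risk("Customer can't get through", 5, 4,
         [Control("Overflow routing to a second site", likelihood_reduction=1)]),
    Risk("Loss of phones", 2, 5,
         [Control("Redundant telephony carrier", impact_reduction=1)]),
    Risk("Entry errors", 4, 2),
    Risk("Equipment obsolescence", 2, 2),
]
TOLERANCE = 8   # assumed residual score the board is willing to accept

if __name__ == "__main__":
    for row in dashboard(SAMPLE_RISKS, TOLERANCE):
        flag = "" if row["within_tolerance"] else "  <- above tolerance"
        print(f"{row['risk']:<28} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['level']:<12} {row['response']}{flag}")
```

Run as a script it prints one dashboard line per risk, ordered by residual score; with the sample data the "Customer can't get through" risk stays in the High Risk quadrant after its control and is flagged as above tolerance, while the other three land in the Share, Control and Accept quadrants. The point of separating inherent from residual scoring is that a control can move a risk into a different quadrant, and therefore change the suggested response, without changing the underlying exposure.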


Example: Accounts Payable Process

Control Objective: Completeness
Risk: Material transaction not recorded; invoices accrued after closing
Control Activity: Accrual of open liabilities

Issue: Invoices go to field and AP is not aware of liability.




Communicate Results

- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments
Monitor

Collect and display information

Perform analysis:

- Risks are being properly addressed
- Controls are working to mitigate risks

Management Oversight & Periodic Review

Accountability for risks

Ownership

Updates:

- Changes in business objectives
- Changes in systems
- Changes in processes
Internal auditors can add value by:

- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
- Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
- Facilitating ERM workshops.
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
ERM…

- Provides a comprehensive and systematic approach to more proactive and holistic risk management.
- Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM.
- Requires that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization’s strategy and risk appetite.

ERM IS NOT…

- A silver bullet to prevent risks from occurring.
- A methodology or a checklist of items that need to be completed that guarantee results.
- The only way organizations can take a more proactive approach to managing risk.
ERM FRAMEWORK & OTHER FRAMEWORKS

OTHER FRAMEWORKS

CoCo – Stands for “Criteria of Control” and is a risk management tool developed by the Canadian Institute of Chartered Accountants to assist managers and internal auditors in designing, assessing, and reporting on the control systems of an organization.
OTHER FRAMEWORKS (CONT’D)

Cadbury Report – Published in 1992, this report sets out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures.

Recommendations focus primarily on practices related to transparency and accountability at the top levels of an organization (e.g. Board of Directors members) rather than throughout the organization as a whole.
OTHER FRAMEWORKS (CONT’D)

Australian and New Zealand Standard on Risk Management (AS/NZS 4360:2004, or ASNZS) – Considered by some to be the gold standard for all other risk management standards.

The ASNZS is widely used internationally, and is desirable for its simplicity. (Where the original draft of the COSO ERM Model ran about 154 pages, the ASNZS is only 23 pages.)
OTHER FRAMEWORKS (CONT’D)
Below is a diagram of the ASNZS framework:
OTHER FRAMEWORKS (CONT’D)

ISO 31000:2009 – Developed by the International Organization for Standardization (ISO) and based on the AS/NZS, ISO 31000 provides principles and generic guidelines on risk management. It provides a universally recognized paradigm for practitioners and companies employing risk management processes across different industries, subject matters and regions.

ISO 31000 is defined as “a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
ISO 31000 FRAMEWORK OVERVIEW
WHERE’S THE VALUE???

The biggest value in each of these frameworks lies in their promotion of continuous improvement, diligent management practices and ongoing monitoring.
RELEVANCE (CONT’D)

Organizations are increasingly looking to expand their risk management functions to help reduce potential future losses through:

- Improved monitoring and reporting
- Better risk identification and response
- More risk-based decision making

Relevance (cont’d)

Based on a recent survey conducted by Towers Watson, the table below illustrates motivating factors for improving various risk management activities in the near term.
Questions?

GROUP DISCUSSION

Lululemon Recall

Shares in Lululemon Athletica Inc. fell more than three per cent Tuesday, a day after the yoga clothing maker said it was recalling some of its black pants because they were too see-through.

By mid-afternoon, Lululemon shares were down $2.12 to $65.38 on the Toronto Stock Exchange.

The Vancouver-based company announced it was pulling its popular black Luon yoga pants from store shelves because the material used to make them was too sheer, showing off too much of their customers' assets. The pants have also been yanked from showrooms and the company website.

Assignment:

Please watch this video: https://youtu.be/BXcXVjfI_y0

1. Is there anything related to the risk management procedure? If yes, what was the risk management failure?

2. If you could turn back time and avoid this bankruptcy, how would you prevent this problem from appearing (acting as the Lululemon CEO)?
REFERENCE

Chapman, Robert J. (2011). Simple Tools and Techniques for Enterprise Risk Management. John Wiley & Sons, Ltd.

Duckert, Gregory H. (2011). Practical Enterprise Risk Management: A Business Approach. John Wiley & Sons, Ltd.
