Understanding Enterprise Risk Management

The document discusses enterprise risk management (ERM). It defines ERM and outlines its key objectives and benefits. It also describes the typical ERM process which involves risk identification, assessment, prioritization, response formulation, and monitoring. Additionally, it explains the COSO ERM framework and how ERM practices are integrated with other business functions like corporate governance and internal controls.

Uploaded by Kei Venusa

PALAWAN STATE UNIVERSITY
COLLEGE OF BUSINESS AND ACCOUNTANCY
PUERTO PRINCESA CITY

ENTERPRISE RISK MANAGEMENT
PrE 4: ENTERPRISE RISK MANAGEMENT
2ND Semester | SY: 2023-2024
TOPIC 2

TOPICS

OVERVIEW

No business is without risks, but the key to any business is understanding the importance of preventing, minimizing, or eliminating risks whenever possible to prevent losses. After all, less risk should theoretically create more success for the business.

For any business, risk can be defined as an internal or external factor that may ultimately affect objectives by either lowering the projected profits or even causing a loss. Whether the risk is due to economic issues, financial rates, industry regulations, business costs, information breaches, or political influences, risks can cause a business to lose money or ultimately go under.

That is where risk management comes in. Since our business ventures encounter many risks that can affect their survival and growth, this module will introduce you to the importance of the basic principles of risk management, its process, and how they can help mitigate the effects of risks on business entities.

Intended learning outcomes

This lesson discusses risk management. The COSO ERM conceptual framework is reviewed along with risk-management techniques firms can use to manage their risk exposure.

Upon completion of this lesson, candidates should be able to:

• Identify and explain the benefits of risk management.
• Identify and describe the key steps in the risk management process.
• Explain how the attitude toward risk might affect the management of risk.
• Define enterprise risk management (ERM) and identify and describe key objectives, components, and benefits of an ERM program.
• Identify event identification techniques and provide examples of event identification within the context of an ERM approach.
• Explain how ERM practices are integrated with corporate governance, risk analytics, portfolio management, performance management, and internal control practices.
• Demonstrate an understanding of the COSO Enterprise Risk Management - Integrated Framework (2017).

Risk Management defined

▪ "Risk Management is the process of measuring, or assessing risk and then developing strategies to manage the risk" – Wikipedia.

When an entity makes an investment decision, it exposes itself to several financial risks. The quantum of such risks depends on the type of financial instrument. These financial risks might be in the form of high inflation, volatility in capital markets, recession, bankruptcy, etc. Hence, to minimize and control the exposure of investment to such risks, fund managers and investors practice risk management. Risk management deserves due importance when making investment decisions, because risk arises from changes in an economy. Different levels of risk come attached with different categories of asset classes.

For example: A fixed deposit is considered a less risky investment. On the other hand, equity investment is regarded as a risky venture. While practicing risk management, equity investors and fund managers tend to diversify their portfolios to minimize the risk exposure.

ENTERPRISE RISK MANAGEMENT 1 ENTERPRISE RISK MANAGEMENT 2
The traditional view of risk management has protected the organization from loss through conformance procedures and hedging techniques. This is about avoiding the downside. The new approach to risk management is about 'seeking the upside while managing the downside.' Anytime there is a possibility of loss (risk), there should be an opportunity for profit.

Risk management is an essential process because it empowers a business with the necessary tools to identify and deal with potential risks adequately. Once a risk has been identified, it is then easy to mitigate it. In addition, risk management provides a business with a basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for eventualities that may come in progress and growth. When a company evaluates its plan for handling potential threats and then develops structures to address them, it improves its odds of becoming a successful entity.

In addition, progressive risk management ensures that high-priority risks are dealt with as aggressively as possible. Moreover, the management will have the necessary information that they can use to make informed decisions and ensure that the business remains profitable.

Risk Management Process

Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become top priorities for digitized companies. As a result, a risk management plan increasingly includes companies' processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer's personally identifiable information, and intellectual property.

Given the potential ramifications of mismanaging risk, companies should implement a risk management process that will enable them to avoid risks, reduce the adverse effects of risks, prepare to accept some risks, and/or transfer risks to another party (typically by purchasing insurance). As an example, an organization may purchase hazard insurance to transfer the loss from major catastrophes. Although the formality and specifics of the process will vary across different organizations, the general steps of a risk management process are summarized below.

Step 1 Risk Identification
Step 2 Risk Assessment
Step 3 Risk Prioritization
Step 4 Risk Response Formulation
Step 5 Risk Monitoring and Control

Risk Identification

Risk identification seeks to identify as many threats as possible without evaluating them. Risk identification will naturally drive the process to include as many individuals from the organization as possible, especially those with specific detailed information about the particular risk area being considered. For example, a strategic risk assessment would involve senior management, senior finance people, and the strategic planning area. An operational risk assessment would include those from the operating units because they have the insight into how the business processes actually work and, specifically, what threats would interrupt the accomplishment of operational objectives.

A risk framework can be helpful to facilitate the risk identification process. The framework provides guidance to the risk assessment participants and helps them organize the identified threats. The framework can organize risks by categories and by structural element (e.g., strategy, people, process, technology, data) or by business process (e.g., revenue cycle, disbursement cycle, cash management and treasury, financial reporting, operations).

The risk framework should consider both internal and external factors. Risk assessment participants should be tasked and encouraged to identify threats from both factors. Examples of internal and external risk factors are listed next.

Internal Risk Factors
• Communication methods
• Risk assessment activities
• Appropriateness of internal control activities
• Labor relations
• Training and capability of the employees
• Degree of supervision of employees
• Operational risks
• Financial risks
• Strategic risks

External Risk Factors
• Regulatory changes
• Industry competition
• Relationships with key suppliers
• Relationships with customers
• Recruiting and hiring activities
• International risk
• Hazard risks

Tools, diagnostics, and processes that may be used to support risk identification include:

• Brainstorming
• Interview
• Checklists
• Flowcharts
• Scenario analysis
• Value chain analysis
• Business process analysis
• Systems engineering
• Process mapping
• Computed cash flow at risk
• Projected earnings at risk
• Projected earnings distributions
• Projected EPS distributions

Once risks are identified, they can be prioritized by risk ranking or risk mapping. A risk map graphically illustrates the impact of risks. It is helpful for management to periodically perform a hindsight evaluation to identify events that were not identified in the prior risk assessment. This allows management to refine and improve the risk assessment process.

Risk Assessment

Risk assessment is a forward-looking survey of the business environment to identify anything that could prevent the accomplishment of organizational objectives. Risk assessment involves the identification of internal and external means that could potentially defeat the organization's internal control structure, compromise assets, or diminish the organization's financial viability. It is a creative process covering both risk identification and risk response. It involves identifying as many potential threats as possible and evaluating them to determine the proper response (i.e., which require action and the priority for that action). The risk response process also should estimate the probability of each threat occurring.

Assessing risks appears to be a quantitative and scientific process, but if risks are assessed and prioritized improperly, unexpected losses can occur. There exist a number of qualitative considerations in assessing risk, such as ranking the risks in order of importance and visualizing the risks with the use of a risk map. A risk map enables an analysis of risks not only on an individual level but also in relation to one another. Additionally, as risk assessments are refreshed over time, a risk map can allow analysis over time. Moreover, the maximum possible loss should be computed and used subjectively in the assessment of risk.

Risk assessment is the process of analyzing the potential effects of identified risks. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.

1. Impact. The effect the risk occurrence would have on the organization's objective if it were to occur. For example, what loss would happen if a particular risk factor occurred and was not detected and corrected?
2. Likelihood. The probability or chance that the risk actually will occur.

Risk assessment is a function of the organization's risk appetite and the estimate of potential risk. Risk appetite is the level of risk the organization is willing to accept, given its mission and business model. The organization's risk appetite determines how management will manage risks. For example, the more risk-averse an organization is, the more management will be willing to spend on mitigating the risk.

Probabilistic or non-probabilistic models may be used to quantify risk. Management uses qualitative techniques to assess risk when risks do not lend
themselves to quantification or when sufficient reliable data is not available to use a quantitative model. Non-probabilistic models use subjective assumptions to estimate the impact of events without quantifying an associated likelihood. Examples of non-probabilistic models include sensitivity measures and stress tests.

Probabilistic models associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Examples of probabilistic models include VaR and the development of credit and operational loss distributions. Scenario analysis may be applied on a non-probabilistic or probabilistic basis. As described previously, scenario analysis involves identifying possible future outcomes, attaching probabilities to the results, and mitigating the risks that exceed the organization's risk appetite.

Ideally, risk assessment activities are performed continuously by all employees within the organization. However, the process must be driven by those responsible for organization governance: the board of directors and the audit committee. Their commitment, involvement, and attitude toward risk must be communicated down through the entire organization. As risks are identified, they are assigned to the appropriate level of management for consideration. The resulting risk assessment culture becomes an integral part of the organization's control environment. In most instances, and typically for strategic risks, the risk assessment process is conducted at regular intervals, usually once a year.

Management should assess both the inherent risk and the residual risk for an event.

a) Inherent risk is the risk to achieving entity objectives in the absence of any actions management might take to alter the risk's likelihood or impact.
b) Residual risk is the risk to achieving objectives that remains after management's responses have been developed.

Assessing risk generally involves the use of probabilities. For example, if there is a 40% chance that a company will suffer a 1,000,000 loss and a 60% chance that the company will suffer a 300,000 loss, the expected loss can be estimated as 580,000 [(0.4 × 1,000,000) + (0.6 × 300,000)]. Determining the estimated amounts and their probabilities involves experience, information, and judgment.

Risk Prioritization

In the risk prioritization step, the overall set of identified risk events, their impact assessments, and their probabilities of occurrence are "processed" to derive a most-to-least-critical rank order of identified risks. A significant purpose of prioritizing risks is to form a basis for allocating resources.

An organization's risk attitude is made up of a combination of its risk appetite, risk tolerance, and risk threshold. These three attributes are defined as:

a) Risk Appetite
The degree of uncertainty an entity is prepared to accept in pursuit of its objectives.

b) Risk Tolerance
The degree, amount, or volume of risk impact that an organization or individual will withstand.

c) Risk Threshold
The level of uncertainty or impact at which a stakeholder will have a specific interest. Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold, the stakeholder will not accept the risk.

Suppose an organization has a high risk appetite but low risk tolerance. In that case, it will tend to prioritize its risk responses around the anticipated level of the risk impacts rather than the level of uncertainty in risk event occurrence. This may be due to the fact that the organization's business strategy is to operate in unstable or high-threat environments, where it is constantly exposed to the occurrence of risk events. In this case, the organization will develop its risk response plan to prioritize the neutralization (or optimization, in the case of opportunity risks) of risk impacts rather than control the occurrence of risk events.

Conversely, an organization with a low risk appetite but high risk tolerance (a very unusual case) will prioritize its risk responses by minimizing the probability of risk event occurrence and putting less effort into controlling the risk impacts. In both cases, the organizations' risk thresholds will be defined by their respective risk appetite and risk tolerance levels. Risk attitude is also primarily determined by the industry sector in which an organization operates.

Risk Response Formulation

Risk response involves reducing risks to an acceptable level by employing the following tactics:
Avoidance

Risk is avoided when the organization refuses to accept it. The exposure is not permitted to come into existence. This step is accomplished by simply not engaging in the action that gives rise to risk. If you do not want to risk losing your savings in a hazardous venture, then pick one where there is less risk. If you want to avoid the risks associated with property ownership, do not purchase property but lease or rent. If the use of a particular product is hazardous, then do not manufacture or sell it.

This is a negative rather than a positive technique. It is sometimes an unsatisfactory approach to dealing with many risks. If risk avoidance were used extensively, the business would be deprived of many profit opportunities and probably would not achieve its objectives.

Reduction

This response involves taking action to reduce risk likelihood or impact, or both. Risk can be reduced in two ways—through loss prevention and control. Examples of risk reduction are medical care, fire departments, night security guards, sprinkler systems, burglar alarms—attempts to deal with risk by preventing the loss or reducing the chance that it will occur. Some techniques are used to avoid the occurrence of the loss, and other methods like sprinkler systems are intended to control the severity of the loss if it does happen. No matter how hard we try, it is impossible to prevent all losses. The loss prevention technique cannot cost more than the losses.

Acceptance

This step is sometimes called risk retention. It is the most common method of dealing with risk. Organizations and individuals face an almost unlimited number of risks, and in most cases, nothing is done about them. When some positive action is not taken to avoid, reduce, or transfer the risk, the possibility of loss involved in that risk is retained. Risk retention can be conscious or unconscious. Conscious risk retention takes place when the risk is perceived and not transferred or reduced. When the risk is not recognized, it is unconsciously retained—the person retains the financial risk without realizing that he or she is doing so.

Risk retention may be voluntary or involuntary. Voluntary risk retention is when the risk is recognized, and there is an agreement to assume the losses involved. This is done when there are no more attractive alternatives. Involuntary risk retention occurs when risks are unconsciously retained or cannot be avoided, transferred, or reduced.

Risk retention may be the best way. Everyone decides which risks to retain and which to avoid or transfer. A person may not be able to bear the loss. What may be a financial disaster for one may be handled by another. As a general rule, the only risks that should be retained are those that can lead to relatively small certain losses.

Transfer

Risk may be transferred to someone more willing to bear the risk. The transfer may be used to deal with both speculative and pure risk. One example is hedging; hedging is a method of risk transfer accomplished by buying and selling for future delivery so that dealers and processors protect themselves against a decline or increase in market price between the time they buy a product and sell it. Pure risks may be transferred through contracts, like a hold-harmless agreement where one individual assumes another's possibility of loss. Contractual agreements are common in the construction industry. They are also used between manufacturers and retailers about product liability exposure. Insurance is also a means of transferring risk. In consideration of payment or premium by one party, the second party contracts to indemnify the first party up to a specific limit for the specified loss.

Sharing

The following chart is useful in determining which response may be most appropriate given the likelihood and impact of a certain risk. For example, consider a manufacturer that contracts with a sole supplier for a particular product. Management might consider a scenario in which a natural disaster disrupts the supplier's processes. Let's assume the magnitude of such an event would have a very high impact on the business. If the likelihood is low, management might decide to transfer some of the risks to a third party by purchasing business disruption insurance. If the likelihood is high, management should consider finding alternate sources for needed supplies.

                   Low Impact                                 High Impact
Low Likelihood     Accept risk                                Purchase insurance to transfer risk to another party
High Likelihood    Reduce risk with internal controls, etc.   Avoid risk by changing where and how business is conducted

Financial risks may be lessened by adjusting the organization's capital structure to minimize the cost of capital. The cost of capital is a function of the mixture of debt, preferred stock, retained earnings, and common stock issued in the organization's capital structure. The proper mix will reduce bankruptcy risk and agency costs to an acceptable level.

It is vital to perform a cost-benefit analysis on all risk responses. For example, establishing controls costing 100,000 per year to mitigate a low risk of 500,000 would probably not be a good business decision.

Risk Monitoring and Control

The final step in the Risk Management Process is Risk Monitoring and Control. The purpose of this step is to address how risk will be monitored. This includes verifying compliance with the risk response decisions by ensuring that the organization implements the risk response measures (and any information security requirements), determines the ongoing effectiveness of risk response measures, and identifies any changes that would impact the risk posture.

Risk monitoring activities at the various levels of the organization (or with other organizational entities) should be coordinated and communicated. This can include sharing risk assessment results that would have an organization-wide impact on risk responses being planned or implemented. The organization should also consider the tools and technologies needed to facilitate monitoring and the frequency necessary for effectively monitoring risks, including the changes that would impact responses to risks.

For the risk management plan to be helpful for a business, the plan needs to clearly establish and define policies and procedures for staff members to follow and understand easily. This helps employees understand how their responsibilities and roles tie into the risk management plan. Having all employees on the same page also will ensure they respond adequately when necessary.

There is no guarantee which – or if any – risks will occur for a business. Still, the key is to be prepared for any possibilities and understand the importance of properly managing these potential risks. With the proper understanding of risk management and an effective risk management plan, a business can operate confidently, knowing that it is prepared for all potential circumstances that could negatively impact the bottom line.

STUDY GUIDE

I. Enterprise Risk Management

A. Enterprise risk management (ERM) concerns the identification and management of events and circumstances that can affect the ability of a firm to achieve its objectives. ERM is the process of a coordinated, organization-wide risk management system. It is not a department or a function, but rather a holistic approach to a firm's culture, capabilities, and practices. ERM emphasizes cooperation among departments to manage the organization's full range of risks as a whole instead of merely responding to each individual event on its own.

B. Following the high-profile business scandals and failures in the early 2000s, in 2004 the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM model was developed to facilitate a broader understanding of an entity's overall strategies and goals and the threats to those strategies and goals. COSO issued an updated framework in 2017.

C. According to COSO ERM, the benefits of enterprise risk management include:

1. Increasing the range of opportunities—By considering all possibilities—both positive and negative aspects of risk—management can identify new opportunities and unique challenges associated with current opportunities.

2. Identifying and managing risk entity-wide—Every entity faces myriad risks that can affect many parts of the organization. Sometimes a risk can originate in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance.

3. Increasing positive outcomes and advantage while reducing negative surprises—Enterprise risk management allows entities to improve their ability to identify risks and establish appropriate
responses, reducing surprises and related costs or losses, while profiting from advantageous developments.

4. Reducing performance variability—For some, the challenge is less with surprises and losses and more with variability in performance. Performing ahead of schedule or beyond expectations may cause as much concern as performing short of scheduling and expectations. Enterprise risk management allows organizations to anticipate the risks that would affect performance and enable them to put in place the actions needed to minimize disruption and maximize opportunity.

5. Improving resource deployment—Every risk could be considered a request for resources. Obtaining robust information on risk allows management, in the face of finite resources, to assess overall resource needs, prioritize resource deployment, and enhance resource allocation.

6. Enhancing enterprise resilience—An entity's medium- and long-term viability depends on its ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This is, in part, enabled by effective enterprise risk management. It becomes increasingly important as the pace of change accelerates and business complexity increases.

D. COSO ERM Framework

The COSO ERM framework has five interrelated components:

1. Governance and Culture—Governance sets the organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

2. Strategy and Objective-Setting—Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

3. Performance—Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

4. Review and Revision—By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.

5. Information, Communication, and Reporting—Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

II. Risk Events

A. As part of an ERM development process, firms should identify specific events that may occur and present risk to the firm.

B. The risks facing an organization can be external or internal in nature.

1. Examples of external risks
A. Natural disasters, particularly those common in the area of operations
B. External computer hacking
C. Technological change making current offerings obsolete
D. Competitive pressure
E. Relationships with key suppliers and/or customers
F. Risk of political issues disrupting operations


2. Examples of internal risks
A. Fraud and collusion by employees
B. Management departures
C. Employee morale
D. Liquidity and solvency concerns

C. Firms can construct a portfolio of different activities, products, services, and strategies to mitigate the impact of a single event on the overall risk management program.

1. Diversification within an organization can take many different forms.
A. A manufacturing company may offer repair services with products or serve customers in different industries to lessen the impact of lower sales in one line of business.
B. A service organization may serve customers in different industries or offer different services to protect itself in the event of a slowdown in one particular area.
i. Accounting firms may offer audit and tax services, which are needed in any economic climate, in addition to technology and consulting services, which may be more dependent on strong economic conditions.
ii. A web design firm may also offer graphic design or logo design to lessen the impact of businesses not requiring web design services.

2. Firms with strong portfolios of different activities and risk management tools can rely on the strength of their other areas to offset risks in riskier areas.

Summary

The identification and management of events and circumstances that affect the ability of a firm to achieve its objectives is called enterprise risk management (ERM). The COSO ERM conceptual framework uses specific goals and components to help manage risk. As part of risk management, firms should also identify specific events that could present risk to the firm and construct a portfolio of ways to mitigate the impact of a single event.

Further Reading

Enterprise Risk Management: Integrating with Strategy and Performance. COSO. June 2017.
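The module's Risk Assessment, Risk Prioritization and Risk Response Formulation sections describe a procedure (score each event by likelihood and impact, compute an expected loss, rank the register most-to-least critical, pick a response from the likelihood/impact chart, and check each response against its cost) without showing it carried through on a register. The Python below is an added worked example of that procedure; it is not code from the module, from the university, or from COSO. The risk events, probabilities, loss amounts and the 40,000 and 100,000 control costs are constructed sample values, and the chart's "Low"/"High" cut-offs are expressed as numeric thresholds standing in for the organization's risk appetite, which is an assumption of this example rather than something the module prescribes. The `expected_loss` helper reproduces the module's own 40% / 60% calculation, and `residual_after_control` together with `control_is_worthwhile` applies the module's inherent-versus-residual and cost-benefit ideas to a control.

```python
"""Added worked example for steps 2-4 of the module's risk management
process (assessment, prioritization, response formulation). Not code from
the module or from COSO; every event, probability, amount and threshold
below is a constructed sample value."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    """An identified risk event with its two assessment dimensions."""
    name: str
    likelihood: float   # probability of occurring in the planning period, 0..1
    impact: float       # loss if it occurs and is not detected and corrected

    def expected_loss(self) -> float:
        """Probability-weighted loss of this single event."""
        return self.likelihood * self.impact


def expected_loss(outcomes):
    """Expected loss over mutually exclusive (probability, loss) outcomes,
    the calculation behind the module's 40% / 60% example. The
    probabilities must cover all outcomes, i.e. sum to 1."""
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("outcome probabilities must sum to 1")
    return sum(p * loss for p, loss in outcomes)


def choose_response(event, likelihood_threshold, impact_threshold):
    """Look the event up in the module's likelihood/impact chart.
    The thresholds encode the organization's risk appetite (an assumption
    of this example): at or above a threshold, that dimension is 'high'."""
    high_likelihood = event.likelihood >= likelihood_threshold
    high_impact = event.impact >= impact_threshold
    if high_likelihood and high_impact:
        return "avoid"     # change where and how business is conducted
    if high_likelihood:
        return "reduce"    # internal controls lower likelihood or impact
    if high_impact:
        return "transfer"  # insurance, hold-harmless agreement, hedging
    return "accept"        # conscious risk retention


def prioritize(events, likelihood_threshold, impact_threshold):
    """Step 3: rank the register most-to-least critical by expected loss
    (ties broken by impact), and attach the step-4 response for each."""
    ranked = sorted(events, key=lambda e: (e.expected_loss(), e.impact),
                    reverse=True)
    return [(e.name, e.expected_loss(),
             choose_response(e, likelihood_threshold, impact_threshold))
            for e in ranked]


def residual_after_control(event, likelihood_factor=1.0, impact_factor=1.0):
    """Residual risk: the inherent event with its likelihood and/or impact
    scaled by the control's effect (1.0 = no change, 0.0 = eliminated)."""
    return replace(event,
                   likelihood=event.likelihood * likelihood_factor,
                   impact=event.impact * impact_factor)


def control_is_worthwhile(control_cost, inherent, residual):
    """Cost-benefit rule: a control is justified only when the expected
    loss it removes exceeds what it costs."""
    return inherent.expected_loss() - residual.expected_loss() > control_cost


# Constructed sample register (not from the module).
SAMPLE_REGISTER = [
    RiskEvent("Regulatory fine for a late filing", 0.10, 50_000),
    RiskEvent("Phishing leads to credential theft", 0.60, 200_000),
    RiskEvent("Sole supplier halted by natural disaster", 0.05, 5_000_000),
    RiskEvent("Primary data center sits in a flood plain", 0.30, 4_000_000),
]

# Constructed appetite thresholds: likelihood >= 25% or impact >= 1,000,000
# counts as "high" on the chart.
LIKELIHOOD_THRESHOLD = 0.25
IMPACT_THRESHOLD = 1_000_000


if __name__ == "__main__":
    print("Module example, expected loss:",
          expected_loss([(0.4, 1_000_000), (0.6, 300_000)]))
    for name, loss, response in prioritize(SAMPLE_REGISTER,
                                           LIKELIHOOD_THRESHOLD,
                                           IMPACT_THRESHOLD):
        print(f"{loss:>12,.0f}  {response:<8}  {name}")
    # Cost-benefit check on a constructed phishing control: awareness
    # training plus MFA at 40,000/year, cutting likelihood to a quarter.
    phishing = SAMPLE_REGISTER[1]
    after = residual_after_control(phishing, likelihood_factor=0.25)
    print("Phishing control worthwhile:",
          control_is_worthwhile(40_000, phishing, after))
```

Run as a script, the register comes out in the order flood plain (avoid), sole supplier (transfer), phishing (reduce), regulatory fine (accept), which is the chart applied row by row; the sole-supplier line reproduces the module's business-disruption-insurance example. The cost-benefit check is where a practitioner learns the most: a 100,000-per-year control that completely removes a 10% chance of a 500,000 loss only buys back 50,000 of expected loss, so `control_is_worthwhile` returns False for it, matching the module's guidance, while the cheaper phishing control that removes 90,000 of expected loss passes.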
