EKRP211 Notes

The EKRP 211 notes outline the risk management model, emphasizing its importance in protecting organizations from physical and financial risks through a comprehensive, inclusive, and proactive approach. Key elements of the risk management process include risk identification, evaluation, control, financing, and program monitoring, all aimed at minimizing losses and maximizing returns. Additionally, the document discusses the concept of risk, its classifications, and operational risk, highlighting the various sources and impacts of risk on organizations.

Uploaded by khanyisile289

EKRP 211 Notes

1.1 The Risk Management Model


Definition: Risk management
Risk management is a managerial function aimed at protecting the organization and
its people, assets and profits against the physical and financial consequences of risk.
It involves planning, coordinating and directing the risk-control and the risk-financing
activities in the organization.

Why is risk management important?

The substantial cost if risk management fails, and the equally large benefits that accrue
from managing the ratio of reward to risk, highlight the importance of risk management
for the business.

The approach to risk management is:

1. Comprehensive;
2. Inclusive;
3. Proactive;

1. Comprehensive:
– Considers all levels in the business, namely:
• Environment and culture – the approach the organization uses to manage risk;
• Strategy – setting a clear risk framework and action plan;
• Process – management implements the strategy step by step;
• Structure – involvement / responsibility of staff in the process.

2. Inclusive:
– Risk management must involve all the levels of the organization;
– It requires that the risk-to-reward ratio for all types of risk be considered;
– The company’s directors must play a leading role in setting a clear risk
framework…
– Risk framework:
• A guide for management that relates investors’ expectations to the risk-reward
ratio;
• Guidelines for acceptable levels of risk, which risks will have to be transferred
and which risks should be insured;
• At management level this requires a full understanding of the risk
management principles in order to embed a risk management culture;
• The interaction between strategic and operational activities is essential for
implementation;
• Reward systems must be designed to encourage risk awareness and reward
behavior that is consistent with the day-to-day risk management culture;

3. Proactive:
– Risks must be anticipated in advance;
– Risks must be properly catered for through both risk control and risk financing
arrangements;
– In this way risk management becomes an integral part of general management,
as opposed to a set of isolated functions comprising risk control and risk
financing;

ELEMENTS IN THE RISK MANAGEMENT PROCESS (MODEL)
1. Determining the objectives of the risk management function;
2. Risk identification;
3. Risk evaluation and assessment;
4. Risk control;
5. Risk financing;
6. Program monitoring and administration;

1. Determining the objectives of the risk management function

– Risk management goals and objectives:
• are critical;
• should be aligned with the mission of the organization; and
• provide the yardstick against which the success or failure of the program is
measured;

2. Risk identification
– (1) Identify the risks that are inherent to the business type:
• Hazard risks;
o Improperly maintained machinery / equipment;
• Exposure risks;
– (2) Identification is followed by risk analysis:
• The risk manager must understand the nature of those hazards, risk
factors and exposures; how they come to exist and how they interact to
produce a loss or gain;

3. Risk evaluation and assessment (most important step)

– Together with identification, it represents the foundation for planning, organizing
and managing the risk to reduce the impact of possible losses;
– Risk evaluation – how frequent and how severe accidents are likely to be and
how they may interfere with the organization’s success – entails quantifying the
risk and determining its possible impact on an organization;
– The process is continuous since the frequency and severity of losses are
constantly changing;
4. Risk control
– Minimize risk practically;
– By implementing a physical risk management program with the following goals:
• Reduce the magnitude of the exposure;
• Reduce the frequency of loss-producing events;
• Deal physically with loss-producing events;
• Recover physically from loss-producing events;
– Risk control programs are practical because they are conducted at the source of
the risk;
– Three different responses to risk:
• Avoidance: risks can be avoided by not carrying out specific activities;
• Acceptance: certain risks are inherent to a specific business;
• Mitigation: after acceptance, is aimed at lessening the impact of the risk;

5. Risk financing
– Entails the financial provision for losses that may occur;
– Provides the means of reimbursing losses that occur;
– Funds other programs to reduce uncertainty and risk, or to increase positive
outcomes;
– The financing of losses that do occur can for instance be done by one of the
following:
• Insurance coverage;
• Registering bonds on fixed property;
• Recognition of debt / providing security
(e.g. funding of highway safety through toll gates…)
– The most effective methods of financing risks:
• The retention of risk under a deliberate self-funding plan, such as keeping capital
or liquid assets to absorb losses;
• The combination of risks (diversifying or hedging) to obtain the benefit of
greater certainty in predicting the loss occurrences;
• Transferring the cost of risks to third parties through techniques such as
insurance;

6. Program monitoring and administration

– Monitoring establishes procedures for the day-to-day operations of the risk
management program;
– Although these elements are listed in sequence, risk management is not a
sequential process and the elements can also overlap;

What is the relationship between risk and return?
– Risk is an inherent part of investing.
– In order to get a reasonable return on an investment, risk has to be present.
– A riskless asset will produce little or no return.
– The intelligent investor manages risk by recognizing its existence, measuring its
degree in any given investment and realistically assessing his or her capacity to take
risk.

• Example (1): R 100 gain for 50% risk vs. R 80 gain with 40% risk
o R 100 gain for 50% risk
• Example (2): R 100 gain for 80% risk vs. R 80 gain with 40% risk
o R 80 gain for 40% risk

– The questions to ask are:
• Can I afford the loss if it occurs?
• Am I emotionally prepared to deal with the uncertainties of high-risk investments?
• Do I need to take this kind of risk to achieve my investment goals?
1.2 The Concept of Risk
The elements of risk:
1. Environmental factors;
2. Sources;
3. Events;
4. Outcomes;

1. ENVIRONMENTAL FACTORS:
– It may be anticipated that two projects could produce similar outcomes, but from a
risk perspective this does not mean they are the same.
– For example:
• Two factories with the same capital investment;
• Both exposed to the risk of fire;
• One manufactures steel products, the other wood products;
• In terms of the peril of fire, the wood factory is more hazardous than the
other.

2. SOURCES (Peril):
– An outcome can often be traced back to specific sources of loss;
– For example:
• A fire may be the cause of damage to a building, resulting in financial
loss;

3. EVENTS:
– Most of the time, outcomes can be traced back to a specific time and place;
– THUS: an event took place.
– Positive outcomes are not necessarily traced back to a specific event:
• Profits accrue over a period of time and are not confined to a specific event.
– Events can also be recorded, e.g. the number of motor accidents or fires.
– Since events can be recorded, the data can be subjected to statistical analysis.
4. OUTCOMES:
– Outcomes can either be positive (favorable) or negative (unfavorable);
– At least five different forms of unfavorable outcomes:
• Damage to property: fire or floods;
• Consequential losses (arise from property damage): loss of income, cost of repair;
• Death or injury: employees killed/injured during fire/flood;
• Legal Liability: claims against company – compensation;
• Purely financial: employees that strike;
– Positive outcomes are usually expressed in monetary values:
• Profit on an investment;
– Outcomes may be anticipatory rather than actual:
• Building designed to resist an earthquake that may take place;
– Past outcomes can be recorded and measured suggesting that risk management
requires data to be collected and analyzed.

Risk
Risk is defined as the variation of the actual outcome from the expected outcome.
Thus the standard deviation is an appropriate measure of risk.
Risk therefore implies the presence of uncertainty.

Risk and uncertainty:

– Uncertainty prevails because the outcomes of situations are not known in advance;
– Such situations display risk;
– The extent to which probabilities can be assigned to possible outcomes indicates
that risk can be described mathematically;
– In situations where probabilities cannot be assigned, risk cannot
be quantified, and whether one regards these situations as uncertain, as opposed
to risky, becomes immaterial;
Thus: the degree of uncertainty surrounding the event determines the extent of
the risk;

Implication of this definition:


– Uncertainty surrounds the outcome of the event:
 The decision maker is uncertain about the outcome, but predicts an expected
outcome;
 The actual outcome may deviate from the expected outcome;
 If the outcome was certain, there would be no deviation from the expected
outcome and thus no risk;
– The extent of the uncertainty / deviation between the actual outcome and the
expected outcome determines the level of risk:
 The greater the possible deviation, the greater the risk;
– From a risk management perspective, uncertainty exists concerning:
 Whether the event or occurrence will take place; and
 If it does, what the outcome (financial) of the event will be;
– Risk management implies not only the financial provision for the consequences of an
event, but the effort to:
 Minimize the likelihood of the loss-producing event;
 Minimize the adverse effects once the event has occurred;

Definition: Risk
Risk can be defined as a deviation from the expected value. It implies the presence of
uncertainty. There may be uncertainty as to the occurrence of an event producing a
loss, and uncertainty as regards the outcome of the event. The degree of risk is
interpreted with reference to the degree of variability and not with reference to the
probability that it will display a particular outcome. The standard deviation becomes a
good measure of risk;
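The definition above measures risk by the spread of outcomes around the expected value, not by the probability of any one outcome. As an added illustration that is not part of the original notes, the following Python computes the expected value and standard deviation for constructed outcome distributions, compares two projects with the same expected outcome but different variability, and refuses to quantify a distribution whose probabilities have not been properly assigned (the uncertain-but-not-quantifiable case described in the notes). The project names and all figures are constructed.

```python
import math

# Each project is a list of (probability, outcome in rand) pairs.
# The projects and their figures are constructed for illustration only.
PROJECT_A = [(0.5, 150.0), (0.5, 50.0)]     # narrow spread around 100
PROJECT_B = [(0.5, 300.0), (0.5, -100.0)]   # wide spread around 100
CERTAIN = [(1.0, 100.0)]                    # a certain outcome: no variability


def validate(distribution, tol=1e-9):
    """Risk can only be quantified when every outcome has a probability and
    those probabilities sum to one (the notes' condition for a risk that can
    be described mathematically). Raises ValueError otherwise."""
    if not distribution:
        raise ValueError("no outcomes given: risk cannot be quantified")
    if any(p < 0 for p, _ in distribution):
        raise ValueError("negative probability: risk cannot be quantified")
    total = sum(p for p, _ in distribution)
    if abs(total - 1.0) > tol:
        raise ValueError(f"probabilities sum to {total}, not 1: risk cannot be quantified")


def expected_value(distribution):
    """The expected outcome: the probability-weighted mean of the outcomes."""
    validate(distribution)
    return sum(p * x for p, x in distribution)


def standard_deviation(distribution):
    """The notes' measure of risk: the spread of outcomes around the expected
    value, independent of which particular outcome is more likely."""
    mu = expected_value(distribution)
    variance = sum(p * (x - mu) ** 2 for p, x in distribution)
    return math.sqrt(variance)


def rank_by_risk(projects):
    """Order named projects from least to most risky by standard deviation."""
    return sorted(projects, key=lambda name: standard_deviation(projects[name]))


if __name__ == "__main__":
    projects = {"A": PROJECT_A, "B": PROJECT_B, "certain": CERTAIN}
    for name, dist in projects.items():
        print(f"{name:8} expected={expected_value(dist):7.2f} "
              f"risk (std dev)={standard_deviation(dist):7.2f}")
    print("least to most risky:", rank_by_risk(projects))
```

Both constructed projects have the same expected outcome of R 100, yet B is four times as risky as A by this measure, and the certain outcome carries no risk at all, which is exactly the point the definition makes.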

Basic Classification

Peril:
– The source of loss;
– Perils give rise to risk, but are not defined as the risks themselves;
– For Example:
• Fires;
• explosions;
• storms;
• earthquakes;

Hazard:
– Relates to the circumstances surrounding the cause of loss;
– The material or physical aspects in the circumstances surrounding the cause of
loss are called “physical hazards”;
– For example:
• The power line was struck by lightning and consequently the building
burnt down.
– The personal aspects or characteristics are called “moral hazards”:
• It is the lack of incentive to guard against risk where one is protected from its
consequences, e.g. in the insurance industry.
• A moral hazard occurs when one party in a transaction has the opportunity to
assume additional risks that negatively affect the other party. The decision is
based not on what is considered right, but on what provides the highest level of
benefit.

Pure (or event) risks:
– Risks that have only the possibility of a loss;
– E.g. Risk of destruction of a building due to fire.

Speculative risks:
– Risks that have the possibility of either a profit or a loss;
– E.g. Entering into a profit-making venture.

Fundamental risks (Uninsurable):


– Arise from losses that are impersonal in origin and in consequence, and originate
in the economic, political or social interdependency of society;
– E.g. war, recession.

Particular risks (Insurable):


– Arise from losses that have their own origin in discrete events that are essentially
personal in cause;
– E.g. fire damage to a building or the explosion of a pressure tank;

Systematic risk:
– Is a market related risk;
– E.g. the case of changes in the value of the rand against the dollar;

Unsystematic risk:
– Events could take place within a particular company affecting the share value of
the specific company;
– E.g. assume the authorities decide not to register a drug that a pharmaceutical
firm has spent huge amounts on developing;

Systemic Risk
– The risk of the system collapsing.
– E.g. in South Africa the banking system was exposed to systemic risk when
Regal Bank and Saambou Bank collapsed; or Eskom;
Managerial Classification

Incidental Risks:
– Risks that arise naturally from the activities of a business, but are incidental in
the sense that they do not form part of the main business of the organization, yet
are necessary to ensure the continuation of the main business of the entity;
– The principal subcategory of incidental risks is financial risk, i.e.:
1. Interest rate risk;
2. Liquidity risk;
3. Investment (capital) risk;
4. Credit risk;
5. Currency risk;
6. Market risk

1. Interest rate risk:


Refers to the changes to the net interest income / expenses due to adverse variations in
interest rates;

2. Liquidity risk:
Risk that operations cannot be funded and financial commitments cannot be met
timeously and cost effectively;

3. Investment (capital) risk:


Refers to the possibility that investments may be adversely affected by losses stemming
from risks to which they are exposed;

4. Credit risk:
The risk that a financial contract will not be concluded according to the original set of
terms, i.e. the risk that the counterparty to the contract will default;

5. Currency risk:
Currency (foreign exchange) risk concerns the possible impact that changes in
exchange rates may have on the foreign exchange holdings or the commitments
payable in foreign currencies by business organizations;

6. Market Risk:
The day-to-day potential for an investor to experience losses from fluctuations in
securities prices.

Operational risks
Refers to risks of a non-speculative nature that have no potential for showing a profit.
Traditionally, many of these can be insured.
E.g. destruction of an asset by a fire. If the fire does not occur, then no loss occurs;
Inherent risks:
– All the activities, decisions and events that impact on the operating profit of an
organization;
– They cause fluctuations in the operating profit of the company and
eventually also in the earnings of the ordinary shareholder;
– Two different types:
• Specific risk or unsystematic risk:
o results from variations affecting an individual company and is
uncorrelated with the rest of the economy;
• Systematic risk or market risk:
o stems from occurrences that affect the economy as a whole;

– Specific business risk, or the volatility of operating income, can be segregated
further into the following:
• Sales variability:
measured by the standard deviation of sales over time and dependent
on consumer demand;
• Operating leverage:
dependent on the production function and specifically the mix of fixed and
variable input costs of producing goods:
o Fixed costs: costs that remain the same regardless of the level of
sales volumes;
o Variable costs: vary directly in relation to sales volumes;
• Resource risks:
in the production process, the firm brings together a number of specific
resources such as labor, material, capital and technology;
changes in the productivity of these resources bring about changes in the
profits and therefore cause risk to shareholders;
• Profit margin and turnover:
affect the operating profit;
increases in competition may result in lower profit margins and/or a
smaller turnover, therefore causing risk to shareholders;
The required return increases with increasing levels of systematic or
market risk.
2.1 Operational Risk
Operational risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes,
people, and systems or from external events.
Operational risk does not include reputational, strategic and systemic risk

Four levels at which operational risk can appear:

1. People;
2. Processes;
3. Technical;
4. Technology risk;

1. People Risk
• Due to a human (employee) error, a lack of expertise and fraud, including a lack
of compliance with existing procedures and policies;
– Employee errors:
• Cause disruption in business process resulting from:
• Employee mistakes:
o Documentation and keying-in errors;
o Teller mistake at the bank;
o Trading “finger mistake”
– Employee misdeeds:
• Cause disruption in the business process resulting from:
• Employees’ dishonest, fraudulent or malicious activities:
o Benefitting from tender inside information;
o Causing damage to a company car;
o Stealing from the company by generating invoices for own
income;
– Employees not available:
• Cause disruption in the business process resulting from:
• Personnel not available at critical times;
• Key personnel leaving the institution:
o Understaffed, overworked, underpaid, overstressed
personnel;
– Employer practices:
• Cause losses for a firm due to:
o Discrimination;
o Harassment;
o Employee or civil rights abuses;
o Wrongful termination of employment;
o Employee health and safety issues;

2. Process Risk:
The risk emerges as a result of a malfunction in the information system and can
be external or internal.
– Inadequate procedures and controls for reporting, monitoring and
decision-making;
– Inadequate procedures for processing information such as errors in
booking transactions and failure to scrutinize legal documentation;
– Organizational deficiencies;
– Errors in the recording process of transactions;
– The technical deficiencies of the information system or the risk measures;
– Risk surveillance and excess limits:
• Managing deficiencies in risk monitoring, such as:
• not providing the right incentive to report risks, or
• not abiding by the procedures and policies in place;

3. Technical risk
– Relates to model errors, implementation and the absence of adequate
knowledge/expertise to measure risk;
– Can also be the risk of:
o Incorrect installation of certain software;
o Outdated computers;

4. Technology risks (external party)

– Relate to deficiencies of the information system and system failure;
– Examples of specific loss scenarios:
• External disruption in the business process due to outside system
failure or maintenance, e.g. failures of exchanges (commodities or
equities);
• Software problems, an outdated system unable to handle the institution’s
needs;
• Loss of electricity at a critical time (third-party system failure);
5. Physical risk (fifth category of operational risk, but not included in the four levels)
– This risk level is the risk to an institution’s business processes and key
facilities due to unavailable or improperly maintained physical assets;
– All these can cause a temporary or permanent disruption in the work
environment;
– Examples include:
• Crime;
• Natural disasters – earthquakes, tornadoes;
• Unnatural disasters – bombs, fires, explosions;
• Product/facility damage – damage to physical plant, product recalls;

Internal operational risk (Failure risk)


– The risk encountered in pursuit of a particular strategy due to:
• People
• Processes
• Technology

External operational risk (Strategic risk)


– The risk of choosing an inappropriate strategy in response to environmental factors,
such as:
• Political
• Taxation
• Regulation
• Government
• Societal

Internal operational risk (operational failure risk)

– Arises from the potential for failure in the course of operating the business;
– DEF: the risk that there will be a failure of people, processes or technology
within the business unit.
– A proportion of these failures may be anticipated, and these risks should be built
into the business plan;
– Because that proportion can be anticipated, it is the uncertain failures that give rise
to operational risk;
• Failures can be expected to occur periodically, although the impact and
frequency may be uncertain;

External operational risk (operational strategic risk)
– Arises from environmental factors, such as:
• a new competitor / increased competition;
• a major political and regulatory regime change;
• earthquakes and other such factors that are outside the control of the institution;
– NB: Businesses rely on people, processes, and technology outside their
business unit; the potential for failure there is referred to as external dependency risk;
– NB: Failure to address an operational strategic risk can translate into an
operational failure (internal) risk, e.g. failing to comply with a new tax law;

THE BASEL II COMMITTEE


The four key elements of operational risk management

1. Development of an appropriate risk management environment
2. Risk identification, measuring, monitoring and control
3. The role of disclosure
4. The role of supervisors

1. Development of an appropriate risk management environment:


– Senior management should be aware of the major aspects of the bank's
operational risk;
– Senior management should have the responsibility of implementing the
operational risk strategy approved by the board;
– Information flows within the banking organisation play a key role in
establishing and maintaining an effective operational risk management
framework;

2. Risk identification, measuring, monitoring and control:


– Managers should identify the operational risk inherent in all types of products,
activities, processes and systems;
– Managers should establish the necessary process to measure operational
risk;
– Managers should implement a system to monitor on-going operational risk
exposure and loss events by major business lines;
– Managers should have policies, procedures and processes to control or
mitigate operational risk;
– Basel Committee identified six processes that could assist managers in
identifying risks, which include the following:
1. Risk assessment: a bank assesses its operations and activities against a menu
of operational risk events (checklists, workshops to identify weaknesses and
strengths);
2. Risk mapping: process where various business units, organisational functions
or process flows are mapped by risk type;
3. Key risk indicators: risk indicators are statistics and/or metrics, often financial,
which can provide insight into the bank’s risk position (e.g. failed trades, staff
turnover);
4. Thresholds / limits: tied to the key risk indicators and alert management when
there are changes in the key risk indicators;
5. Scorecards: provide a means of translating qualitative assessments into
quantitative metrics;
6. Control activities:
1. Designed and implemented to address the risks that the bank has
identified;
2. For controllable risks the bank must decide the extent of control procedures
and other appropriate techniques, or accept the risk;
3. Banks should have a system in place for ensuring compliance with a
documented set of internal policies concerning the risk management
system;
4. Control activities should form an integral part of the regular activities of the bank
to be effective, and involve all levels of personnel;
5. Appropriate segregation of duties; it is important that the responsibilities
assigned do not create conflicts of interest;

3. The role of supervisors:


– Banking supervisors should require banks to have an effective system in place
to identify, measure, monitor and control operational risk as part of the
overall approach to ORM;
– Supervisors should conduct, directly or indirectly, regular independent
evaluations of bank strategies, policies, procedures and practices related to
operational risk.

4. The role of disclosure:

– The Basel Committee states one basic principle:
– Banks should make sufficient public disclosure to allow market participants to
assess their operational risk exposure and the quality of ORM.
2.2 KRI and KPI
KRI
(Key Risk Indicators)

– Risk indicators are important tools within operational risk management, facilitating
the monitoring and control of risk;
– Used to support a range of operational risk management activities and
processes, including:
– risk identification,
– risk and control assessments,
– the implementation of effective risk appetite, risk management and governance
frameworks.

KRIs definition:
– Metrics that provide information on the level of exposure to given operational risks
which the organisation has at a certain time.
– They serve as an “early warning system”.
– A risk indicator must have an explicit relationship to the specific risk whose
exposure it represents, e.g.:
– the number of customer complaints is likely to be linked to the risk of process errors;
– as customer complaints increase, the probability that underlying, non-systemic
mistakes and errors of judgement are being made is likely to rise.
– Rationale for this thinking: changes in the value of this indicator are likely to be
associated with changes in operational risk exposure or operational loss
experience.
– Further examples of risk indicators include:
– staff turnover (which may be linked to risks such as fraud, staff shortages and
process errors),
– the number of data capture errors (process errors) and,
– the number of virus or phishing attacks (IT systems failure)
– To evaluate trends/levels, KRIs are tracked against policy limits:
– e.g., market and credit risk exposure limits or performance standards (e.g.
non-payment of loans, tolerance for error rates or system downtime);
– External data should also be integrated to provide additional context for
internal KRIs:
– External data can include interest rate trends, industry credit default rates, or
competitive or industry benchmark data.
KRIs have three classifications:
1. Firm wide vs business specific
2. Risk indicator by class
3. Risk indicator by type

1. Firm-wide vs. Business-specific


– Business specific
• Business-specific KRIs are units that define an individual business type.
• E.g. Trading business – tracking transactions, settlements, and failed trades.
Vs.
• Retail banking – tracking customer accounts, complaints, and teller
shortages.
– Firm-wide (a broader definition):
• Risk indicators that can be applied to any type of business line.
• Comparable across the institution.
• E.g. Employee error rates, training costs (R/$) spent

2. Risk Indicator by Type:
– Inherent risk indicators
• Monitoring the business’ descriptive data.
• This provides a dimension of the inherent risk exposure.
• This data is relatively accessible and inexpensive.
• Used by operational risk managers to make risk financing and/or insurance
purchasing decisions.
• Trade Volumes, Transaction Values, Number of Transactions.
– Control risk indicators
• Represents management’s actions or inactions.
• May already be included in the processes or processes need to be modified.
• Data must represent the entire institution and all risk classes.

• Example of an individual risk indicator: technology applications
• An introduction of new technology requires training to maintain productivity
levels – an important measure to assess risk;
• These risk indicators capture valuable information, e.g. employee hours
(also overtime worked), employee numbers.
– Composite indicators
• Complex risk indicators.
• These combinations of risk indicators provide an opportunity to measure
multiple dimensions of risk associated with a specific class of risk,
behaviour, or business activity.
3. Model risk factors:
– A subset of the previously mentioned risk indicators.
– Risk managers do not use all the data in the operational risk measurement
model.
– Risk managers will select certain risk drivers from the previous categories in
order to apply the most effective ones for modelling purposes.
– Factor models will be derived from various underlying risk indicators.

4. Risk Indicator by Risk Class:


– Mapping the KRI into risk classes.
– E.g. People, relationships, technology…

Identifying Key risk indicators


– It’s important to capture both quantitative and qualitative data.
– Risk indicators must be present in the best institutions to be successful in their
performance. Different indicators are used at different levels/areas, e.g. sales
department = customer complaint rates, production department = employee
error rates.
– Composite risk indicators are useful management tools (e.g. tracking a variety of
issues in a survey and scoring the results in a weighted average).
– When identifying KRIs, the best risk indicators must be forward-looking/predictive
to be useful for modelling.
– Keep risk indicators relevant to the business. Staff and managers must be
involved in KRIs.
– Risk indicators used for modelling should be simplified. Numerous risk
indicators in modelling can be confusing to use.
– Scorecards are an effective way of combining qualitative and quantitative risk
indicators as their primary basis of operational risk.
Good sources for KRIs

1. POLICIES AND REGULATIONS: Regulations that govern the business activities
of the company, as well as the corporate policies and limits established by
management and the board.

2. STRATEGIES AND OBJECTIVES: Strategies established by senior
management, and their associated performance metrics, are another good
source. Note: performance metrics are designed to measure expected
performance, whereas KRIs should be designed to measure downside risk
or volatility of performance.

3. PREVIOUS LOSSES AND INCIDENTS: Many companies have compiled
loss/event databases that capture historical losses and incidents.

4. STAKEHOLDER REQUIREMENTS: Beyond regulators, the expectations and
requirements of other stakeholders – customers, rating agencies, stock analysts,
business partners.

5. RISK ASSESSMENTS: Risk assessments performed by the company –
including audit assessments, control self-assessments.

Good KRI Qualities


– Based on consistent methodologies and standards
– Incorporate risk drivers: exposure, probability, severity, and correlation
– Be quantifiable: $, %, or #
– Track in time series against standards or limits
– Tie to objectives, risk owners, and standard risk categories
– Balance of leading and lagging indicators
– Be useful in supporting management decisions and actions
– Can be benchmarked internally and externally
– Timely and cost effective
– Simplify risk, without being simplistic

KRI thresholds and limits


• Helps establish boundaries that, when exceeded, alert organisation to
potentially significant changes in risk exposure.
• Limit indicators should have a set of thresholds or limits with an escalation
structure attached to each threshold level.
• The key is to have the intervals between thresholds broad enough to allow
responsible individual or business entity/area to act before escalation kicks in,
but narrow enough to ensure that critical issues are addressed within an
appropriate time frame.
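The tiered threshold and escalation structure described above, as an added example that is not part of the notes: each tier maps to the party alerted when it is reached, readings are kept as a time series so a persistent breach can be told apart from a single spike, and a helper flags tiers spaced too closely for the risk owner to act before escalation. The KRI name, limits, owners, readings and the min_gap value are constructed assumptions.

```python
"""Tiered KRI thresholds with an escalation owner per tier (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threshold:
    level: int          # escalation tier; 1 is the least severe
    limit: float        # indicator value at which this tier is reached
    escalate_to: str    # role or committee alerted when the tier is reached


@dataclass
class KRI:
    name: str
    unit: str                      # quantifiable: "$", "%" or "#"
    owner: str                     # risk owner expected to act before escalation
    thresholds: Tuple[Threshold, ...]
    worse_when: str = "higher"     # "higher" or "lower": the adverse direction
    history: List[Tuple[str, float]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Tiers are numbered 1..n and limits move monotonically in the adverse
        # direction, so tier n is always the most severe.
        levels = [t.level for t in self.thresholds]
        limits = [t.limit for t in self.thresholds]
        descending = self.worse_when == "lower"
        if (levels != list(range(1, len(levels) + 1))
                or limits != sorted(limits, reverse=descending)):
            raise ValueError("tiers must be numbered 1..n with monotone limits")

    def _reached(self, value: float, t: Threshold) -> bool:
        return value >= t.limit if self.worse_when == "higher" else value <= t.limit

    def record(self, period: str, value: float) -> None:
        """Append one time-series observation (period label, reading)."""
        self.history.append((period, value))

    def tier(self, value: float) -> Optional[Threshold]:
        """Most severe tier reached by a single reading, or None if within limits."""
        reached = [t for t in self.thresholds if self._reached(value, t)]
        return max(reached, key=lambda t: t.level) if reached else None

    def evaluate(self) -> dict:
        """Assess the latest reading against the tiers and the recent trend."""
        period, value = self.history[-1]
        hit = self.tier(value)
        # Consecutive periods (ending with the latest) at or beyond tier 1: a
        # persistent breach is a stronger signal than a single spike.
        streak = 0
        for _, v in reversed(self.history):
            if not self._reached(v, self.thresholds[0]):
                break
            streak += 1
        trend = "n/a"
        if len(self.history) >= 2:
            prev = self.history[-2][1]
            if value == prev:
                trend = "flat"
            else:
                adverse = (value > prev) == (self.worse_when == "higher")
                trend = "worsening" if adverse else "improving"
        return {
            "kri": self.name,
            "period": period,
            "value": value,
            "level": hit.level if hit else 0,
            "escalate_to": hit.escalate_to if hit else self.owner,
            "periods_outside_limit": streak,
            "trend": trend,
        }


def narrow_intervals(kri: KRI, min_gap: float) -> List[Tuple[int, int]]:
    """Adjacent tiers whose limits are closer than min_gap, i.e. too little room
    for the risk owner to act before the next escalation; min_gap is a policy choice."""
    t = kri.thresholds
    return [(a.level, b.level) for a, b in zip(t, t[1:])
            if abs(b.limit - a.limit) < min_gap]


# Constructed sample KRI and monthly readings (illustrative values only).
SETTLEMENT_FAILS = KRI(
    name="Failed trade settlements per 1,000 trades",
    unit="#",
    owner="Head of Settlements",
    thresholds=(
        Threshold(1, 5.0, "Business Unit Head"),
        Threshold(2, 10.0, "Operational Risk Committee"),
        Threshold(3, 20.0, "Board Risk Committee"),
    ),
)
for _p, _v in (("2024-01", 3.0), ("2024-02", 6.5), ("2024-03", 7.1), ("2024-04", 12.0)):
    SETTLEMENT_FAILS.record(_p, _v)

if __name__ == "__main__":
    print(SETTLEMENT_FAILS.evaluate())
    print("tiers too close:", narrow_intervals(SETTLEMENT_FAILS, min_gap=6.0))
```

Setting `worse_when="lower"` handles indicators such as a coverage ratio, where falling below a limit is the adverse event.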
KPI (Key Performance Indicators)
Definitions:
– Performance indicators are metrics that measure performance or the
achievement of targets
– KPIs are high-level snapshots of a business or institution based on specific
predefined measures
– KPIs consist of combinations of reports, spreadsheets/charts and may include
regional sales figures and trends over time, staff statistics and supply chain
information
– KPIs give a real-time view of the health of the organization by visually displaying
vital statistical information about the organization
– Applicable to operational risk in regard to:
– achieving specific targets set for exposure reduction, minimisation or mitigation
and,
– establishing how well a business entity is doing in managing its operational
risks
– KPI application can display the health of an institution
Examples:
– Statutory KPIs (e.g. GAAP or legal/regulatory requirements)
– Profitability per business unit/customer/product
– Exception reporting (e.g. how many times a report failed)
– Employee performance (e.g. assets under management or profit per customer)
– Competitiveness (e.g. market share)
– Credit management (e.g. time to settlement or credit exposure, loan losses)
– Risk/Return framework (e.g. return on equity (ROE))
– Cost management (e.g. ROA)

RISK vs. RETURN
– E.g. risk-adjusted loan pricing (alignment of loan pricing with expected risk)
– The borrower’s credit risk is used to determine whether a loan will be accepted or
declined
– Thus: charging a higher interest rate for a higher-risk transaction and a lower rate
for a lower-risk transaction.
– The components of the risk-based pricing equation include:
– cost of funds
– cost of transactions
– cost of account maintenance
– cost of collections
– cost of expected and unexpected risk (expected is the reserve capital and
unexpected is the cost of capital set aside for each credit exposure)
Risk-based capital requirements
– Banks should have sufficient capital at hand to face risks
– Risk-based capital requirements & CAMELS ratings
– The CAMELS rating is a supervisory rating system originally developed in the
U.S. to classify a bank’s overall condition
– C = capital adequacy
– A = asset quality
– M = management
– E = earnings
– L = liquidity
– S = sensitivity to market risk

How many indicators are enough?
– No right or wrong answer
– Too few may not deliver a clear picture
– Too many may overcomplicate
– The following should be considered:
– Number and nature of the key risks identified
– Availability of data necessary for key indicators
– Cost needed to extract data for key indicators and
– Intended audience (local management, executive, board, etc.)
– And are operational risk losses really operational? Can some be classified as
other types of risk? LTCM…credit crisis…

Difference between KPI and KRI?
• KRI – indicator of the possibility of future adverse impact
• KPI – measure how well something is being done.
3.1 King I
Traditional risk management practices tended to focus on:
– management of insurable risks;
– responsibility for buying insurance;
– occasional health and safety programs;

There has, however, been a marked trend towards the expansion of risk
management to include the management of other risks in the organization.

The trend seems to be largely driven by the following factors:
• The restructuring of organizations has broadened and restructured
the responsibilities of all managers;
• Increasing competition has forced organizations to scrutinize their
cost structures;
• Practices like Total Quality Management (TQM) and Just-in-Time
(JIT) all stressed the need for integrated risk control;
• The consolidation of financial services has resulted in the
integration of insurance, banking and other financial services, which has
led to broader thinking about risk financing;

What is corporate governance?

– It refers to the relationship among the management of a corporation,
its board, its shareholders and other relevant stakeholders, and also
to the specific responsibilities of boards of directors and management
to ensure and maintain these relationships by means of integrated
risk management practices;
– It entails the pursuit of objectives by the board and management that
represent the interests of an organization and its shareholders,
including effective monitoring and efficient use of resources.
1. Board and management of a company are firstly accountable to the
shareholders as the owners and suppliers of risk capital;
• Managers and directors must focus on maximizing the long term
benefits to shareholders in terms of profits and cash flows and on
minimizing the risk;
• Wealth creation for shareholders means maintaining and
expanding the net earning capacity of the company over the long
term rather than trying to make short-term profits on risky projects
that may jeopardize the continued existence of the company;

2. Board and management secondly have the responsibility to other
stakeholders to maximize wealth and to ensure sustained prosperity in
order to build long term relationships for employees, customers,
suppliers and the local community;

Guidelines and rules on corporate governance spell out the principles
that directors and boards must apply in governing and managing the
business to fulfill its responsibility towards the shareholders and other
stakeholders;
Several of these guidelines and rules have been formulated for
corporations operating in different parts of the world.
3.2 King II

KING II was published in March 2002 and consists mainly of 6 sections:
1. Board and directors;
2. Risk management;
3. Internal audit;
4. Integrated sustainability reporting;
5. Accounting and auditing;
6. Compliance and enforcement;

Unlike King I, which covered only one element – internal control,
the King II report addresses risk management as a core element of corporate
governance;

The King Commission points out that corporate governance can be viewed as:
– a company’s strategic response to the need to assume prudent risks,
appropriately mitigated, in exchange for measurable rewards.

The following are the most important recommendations in the section on risk
management:
• The responsibility for risk management resides with the board of directors.
Various people and functions within companies can assist, but the ultimate
responsibility rests with the board;
• Directors need to oversee the total process and at the end form their own opinion
on its effectiveness;
• The Code acknowledges the accountability of management towards the board for
designing, implementing and monitoring the process of risk management.
• In practice, the board, in liaison with senior management, will set risk strategy
policies.
• The risk management process will be effective only if it is integrated with day-to-
day activities of the company, and if the risk strategy is incorporated into the
language and culture of the company.
Companies should develop a system of risk management and internal control that
builds more robust business operations and delivers:
• A risk identification system;
• A commitment by management to the process;
• A demonstrable system of risk mitigation activities;
• A system of documented risk communications;
• A system of documenting the cost of non-compliance and losses;
• A documented system of internal control and risk management;
• An alignment of assurance efforts to the risk profile;
• A register of key risks that could affect shareowner and relevant stakeholder
interests;

Identifying key risks will entail a systematic, documented assessment of the process
and outcomes surrounding these risks and should address the company’s exposure
to at least the following:
• Physical and operational risks;
• Technology risks;
• Business continuity and disaster recovery;
• Credit and market risks;
• Compliance risks;

In the company’s annual report, directors must, at a minimum, disclose that they are
accountable for the process of risk management and that an effective process, which
is regularly reviewed, has been instituted.
The effectiveness of the company’s overall system of internal control needs to be
disclosed;
The compliance with corporate governance principles therefore places greater
emphasis on an integrated risk management function that covers all the risks in an
organization than ever before.

Who is responsible for risk management?
• The responsibility for risk management resides with the board of directors.
• The board is responsible for ensuring that the company has implemented an
effective ongoing process to identify risk, measure its potential impact against a
set of assumptions, and then activate what it believes is necessary to proactively
manage these risks.
• The risk management process requires an inclusive “team based” approach
which is effective across the company.
Risk assessment should address the company's exposure to the following –
• physical and operational risks;
• human resource risks;
• technical risks;
• business continuity and disaster recovery;
• credit and market risks;
• compliance risks;

The role of the internal audit function in risk management:
• The internal audit function should be used to provide independent assurance in
relation to the board's assertion surrounding the effectiveness of risk
management and internal control.

How is risk management applied?
• The board is responsible for setting risk tolerance and related strategies and
policies.
• It is also the board's responsibility to review the effectiveness of these policies on
a regular basis and in a manner in which its objectives are clearly defined for the
benefit of management to guide them in carrying out their responsibilities.
• In reviewing the reports on risk management and internal control in the course of
a financial year, the board should -
• consider what the company's risks are and how they have been
identified, evaluated and controlled;
• assess the effectiveness of the related process of risk management, and
particularly reports of significant failings or weaknesses in the process;
• consider if the necessary action is being taken timeously to rectify any
significant failings or weaknesses;
• consider whether the results obtained from the review process indicate
that more extensive monitoring is required.
Where should a company’s policy on risk management be reported?
• The board should disclose how the company has dealt with risk and control in its
annual report.
• At a minimum, the board should disclose
– that it is accountable for the process of risk management and the system of
internal control, which is regularly reviewed for effectiveness, and for
establishing appropriate risk and control policies and communicating these
throughout the company;
– that there is an ongoing process for identifying, evaluating and managing
the significant risks faced by the company, which has been in place for the
year under review and up to the date of approval of the annual report and
financial statements;
– that there is an adequate and effective system of internal control in place
to mitigate the significant risks faced by the company to an acceptable
level;
– that there is a documented and tested process in place that will allow the
company to continue its critical business processes in the event of a
disastrous incident impacting on its activities;
– where material joint ventures and associates have not been dealt with as
part of the group for the purposes of applying these recommendations;
– any additional information in the annual report that assists in the
understanding of the company's risk management processes and system
of internal control.
– Where the board cannot make any of the disclosures set out above, it
should state this fact and provide a suitable explanation.

The seven characteristics of good corporate governance:
• Discipline
– a commitment to adhere to 'proper' behavior;
• Transparency
– ease with which an outsider can analyze a company;
• Independence
– use of mechanisms to prevent conflicts of interest;
• Accountability
– decision-makers must be accountable for decisions;
• Responsibility
– allowing for corrective action and penalizing mismanagement;
• Fairness
– systems must be balanced to take all stakeholders into account;
• Social responsibility
– awareness and response to social issues; ethical;
3.3 King III
The general background of King III
• A draft of the King III report was released in February 2009;
• It was introduced on 1 September 2009 and
• It became effective on 1 March 2010.
• King III applies to all entities regardless of the manner and form of
incorporation or establishment.
• The principles, if adhered to, will result in any entity practicing good governance.
• For that reason, the Code does not address the application of its principles and
each entity will have to consider the approach that best suits its size and
complexity.

The main differences between King II and King III are:
• King III applies to all entities and not only to business corporations;
• King III also moves away from the principle of ‘comply or explain’ to ‘apply or
explain’
– Example: the board should be led by an independent non-executive and if
not an explanation needs to be given;
• King III introduces new Chapters,
– Example: IT Governance

Key changes from King II contained in King III are:
• An accepted and appropriate methodology should be adopted to identify,
respond to and monitor risks. The risk assessment should include a framework to
anticipate unpredictable risks; the framework should have the following
characteristics:
• Insight:
– the ability to identify the cause of the risk,
– where there are multiple causes or root causes that are not immediately
obvious.
• Information:
– comprehensive information about all aspects of risks and risk sources,
especially of financial risks.
• Incentives:
– the ability to separate risk origination and risk ownership ensuring proper
due diligence and accountability.
• Instinct:
– the ability to avoid ‘following the herd’ when there are systemic and
pervasive risks.
• Independence:
– the ability to view the company independently from its environment.
• Interconnectivity:
– the ability to identify and understand how risks are related, especially
when their relatedness might exacerbate the risk
• Each year, internal audit should provide a written assessment on the
effectiveness of the company’s system of internal control and risk management
to the board.
– This provides the board with independent assurance on the integrity and
robustness of the risk management process.

Rationale for changes from King II
• King III focuses on defining roles and responsibilities for risk management
which is crucial in the successful embedding of risk management within
organizations.
• Supporting this is the concept that risk must not reside with one person or
function, (i.e. The risk management function) but requires an inclusive approach
across the company in order to be successful.

The need for King III
• The issuance of King III was necessitated by the new Companies Act of South
Africa and changes in international governance trends since the release of the
second King Report on Corporate Governance for South Africa (King II) in 2002.
• The Companies Act, 2008 (which constitutes the redraft of the Companies
Act,1973) was assented to and signed by the President on 8 April 2009.

The report describes risk management “as the practice of identifying and analyzing
the risks associated with the business and, where appropriate, taking adequate steps
to manage these risks.”

King III – The Governance of Risk
• Principles
1. Risk management is inseparable from the company’s strategic and
business process – Risk management is intrusive and should not be viewed
only as a reporting process to satisfy governance expectations;
2. Management should be responsible for the risk management process.
They are accountable to the board for designing, implementing and monitoring
the process of risk management and integrating it into the day-to-day activities of
the company
3. All staff should practice risk management in their day-to-day activities
4. The board should be responsible for the risk management process – They are
responsible for the development and monitoring of the risk management process
5. The board should approve the company’s chosen risk philosophy
6. The board should adopt a documented risk management plan
7. The board may delegate the responsibility of risk management to a
dedicated risk committee
8. Risk assessment should be performed on an ongoing basis
9. The board should approve key risk indicators for each risk, as well as
tolerance levels
10. Risk identification should be directed in the context of the company’s
purpose – It should not be limited to a fixed list of risks. Operational risk
management must form part of the risk management plan
11. The board should ensure that key risks are quantified and are responded to
appropriately
12. Internal audit should provide independent assurance on the risk
management process
13. The board should report on the effectiveness of risk management
14. The board should ensure that the company’s reputational risk is protected

KING III – Key Aspects
• Good governance is essentially about effective leadership. Leaders should
rise to the challenges of modern governance.
• Such leadership is characterized by the ethical values of responsibility,
accountability, fairness and transparency and based on moral duties that
find expression in the concept of Ubuntu.
• Responsible leaders direct company strategies and operations with a view to
achieving sustainable economic, social and environmental performance.
• Sustainability is the primary moral and economic imperative of the 21st
century. It is one of the most important sources of both opportunities and risks
for businesses.
• Nature, society, and business are interconnected in complex ways that
should be understood by decision-makers.
• Most importantly, current incremental changes towards sustainability are
not sufficient – we need a fundamental shift in the way companies and
directors act and organize themselves.
• Inclusivity of stakeholders is essential to achieving sustainability and the
legitimate interests and expectations of stakeholders must be taken into account
in decision-making and strategy.
• Innovation, fairness, and collaboration are key aspects of any transition to
sustainability –
• innovation provides new ways of doing things, including profitable
responses to sustainability;
• fairness is vital because social injustice is unsustainable; and
• collaboration is often a prerequisite for large scale change. Collaboration
should not, however, amount to anti-competitiveness.
• King II explicitly required companies to implement the practice of sustainability
reporting as a core aspect of corporate governance.
• Since 2002, sustainability reporting has become a widely accepted
practice and South Africa is an emerging market leader in the field
(partially due to King II and the emergence of initiatives such as the JSE’s
Socially Responsible Investment (SRI) index which was the first of its kind
in an emerging market).
• King III supports the notion of sustainability reporting, but makes the
case that whereas in the past it was done in addition to financial
reporting it now should be integrated with financial reporting.

King III – The Governance of Risk
• The board’s responsibility for risk governance:
1. The board should be responsible for the governance of risk
2. The board should determine the levels of risk tolerance
3. The risk committee or audit committee should assist the board in carrying out its
risk responsibilities
4. The board should delegate to management the responsibility to design,
implement and monitor the risk management plan
5. The board should ensure that risk assessments are performed on a continual
basis
6. The board should ensure that frameworks and methodologies are implemented
to increase the probability of anticipating unpredictable risks
7. The board should ensure that management considers and implements
appropriate risk responses
8. The board should ensure continual risk monitoring by management
9. The board should receive assurance regarding the effectiveness of the risk
management process
10. The board should ensure that there are processes in place enabling complete,
timely, relevant, accurate and accessible risk disclosure to stakeholders
3.4 King IV
General background of King IV:
• Published on 1 November 2016
• King IV aims to establish a balance between conformance and performance.
• If King IV has to be summarized in one word it would be “transparency”
• It is in line with current international sentiment and promotes greater
accountability and transparency
• The 75 King III principles have been consolidated into 16 principles (plus one)
• King IV is universally applicable
• Universal applicability – The King Committee was requested to draft
King IV in such a way as to make it more easily applicable to any
organization and encourage a focus on qualitative factors rather than
engaging in a checklist approach to governance.
• Transparency – Good corporate governance does not operate in a
vacuum, but is an integral part of society and therefore has accountability
towards current and future stakeholders.
• Concepts introduced in King III, e.g. sustainable development, integrated annual
reports, etc. have remained, but have been refined in King IV.
• King IV advocates integrated thinking and supports the following:
– The organization is an integral part of society and a corporate citizen
– Stakeholder inclusivity (not only shareholders)
– Sustainable development (economic, society and environment)
– Integrated reporting

Integrated thinking
- Integrated thinking takes account of the connectivity and interdependencies that
affect an organization’s ability to create value. Integrated thinking leads to integrated
decision making and actions that consider the creation of value over the short, medium
and long term.
- Benefit of integrated reporting, for example: some businesses found that effective
management of natural capital through a conservative and wise use of water and
electricity leads to cost reductions and therefore enhanced financial capital.

The organization is an integral part of society
- Organizations and society are interdependent. Organizations provide goods, services,
employment, etc. But organizations should take responsibility for environmental
outcomes of their activities and outputs, as those affect society as a whole
Corporate citizen
– An organization is licensed to operate by its internal and external stakeholders. The
Companies Act also reflects the company having obligations to the society.

Stakeholder inclusivity
- King IV now specifically recognizes the role and responsibilities of stakeholders – active
stakeholders are required to hold the Board and the company accountable for their
actions and disclosures. The Governing body must take stakeholders’ needs, interests
and expectations into account.

Integrated reporting
- First there was financial reporting, then came sustainability reporting, and now it’s the
turn of integrated reporting. And integrated reporting is set to become the way
companies around the world report their performance.
- The aim of the integrated report is to clearly and concisely tell the story of the
company, who it is and what it does and how it creates value, its strategy, opportunities
and risks, its business model and governance, and relating them to social,
environmental, economic and financial issues.
- Financial reporting tells only a part of the story of any organization. Integrated
reporting aims to give a holistic view of the organization by putting its performance,
business model and strategy in the context of its material social and environmental
issues – in other words, the business in its true reality!
- Importantly, integrated reporting includes forward-looking information to allow
stakeholders to make a more informed assessment of the future value creation ability of
the organization.
- How does the integrated report fit with other reports? It can be seen as the main report
from which all other detailed information flows. A useful analogy is the octopus … the
head is the integrated report and each arm is a detailed report or detailed information
set (e.g. annual financial statements, sustainability report, governance report etc.).

Sustainable development
– Development that meets the needs of the present without compromising the ability of
future generations to meet their needs
Why the need for King IV?
• It has been revised to bring it up to date with international governance codes and
best practice.
• New global changes are testing the leadership of organizations on issues such
as political and social tensions, population growth, climate change, changing
regulation, rapid technology advancements, radical transparency, etc.
• Adopting good corporate governance contributes to sustainable value creation
in the economy, society and the environment (also known as the “triple
context”).

Climate change
– The world has experienced extreme weather conditions that pose new risks to
companies. The pressure on natural assets will increase as they are finite; continuing
business as usual is no longer an option

Transparency
– Social media platforms are creating a world characterized by radical transparency.
Corporations can no longer conceal their actions or secrets.

Technology
- 3D printing, advances in robotics, nanotechnology and biotechnology are accelerating
the transformation of production and supply chains, and forcing professions like law and
accounting to reinvent themselves.

Changing regulation
– Creates, for example, a shortage of skills

Triple context
– These three dimensions (people, planet and profit) are intertwined and should be
viewed as an integrated whole with the aim to achieve the creation of value over the
long term
Definition of corporate governance
For the purpose of King IV, it is defined as:
The exercise of ethical and effective leadership by the governing body towards the
achievement of the following governing outcomes: culture, good performance, effective
control and legitimacy
• Ethical and effective leadership should complement each other:
– Ethical leadership: it must demonstrate integrity, responsibility,
accountability, fairness and transparency.
– Effective leadership: focus on effective and efficient execution. It is
about achieving strategic objectives and positive outcomes.

How does King IV differ from King III?
1. Outcomes based vs rule based
2. Apply AND Explain
3. Structure of King IV
4. Broader forms of address
5. Sector supplements

1. Outcomes based vs rule based
• King IV applies a principle-and-outcomes based approach, and moves
away from a tick-box (rule based) approach.
• The application of the principles achieves specifically identified outcomes,
including ethical culture, good performance, effective control and
legitimacy (with stakeholders)
• Each principle is supported by a limited number of recommended
practices1, and requires specific disclosures2

1. The intention is for the recommended practices to be adapted based on the
size, resources and complexity of strategic objectives and operations of
the company in question.
2. In addition, specific disclosures are required under each of the 16
principles, and companies should ensure that they address these disclosures
adequately. All disclosures should be updated annually at least, approved by
the Board and published on accessible media and communication
2. Apply AND Explain
• King IV requires an “Apply AND Explain”1 approach to disclosure (as
opposed to apply or explain2 in King III).
• The application of the principles is assumed, and an explanation is
disclosed on the practices that have been implemented and how these
achieve the related King IV principle.

Why should an organization apply and explain King IV (Class discussion – answer)
• Good corporate governance is beneficial for stakeholders – it encourages the
confidence of its stakeholders and lowers the cost of its capital.
• Inclusive and integrated governance that aspires to sustainability is good for
society, the economy and the environment.
• Whilst King IV™ is not law, the governance outcomes achieved and the practices
adopted and implemented will likely become the criteria by which the required
standard of care and appropriate standards of conduct of the governing body and
its members are measured

3. Structure of King IV
• King IV is briefer than King III
• It contains 16 principles with recommended practices that are applicable to all
organizations,
• The 17th principle is applicable to institutional investors with recommended
practices

Institutional investors - King IV™ sets out in principle 17 that the governing body of an
institutional investor organization should ensure that responsible investment is practiced
by the organization to promote good governance and the creation of value by the
companies in which it invests.
3. Structure of principles and outcomes
3.2 Principles and recommended practices
• Principles guide what organizations should strive to achieve and hold true
across all organizations.
• Practices: the practices associated with a particular principle should be applied
to give effect to the aspiration as expressed in that principle.
• Practices may be scaled in accordance with proportionality considerations1 (i.e.
according to a company’s size of turnover, resources, activities, etc.)
• The practices as recommended in the Code may not be suitable and appropriate
for all organizations.

1. Practices with proportionality considerations: for example, where the Code
recommends technology and information as a function, this can then be outsourced to
affiliated organizations.
4. Broader forms of address
“Companies or board” are changed to “organizations and its governing board”
5. Sector supplements
• King IV also provides ‘sector’ supplements1 to guide different types of
organizations on how to apply the King IV Code within their contexts.
There are five sector supplements covering:
– Municipalities
– Non-Profit Organizations (NPOs)
– Retirement Funds
– Small and Medium Enterprises (SMEs)
– State-owned Entities
Sector supplements
The sector supplements provide terminology in the context of King IV (e.g. how certain
definitions are translated into a particular environment) and guidance on the
interpretation of specific principles considered most relevant, and possibly challenging,
to the sector.
See page 79 – 116 (IoDSA). The examples in the supplements illustrate how the King
IV Code should be interpreted and applied in each sector named above.
Note that the King Report does not include supplements for all sectors but the
supplements issued are representative of a wide range of sectors and categories of
organizations. Sectors for which specific supplements are not provided should consider
a particular supplement that is most closely aligned to their organizational structure.
Where should King IV disclosure be made?
• The governing body has the choice where the King IV disclosures will be made:
for e.g. in the integrated report, sustainability report, social and ethics committee
report, etc.
• The King IV disclosure should be updated at least annually and be publicly
accessible

The objectives of King IV
King IV’s objectives are to:
1. Promote corporate governance as integral to running an organization and
delivering governance outcomes1
2. Broaden the acceptance of King IV by making it accessible and fit for
implementation2
3. Reinforce corporate governance as a holistic and interrelated set of
arrangements to be understood and implemented in an integrated manner
4. Encourage transparent and meaningful reporting to stakeholders
5. Present corporate governance as concerned with not only structure and process,
but also with an ethical consciousness and conduct

1. Outcomes - ethical culture, good performance, effective control and legitimacy

2. It accessible and fit for implementation: corporate governance’s application must


fit by all organizations of a variety of sizes, resources, etc.
Study Unit 4.1
Introduction to ISO 31000
Introduction and Background

Organizations of all types and sizes face external and internal factors which create
uncertainty about achieving objectives.

These factors include:
 Volatile markets and globalization of customers, suppliers and products.
 Increased competition in the marketplace and greater customer expectations.
 Product innovation and rapid changes in product technology.
 Threats to national economies and restricted freedom of world trade.
 Potential for international organized crime and increased political risks.
 Extreme weather events resulting in destruction and/or population shift.

Managing risk:
 Managing risk is iterative and assists in setting strategy and achieving objectives.
 Managing risk is part of governance and leadership. It is fundamental to how the
organization is managed at all levels.
 Managing risk includes interaction with stakeholders.

Why manage risks using a framework such as ISO 31000 or COSO for ERM?
Because it helps to:
 Provide certainty and confidence for stakeholders.
 Give the organization a competitive advantage.
 Create and protect value.

Why manage risks?
 It provides greater certainty and confidence for our shareholders, employees,
customers and suppliers, and for the communities in which we operate.
 It provides greater certainty about avoiding financial loss, disruption of operations,
damage to reputation and so on.
 Successful risk management can be a source of competitive advantage, for
example: market presence.
ENTERPRISE RISK MANAGEMENT

ISO 31000 – ERM International Standards
COSO – ERM Framework

What is ISO 31000 (2018)?
 ISO – The International Organization for Standardization.
 ISO is a worldwide federation of national standards bodies (ISO member bodies).
 ISO 31000 is a family of codified standards relating to risk management.
 ISO 31000 provides principles and generic guidelines on risk management.
 ISO 31000 (2009) was revised…
 ISO 31000 (2018) is applicable to all organizations, regardless of type, size,
activities and location, and covers all types of risk.
 It was developed by a range of stakeholders and is intended for use by anyone
who manages risks, not just professional risk managers.
 Overall, ISO 31000 provides detailed guidelines on the plan, implement,
measure and learn features of a risk management system, but less explicit
information on the context, leadership and support features required of a
management system standard.

Why was it revised?
 Risk is changing for organizations.
 Disruptive, competitive business landscape.
 2008 GFC – Emphasis on RM.
 Greater transparency.
 Increased volatility, uncertainty, complexity in markets.
Risk (according to ISO 31000)
Risk is “The effect of uncertainty on objectives.”

Components:
“Effect” => Deviation from the expected. Can be positive or negative.
“Uncertainty” => The internal and external factors and influences that determine
whether or not your objectives will be achieved.
“Objectives” => Organizational goals; can have different aspects and can apply
at different levels.

Risk is often expressed in terms of risk sources, potential events, their consequences
and the likelihood of an occurrence.

Why implement ISO when my business is already adhering to COSO standards?
 ISO 31000 is an update to COSO that reflects current risk management thinking
internationally.
 The most significant difference is in the definition of risk for ISO 31000 and
COSO ERM.
 ISO 31000 defines risk as “the effect of uncertainty on objectives”,
highlighting the consequences of uncertainty.
 COSO ERM defines risk as “the possibility that an event will occur and
adversely affect the achievement of objectives.”
COSO concentrates the effort on the analysis of events rather than the
consequences of these events for the organization.
 As a consequence, ISO appears better at considering the ‘flow-on’ consequences
of an event occurring.
 ISO 31000 also provides advantages compared to COSO:
1. It is more practical;
2. It provides more details;
3. It explicitly defines the terms;
4. It is more clearly written, and easier to understand for CXOs and risk
professionals;
5. The information in the standard can be adapted to develop guidelines to
assess existing risk management methodologies;
6. It provides a foundation for implementing other ISO risk management
standards and guidelines.
The key strengths of ISO 31000
 Creates and protects value
 Explicitly addresses uncertainty
 It is systematic, structured and timely
 It is tailored to the organisation’s risk
 Dynamic, iterative and responsive to change
 Takes human and cultural factors into account
 Transparent and facilitates continual improvement

Benefits of implementing ISO 31000
 Assists development of effective RM strategies
 Assists the development of an effective RM culture
 Identifies positive opportunities and negative threats
 More effective decision-making and resource allocation
 Improves organisational governance and performance

Study Unit 4.2
Principles, framework and process
Organizations should implement the ISO 31000 principles and components best
suited to their particular circumstances and modify other principles and
components, as necessary.

ISO 31000 contains high-level guidelines for the management of risk.

There is no step-by-step checklist for implementing the risk management initiative.

Risk professionals must rearrange the guidance in ISO 31000 to align with their
own approach to implementing a risk management initiative.

Eight Principles
1. Integrated
2. Structured & comprehensive
3. Customized
4. Inclusive
5. Dynamic
6. Best information
7. Human & cultural factors
8. Continual improvement
Principles 1 - 5 provide guidance on how a risk management initiative should be
designed; principles 6 - 8 relate to the operation of the risk management initiative.
Integrated
 Risk management is an integral part of all organizational activities.
Structured and comprehensive
 This approach contributes to consistent and comparable results in managing risk.
Customized
 The risk management framework and processes are tailored and proportionate to the
organization’s external and internal context.
Inclusive
 Appropriate and timely involvement of stakeholders enables their knowledge and
perceptions to be considered. This improves awareness and risk management.
Dynamic
 Risk management anticipates, detects and responds to changes and events in a
timely and appropriate manner.
Best available information
 Information (based on historical, current and future expectations) must be timely,
clear and available to relevant stakeholders.
Human and cultural factors
 These factors influence all aspects of risk management.
Continual improvement
 Risk management is constantly improved through learning and experience.

Framework
1. Leadership and Commitment
2. Integration
3. Design (Plan)
4. Implementation (Do)
5. Evaluation (Check)
6. Improvement (Act)

Principles vs Framework:
 Principles outline what must be achieved.
 The framework provides information on how to achieve each principle.

The purpose is to assist with integrating risk management into all activities and
functions.
The effectiveness of risk management will depend on integration into governance and
all other activities of the organization, including decision-making.
1. Leadership and Commitment
Customizing and implementing all components of the framework;
Issuing a statement or policy that establishes a risk management approach, plan
or course of action;
Ensuring that the necessary resources are allocated to managing risk;
Assigning authority, responsibility and accountability at appropriate levels within
the organization.

2. Integration
Determining management accountability and oversight roles and responsibilities;
Ensuring risk management is part of, and not separate from, all aspects of the
organization and culture.

3. Design (Plan)
Understanding the organization and its internal (vision, mission, strategy, policy,
culture) and external context (social, cultural, legal, regulatory, economic).
Articulating risk management commitment (through policy, statements and other
forms).
Assigning organizational roles, authorities, responsibilities and accountabilities
(risk owners, RM core responsibility).
Allocating resources (people, skills, experience, information, development and
training).
Establishing communication and consultation arrangements (sharing information,
provide feedback, reflect stakeholder expectations).

4. Implementation (Do)
Successful implementation of the framework requires the engagement and
awareness of stakeholders.
Developing an appropriate plan including time and resources;
Identifying where, when and how different types of decisions are made across
the organization, and by whom;
Modifying the applicable decision-making processes where necessary;
Ensuring that the organization's arrangements for managing risk are clearly
understood and practiced.

5. Evaluation (Check)
Periodically measure risk management framework performance against its
purpose, implementation plans, indicators and expected behavior;
Determine whether it remains suitable to support achieving the objectives of the
organization.

6. Improvement (Act)
Adapting: continuously adapt risk management framework, improve value.
Continually improving: suitability, adequacy, effectiveness, identify new gaps.
Process
1. Information, communication and consultation
2. Scope, context and criteria
3. Risk assessment
4. Risk treatment
5. Monitor and review
6. Recording and reporting

 The risk management process involves the systematic application of policies,
procedures and practices to the activities of:
- Communicating and consulting,
- Establishing the context and assessing,
- Treating, monitoring, reviewing,
- Recording and reporting risk.
 Human behavior and culture should be considered throughout the process.
 ISO RM is an integrated process throughout an organization.

1. Information, communication and consultation

Bring different areas of expertise together for each step of the risk management
process;
Ensure that different views are appropriately considered when defining risk
criteria and when evaluating risks;
Provide sufficient information to facilitate risk oversight and decision-making;
Build a sense of inclusiveness and ownership among those affected by risk.

2. Scope, context and criteria

Defining the purpose and scope of risk management activities;
Identifying the external and internal context for the organisation;
Defining risk criteria by specifying the acceptable amount and type of risk; and
Defining criteria to evaluate the significance of risk and to support decision-
making.
3. Risk assessment

Risk identification to find, recognize and describe risks that might help or prevent
achievement of objectives and the variety of tangible or intangible consequences;
Risk analysis of the nature and characteristics of risk, including the level of risk,
risk sources, consequences, likelihood, events, scenarios, controls and their
effectiveness; and
Risk evaluation to support decisions by comparing the results of the risk analysis
with the established risk criteria to determine the significance of risk.

4. Risk treatment

Selecting the most appropriate risk treatment option(s); and
Designing risk treatment plans specifying how the treatment options will be
implemented.
Types:
 Accept
 Mitigate
 Share
 Avoid

5. Monitor and review

Improving the quality and effectiveness of process design, implementation and
outcomes.
Monitoring the RM process and its outcomes, with responsibilities clearly defined.
Planning, gathering and analyzing information, recording results and providing
feedback.
Incorporating the results in performance management, measurement and
reporting activities.

6. Recording and reporting

Communicating risk management activities and outcomes across the
organization.
Providing information for decision-making.
Improving risk management activities.
Providing risk information and interacting with stakeholders.
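To show how the six process steps above fit together in practice, here is an added worked example (not part of the notes, ISO 31000 itself, or any vendor tool) that walks a small constructed risk register through analysis, evaluation against risk criteria, treatment selection and a monitor-and-review re-score. The 5x5 likelihood/consequence scales, the appetite thresholds in `RiskCriteria`, the control-effectiveness discount and the share-versus-mitigate heuristic are all assumptions made for illustration; an organisation would define its own criteria in the "scope, context and criteria" step.

```python
"""Constructed ISO 31000-style risk assessment walk-through (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Assumed ordinal scales for the risk analysis step (a 5x5 matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskCriteria:
    """Risk criteria from the 'scope, context and criteria' step: how much residual
    risk is within appetite, and above what level a risk is intolerable."""
    accept_up_to: int    # residual score <= this is accepted as-is
    tolerate_up_to: int  # residual score <= this may be run once treated


@dataclass
class Risk:
    """One entry in the constructed risk register."""
    ident: str
    source: str
    event: str
    consequence: str                  # key of CONSEQUENCE
    likelihood: str                   # key of LIKELIHOOD
    control_effectiveness: float = 0  # share of inherent risk removed by existing controls (0..1)


def analyse(risk: Risk) -> Dict[str, int]:
    """Risk analysis: inherent level = likelihood x consequence; the residual level
    discounts it by the effectiveness of the controls already in place."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.ident}: control effectiveness must be between 0 and 1")
    inherent = LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    residual = max(1, round(inherent * (1.0 - risk.control_effectiveness)))
    return {"inherent": inherent, "residual": residual}


def evaluate(residual: int, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    if residual <= criteria.accept_up_to:
        return "acceptable"
    if residual <= criteria.tolerate_up_to:
        return "treat"
    return "intolerable"


def select_treatment(risk: Risk, rating: str) -> str:
    """Risk treatment: choose one of the four options named in the notes.
    Assumed heuristic: low-likelihood, high-consequence risks are shared
    (e.g. insured or contracted out); other treatable risks are mitigated."""
    if rating == "acceptable":
        return "accept"
    if rating == "intolerable":
        return "avoid"
    if CONSEQUENCE[risk.consequence] >= 4 and LIKELIHOOD[risk.likelihood] <= 2:
        return "share"
    return "mitigate"


def assess_register(register: List[Risk], criteria: RiskCriteria) -> List[Dict]:
    """Run analysis, evaluation and treatment selection over the whole register and
    return the records ready for recording and reporting (highest residual first)."""
    records = []
    for risk in register:
        levels = analyse(risk)
        rating = evaluate(levels["residual"], criteria)
        records.append({
            "id": risk.ident, "event": risk.event,
            "inherent": levels["inherent"], "residual": levels["residual"],
            "rating": rating, "treatment": select_treatment(risk, rating),
        })
    return sorted(records, key=lambda r: r["residual"], reverse=True)


def review_after_treatment(risk: Risk, new_effectiveness: float,
                           criteria: RiskCriteria) -> str:
    """Monitor and review: re-run the assessment after a treatment plan has changed
    the control effectiveness, and return the new rating."""
    updated = replace(risk, control_effectiveness=new_effectiveness)
    return evaluate(analyse(updated)["residual"], criteria)


# Constructed sample register and criteria (not real data).
CRITERIA = RiskCriteria(accept_up_to=4, tolerate_up_to=12)
REGISTER = [
    Risk("R1", "external actor", "ransomware encrypts the file server", "severe", "possible", 0.5),
    Risk("R2", "third party", "sole supplier halts deliveries", "major", "unlikely", 0.0),
    Risk("R3", "process", "late filing of a statutory return", "minor", "likely", 0.75),
    Risk("R4", "environment", "flooding of the data centre", "severe", "almost certain", 0.0),
]

if __name__ == "__main__":
    for rec in assess_register(REGISTER, CRITERIA):
        print(rec)
```

Running the block reports R4 as intolerable (avoid), R1 and R2 as needing treatment (mitigate and share respectively), and R3 as acceptable; re-scoring R1 after a treatment plan raises control effectiveness to 0.8 brings it within appetite, which is the monitor-and-review loop closing.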
Road map for the application of ERM (ISO or COSO)

OBJECTIVE 1 - DRIVE RISK CULTURE
Evaluate to what extent the company's strategy is exposed to risk
Help set the tone at the top
Document the risk management roles and responsibilities
Create a network of “risk-champions”
Conduct risk management training
Keep it simple

OBJECTIVE 2 - HELP INTEGRATE RISK MANAGEMENT INTO BUSINESS
Help employees integrate risk analysis into their work
Risk-based strategic planning, budgeting and performance management
Promote open discussions about risks

OBJECTIVE 3 - BECOME A TRUSTED ADVISOR
Validate management assumptions
Inform management about emerging risks
Promote risk management as a service
Take ownership over some risk assessments
Build your own network of risk advisors
Continuously improve your risk management skills
5.1 COSO

COSO - Committee of Sponsoring Organisations of the Treadway Commission

Outcome:
• What is the COSO-ERM framework, its purpose and fundamental principle
• The relevance of ERM for an entity and its stakeholders
• The importance of applying ERM
• COSO’s © (2017) definition for ERM
• The benefits of applying ERM
• Clearing up misconceptions of ERM
• Understanding how the framework integrates – components and principles
1. Introduction
Background
• Management of companies has developed processes to identify and manage
risk across the enterprise;
• There are few widely accepted principles that can be used by management as a
guide for effective ERM;
• But the need for definitive guidance on ERM was recognised, thus the
Committee of Sponsoring Organisations of the Treadway Commission (COSO)
developed a sound framework (components) with integrated principles.
• About COSO
• Originally formed in 1985
• Is a joint initiative of five private sector organisations
• Is a generic ERM framework for entities of all sizes
• COSO’S purpose:
Provide guidance on
• Enterprise risk management (ERM)
• Internal control
• Fraud prevention
• COSO’S fundamental principle
• Good risk management is necessary for long term success

Why update (2017) the original COSO 2004 publication?
1. The risk landscape has evolved dramatically - organisations need to be more
adaptive to changes
• Business and operating environments are more complex, technologically
driven, and global in scale
2. Stakeholders are more engaged, seeking greater transparency and accountability
3. Help entities to improve protection and enhance stakeholder value
4. Risk discussions are increasingly prominent at the board level
5. The bar is raised with respect to ERM
2. Relevance of ERM
• Underlying premise of ERM: every entity, whether for-profit, not-for-profit or a
governmental body, exists to provide value for its stakeholders.
• Applied in strategy setting and across an entity’s activities.
• All entities face uncertainty and ERM provides a framework for management to
effectively deal with uncertainty, associated risk (in the pursuit of value) and
opportunity.
• ERM helps an entity to enhance its capacity to create, preserve and realize value

ERM AFFECTS VALUE…
• Value is (1) created, (2) preserved, (3) eroded or (4) realized by management
decisions at all levels, from strategy setting to operating the enterprise
day-to-day.
1. Value creation: When the benefits derived from resources deployed exceed the
cost of those resources used. Resources include people, financial capital,
technology, processes, and brand.
• Example: A new product is successfully designed and launched and its profit
margin is positive.
2. Value preservation: Focusing on resources (people, processes and systems
used in day-to-day operations) to create sustained value.
• Example: The delivery of superior products, services and production capacity,
which results in loyal and satisfied customers and stakeholders.
3. Value erosion: Management implements a strategy that does not yield the expected
outcomes (i.e. a poor strategy), or fails to execute day-to-day activities.
• Example: Extensive resources are consumed to develop a new product that is
consequently abandoned.
4. Value realization (Achieved): When stakeholders receive benefits (monetary or
non-monetary) created by the entity.
ERM is linked to:
• Governance - refers to the allocation of roles, authorities, and responsibilities and
management of risks among stakeholders, the board, and management.
• Performance management – Measuring those actions and tasks against set
targets to determine whether those targets are achieved.
• Measures include financial measures, operating measures, project
measures.
• Internal control - is the process (identify, analyse and manage risks)
carried out by an entity to provide reasonable assurance that objectives
will be achieved. Includes fraud risk relating to financial reporting
objectives; and compliance objectives – adhering to laws and regulations.

3. Understanding the terms

Defining ERM
COSO © (2017) defines Enterprise Risk Management as:
“The culture, capabilities, and practices, integrated with strategy-setting and
performance, that organizations rely on to manage risk in creating, preserving, and
realizing value.”

“Recognizing Culture”
Culture is developed and shaped by the people at all levels of an entity by what they
say and do.
Each person has a unique point of reference, which influences how he/she puts ERM
practices in place, i.e. identifies, assesses, and responds to risk.
ERM helps people to understand that culture plays an important role in shaping their
decisions.

“Developing Capabilities”
• An organization that has the capacity to adapt to change is more resilient and
better able to evolve in the face of marketplace and resource constraints and
opportunities
• ERM adds to the skills needed to carry out the entity's mission and vision and to
anticipate the challenges that may hinder organizational success.
“Applying Practices”
• ERM is not static, nor is it an adjunct to a business.
• It is continually applied to the entire scope of activities. It is part of management
decisions at all levels of the entity.
• The practices used in ERM are applied from the highest levels of an entity and
flow down through divisions, business units, and functions.
• The practices assist people within the entity to understand its strategy,
objectives, what risks exist, the acceptable amount of risk, how risk impacts
performance, and how to manage risk.

“Integrating with Strategy-Setting and Performance”
• An organization sets strategy that aligns with and supports its mission and vision.
• It also sets business objectives that flow from the strategy, flowing to the entity's
business units, divisions, and functions.
• An organization that integrates ERM into daily tasks is more likely to have lower
costs and is likely to identify new opportunities.

“Managing Risk to Strategy and Business Objectives”
• ERM is fundamental to achieving strategy and business objectives.
• ERM practices provide management and the board of directors with a reasonable
expectation that they can achieve the overall strategy and business objectives of
the entity.
• But even with reasonable expectations in place no one can predict risk with
absolute precision.
• Regularly reviewing ERM practices is important so that the entity can respond to the
unexpected and achieve its strategy and business objectives.

“Linking to Value”
• An organization must manage risk to strategy and business objectives in relation
to its risk appetite
• Risk appetite sets the range of appropriate practices and guides risk-based
decisions - not specifying a limit.
• Risk appetite is not static; it may change between products or business units and
over time
• Risk appetite must be flexible enough to adapt to changing business conditions
as needed without waiting for periodic management reviews and approvals.
• Managing risk within risk appetite enhances an organization's ability to create,
preserve, and realize value.

Risk appetite
The types and amount of risk an entity is willing to accept in its pursuit of value.
4. Benefits of ERM
1. Increasing the range of opportunities
• An entity must consider all reasonable possibilities – both positive &
negative currently and in the future
2. Increasing positive outcomes while reducing losses
• To identify risks and establish appropriate responses, increasing positive
outcomes while reducing negative surprises and related costs or losses
3. Identifying and managing risk entity-wide
• Management must understand that risk can originate in one part of the
entity but can impact many parts of the entity
4. Reducing performance variability
• For some entities, the challenge is less about negative surprises and
losses, and more about performance variability
5. Improving resource deployment
• Identifying risks allows assessing resource needs and to optimize
resource allocation
6. Enhancing enterprise resilience (flexibility)
• Ability to anticipate and respond to changes (risks) whether internal or
external

5. Clearing up misconceptions
• ERM is not a function or department
• It does not operate in isolation in an entity
• It is the culture, capabilities and practices integrated and applied with
strategy-setting
• ERM is more than risk listing
• It includes practices that management applies to actively manage risk
• ERM is not a checklist
• It is an ongoing/continuous system/process of monitoring, learning and
improving performance. It’s a facilitator to a goal, not an end or goal itself.
• ERM can be applied by organisations of any size, type or sector
• ERM can be used by organisations from small businesses to government agencies, etc.,
as long as the organisation has a mission, strategy and objectives
6. Framework - Components
Components
The COSO framework for ERM consists of five interrelated
components:

7. Framework - Principles
Principles
• Within these five components there are 20 principles.
• Each principle represents the fundamental concepts associated with each
component.

Self-evaluation:
• What is the COSO-ERM framework, as well as its purpose and fundamental principle?
• Why is ERM relevant for an entity and its stakeholders?
• Why is it important for an entity to apply ERM?
• What is COSO’s © (2017) definition for ERM?
• Explain the benefits of applying ERM.
• What are the misconceptions of ERM?
• Understanding the integration of the framework – components and principles


Study Section 5.2
Strategy, business objectives and performance
&
Integrating ERM
Outcome:
• Discuss how ERM affects strategy and its relevance for an entity
• Explain how ERM helps an organization better understand:
• That strategy and business objectives may not align with the mission,
vision, and core values
• The implication from the strategy chosen
• Risk to executing the strategy
• Understand the relationship between risk and performance (risk profile)
• Discuss the importance of integrating ERM and the benefits
• Explain how organizations can adopt full integration of ERM throughout the
culture, capabilities, and practices

ERM and Strategy

ERM affects strategy
• Strategy refers to an organization's plan to achieve its mission and vision, and to
apply its core values.
• A well-defined strategy drives the efficient allocation of resources and effective
decision-making.
Relevance
• It also provides a road map for establishing business objectives.
• ERM does not create the entity's strategy, but it influences its development.
ERM aids an organization better understand:
1. The possibility that strategy and business objectives may not align with the
mission, vision, and core values
2. The implication from the strategy chosen
3. Risk to executing the strategy

Mission
The entity’s main purpose, which establishes why it exists.

Vision
What the entity aims to achieve over time.

Core values
The entity’s belief of what is acceptable or unacceptable, which
influence the behaviour of the organisation
1. The possibility that strategy and business objectives may not align with the mission,
vision, and core values.
• A chosen strategy must support the entity’s mission and vision. If not, it will
cause value destruction
• Mission and vision help the organization to establish boundaries and focus on
how decisions may affect strategy.
• Once an organization understands its mission and vision it can formalise
strategies that will yield the desired risk profile

2. The implication from the strategy chosen
• Strategy selection is about making choices and accepting trade-offs (e.g. time
versus quality; efficiency versus cost; risk versus reward).
• Each strategy has its own risk profile – implications arising from the strategy.
• Board and management must determine if the strategy works together with the
risk appetite.
Evaluating the chosen strategy
• ERM does not create the entity's strategy.
• It informs the organization on risks associated with alternative strategies
considered and, ultimately, with the adopted strategy.
• The entity must evaluate how the chosen strategy, and the potential risks that may
arise from it, could affect the entity's risk profile.
• The entity must revisit its strategy and consider revising it or selecting one with a
more suitable risk profile.

3. Consider what risks may result from the strategy chosen.
The entity must decide whether it will achieve its mission and vision with the strategy,
or whether there is a high risk in achieving the chosen strategy.
Strategy, Business objectives and Performance
• Assessing risk to the strategy and business objectives requires an organization
to understand the relationship between risk and performance - referred to as the
risk profile (composite view).
• This risk profile allows management to consider the type, severity, and
interdependencies of risks, and how they may affect performance.
• When evaluating alternative strategies the focus shifts to understanding the
current risk profile for that chosen strategy and related business objectives.

Risk profile
Composite view of the risk at a particular level of the entity
(e.g. overall entity level, business unit level, functional level)

• The relationship between risk and performance is rarely linear.
• Changes in performance targets do not always result in
corresponding changes in risk (or vice versa).
• Figure A illustrates the aggregate amount of risk associated with different levels
of performance.
Integrating ERM
The Importance of Integration
• ERM is not a function or department within an entity.
• Instead, culture, practices, and capabilities are, together, integrated and applied
throughout the entity.

The Importance of Integration (continued)
Benefits of integrating ERM with business activities:
1. Anticipate risks earlier.
• This opens up more options for managing the risks, minimizing potential
deviations in performance, losses, or failures.
2. Identify and pursue existing and new opportunities.
• Opportunities must be in accordance with the entity's risk appetite and
strategy.
3. Respond to deviations in performance quickly and consistently.
4. Develop and report a more comprehensive and consistent portfolio view of risk.
• This report allows the organization to better allocate finite resources.
5. Improve collaboration, trust, and information sharing across the organization.

How organizations can encourage full integration of ERM into:

1. Culture
To build transparency and risk awareness into its culture, an entity must:
• Implement forums for sharing information (e.g. risks, opportunities)
without fear.
• Clarify and communicate roles and responsibilities for the
achievement of strategy, business objectives and risk management.
• Align core values and behaviors with incentives and remuneration
models.
• Share a strong understanding of the drivers of value creation.

2. Capabilities
• Management is able to make decisions given its risk appetite and risk profile that
can change over time.
• The organization routinely hires and has access to capable individuals with
relevant experience or other relevant resources to support decision-making.
• Vendors, contractors, and other third parties are considered in discussions of risk
and performance.
3. Practices
• Setting strategy clearly considers risk when evaluating options.
• Management actively addresses risk in pursuit of its performance targets.
• Regular and consistent monitoring of performance results and changes in the risk
profile.
• Management is able to make decisions that are in line with the speed and scope
of changes in the entity.

Self-evaluation:
• Define strategy, its relevance and discuss how ERM affects strategy
• Explain how ERM helps an organization better understand:
• That strategy and business objectives may not align with the mission,
vision, and core values
• The implication from the strategy chosen
• Risk to executing the strategy
• What is the relationship between risk and performance (risk profile)?
• Discuss the importance of integrating ERM and the benefits
• Explain how organizations can adopt full integration of ERM throughout the
culture, capabilities, and practices
SU 5.3_1
COSO – ERM
Framework - Components and Principles
Outcome:
• Understand the framework, which consists of five interrelated components and principles. This includes a
brief discussion of each component:
 Governance and culture
 Strategy and Objective-Setting
 Performance
 Review and Revision
 Information, Communication, and Reporting
• Assessing Enterprise Risk Management

The Framework consists of the five interrelated components of enterprise risk
management.
When enterprise risk management is integrated across A) strategy development, B)
business objective formulation, and C) implementation and performance, it can enhance
value.
1. Governance and Culture
• Basis for all other components
• Governance sets entity’s tone and establishes responsibilities
• Culture is reflected in decision-making
2. Strategy and Objective-Setting
• ERM integrated into strategy through objectives
• Understanding the business context an entity can gain insight into internal-
and external factors of risk
• Set risk appetite in conjunction to strategy
3. Performance
• Identify and assess risks that may affect achievement of objectives
• Categorise risks according to severity and probability
• Select an appropriate response and monitor performance
• In this way, it develops a portfolio view of risk levels in the pursuit of the
strategy and business objectives
4. Review and Revision
• Review performance relative to targets – determine effectiveness/value of
ERM
5. Information, Communication, and Reporting
• Communication – continual process to obtain information and sharing it
• ERM supported by internal- and external information
• Organisation reports on risk, culture, and performance
Assessing ERM
• The entity should assure stakeholders that it is able to manage risk to an acceptable
level
• It does this by assessing ERM – voluntary or required by law
• ERM cannot provide absolute assurance on achieving objectives – reasonable
assurance is not absolute assurance
• Assessing ERM will determine if ERM culture, capabilities, and practices manage
risks
• During assessment consider:
1. Components and principles are present and functioning
2. Components are operating together in an integrated manner
3. Relevant controls to apply principles are present

In these three considerations, being "present" means the components, principles, and
controls exist in the design and implementation of enterprise risk management to
achieve strategy and business objectives.
Being "functioning" means they continue to operate to achieve strategy and business
objectives.
And "operating together" refers to the interdependencies of components and how they
function cohesively. Organizations may place different emphasis on specific principles
and apply them differently, depending on the benefits an organization seeks to attain
through enterprise risk management
When these components, principles, and supporting controls are present and
functioning, the organization can reasonably expect that enterprise risk management is
helping the entity create, preserve, and realize value.

• Different approaches to assessing ERM:
• When the assessment is performed to communicate to external stakeholders – use the
principles set out by COSO
• When assessing ERM internally with a maturity model, the model must be
tailored to the entity's complexity
• Complexity is increased by:
• Geography, industry, nature, technology, regulatory oversight, etc.

Self-evaluation:
• Name and discuss the five interrelated components representing the COSO framework for ERM. This includes a
brief discussion of each component:
 Governance and culture
 Strategy and Objective-Setting
 Performance
 Review and Revision
 Information, Communication, and Reporting
• What must an organisation keep in mind during the assessment of ERM?
SU 5.3_2
COSO – ERM
Component 1
Governance and Culture
Outcome:
Understand the five principles relating to Governance and Culture, including:
1. Board risk oversight
2. Establishing an operating structure
3. Desired culture
4. Commitment to core values
5. Attract and retain capable individuals

Introduction
• Entity’s BOD (board of directors) plays important role in governance and
influences ERM
• The BOD may take the form of a supervisory board, trustees, partners, or an owner
• Culture represent core values – beliefs, attitudes, desired behaviours, importance
of understanding risk
• Culture supports mission and vision
• Culture of risk-awareness encourages transparency and managing risks

Where the board is independent from management and generally comprises members who are
experienced, skilled, and highly talented, it can offer an appropriate degree of industry,
business, and technical input while performing its oversight responsibilities. This input includes
scrutinizing management's activities when necessary, presenting alternative views, challenging
organizational biases, and acting in the face of wrongdoing. Most important, in fulfilling its role
of providing risk oversight, the board challenges management without stepping into the role of
management.
Principle 1: Exercises board risk oversight
BOD provides oversight of strategy and carries out governance responsibilities to
support management in achieving strategy and objectives
a) Accountability and Responsibility
• BOD has primary responsibility for risk oversight
• But, management is responsible for day-to-day risk management
• Board can delegate responsibilities to risk committee
• Develop statement that defines BOD and management’s respective
responsibilities
b) Skills, Experience, and Business Knowledge
• BOD provides expertise through its skills and knowledge, e.g. asking
appropriate questions to challenge management about strategy,
objectives, and performance
• BOD must understand entity’s strategy and industry to be informed on
relevant issues
• As risks change so must the BOD adjust (i.e. qualifications etc.)
• BOD determines and review periodically if it has necessary skills,
experience, e.g. Cyber risk exposure – Entities need to have board
members with expertise in IT or access expertise through independent
advisors.
c) Independence
• BOD should be independent. Independence enhances its ability to be objective and to
evaluate performance and well-being without conflict of interest
• BOD serves as a check and balance on management, ensuring the best interests
of stakeholders rather than of a select number of board members
d) Suitability of ERM
• BOD must understand complexity of entity
• BOD must understand how integrated ERM can create value
e) Organisational Bias (favouritism)
• Bias in decision-making has always existed and always will
• Dominant personalities, over-reliance (excessive dependence) on
numbers, disregard of contrary information, tendency for risk
avoidance or risk taking
• BOD should understand organisational biases and challenge management
to overcome or manage them

Bias
Unbalanced weight in favour of or against one thing/person compared
with another – usually unfair

Principle 2: Establishes operating structures
The organisation establishes operating structures in the pursuit of strategy and
business objectives
a) Operating Structure and Reporting Lines
• Operating structure describes how the entity organises and carries out
day-to-day operations
• Operating structure allows personnel to develop and implement practices
to manage risk and align with core values
• Operating structure is aligned with legal- and management structure
a) Legal structure influences how an entity operates
b) Management structure sets out the reporting lines, roles,
responsibilities for management
• Important to define responsibilities when designing reporting lines
• External parties may influence reporting lines (e.g. outsourcing, joint
business ventures)
• Different operating structures result in different risk profiles, affecting ERM
practices
a) E.g. assessing risk within a decentralised operating structure may
indicate few risks, whereas a centralised model may indicate a concentration
of risk, perhaps relating to certain customer types, foreign exchange, or
tax exposure.
Different legal structures may be more or less suitable depending on the size of the
entity and any relevant regulatory, taxation, or shareholder structures. A small entity is
likely to operate as a single legal entity. Large entities may consist of several distinct
legal entities, in which case decisions may become segregated if risk information is not
aggregated across legal structures.

Factors to consider when establishing operating structures:
1. Strategy and objectives
2. Nature, size, and geographical distribution of entity’s business
3. Risk related to strategy and objectives
4. Assignment of authority, accountability, and responsibility
5. Type of reporting lines (e.g. direct vs secondary reporting)
6. Financial, tax, and regulatory

b) ERM Structures
• Management plans and carries out the strategy and objectives, which are designed
on the basis of the mission, vision, and values. Consequently, information is needed
on how risks affect the strategy.
• One method of gathering this information is to delegate the responsibility to a
committee (committee members might include executives and senior
leaders)
• A complex organisation may have several committees that align with its
reporting lines and operating structure
• In small entities ERM oversight is less formal and management is more
involved in day-to-day decisions.

c) Authority and Responsibilities
• In a single BOD – the board delegates to management the authority to
design and implement practices to support strategy and business
objectives
• Management defines roles, responsibilities, and accountabilities to
individuals, teams, etc.
• In Dual-board structure – supervisory board focus on long-term decisions
and strategies
• Management board is charged with overseeing day-to-day
operations, including oversight of authority among senior
management
• Defining authority is important. It empowers people to act as needed in a
given role but with limits on authority.
• Risk-based decisions are enhanced when management:
• Delegates responsibility to the extent required (e.g., the review and
approval of new products involves the business and support
functions, separate from the sales team)
• Specifies transactions requiring review and approval (e.g., authority
to approve acquisitions)
• Considers new and emerging risks as part of decision-making (e.g.,
a new business partner is not taken on without exercising
appropriate diligence)
d) ERM within Evolving Entity
• As entity changes so should ERM
• ERM must be tailored to the capabilities of the entity, considering both
what the organisation is seeking to attain and the way it manages risk.
• Management must regularly evaluate operating structure and reporting
lines.
• Management must understand how innovation will influence
ERM practices
• E.g. evolving information technology (IT) can lead to a virtual operating
structure.

Principle 3: Defines desired culture
The organisation defines the desired behaviours that characterise the entity's desired
culture
a) Culture and Desired Behaviours
• Culture reflects core values, behaviours, and decisions
• Decisions are based on available information, judgement, capabilities, and
experience
• Culture determines how ERM is implemented:
• Culture shapes how risks are identified, which types of risk are
considered, and how risks are managed
• BOD defines the desired culture of the entity
• Core values drive the culture in day-to-day activities
• Culture embraced by all personnel is critical – do the right thing at the right
time
• Many factors shape and affect the culture.
• Internal factors include:
• Judgement and autonomy provided to personnel,
• Interaction between personnel,
• Standards and rules,
• Physical layout of workplace,
• Reward system
• External factors affecting culture:
• Regulatory requirements,
• Expectations of customers and investors
• Internal- and external factors determine if entity will be risk averse or risk
aggressive
• Culture is not one size fits all – some managers are prepared to take more
risks than others
• Culture spectrum ranges from risk aggressive to risk averse
(e.g. private equity vs nuclear power plant.)

Example 6.2: Two Ends of the Culture Spectrum
• A nuclear power plant will likely have a risk-averse culture in its day-to-day
operations. Both management and external stakeholders expect decisions
regarding new technologies and systems to be made carefully and with great
attention to detail and safety in order to provide a reasonable expectation of the
plant's reliability. It is not desirable for nuclear power plants to invest heavily
in innovative and unproven technologies critical to managing the
operations.
• In contrast, a private equity manager is more likely a risk-aggressive entity.
Management and external investors will have high expectations of performance
that require taking on potentially severe risks, while still falling within the defined
risk appetite of the entity.

b) Applying Judgement
• Judgement defines culture and management of risks
• Judgement is relied upon when information is limited to support decision
• when changes in strategy, objectives, and performance are present
• during times of disruption
• Judgement is a function of experience, risk appetite, capabilities,
information available, and bias
• Judgement is vulnerable to bias when individuals are over- or under-confident
in their abilities, for example when assumptions are based on limited information
• Good judgement enables entity to navigate periods of crisis
• Actions taken by the organization to steer the entity out of a crisis depend
on the accountability, behaviors, and actions of personnel

Group dynamics in meetings, communication styles of management, and recognition
and acknowledgment of personnel may affect the ability of management to exercise
good judgement
c) Effect of Culture
• Culture determines how risk is identified, assessed, and responded to
• Examples:
1. Scoping of strategy and business objective-setting – culture affects the
types of strategic alternatives considered. For example, despite promising
feasibility studies, a risk-averse organisation may choose not to expand mining
and drilling operations into new geographies.
2. Applying rigour (thoroughness) to the risk identification and assessment
process – the nature and types of risk and opportunity may differ depending on
where the entity sits on the culture spectrum (risk averse vs risk aggressive);
a potential risk for a risk-averse entity may be considered an opportunity by
another. For example, increasing demand for online ordering may be seen as a
risk by a traditional retail manufacturer but as an opportunity to increase
sales by a retailer looking to grow sales and market share.
3. Selecting risk responses and allocating finite resources – a risk-averse
entity may allocate additional resources to gain confidence, whereas a
risk-aggressive entity may view the cost/benefit of such gradual responses less
favourably. For example, purchasing additional insurance may be favoured by
risk-averse entities but viewed as an inefficient use of financial resources by
others.
4. Reviewing performance – a risk-averse entity may make changes quickly,
whereas a risk-aggressive entity may wait longer before making changes. For
example, airlines may adjust flight schedules more quickly in response to adverse
changes in weather conditions than train or bus companies, which may be able to
continue operating without disruption for longer.
d) Aligning Core Values, Decision-Making, and Behaviours
• Success depends on alignment of behaviour and decision with core
values
• Misalignment can result in a loss of confidence from stakeholders,
inconsistent approaches, and lower than targeted performance.
• Reasons core values are not adhered to:
• Tone at the top does not effectively convey expectations
• BOD does not provide oversight of management’s adherence to
standards
• Risk is an afterthought to strategy
• Performance targets create incentives or pressures (unrealistic in
targets) that instil behaviour contrary to core values
e) Shifting Culture
• Internal- and external changes may cause culture to shift
• New leadership may have different attitude and philosophy about ERM
• Mergers and acquisitions can also shift culture and alter the entity’s
mission and vision

Principle 4: Demonstrates commitment to core values
The organisation demonstrates a commitment to the entity's core values
a) Reflecting Core Values throughout the Organisation
• Core values are reflected in actions and decisions applied
• A consistent tone establishes understanding of core values, business
drivers, and desired behaviour of staff and business partners
• Consistent tone - not easy. Different markets require different approaches
to motivation, evaluation and customer service
• Align culture and tone – provides confidence to stakeholders that the
entity is adhering to core values

“Tone” of the organisation
The manner in which values are communicated across the organisation

For example, in an entity where "safety first" is a core value, management demonstrates
its commitment by actively encouraging everyone at every level to identify and escalate
safety practices regardless of their role in the organization. External stakeholders such
as safety inspectors who observe the content and tone of training materials, internal
communications, and reporting will consequently have the confidence that the
organization is embracing its culture and core values.

b) Embrace a Risk-Aware Culture
• Management defines the characteristics needed to achieve the desired culture
• Embrace risk-aware culture by:
1. Maintaining strong leadership – leadership (BOD and management)
drives risk awareness and culture, not from department functions
or second-line teams alone
2. Employing a participative management style – Management
encourages personnel to participate in decision-making
3. Enforcing accountability for all actions – lack of accountability not
tolerated
4. Aligning risk-aware behaviours and decision-making performance –
Remuneration and incentives are aligned with core values.
Including behaviours and adhering to codes of conduct
5. Embedding risk in decision-making – address risk when making
decisions. Includes: review risk scenarios that help everyone
understand the impact of risk
6. Having open and honest discussions about risk facing the entity –
Management does not view risk as being negative, but managing
risk is critical to achieve objectives
7. Encouraging risk awareness across the entity – Management
continually remind staff of managing risk as part of their daily
responsibilities

c) Enforcing Accountability
• BOD holds CEO accountable for managing risks
• Accountability is evident in the following ways:
1. Management and BOD clearly communicate expectations (e.g.,
enforcing standards of conduct).
2. Management ensure information on risk flows through entity
3. Employees commit to business objectives (e.g., aligning individual
targets and performance )
4. Management responds to deviations from standards of behaviour
(e.g., terminating personnel or taking other corrective actions for
failing to adhere to organizational standards).

The chief executive officer and other members of management, together, are
responsible for all aspects of accountability-from initial design to periodic assessment of
the culture and enterprise risk management capabilities

d) Holding Itself Accountable
• In some governance structures, performance targets cascade from the BOD to
the chief executive officer, management, and other personnel, and performance
is evaluated at each of these levels.
• BOD evaluates performance of CEO who evaluates management
• At each level, adherence to core values and culture behaviours are
evaluated and rewards are allocated or disciplinary action is applied
• The board may also conduct a self-evaluation to assess its own strengths
and identify opportunities to improve ERM
e) Keeping Communication Open and Free from Retribution
• Management must assure open communication and transparency of risk
• Transparency of information relates to:
1. Better understanding of objective setting
2. Ongoing adequacy of a risk response
3. Incidents, failures, errors, or unexpected losses
4. Variations in performance, including over-performance
5. Changes in the risk profile or view of risk
6. Deviations in expected behaviours compared to the core values

f) Responding to Deviations in Core Values and Behaviours
• Why do things sometimes go wrong? Operational failures, scandals and
crises do occur, damaging reputation
• Wrongdoing occurs for 3 reasons:
1. People make mistakes
2. People have a moment of weakness
3. People choose to do harm
• Management must help people avoid mistakes and identify potential
wrongdoers
• Response to deviation may include – employee put on probation or
terminated

Example 6.4: When Deviations to Core Values Occur
• For a global pharmaceutical company, research and development (R&D) is often
one of the biggest costs, as products may take ten to twenty years to develop
and bring to market and require significant financial investment. During the
research phase, it is common for many side effects of a product to be identified.
But if R&D did not disclose all potential side effects to management, thereby
impeding management from making an informed decision on moving from drug
trials to production, and the drug is launched, there could be severe effects to the
entity if patients who use the drug experience adverse side effects. Moreover,
R&D's failure to disclose would likely be a clear violation of the desired conduct
of the company.
Principle 5: Attracts, develops, and retains
capable individuals
The organisation is committed to building human capital in alignment with the strategy
and business objectives
a) Establishing and Evaluating Competence
• Management defines human capital needed to achieve objectives
• Competence and skills are required to carry out business processes
• This begins with BOD that evaluates the competence of the CEO and
management evaluates competence across entity.
• The human resources function helps promote competence by assisting
management in developing job descriptions and roles and responsibilities,
facilitating training, and evaluating individual performance for managing
risk.
• Management consider – skills, experience, costs vs benefits of different
skill levels, degree of judgement
b) Attracting, Developing, and Retaining Individuals
• Management establishes structure and process of commitment in
competence to:
1. Attract – seek out candidates who fit the risk-aware culture and are
competent for their roles
2. Train – develop and maintain ERM competencies. Techniques
include, classroom instruction and self-study.
3. Mentor – provide guidance on the individual's performance. Help
him/her to adapt to evolving business context
4. Evaluate – measure performance in relation to objectives
5. Retain (reward performance) – provide incentives to motivate and
retain individuals. E.g. increased salary/bonuses or rewards like
giving visibility, recognition
Retain : This includes offering training and credentialing as appropriate.
c) Addressing pressure
• Pressure in an organization comes from many sources. Can occur in tasks
(negotiating a sales contract) or self-imposed
• Pressure can either motivate individuals to meet expectations or instil fear in them;
fear may lead to fraudulent activity.
• Excessive pressure is associated with:
• Unrealistic short-term performance targets
• Conflicting business objectives of different stakeholders
• Imbalance between rewards for short-term financial performance and those for
long-term focused stakeholders
• Organisations must influence pressure positively – e.g. rebalancing workloads,
increased resource levels and communicated the importance of ethical behaviour
Self-evaluation
• Name the five principles relating to Governance and Culture.
• Who is responsible for risk oversight and day-to-day risk activities?
• What are factors that impede(obstruct) board independence?
• Explain bias (favouritism) in an entity.
• What is an operating structure and its importance in the ERM context?
• What are the factors to consider when establishing an operating structure?
• Explain risk culture as the third principle in an organisation. Name the
internal and external factors that shape an entity's culture.
• What are the reasons when core values are not adhered to in an entity?
• Why should there be a commitment to core values in an organisation?
• How can an organisation embrace a risk-aware culture?
• Explain the importance of communication within the organisation and
what does transparency of information relates to?
• Discuss the importance of an organisation’s human resource function when
evaluating competency
• How do management attract develop and retain individuals?
• Name the factors excessive pressure are associated with. How can
organisations address pressure?
5.3_2 - GOVERNANCE AND CULTURE

Principle 1. Exercises board risk oversight (supervision)
a) Accountability and Responsibility
 Develop a statement to define BOD & management’s responsibilities
 BOD – responsible for risk oversight VS management – day-to-day risk
management

b) Skills, Experience, and Business Knowledge
 Risk changes - so must BOD adjust (e.g. qualifications)
 BOD determines and review periodically if it has necessary skills,
experience. ( e.g. IT expertise in cyber risk exposure)

c) Independence
 BOD should be independent. Why?
o To be objective without conflict of interest
o Ensure best interest of stakeholders
 Factors impede board member independence: - See slide 8
d) Suitability of ERM
 BOD must understand how ERM can create value (either on practices or
strategy-setting) - see notes

e) Organisational bias (favouritism)
 Dominant personalities.
 BOD must understand bias and overcome them

Principle 2. Establishes operating structures
a) Operating structure and reporting lines
• Operating structure - how the entity organises and carries out day-to-day
operations
• i) Legal- and ii) management structure – see slide 11
• Different operating structures result in different risk profiles, affecting ERM
practices – (centralised vs decentralised)
• Factors to consider when establishing operating structure - see slide 12

b) ERM structures
Formal vs informal

c) Authority and Responsibilities
 Defining authority is important. It empowers people to act as needed in a given
role but with limits on authority
d) ERM within evolving entity
 As entity changes – so should ERM
 Regularly evaluate operating structure and reporting lines

Principle 3. Defines desired culture

a) Culture and Desired Behaviours
Core values VS culture
 Culture reflects core values, behaviours, and decisions
 Culture shapes the types of risk identified and how risks are managed
 BOD defines desired culture
 Internal factors that shapes culture: - slide 18
 External factors that shapes culture – slide 19
 Culture – no size fits all. Culture spectrum (risk averse – risk aggressive)

b) Applying Judgement
 Judgement is a function of experience, risk appetite, capabilities, information
available, and bias
c) Effect of culture
See slide 22 & 23 and notes

d) Aligning core values, decisions and behaviours
• Misalignment result in - loss of confidence from stakeholders, inconsistent
approaches, and lower than targeted performance.
• Reasons core values are not adhered to:
I. Tone at the top does not effectively convey expectations
II. BOD does not provide oversight of management’s adherence to
standards
III. Risk is an afterthought to strategy
IV. Performance targets create incentives or pressures (unrealistic in
targets) that instil behaviour contrary to core values
e) Shifting Culture
 New leadership may - different attitude and philosophy about ERM
 Mergers and acquisitions can also shift culture and alter the entity’s mission and
vision
Principle 4. Commitment to core values
a) Reflecting core values throughout the organisation
 Consistent tone – not easy.
 Align culture and tone – provides confidence to stakeholders – see note for
example
b) Embrace a Risk-Aware Culture
1. Maintaining strong leadership (BOD & management)
2. Employing a participative management style
3. Enforcing accountability for all actions
4. Aligning risk-aware behaviours and decision-making performance
5. Embedding risk in decision-making
6. Having open and honest discussions about risk facing the entity
7. Encouraging risk awareness across the entity

c) Enforcing Accountability
 BOD holds CEO accountable for managing risks - See slide 28

d) Holding itself accountable
 BOD evaluates performance of CEO who evaluates management
 At each level, adherence to core values and culture behaviours are evaluated
and rewards are allocated
 BOD also conduct self-evaluation on own strengths and how to improve ERM

e) Keeping communication open and free
 Management demonstrates that risk is not a discussion to be left for the
boardroom. Must be transparent.

f) Responding to deviations in core values and behaviours
 Wrongdoing occurs for 3 reasons:
 People make mistakes
 People have a moment of weakness
 People choose to do harm
 Response to deviation may include – employee put on
probation or terminated
 See note on slide 31
Principle 5. Attract, develop & retain capable individuals

a) Establishing and Evaluating Competence
The human resources function helps promote competence by assisting management in
developing job descriptions and roles and responsibilities, facilitating training, and
evaluating individual performance for managing risk.

b) Attracting, Developing, and Retaining Individuals
Management establishes commitment in competence to
1. Attract
2. Train
3. Mentor
4. Evaluate
5. Retain (reward performance)

c) Addressing pressure
Pressure – either motivate or fear (fear can create fraudulent activity)
Pressure is associated with:
o Unrealistic short term performance targets
o Imbalance between rewards for short-term financial performance and
those for long-term focused stakeholders
o Etc.
 Organisations must influence pressure positively – rebalancing workloads,
increased resources levels, etc.
SU 5.4
COSO – ERM
Component 2
Strategy and Objective Setting

Outcome:
• Understand the importance of an entity’s business context and what type
of factors influence an entity’s internal and external environment
• Understand how an entity defines, determines, articulates and applies its
risk appetite
• Understand the importance of aligning strategy with mission and vision
and the implications of misalignment
• Understand the formulation and alignment of business objectives, as well as the
implications of the chosen business objectives
• Understand the importance of tolerance and how to set tolerance levels

Introduction
• Strategy brings mission and vision to reality
• Difficult to assess whether strategy will align with mission, vision, and values, but
challenge must be taken on
• By integrating ERM with strategy-setting an organisation gains insight into risk
profile of strategy and objectives
• It guides an entity and sharpens the strategy and the tasks needed to carry it out
Principle 6: Analyses business context
The organisation considers potential effects of business context on risk profile
a) Understanding Business Context
• “Business context” refers to trends, relationships, etc. that influence
current and future strategy and business objectives.
• Business context may include:
1. Dynamic, where new risks disrupting the status quo (e.g. new
competitor causes sales to decrease)
2. Complex, many interconnections and interdependencies (e.g. an
entity has many operational units with own political and regulatory
policies and taxation laws)
3. Unpredictable, quick unanticipated change (e.g. currency
fluctuations and political forces)

b) Considering External Environment and Stakeholders
• The external environment is anything outside the entity that influences strategy
and business objectives and is characterised by:

• External stakeholders:
• Are affected by the entity (customers, suppliers, competitors)
• Influence the entity’s business environment (government, regulators)
• Influence the entity’s reputation, brand and trust (communities, interest
groups)

• An example of an external stakeholder is a regulatory body that grants an entity a
license to operate, but also has the authority to fine the entity or force it to shut
down temporarily or permanently.
• Another example is an investor who provides the entity with capital but who can
decide to take that investment elsewhere if it does not agree with the entity 's
strategic direction or its level of performance.
Example 7.1: External Environment Influences
• Two competing global technology companies are both seeking to increase
revenues. The first company is considering launching an established product in
developing countries, while the other company is developing a new product that
would expand its existing consumer base.
• As each company evaluates alternative strategies, they consider different
external environment categories. The first company is influenced by political,
legal, and economic factors as it navigates country-specific laws, government
regulations, and supply chain considerations. In contrast, the second company
focuses on social and technological factors as it seeks to understand changing
customer needs. Even though both companies are in the same industry, they
have different external environments that influence their specific risk profiles and
their chosen strategy.

c) Considering Internal Environment and Stakeholders
• The internal environment is anything inside the entity that influences strategy
and business objectives and is characterised by:
d) How Business Context Affects Risk Profile
• The effect of business context on an entity may be viewed in 3 stages –
past, present, and future
• Past provides insight into risk profiles
• Present provides insight into current trends, relationships, etc.
• Future provides insight into evolution of risk profile in relation to where it
wants to go

Example 7.2: Considering Business Context in Each of the Framework Components

The management of a retail company integrates understanding of business context with
other enterprise risk management practices as follows:
Governance and Culture: The organization develops an understanding of governance
and associated regulatory trends. The board incorporates this understanding of
emerging expectations into its oversight of enterprise risk management practices.
Strategy and Objective-Setting: Management conducts a detailed analysis of social
trends, retail trends, and consumer confidence levels driving behavior of its core
customer base and incorporates findings into its strategy-setting cycle for long-term
value and success.
Performance: Management incorporates its understanding of environmental trends and
how they may affect the assessment of risks relating to the objective of reducing
packaging by 50% in line with its core values.
Review and Revision: Management considers how changes in workforce practices,
namely the emergence of the mobile workforce, may also affect the entity's culture and
enterprise risk management practices, including opportunities to enhance current
practices.
Information, Communication, and Reporting: Management considers that legislation
concerning information privacy may affect the way the entity captures, communicates,
and reports on risk information.

Principle 7: Defines risk appetite

The organisation defines risk appetite in the context of creating, preserving, and
realising value
a) Applying Risk Appetite
• Selecting a strategy and developing risk appetite is not linear: one does not
simply follow the other
• Risk appetite: no one size fits all
• The organisation must understand risk appetite based on mission and
vision
• Appetite can be qualitative or quantitative and must reflect culture
• The best approach is one that aligns with risk assessment
• Developing risk appetite is an exercise in seeking the optimal balance
between risk and opportunity

Risk Appetite:
The types and amount of risk an organization is willing to accept in pursuit of value.
• Risk capacity refers to the maximum amount of risk an entity can absorb
in the pursuit of strategy and business objectives
• Organisations must strive to hold risk appetite within risk capacity
• If operating above risk appetite, amend policies.
• If risk appetite is above risk capacity, the organisation accepts the threat of
insolvency, but success can create considerable value

Figure: Risk profile showing risk appetite and risk capacity

b) Determining Risk Appetite

• There is no standard or "right" risk appetite that applies to all entities.
• Management and the board determine risk appetite by taking into account the
risk vs reward trade-off
• Different approaches to determine risk appetite include facilitating
decisions, reviewing past and current performance targets, and modelling
• Terminology may also differ: low/high appetite (too vague) vs
quantitative measure (precise)
• Risk appetite should be a dynamic approach to shaping the entity’s risk profile
rather than a constraint
• Parameters to determine risk appetite:
1. Strategic – new products to pursue or avoid, merger and
acquisition activity
2. Financial – maximum acceptable variation in financial performance,
ROA, risk-adjusted return on capital
3. Operating – safety and quality targets, environmental targets
Other parameters to determine risk appetite:
• Risk profile (the entity’s current level of risk and how risk is distributed),
• Risk capacity (maximum amount of risk to absorb),
• ERM capability and maturity (how well ERM is functioning)
• Terminology differs
• For some entities, using general terms such as "low appetite" or "high appetite" is
sufficient. Others may view such statements as too vague to effectively
communicate and implement, and therefore they may look for more quantitative
measures. Often, as organizations become more experienced in enterprise risk
management, their description of risk appetite becomes more precise. In some
instances, organizations may develop quantitative measures that link to the
risk appetite statement.

Risk profile: New organizations will not have an existing risk profile to draw from, but
they may be able to get valuable information from their industry and competitors.
Risk capacity: If risk appetite is very high, but risk capacity is not large enough to
withstand the potential impact of the related risks, the entity could fail. On the other
hand, if the entity's risk capacity significantly exceeds its risk appetite, the organization
may lose opportunities to add value for its stakeholders.

c) Articulating (Expressing) Risk Appetite

• Risk appetite can be expressed as a single point or a continuum (scale/range)
• An organisation may articulate risk appetite statements in the context of:
1. Strategy and objectives that align mission, vision, and values
2. Business objective categories
3. Performance targets
• Risk appetite is communicated by management, endorsed (approved) by
the BOD, and disseminated (distributed) throughout the entity
d) Using Risk Appetite
• Risk appetite guides the allocation of resources
• The goal is to align resource allocation to mission, vision, and core values
• Management monitors risk appetite and accommodates changes when
needed
• In this way, it creates a culture that emphasises the importance of risk
appetite
• Risk appetite must cascade through and align with other practices (e.g.
tolerance and key risk indicators, KRIs)

There must be a relationship between risk appetite, tolerance and risk indicators:
Tolerance focuses on objectives and variation from plan
Indicators: KRIs

Principle 8: Evaluates alternative strategies


The organisation evaluates alternative strategies and potential impact on risk profile
a) The Importance of Aligning Strategy
• Strategy must align with mission and vision. If not, then the entity may not
achieve mission and vision
• Misalignment may also lead to reputation damage

Introduction
An organization must evaluate alternative strategies as part of strategy-setting and
assess the risk and opportunities of each option. Alternative strategies are assessed in
the context of the organization's resources and capabilities to create, preserve, and
realize value. A part of enterprise risk management includes evaluating strategies from
two different perspectives: (1) the possibility that the strategy does not align with the
mission, vision, and core values of the entity, and (2) the implications from the chosen
strategy

a) The Importance of Aligning Strategy (continued)

Example: Telecommunication company – Vodacom

Mission: being a provider of critical services and a leading corporate
citizen in the local community

• Strategy: A telecommunication company considers a strategy of limiting
the areas in which its products and services are available to improve its
financial performance.
• The strategy contradicts its mission. While the anticipated improvement in
financial results is intended to appeal to shareholders and investors, it
may be undermined by an adverse effect on its reputation with community
groups and regulators that insist that services be maintained.

b) Understanding the Implications from Chosen Strategy

• The risk profile of each alternative strategy is considered given risk appetite
• Different strategies yield different risk profiles
• Also consider business context, resources, and capabilities when
evaluating different strategies and their supporting assumptions
• Once a strategy is chosen, management can determine the required resources
(e.g. infrastructure, technical expertise) and allocate them to support the strategy
while remaining within risk appetite
• Approaches to evaluating strategy include: SWOT, modelling, valuation,
revenue forecasts, competitor analysis, scenario analysis, etc.

Introduction
When evaluating alternative strategies, the organization seeks to identify and
understand the potential risks and opportunities of each strategy being considered.
Assumptions are an important part of the strategy.
• Where assumptions are unproven, there is often a higher risk of disruption than
there would be if the organization had greater certainty that there would not be
disruptive events associated with a strategy. The level of confidence of
management and the board in each assumption will affect the risk
profile of each of the strategies.
• When developing alternative strategies, management makes certain
assumptions. These underlying assumptions can be sensitive to change, and
that tendency to change can greatly affect the risk profile.

See example on efundi: Considering alternative strategies

Not aligning with mission & vision and implications of alternative
strategies on risk profile

Mission: To provide the highest-quality transportation services to customers with safety
being the foremost consideration for operations while maintaining strong financial
returns for shareholders.
Vision: Enhance our brand to be the go-to transportation provider for the globe.

Example: Considering Alternative Strategies

A global logistics service provider would like to expand operations to meet global demand, and to do so it
needs a new distribution hub. During the strategy-setting process, several alternatives are assessed.

Alternative 1
• Opening a distribution hub offshore in a developing country.
• This is the least expensive of the locations being considered both in cost to build and labor to run, but would
increase delivery time by an average of 30%.
• Locating in this developing country also introduces geopolitical and economic risks.

Alternative 2
• Opening a distribution hub located onshore in a midsized city.
• This location is a bit more expensive to build than alternative 1, but the labor supply is strong.
• However, winters are severe in the area, which heightens the risk that weather-related events
will disrupt transportation.

Alternative 3
• An onshore location in a larger city.
• This location is the most expensive to build in and has the most competitive labor market,
which may result in increased operating costs. However, the climate is temperate all year
round.

The possibility of the strategy not aligning with the mission and vision, and the
implications from the strategy on the risk profile, are summarized below.

Alternative 1
Possibility of not aligning with mission and vision: Possibility of operating in such a manner
that quality and safety are not aligned with the company's core values.
Implications on risk profile: Risk that additional variability in operations may affect customer
satisfaction and erode value. Risk that increased complexity of operations (e.g., regulations,
tax laws, foreign exchange rates) may impact efficiency of operations.

Alternative 2
Possibility of not aligning with mission and vision: Possibility of operating in a manner that
weather may represent difficult working conditions for staff and equipment, and impact safety
of operations.
Implications on risk profile: Risk that the company cannot maintain high-quality year-round
transportation services, which means customer satisfaction would be affected.

Alternative 3
Possibility of not aligning with mission and vision: Possibility of operating in a manner that
increased costs may erode shareholder returns.
Implications on risk profile: Risk of operating in a manner where investing in high-quality
transportation practices increases costs and impacts shareholder returns.
c) Aligning Strategy with Risk Appetite
• If the risk associated with a strategy is inconsistent with risk appetite and
risk capacity, the strategy needs to be revised or replaced with an alternative strategy
• Making changes to strategy
• A change in strategy is necessary:
• if the organization determines that the current strategy fails to
create, realize, or preserve value
• if a change in business context causes the entity to get too near the boundary
of risk it is willing to accept
• if the strategy requires resources and capabilities that are not available

See example on efundi:
Aligning strategy with risk appetite
Making changes to strategy

Example: Aligning strategy with risk appetite

Strategy: "To grow business by expanding global manufacturing locations."
Inconsistent: some global locations presented risk that exceeded the
manufacturer's risk appetite
Updated strategy: "To grow business by expanding to global locations within
established infrastructure requirements and governmental regulations."

Example: Making changes to strategy

A global camera manufacturer used to sell film cameras, but as digital cameras became more
popular, the company started to experience lower sales.
Modified strategy: the company adapted to changing consumer needs and new technology. It now
develops digital cameras and mitigates the risk that its products may become obsolete. These
changes to strategy are supported by changes to relevant business objectives and
performance targets.
Principle 9: Formulates business objectives
The organisation considers risk while establishing the business objectives at various
levels that align with and support strategy
a) Establishing Business Objectives
• Objectives should be specific, measurable, attainable, and relevant
and may relate to:
1. Financial performance – maintain profitable operations
2. Customer excellence – establish customer care centres in
locations that are convenient to access
3. Operational excellence – negotiate competitive labour contracts to
attract and retain employees
4. Compliance obligations – comply with health and safety laws
5. Efficiency gains – operate in an energy-efficient environment
6. Innovation leadership – lead innovation in the market with frequent new
product launches
b) Aligning Business Objectives
• Misalignment of business objectives with strategy and risk appetite may
result in ineffective allocation of resources or accepting too much or too
little risk
• If business objectives do not support the achievement of strategy, a review of
either the strategy or the risk profile is required.
c) Understanding the Implications from Chosen Business Objectives
• The entity must have a reasonable expectation that objectives can be achieved
within risk appetite
• This expectation is informed by the entity’s capabilities and resources
• Where a reasonable expectation does not exist, the entity must either choose to
exceed risk appetite, procure more resources, or change objectives

Example 7.8: Determining the Implications of a Chosen Business Objective

As part of its five-year strategy, an agricultural producer is looking to cultivate organic
produce as a competitive differentiator. The company analyzes the cost of transitioning
to an organic environment and determines that significant investment will be required,
which may threaten the financial performance objectives. Given the importance of
maintaining financial performance, the organization chooses to abandon the selected
business objectives.
Example 2
• An organization has the opportunity to upgrade its core operating systems and
redesign its existing IT infrastructure.
• One option is to pursue a business objective of identifying a suitable vendor and
entering into a third-party arrangement to develop a customized IT system.
• Another option is for the organization to build its own system internally by
investing significantly in its IT capabilities and increasing the number of
personnel.
• Both objectives align with the overall strategy, and therefore management must
evaluate both and determine the appropriate course of action given the potential
implications to the risk profile, resources, and capabilities of the entity.

d) Setting Performance Measures and Targets

• The organisation sets targets to monitor performance and the achievement of
business objectives, e.g. a restaurant targets home delivery orders to be
delivered in 40 min
• Targets enable the entity to influence its risk profile. An aggressive target results in
greater risk and vice versa
e.g. An asset management company seeks to achieve an ROI of 5% annually. If it strives
for a return of 7%, it would incur greater risk in performance. If it strives for 3%, which
allows for a less aggressive risk profile, it will not achieve its broader financial objectives

See example on efundi: Business objectives by level

Level: Business objectives (entity)
Business objective: Continue to develop innovative products that interest and excite
consumers; Expand retail presence in the health food sector
Performance measure and target: 8 products in R&D at all times; 5% growth year over year

Level: Business objectives for North America (division)
Business objective: Increase shelf space in leading stores that share our core values;
Continue to source products in local markets
Performance measure and target: 7% increase in shelf space; 92% local source rate

Level: Business objectives for Confectionary (operating unit)
Business objective: Develop high-quality and safe snack products that exceed consumer
expectations
Performance measure and target: 4.8 out of 5 in customer satisfaction survey

Level: Business objectives for Human Resources (function)
Business objective: Maintain favorable annual turnover of employees; Recruit and train
product sales managers in the coming year
Performance measure and target: Turnover less than 10%; Recruit 50 sales managers;
95% training rate for sales staff
e) Understanding Tolerance
• Tolerance measures whether risks are acceptable or not
• Tolerance is tactical and focused (measurable units), unlike appetite,
which is broad
• Operating within tolerance levels provides comfort that objectives will be
achieved
• Tolerance focuses on objectives and performance, not risks

Tolerance
Boundaries of acceptable variation in performance related to achieving
business objectives within risk appetite

Risk tolerance describes the range of acceptable outcomes related to achieving a
business objective within the risk appetite.
For those objectives viewed as being highly important to achieving the entity's strategy,
or where a strategy is highly important to the entity's mission and vision, the
organization may wish to set a lower range of tolerance.

• The target line and/or the right boundary of tolerance (variance) should not
exceed the intersection of the risk profile and risk appetite
• Maximum/optimal point to set the performance target: where the target line
and/or the right boundary of tolerance intersects risk appetite without
bordering on the risk profile

Figure – Risk profile showing tolerance


Set risk tolerance levels where the target line intersects risk appetite, since the entity
would then take on an acceptable amount of risk to gain a reasonable return without
bordering on the risk profile

f) Performance Measure and Established Tolerances

• Performance measures can be qualitative or quantitative
• Tolerance considers exceeding and trailing (tracking) variation (i.e.
positive or negative variation)
• Exceeding a target indicates good performance
• Trailing a target does not always mean failure; it depends on the targets
and the variation defined

The amount of exceeding and trailing variation depends on several factors, such as the
entity's risk appetite: an entity with a lower risk appetite may prefer to have less
performance variation compared to an entity with a greater risk appetite.

See example on e-fundi: Trailing target variation

A large beverage bottler sets a target of having no more than five lost-time incidents in
a year and sets the tolerance as zero to seven incidents.
The exceeding variation between five and seven represents more incidents and
potential for lost time and an increase in health and safety claims, which is a negative
result for the entity.
In contrast, the trailing variation up to five represents a benefit: fewer incidents of lost
time and fewer health and safety claims. The organization also needs to consider the
cost of striving for zero lost-time incidents.
f) Performance Measure and Established Tolerances (continued)
• The organisation must understand the relationship between costs and tolerance
• The narrower the tolerance, the greater the amount of resources required to
operate within that level of performance, e.g. an airline decides to stop
serving several routes since on-time performance (arrivals and departures)
does not fit within a narrower tolerance. The airline must weigh the cost implications
of forgoing revenue to realise a decreased tolerance in its performance
target.
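The tolerance concepts above (target, tolerance band, exceeding versus trailing variation, and the cost of narrowing a band) can be made concrete in a small monitoring routine. The following is an added example written for these notes; it is not code from the notes or from COSO. The measure names, targets, bands and observations are constructed to mirror the lost-time incident, delivery time and on-time performance examples, and the direction flag (whether lower values are better) is an assumption of this example that decides which side of the target is favourable.

```python
"""Tolerance-band check for performance measures.

Added example (not from the notes or from COSO): it models a performance
target, the tolerance (boundaries of acceptable variation) and the
direction of the measure, so that a result can be classified as exceeding
or trailing variation, favourable or unfavourable, and inside or outside
tolerance. All measure names and figures are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Measure:
    name: str
    target: float
    lower: float            # lower tolerance boundary (inclusive)
    upper: float            # upper tolerance boundary (inclusive)
    lower_is_better: bool   # True for incident counts or delivery minutes

    def __post_init__(self) -> None:
        # The target must sit inside its own tolerance band.
        if not self.lower <= self.target <= self.upper:
            raise ValueError(f"{self.name}: target outside tolerance band")


def classify(measure: Measure, actual: float) -> Dict[str, object]:
    """Classify one observation against the measure's target and tolerance.

    'exceeding' means the result is above target, 'trailing' means below;
    whether that side is favourable depends on the measure's direction,
    which is why trailing the lost-time-incident target is a benefit.
    """
    variation = actual - measure.target
    if variation > 0:
        side, favourable = "exceeding", not measure.lower_is_better
    elif variation < 0:
        side, favourable = "trailing", measure.lower_is_better
    else:
        side, favourable = "on target", True
    return {
        "measure": measure.name,
        "actual": actual,
        "variation": variation,
        "side": side,
        "favourable": favourable,
        "within_tolerance": measure.lower <= actual <= measure.upper,
    }


def out_of_tolerance(measure: Measure, actuals: Iterable[float]) -> List[float]:
    """Observations outside the band; these need escalation or a review of
    the target and tolerance rather than silent acceptance."""
    return [a for a in actuals if not measure.lower <= a <= measure.upper]


def narrowed(measure: Measure, lower: float, upper: float) -> Measure:
    """Same measure with a tighter tolerance band; used to show how narrowing
    tolerance turns previously acceptable results into breaches."""
    return Measure(measure.name, measure.target, lower, upper, measure.lower_is_better)


# Constructed measures mirroring the notes' examples.
LOST_TIME_INCIDENTS = Measure("lost-time incidents per year", 5, 0, 7, lower_is_better=True)
DELIVERY_MINUTES = Measure("home delivery time (min)", 40, 30, 45, lower_is_better=True)
ON_TIME_PERCENT = Measure("on-time arrivals and departures (%)", 85, 80, 100, lower_is_better=False)

# Constructed delivery-time observations for five periods.
DELIVERY_OBSERVATIONS = [38, 41, 44, 47, 52]

if __name__ == "__main__":
    for actual in (3, 5, 6, 9):
        print(classify(LOST_TIME_INCIDENTS, actual))
    print("breaches:", out_of_tolerance(DELIVERY_MINUTES, DELIVERY_OBSERVATIONS))
    print("breaches after narrowing:",
          out_of_tolerance(narrowed(DELIVERY_MINUTES, 35, 42), DELIVERY_OBSERVATIONS))
```

Running the block shows that six incidents is exceeding but still within tolerance, nine incidents is a breach, and narrowing the delivery band from 30 to 45 minutes down to 35 to 42 minutes turns a previously acceptable 44-minute result into a third breach, which is the cost relationship the airline example describes: a tighter band requires more resources (or fewer routes) to stay inside it.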
Example: Tolerance statements

Self-evaluation
• Define an entity’s business context and name the factors that influence
an entity’s internal and external environment
• Define risk appetite and explain how an entity defines, determines,
articulates and applies its risk appetite
• Why is it important to align an entity’s strategy and business objectives
with its mission and vision? What are the implications of a misaligned
strategy and the implications of a chosen business objective?
• Define tolerance and explain how and where tolerance levels are set
given an entity’s risk appetite, risk capacity and risk profile
SU 5.4 Strategy and objective setting

Principle 6: Analyses business context

a) Understanding business context

Def: “Business context” refers to trends, relationships, etc. that influence current and future
strategy and business objectives

• Business context may include: See slide 5

1. Dynamic…
2. Complex…
3. Unpredictable…

b) Considering External Environment and Stakeholders

External environment is anything outside the entity that influences strategy and business objectives

External:
Political… see slide 6 for examples and notes
Economical…
Social…
Technological …
Legal…
Environmental…

c) Considering Internal Environment and Stakeholders

Internal environment is anything inside the entity that influences strategy and business objectives

Capital… see slide 7 for examples a
People…
Process…
Technology…

d) How Business Context Affects Risk Profile

The effect of business context on an entity may be viewed as:
• Past profiles (provide insight into risk profiles)
• Present profiles (provide insight into current trends, relationships)
• Future profiles (provide insight into the evolution of the risk profile in relation to where it wants to go)
See notes for example
Principle 7: Defines risk appetite

a) Applying Risk Appetite

Def: Risk appetite - The types and amount of risk an organization is willing to accept in pursuit of
value.

• Selecting a strategy and risk appetite is not linear
• Risk appetite - no one size fits all
• Appetite can be qualitative or quantitative
Figure: Risk profile showing risk appetite and risk capacity…. SLIDE 10

b) Determining Risk Appetite

• No standard or "right" risk appetite that applies to all entities.
• Different approaches to determine risk appetite include facilitating decisions, reviewing past and
current performance targets, and modelling
• Terminology can differ – low/high appetite (too vague) vs quantitative measure (precise). See
Notes – slide 11
• Risk appetite should be a dynamic approach rather than a constraint
Parameters to determine risk appetite:

• Strategic… Slide 12
• Financial …
• Operating…

c) Articulating (Expressing) Risk Appetite

• Risk appetite can be expressed as a single point or continuum (scale/range). See example on
efundi – Cascading risk appetite
• Risk appetite is communicated by management, endorsed (approved) by the BOD, and
disseminated (distributed) throughout the entity
d) Using Risk Appetite

• Risk appetite guides allocation of resources
• Goal is to align resource allocation to mission, vision, and core values
• Risk appetite must cascade through and align with other practices (e.g. tolerance and KRIs)
Principle 8: Evaluates alternative strategies

a) The Importance of Aligning Strategy

• Strategy must align with mission and vision. If not, the entity may not achieve its mission and vision
• Misalignment may also lead to reputation damage
See example slide 18

b) Understanding the implications of chosen strategy

• Risk profile of each alternative strategy is considered given risk appetite
• Also consider business context, resources, and capabilities
• Approaches to evaluating strategy: SWOT analysis, revenue forecasting…
See example on efundi:
Considering alternative strategies. Not aligning with mission & vision and implications of alternative
strategies on risk profile

c) Aligning Strategy with Risk Appetite – revise alternative strategies

d) Making changes to strategy

Change in strategy is necessary:
• if the current strategy fails to create, realize, or preserve value
• if a change in business context causes the entity to get too near the boundary of risk it is willing to accept
• if the strategy requires resources and capabilities that are not available
See example on efundi: Aligning strategy with risk appetite. Making changes to strategy

Principle 9: Formulates business objectives

a) Establishing Business Objectives

• Objectives should be specific, measurable, attainable, and relevant and may relate to:

1. Financial performance … see slide 21
2. Customer excellence …
3. Operational excellence…
4. Compliance obligations …
5. Efficiency gains …
6. Innovation leadership…
b) Aligning Business Objectives
• Misalignment of business objectives with strategy and risk appetite may result in ineffective
allocation of resources or accepting too much or too little risk
• If business objectives do not support the achievement of strategy, a review of either the strategy
or the risk profile is required

c) Understanding the Implications from Chosen Business Objectives

• Must have a reasonable expectation that objectives can be achieved within risk appetite
• Where a reasonable expectation does not exist, either choose to exceed risk appetite, procure
more resources, or change objectives
See example in notes

d) Setting Performance Measures and Targets

• The organisation sets targets to monitor performance and the achievement of business objectives,
e.g. a restaurant targets home delivery orders to be delivered in 40 min
• An aggressive target results in greater risk and vice versa – see example on slide 24

See example on efundi: Business objectives by level

e) Understanding Tolerance
• Def: Tolerance: Boundaries of acceptable variation in performance related to achieving
business objectives within risk appetite

Tolerance:
• measures whether risks are acceptable or not
• It is tactical and focused – measurable units, unlike appetite which is broad
• Operating within tolerance levels provides comfort that objectives will be achieved
• It focuses on objectives and performance, not risks

Figure – Risk profile showing tolerance

NB!!! – see interpretation - slide 26

f) Performance Measure and Established Tolerances

• Performance measures can be qualitative or quantitative
• Tolerance considers exceeding and trailing (tracking) variation (i.e. positive or negative
variation)
• Exceeding a target indicates good performance
• Trailing a target does not always mean failure - See example on e-fundi – trailing target
variation
Example: Tolerance statements – see slide 28
SU 5.5
COSO – ERM
Component 3
Performance
Introduction
• Performance focuses on practices that support the entity’s objectives and strategy
• The entity uses its operating structure to develop a practice that:
− Identifies new risk so that management can respond accordingly
− Assesses risk severity – understand how risk may change
− Prioritises risks to optimise resource allocation
− Identifies and selects risk responses
− Develops a portfolio view to articulate the amount of risk assumed in pursuit of
objectives

Creating, preserving, realizing, and minimizing the erosion of an entity's value is further
enabled by identifying, assessing, and responding to risk that may impact the
achievement of the entity's strategy and business objectives

Figure: Principles of the Performance component
10. Identifies risk
11. Assesses severity of risk
12. Prioritises risks
13. Implements risk responses
14. Develops portfolio view
Principle 10: Identifies risk
The organisation identifies risk that impacts the performance of strategy and business
objectives
a) Identifying Risk
• Risk identification activities establish an inventory of risks and confirm
existing risks
• New, emerging, and changing risks include those that:
1. Arise from a change in objectives (e.g. new strategy)
2. Arise from a change in business context (e.g. changes in consumer
preferences for environmentally friendly products)
3. Arise due to a change in business context previously irrelevant (e.g.
new regulations)
4. Were previously unknown (e.g. discovery of susceptibility to
corrosion in materials)
5. Were previously identified but altered due to a change in risk
appetite or business context (e.g. increase in sales forecasts
affecting production capacity)

• Emerging risks arise when the business context changes and may alter the entity’s risk
profile in future
• An emerging risk may not be understood well enough yet, but it allows and gives time for
an organization to assess severity and anticipate risk responses
• Some risks remain unknown, and there is no expectation to consider them in risk identification
(e.g. future actions of competitors are unknown)
• The entity needs to identify those risks that are likely to disrupt operations and affect
the reasonable expectation of achieving objectives

• Risk events may be specific or evolving and include:
1. Emerging technology – advances in technology that affect the relevance of
existing products
2. Expanding role of big data and data analytics – how to effectively
access, transform and analyse large volumes of data
3. Depleting natural resources – diminishing availability of natural resources
4. Rise of virtual entities – effect of virtual entities on supply, demand and
distribution channels in traditional market structures
5. Mobility of workforce – introduces new activities to operations
6. Labour shortages – challenges of securing labour with relevant skills
7. Shifts in lifestyle, healthcare, and demographics – change in habits and
needs of clients
8. Political environment – government actions that alter the operations of the entity
a) The entity undertakes risk identification activities to first establish an inventory of risks,
and then to confirm existing risks as being still applicable and relevant.
How often an organization does this will depend on how quickly risks change or new
risks emerge. Where risks are likely to take months or years to materialize, the
frequency at which risk identification occurs will be less than where risks are less
predictable or will occur at a greater speed.
New, emerging, and changing risks include those that:
1. Arise from a change in business objectives (e.g., the entity adopts a new strategy
supported by business objectives or amends an existing business objective).
2. Arise from a change in business context (e.g., changes in consumer preferences
for environmentally friendly or organic products that have potentially adverse
impacts on the sales of the company's products).
3. Pertain to a change in business context that may not have applied to the entity
previously (e.g., a change in regulations that results in new obligations to the
entity).
4. Were previously unknown (e.g., the discovery of a susceptibility to corrosion in
raw materials used in the company's manufacturing operations).
5. Were previously identified but have since been altered due to a change in the
business context, risk appetite, or supporting assumptions (e.g., a positive
increase in the expected sales forecasts affecting production capacity).

b) Using a Risk Inventory

• Risk inventory: a listing of the risks that the entity faces; it can be structured
by category (grouping similar risks)
• E.g. financial risks, customer risks, compliance risks
• Risk impact cannot be limited to specific levels/functions, so identify all risks
in the entity
• Comprehensive risk identification identifies risks and opportunities across
all levels, including those unique to a specific product
Because the impact of risks cannot be limited to specific levels or functions,
identification activities should capture all risks, and regardless of where they are
identified, all risks form part of the entity's risk inventory.
Figure 8.2: Risk Impacts at Differing Levels
Risk 1 potentially impacts the strategy directly.
Risk 2 impacts the entity business objectives.
Risk 3 impacts multiple business objectives.
Risk 4 impacts a single business objective and, through it, also impacts entity business
objectives.

c) Approaches to Identify Risk


• Identify risks through day-to-day activities such as budgeting, performance
reviews, meetings.
• Complex entities use more than one technique which may include:
1. Cognitive computing – collect and analyse large volumes of data
to detect future trends
2. Data tracking – Databases developed by third party services help
predict future (predictive models) from past events. Data available
on a subscription basis.
3. Interviews – ask for individual’s knowledge, for large groups –
surveys are used
4. Key indicators – qualitative and quantitative measure to identify
changes in risks
5. Process analysis – diagram/map of a process to better
understand the interrelationships
6. Workshops – group’s collective knowledge to develop a list of risks
they relate to the entity’s strategy and business objectives

Identify risks through day-to-day activities such as budgeting, performance reviews, and
meetings for new products and designs, customer complaints, incidents, or financial
losses
Principle 11: Assesses severity of risk
The organisation assesses the severity of risk
a) Assessing risk
• Identified risks are assessed to understand severity
• Risk assessments inform selection of risk responses
• When the severity of a risk is identified, resources and capabilities are
deployed so that the risk remains within risk appetite
b) Assessing Severity at Different Levels of the Entity
• Severity assessed at multiple levels (e.g. divisions, functions, units)
• Higher levels have greater impact on reputation, brand, trustworthiness
• Risk terminology and categories help assess risks at all levels
• Example: the risk of technology disruptions identified by multiple
divisions may be grouped and assessed collectively
• Grouped common risks – severity rating may change
Figure example:
• In a top-down entity risk assessment, risk 4 has a low level of severity.
• But in a business unit level assessment, risk 4 has greater severity
• Also consider risk 2: given its severity, it is an entity-level concern

b) Assessing severity
It may be that risks assessed as important at the operating unit level, for example, may
be less important at a division or entity level
When common risks are grouped, the severity rating may change. Risks that are of low
severity individually may become more or less severe when considered collectively
across business units or divisions.
For example, an entity-level assessment would assess entity-level risks, but should
also consider those severe risks identified at the entity business objective
level, such as risk 2, to determine if, given their severity, they are an entity-level
concern.
c) Selecting Severity Measures
Selecting Severity Measures
• Determine severity (likelihood and impact) to select appropriate response
1. Impact – Result/effect of a risk – positive or negative
2. Likelihood – possibility of a risk occurring expressed as:
i. Qualitative – possibility is remote
ii. Quantitative – possibility is 80%
iii. Frequency – once every 12 months
• Consider combinations of likelihood and impact

• Management determines the relative severity of various risks in order to select an
appropriate risk response, allocate resources
• Different thresholds may also be used at varying levels of an entity for which a
risk is being assessed
i) The possibility of a risk relating to a potential occurrence or circumstance and the
associated impacts on a specific business objective (within the time horizon
contemplated by the business objective, e.g., twelve months) is remote
ii) The possibility of a risk relating to a potential occurrence or circumstance and the
associated impacts on a specific business objective (within the time horizon
contemplated by the business objective, e.g., twelve months) is 80%
iii) The possibility of a risk relating to a potential occurrence or circumstance and the
associated impacts on a specific business objective (within the time horizon
contemplated by the business objective, e.g., twelve months) is once every 12
months
d) Assessing Approaches
• Can be qualitative, quantitative, or both
• Qualitative used when it’s more cost effective (e.g. interviews,
workshops, surveys)
• Quantitative support cost-benefit analysis and allow for precision
(e.g. Monte Carlo simulation, modelling, decision trees)
• Quantitative approaches are more complex and include:
Probabilistic models (e.g., value at risk, operational loss distributions) that associate a
range of events and the resulting impact with the likelihood of those events based on
certain assumptions.
Non-probabilistic models (e.g., sensitivity analysis, scenario analysis) use subjective
assumptions to estimate the impact of events on a business objective without quantifying
an associated likelihood.
• Risk assessment helps explain interdependencies between risks

Non-probabilistic models - For example, scenario analysis allows management to
understand the impact on a business objective to increase profitability under different
scenarios, such as a competitor releasing a new product, a disruption in the supply
chain, or an increase in product costs.
The anticipated severity of a risk may influence the type of approach used. In
assessing risks that could have extreme impacts, management may use scenario
analysis, but when assessing the effects of multiple events, management might find
simulations more useful (e.g., stress testing). Conversely, high-frequency, low-impact
risks may be more suited to data tracking and cognitive computing.
Risk assessment – interdependencies between risks: For example, for a technology
innovator the delay in launching new products results in a concurrent loss of market
share and dilution of the entity's brand value

e) Inherent, Target, and Residual Risk


During assessment management considers:
1. Inherent risk – risk in absence of any direct or focused actions by
management to alter the severity
2. Target residual risk – amount of risk an entity prefers to take in pursuit of
strategy and objectives, knowing management has/will implement
direct/focused actions to alter the severity
3. Actual residual risk – risk that remain after management has taken
action to alter severity. Actual residual risk =< target residual risk
f) Depicting Assessment Results
• Assessment results are depicted using a heat map
• Each risk plotted on heat map assumes a given level of performance of
that business objective
• Various combinations of likelihood and impact are colour coded to reflect
severity
• Colour coding aligns to severity outcome and reflect risk appetite of entity
• Risk averse entity code more red squares
• Risk aggressive entity code more green squares
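To make the heat-map depiction and the residual-risk rule from section e) concrete, the following is an added Python example (not from these notes or from COSO) that colour-codes a 5×5 likelihood/impact grid against an entity's appetite thresholds and checks each risk's actual residual severity against its target residual. The 1–5 scales, the appetite thresholds and the sample risks are constructed assumptions for illustration.

```python
"""Heat map and residual-risk check (added example, not from the EKRP 211 notes).

Severity is modelled as likelihood x impact on constructed 1..5 ordinal scales.
An entity's risk appetite is expressed as two thresholds (green_max, amber_max):
a risk-averse entity sets low thresholds (more red squares), a risk-aggressive
entity sets high thresholds (more green squares), as the notes describe.
"""
from dataclasses import dataclass

# Constructed ordinal scales; a real entity defines its own.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed appetite thresholds: (green_max, amber_max) on the severity scale 1..25.
RISK_AVERSE = (4, 9)
RISK_AGGRESSIVE = (9, 16)


@dataclass
class Risk:
    """One risk with its three severities from section e), each as (likelihood, impact)."""
    name: str
    inherent: tuple   # no direct or focused management action
    target: tuple     # target residual: what the entity prefers to carry
    actual: tuple     # actual residual: what remains after the response


def severity(cell):
    """Severity of a (likelihood, impact) cell."""
    likelihood, impact = cell
    return likelihood * impact


def colour(cell, appetite):
    """Colour-code a cell against the entity's appetite thresholds."""
    green_max, amber_max = appetite
    s = severity(cell)
    if s <= green_max:
        return "green"
    if s <= amber_max:
        return "amber"
    return "red"


def heat_map(appetite):
    """5x5 grid: rows are likelihood 5..1 (top to bottom), columns impact 1..5."""
    return [[colour((l, i), appetite) for i in range(1, 6)] for l in range(5, 0, -1)]


def count_colour(appetite, name):
    """How many squares of the grid carry a given colour for this appetite."""
    return sum(row.count(name) for row in heat_map(appetite))


def assess(risks, appetite):
    """Apply the notes' rule (actual residual <= target residual) and check whether
    the actual residual sits in a red square, i.e. outside appetite."""
    results = []
    for r in risks:
        results.append({
            "name": r.name,
            "inherent": severity(r.inherent),
            "target": severity(r.target),
            "actual": severity(r.actual),
            "within_target": severity(r.actual) <= severity(r.target),
            "within_appetite": colour(r.actual, appetite) != "red",
        })
    return results


def needs_review(risks, appetite):
    """Risks whose response must be revisited: above target or outside appetite."""
    return [x["name"] for x in assess(risks, appetite)
            if not (x["within_target"] and x["within_appetite"])]


# Constructed sample risks (names echo the notes' examples; values are illustrative).
SAMPLE_RISKS = [
    Risk("Technology disruption", inherent=(4, 4), target=(2, 4), actual=(3, 4)),
    Risk("Unresolved customer complaints", inherent=(4, 3), target=(2, 3), actual=(2, 3)),
    Risk("Extended supplier negotiations", inherent=(3, 2), target=(2, 2), actual=(2, 2)),
]

if __name__ == "__main__":
    for appetite, label in ((RISK_AVERSE, "risk-averse"), (RISK_AGGRESSIVE, "risk-aggressive")):
        print(f"{label}: {count_colour(appetite, 'red')} red squares")
        for row in heat_map(appetite):
            print("  " + " ".join(c[0].upper() for c in row))  # G / A / R per square
        print("  needs review:", needs_review(SAMPLE_RISKS, appetite))
```

The same risk can sit in an amber square for one appetite and a red one for another, so the colour coding, not the raw severity number, is what ties the map back to the entity's appetite.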

Example: The Figure illustrates the risk profile for a single business objective. Each
data point on the risk curve represents the severity of risk to the business objective. If the
performance level changes, new risks arise, risks shift in severity, or risks are removed
Use risk profile in assessment to:
1. Confirm performance is within tolerance
2. Confirm risk is within appetite
3. Compare severity of risk at various points on the risk curve (blue
line)
4. Assess the disruption point on the curve – risk exceeds appetite
• Also, consider how different risks may present different impacts to same
objective – enabled to make risk-aware decisions

The risk inventory forms the basis to construct a risk profile
• In addition, management considers how different risks may present
different impacts to the same business objective. For example, a hardware
store franchise identifies the risk of poor sales due to not stocking a diverse
product range that will appeal to a broad group of customers.
• Management is also aware that changes in marketing and advertising efforts
can significantly affect sales.
• Focusing on the business objective of sales, management is able to better
understand the risks that have an impact on sales.
• Understanding the severity of different risks to the same business objective,
management can make risk-aware decisions about the diversity of products in
stock and the desired budget to spend on marketing and advertising costs in
order to manage the risk of low sales.

g) Identifying Triggers for Reassessment


• Triggers are typically changes in business context or risk appetite
• Triggers serve as early-warning systems (e.g. increased customer
complaints, drop in sales, spike in customer complaints, competitors )
• Severity and frequency will inform how often assessment may be triggered
(e.g. Risks associated with changing commodity prices may need to be
assessed daily, vs changing demographics or market tastes for new
products may need to be assessed only annually.
h) Bias in Assessment
• Management must identify and mitigate the effect of bias in risk assessment
• Bias may result in severity of a risk being over- or underestimated
• Underestimating the severity - result in an inadequate response
• Overestimating the severity – resources unnecessarily deployed in
response

Principle 12: Prioritises risks


The organisation prioritises risks as a basis for selecting responses to risks
a) Establishing the Criteria
• Organisations must prioritise risks for decision-making and optimise
allocation of resources
• Greater priority may be given to those risks likely to approach or exceed
risk appetite.
• Priorities are determined by criteria that includes:
1. Adaptability – capacity to adapt/respond to a risk
2. Complexity – scope and nature of a risk to entity’s success
3. Velocity – speed at which risk impacts an entity
4. Persistence – duration of impact of risk
5. Recovery – capacity of entity to return to tolerance
1. Adaptability: The capacity of an entity to adapt and respond to risks (e.g.,
responding to changing demographics such as the age of the population and the
impact on business objectives relating to product innovation).
2. Complexity: The scope and nature of a risk to the entity's success. The
interdependency of risks will typically increase their complexity (e.g., risks of
product obsolescence and low sales to a company's objective of being market
leader in technology and customer satisfaction).
3. Velocity (speed): The speed at which a risk impacts an entity. The velocity
may move the entity away from the acceptable variation in performance. (e.g.,
the risk of disruptions due to strikes by port and customs officers affecting the
objective relating to efficient supply chain management.)
4. Persistence: How long a risk impacts an entity (e.g., the persistence of adverse
media coverage and impact on sales objectives following the identification of
potential brake failures and subsequent global car recalls).
5. Recovery: The capacity of an entity to return to tolerance (e.g., continuing to
function after a severe flood or other natural disaster.) Recovery excludes the
time taken to return to tolerance, which is considered part of persistence, not
recovery.

b) Prioritising Risk
Two risks with the same severity may be prioritised differently due to, for example, velocity
and persistence.

Example: Restaurant chain (e.g. Spur)


• Risk response to customer complaints that remain unresolved and attract
adverse attention in social media is considered a greater priority VS
• Risk response to extended contract negotiations with vendors and
suppliers.
• Both risks are severe, but the speed and scope of on-line scrutiny
may have a greater impact on the performance and reputation of
the restaurant chain

How a risk is prioritized typically informs the risk responses that management considers.
Risks of greater priority are more likely to be those that affect the entity as a whole or
arise at the entity level. For example, the risk that new competitors will introduce new
products and services to the market may require greater adaptability and a review of the
entity's strategy and business objectives in order for the entity to remain viable and
relevant.
A combination of responses provides the optimum result

Principle 13: Implements Risk Responses
The organisation identifies and selects risk responses
Residual risk will always exist, due to resource limitations and future uncertainty.
a) Choosing Risk Responses
For all risks there is a response:
1. Accept – no action is taken to change the severity (risk already
within appetite) (e.g. not purchasing insurance products – impact of
event is acceptable and outcome can be handled internally
2. Avoid – action is taken to remove the risk (e.g. ceasing a product
line, selling a division, declining expansion to a new geographical
market) – organisation was unable to identify an appropriate
response to reduce severity
3. Pursue – action is taken to accept increased risk to achieve
performance (e.g. new product, aggressive growth strategies,
expanding operations) – management will not exceed boundaries
of tolerance to achieve performance
4. Reduce/mitigate – action is taken to reduce the severity of the risk
(e.g. back-up systems)
5. Share – action is taken to reduce the severity by transfer/sharing
the risk (e.g. insurance, outsourcing to specialist)

b) Selecting and Deploying Risk Response


• Management deploys response while considering:
1. Business context – responses are tailored to industry, regulatory
environment and geographic footprint.
2. Cost and benefit – costs and benefits are commensurate (equal)
with severity and prioritisation of risk
3. Obligations and expectations – response addresses industry
standards, stakeholder expectations, and alignment of mission and
vision
4. Prioritising of risk – priority informs resource allocations. Risk
response that have large costs (system upgrade, increased staff)
vs low priority risks
5. Risk appetite – identify responses that bring residual risk within
appetite. (e.g. purchase insurance and implement internal
responses)
6. Risk severity – response reflect size, scope, and nature of risk and
impact

Risk severity: Risk response should reflect the size, scope, and nature of the risk and its
impact on the entity. For example, production environment, where risks are driven by
changes in volume, the proposed response is scaled to accommodate increased activity

c) Considering Costs and Benefits of Risk Responses
Risk responses will bring the residual risk in line with the tolerance
• Costs and benefits are equal to severity and prioritisation of risk
e.g. high priority risk need increased resource cost, given expected
benefits
• If no optimal response ITO cost vs benefit – revisit strategy/objectives
d) Additional Considerations
• Response may yield new risks as unintended consequence – assess
severity/priority and determine the effectiveness of response
• Example, for the fruit farmer, the risk of floods damaging the crops was
reduced by purchasing insurance; however, the farmer may now be at
risk of low cash flow.

Management is also responsible for risk responses that address any regulatory
obligations, which again may not be optimal from the perspective of costs and benefits, but
comply with legal or other obligations (see Example 8.6). In selecting the appropriate
response, management must consider the expectations of stakeholders such as
shareholders, regulators, and customers.

Principle 14: Develop portfolio view


The organisation develops and evaluates a portfolio view of risk
a) Understanding a Portfolio View
• Management first consider risk as it relates to division, operating
unit/function
• Each manager develops assessment of risks to reflect the unit’s residual
risk profile
• Portfolio view allows management/board to consider type, severity, and
interdependencies of risks
• Using a portfolio view organisations identify severe risks at entity level
• With a portfolio view management determines if residual risk aligns with
risk appetite
• The same risk across different units may be acceptable for the operating
units, but taken together may give a different picture

Conversely, a risk may not be acceptable in one unit, but be well within the range in
another. For example, some operating units have higher risk than others, yet the overall
risk remains within the entity's risk appetite
b) Develop a Portfolio View
• Portfolio view can be developed in various ways:
• Use major risk categories on operating units or metrics such as
risk-adjusted capital
• Portfolio view may also be depicted graphically – compare types
and amount of risk to appetite for each strategy and business
objective.

Risk-adjusted capital or capital at risk - This method is particularly useful when
assessing risk against business objectives stated in terms of earnings, growth, and other
performance measures, sometimes relative to allocated or available capital.

• Characteristics of portfolio view:


1. Severity of technology disruptions increases as risk become
aggregated
2. Risk of counterparty defaults decrease in severity - no single
creditor large enough to impact entity as a whole
3. Risk of low sales from multiple operating units act as hedge where
low sales in one operating unit are offset by strong sales in another
4. Strong positive correlation between risk of product recalls and risk
of compliance breaches increases the priority of risk responses to
both risks
5. Strong positive correlation between business objectives requires
investing in the best technology

1. Severity of technology disruptions increases as risks are progressively
aggregated, recognizing the reliance that multiple businesses have on
common operating systems and technology.
2. Risk of counterparty defaults decrease in severity as the entity does not
have a single creditor considered large enough to impact the entity as a
whole.
3. Risk of low sales from multiple operating units may act as a natural hedge
where low sales in one operating unit are offset by strong sales in another.
4. Risk of currency fluctuations may also act as a natural hedge where
currency changes in one country offset changes in another.
5. Strong positive correlation between risk of product recalls and the risk of
compliance breaches increases the priority of risk responses to both risks.
6. Strong positive correlation between the business objectives requires
investing in best-in-class technology solutions and minimizes losses and
inefficiencies that are taken into account when selecting associated risk
responses
c) Analysing the Portfolio View
To evaluate the portfolio view of risk, the organization uses qualitative and
quantitative techniques.
• Quantitative (understand the sensitivity of the portfolio to changes and shocks
and to avoid/respond better to big surprises/losses)
e.g. – regression modelling, stress testing
• Qualitative (understand the trends in opinions, dive deeper into the problem )
e.g. – scenario analysis & benchmarking
Intro
Developing a portfolio view of the risks to the entity enables risk-based decision-making and
helps set performance targets and manage changes in either the performance or the risk profile
Qualitative Research is also used to uncover trends in thought and opinions, and dive deeper
into the problem. Qualitative data collection methods vary using unstructured or semi-
structured techniques. Some common methods include focus groups (group discussions),
individual interviews, and participation/observations.
Undertaking stress testing, scenario analysis, or other analytical exercises helps an organization
to avoid or better respond to big surprises and losses. The organization uses different
techniques to assess the effect of changes in the business context or other variables on a
business objective or strategy. For example, an organization may choose to analyze the
effect of a change in interest rates on the portfolio view. Alternatively, the organization
may seek to understand the impact of multiple variables occurring concurrently, such as
changing interest rates combined with a spike in commodity prices that affect the entity's
profitability. Finally, the organization may choose to evaluate the impact of a large-scale
event, such as an operational incident or third-party failure. By analyzing the effect of
hypothetical changes on the portfolio view, the organization identifies potential new,
emerging, or changing risks and evaluates the adequacy of existing risk responses.
Stress testing helps an organization understand how the shape or height of the risk
curve may respond to potential changes. For example:
Validation of events that could become disruptive and cause the risk curve to exceed risk
appetite (e.g., the magnitude of a potential funding gap that impacts the viability of the
business, which would be represented by the intersect of the risk curve with the risk
appetite of the entity).
The extent to which the risk curve may shift up or down in response to a change (e.g.,
confirming to what extent changing economic health indicators such as unemployment
levels and gross domestic product represent a sufficient deterioration in the business
context and causing the risk curve to shift up).
Risk responses that can cause sections of the curve to become flatter (e.g., diversifying
products, entering into new financial hedging strategies or purchasing additional
insurance).
The ease at which the organization can move along the curve. The speed and agility of
the organization to make decisions and travel along the risk curve to a new desired
intersection of risk and performance (e.g., the ability and speed of adjusting production
volumes in response to changes in sales).
SU 5.5

Intro

Creating, preserving and realizing the entity's value is further enabled by
• Identifying new risk
• Assessing risk severity and prioritise risk (to optimise resource allocation)
• Responding (accept, avoid, mitigate, share, pursue) to risk that may impact the achievement of
the entity's strategy and business objectives
• Develop portfolio view

10. Identifies risk

a) Identifying Risk

How often an organization identifies risk will depend on how quickly risks change or new risks emerge

New, emerging, and changing risks:

1. Arise from a change in objectives…


2. Arise from a change in business context…
3. Pertain to a change in business context that may not have applied to the entity previously
4. Were previously unknown …
5. Were previously identified but have since been altered due to a change in the business
context, risk appetite, or supporting assumptions…
• Emerging risks arise when business context change – may alter entity’s risk profile in future
• Some risks remain unknown – no expectation to consider in risk identification (e.g. future
actions of competitors are unknown)
Risk events may be specific or evolving and include:

1. Emerging technology –
2. Expanding role of big data and data analytics –
3. Depleting natural resources –
4. Rise of virtual entities –
5. Mobility of workforce –
6. Labour shortages –
7. Shifts in lifestyle, healthcare, and demographics –
8. Political environment –

b) Using a Risk Inventory

• Risk inventory - Listing of risks that the entity faces and can be structured by category (group
similar risks)
E.g. financial risks, customer risks, compliance risk

• Risk impact cannot be limited to specific levels/functions – identify all risks in entity
Figure 8.2: Risk Impacts at Differing Levels
Risk 1 potentially impacts the strategy directly.
Risk 2 impacts the entity business objectives.
Risk 3 impacts multiple business objectives
Risk 4 impacts a single business objective and that also impacts entity business objectives

c) Approaches to Identify Risk

1. Cognitive computing – collect and analyse large volumes of data to detect future trends

2. Data tracking – Databases developed by third party services help predict future (predictive models)
from past events. Data available on a subscription basis.

3. Interviews – ask for individual’s knowledge, for large groups – surveys are used

4. Key indicators – qualitative and quantitative measure to identify changes in risks

5. Process analysis – diagram/map of a process to better understand the interrelationships

6. Workshops – group’s collective knowledge to develop a list of risks they relate to the entity’s
strategy and business objectives

Principle 11: Assesses severity of risk

a) Assessing risk & b) Assessing severity at different levels of entity (see figure on slide)

• When the severity of a risk is identified, resources and capabilities are deployed so that the risk
remains within risk appetite
• Higher levels have greater impact on reputation, brand, trustworthiness

c) Selecting Severity Measure


• Determine severity [likelihood (possibility of risk occurring) and impact (result -
positive/negative)] to select appropriate response and allocate resources
• Different thresholds may also be used at varying levels of an entity for which a risk is being
assessed
Likelihood can be expressed as

• Qualitative – possibility is remote
• Quantitative – possibility is 80%
• Frequency – once every 12 months

d) Assessing Approaches

• Qualitative used when it’s more cost effective (e.g. interviews, workshops, surveys)
• Quantitative support cost-benefit analysis and allow for precision (e.g. Monte Carlo simulation,
modelling)
• Quantitative (understand the sensitivity of the portfolio to changes and shocks and to
avoid/respond better to big surprises/losses)

e.g. – regression modelling, stress testing

• Qualitative (understand the trends in opinions, dive deeper into the problem )

e.g. – scenario analysis & benchmarking

Quantitative approaches are more complex and include:

o Probabilistic models (e.g., value at risk, operational loss distributions) that associate a range of
events and the resulting impact with the likelihood of those events based on certain
assumptions.
o Non-probabilistic models (e.g., sensitivity analysis, scenario analysis) use subjective
assumptions to estimate the impact of events without quantifying an associated likelihood on a
business objective.
o Risk assessment helps explain interdependencies between risks
e) Inherent, Target, and Residual Risk
During assessment, consider:
1. Inherent risk – risk in absence of any direct or focused actions by management to alter the
severity
2. Target residual risk – amount of risk an entity prefers to take in pursuit of strategy and
objectives, knowing management has/will implement direct/focused actions to alter the severity
3. Actual residual risk – risk that remain after management has taken action to alter severity.
Actual residual risk =< target residual risk

f) Depicting Assessment Results

• Assessment results are depicted using a heat map


• Each risk plotted on heat map assumes a given level of performance of that business
objective
• Various combinations of likelihood and impact are colour coded to reflect severity
• Colour coding aligns to severity outcome and reflect risk appetite of entity
• Risk averse entity code more red squares
• Risk aggressive entity code more green squares

Example: Figure 8.9 illustrates the risk profile for a single business objective. Each data point on the risk
curve represents the severity of risk to the business objective. If the performance level changes, new risks
arise, risks shift in severity, or risks are removed

Use risk profile in assessment to:

1. Confirm performance is within tolerance


2. Confirm risk is within appetite
3. Compare severity of risk at various points on the risk curve (blue line)
4. Assess the disruption point on the curve – risk exceeds appetite
g) Identifying Triggers for Reassessment

• Triggers are typically changes in business context or risk appetite

• Triggers serve as early-warning systems (e.g. increased customer complaints, drop in
sales, spike in customer complaints, competitors )

• Severity and frequency will inform how often assessment may be triggered (e.g. Risks
associated with changing commodity prices may need to be assessed daily, vs changing
demographics or market tastes for new products may need to be assessed only annually.

h) Bias in Assessment – Self-study

Principle 12: Prioritises risk

a) Establishing the Criteria

• Organisations must prioritise risks for decision-making and optimise allocation of
resources

Priorities are determined by criteria that includes:

• Adaptability: The capacity of an entity to adapt and respond to risks ...

• Complexity: The scope and nature of a risk to the entity's success. The interdependency of risks
will typically increase their complexity

• Velocity: The speed at which a risk impacts an entity. The velocity may move the entity away
from the acceptable variation in performance.

• Persistence: How long a risk impacts an entity

• Recovery: The capacity of an entity to return to tolerance (e.g., continuing to function after a
severe flood or other natural disaster.)

b) Prioritising Risk
Two risks with the same severity may be prioritised differently due to, for example, velocity and
persistence. See example of e-fundi

Principle 13: Implements risk responses

a) Choosing Risk Responses

1. Accept – no action is taken to change the severity (risk already within appetite)
2. Avoid – action is taken to remove the risk
3. Pursue – action is taken to accept increased risk to achieve performance
4. Reduce/mitigate – action is taken to reduce the severity of the risk
5. Share – action is taken to reduce the severity by transfer/sharing the risk
A combination of responses provides the optimum result
b) Selecting and Deploying Risk Response

Management must consider the following when deploying risk response:

1. Business context – responses are tailored to industry…,
2. Cost and benefit – costs and benefits are commensurate (equal) with severity and prioritisation
of risk
3. Obligations and expectations – response addresses industry standards, stakeholder
expectations, and alignment of mission and vision
4. Prioritising of risk – priority informs resource allocations. Risk response that have large costs
(system upgrade, increased staff) vs low priority risks
5. Risk appetite – identify responses that bring residual risk within appetite. (e.g. purchase
insurance and implement internal responses)
6. Risk severity – response reflect size, scope, and nature of risk and impact

c) Considering cost and benefits & d) additional considerations – self-study

Principle 14: Develop portfolio view

a) Understanding a Portfolio View

• Consider risk from an entity-wide or portfolio perspective

• Management may follow an approach where each department, function or business unit
develop a composite assessment of risks and responses for that unit.

• This view reflects the risk profile of the unit relative to its objectives and risk tolerances

• Using a portfolio view organisations identify severe risks at entity level

• Risk levels may be within unit’s tolerance and appetite level, but might exceed entity’s when
added together

b) Develop portfolio view & c ) Analysing portfolio view – Self-study


SU 5.6
COSO – ERM
Review and Revision

• Introduction
• An entity’s strategy, objectives and ERM practices/capabilities may change over
time
• Also, business context in which entity operates may also change – current
practices no longer effective
• As necessary, entity will revise/supplement its practices and capabilities
• Responding to changes are iterative processes. Includes how well the
organisation responded
• Also, consider what lessons learned could be applied to future events

Principle 15: Assesses substantial change


The organisation identifies and assesses changes that may substantially affect strategy
and business objectives
a) Integrating Reviews into Business Practices
• Substantial change may lead to changed risks and affect strategy
• Practices for identifying change should be built into business
activities and reviewed continually
• E.g. acquiring a joint business venture could affect existing culture and
risk ownership.
• E.g. implementing a new system may introduce new information-security
exposures that affect how data is captured and managed
• Organisations must consider how change affects ERM, strategy, and
objectives by identifying internal and external changes related to the
business and its culture

Substantial changes such as acquiring an entity or implementing a new system could


potentially change the entity's portfolio view of risk or affect how enterprise risk
management functions. In the case of an acquisition, integrating the acquired
company's operations could affect the existing culture and risk ownership.
Implementing a new system could present new exposures related to information
security, which could influence how data is captured and managed.
a) Integrating Reviews into Business Practices (continued)
Examples of changes:
1. Internal Environment
i. Rapid growth: operations expand quickly – resources may be
affected
ii. Innovation: responses/actions need to be modified (e.g. training)
iii. Changes in leadership/personnel: a newcomer may misunderstand the
company culture or hold a different risk philosophy
2. External Environment
i. Changing regulatory or economic environment: may result in
increased competitive pressures
e.g. if a publicly traded company has poor transparency, regulatory
reporting requirements may be introduced for all public companies

Rapid growth: For instance, supervisors may not successfully adapt to higher activity
levels that require adding manufacturing shifts or increasing personnel, or information
systems may not be able to meet risk information requirements effectively because of
the increased volume of transactions.
Innovation: For instance, introducing sales capabilities through mobile devices may
require access controls specific to that technology. Training may be needed for users.
Innovative technology may also enhance enterprise risk management. For example, a
new system of using mobile devices that captures previously unavailable sales
information gives management the ability to monitor performance, forecast potential
sales, and make real-time inventory decisions.
Changing regulatory or economic environment:
For instance, if toxic material is released in a populated or environmentally sensitive
area, new industry-wide transportation restrictions may be introduced that affect an
entity's shipping logistics. If a publicly traded company is seen to have poor
transparency, enhanced regulatory reporting requirements may be introduced for all
public companies. The revelation of patients being treated poorly in one care facility
may prompt additional requirements for all care facilities. And a more competitive
environment may drive individuals to make decisions that are not aligned with the
entity's risk appetite.
Principle 16: Reviews risk and performance
The organisation reviews entity performance and considers risk
a) Integrating Reviews into Business Practices
• The focus of ERM is to manage risk, either by reducing the type or amount of risk or by
pursuing new opportunities
• An organisation must review performance to answer the following:
1. Has the entity performed as expected and achieved its target?
2. What risks are occurring that may affect performance?
3. Was the entity taking enough risk to attain its target?
4. Was the estimated amount of risk accurate?

1. Has the entity performed as expected and achieved its target?


For example, consider an entity that has committed to opening five new office
locations every year to support its longer-term growth strategy to build a presence
across the country. The organisation therefore monitors performance and
determines whether the entity has opened the expected number of offices, and how
those new offices are performing. If growth is below plan, the organisation may
need to revisit the strategy.
2. What risks are occurring that may affect performance?
For example, reviewing performance helps confirm that the risk of delays due to
additional permit requirements for construction did occur and affected the number
of new offices opened, and whether the number of offices to be opened is still within
the range of acceptable performance.
3. Was the entity taking enough risk to attain its target?
Using the same example, suppose the entity opens only three offices. In this case,
management observes that the planning and logistics teams are operating below
capacity and that other resources set aside to support the opening of new offices
have remained unused
4. Was the estimated amount of risk accurate?
For example, suppose the entity opens five offices and observes that the estimated
amount of risk was too low compared to the types and amount
of risk that have occurred (e.g., more problems, delays, and unexpected events than
initially assessed).
• If performance is not acceptable, the entity may need to:
1. Review business objectives – change or abandon objectives
2. Review strategy – reconsider alternative strategies
3. Review culture – review the culture to foster a more risk-aware organisation
4. Revise target performance – revise targets to reflect a better understanding of
reasonable outcomes
5. Reassess severity of risk results – redo the risk assessment for some
risks, e.g. where new data enables a more accurate assessment
6. Revise risk responses – alter or add responses
7. Revise risk appetite – corrective action (reallocating resources, revising
alternative strategies, etc.) is taken to restore alignment of the risk profile with
the risk appetite

Corrective action example: Consider a small retailer that stocks a significant
portion of its inventory from local producers. The retailer monitors the financial results
of its shop on a weekly basis and realises locally produced goods are not sufficiently
profitable to meet its financial goals. It therefore decides to revise its business
objective of sourcing locally and begins to import less expensive goods to improve its
financial performance. The retailer also recognises that this change may affect other
risks, such as logistics, currency fluctuations, and time to market.

Principle 17: Pursues improvement in ERM


The organisation pursues improvement of ERM
b) Pursuing Improvement
• Opportunities for improvement may include:
1. New technology (e.g. implement data-mining technology to
process high volume customer satisfaction data quickly and
accurately)
2. Historical shortcomings (e.g. identify area of shortcoming/failures
in past and improve)
3. Organisational change (e.g. the need for change in governance
structure)
4. Risk appetite (e.g. increase the risk appetite for a new product if the market
performed well and proved less volatile than originally thought)
5. Risk categories (Revise category e.g. include cyber risk for on-line
products/services not previously included as risk category)
6. Communications (e.g. replace emails that are unsuccessful with
blogs/instant message feed to appeal to changing workforce)
7. Peer comparison (e.g. increase competitiveness in areas
performing below competitors)
8. Rate of change (e.g. high rate of technology change offer frequent
opportunities)
7. Peer comparison - For example, a global package delivery provider discovered
during a peer review that its operations in Asia were performing significantly below its
major competitor

SU 5.6

Intro.

• An entity's strategy, objectives, ERM practices/capabilities and business context may change
over time, so the entity must revise its practices as necessary
• Current practices may no longer be effective
• Consider what lessons learned could be applied to future events

Principle 15: Assesses substantial change

a) Integrating Reviews into Business Practices

Substantial change may lead to changed risks and affect strategy

E.g. acquiring a joint business venture could affect existing culture and risk ownership.

Examples of changes:

1. Internal Environment
I. Rapid growth: operations expand quickly – resources may be affected
II. Innovation: responses/actions need to be modified (e.g. training)
III. Changes in leadership/personnel: a newcomer may misunderstand the company culture or hold
a different risk philosophy
2. External Environment
I. Changing regulatory or economic environment: may result in increased competitive pressures
e.g. if a publicly traded company has poor transparency, regulatory reporting requirements may be
introduced for all public companies

Principle 16: Reviews risk and performance

• An organisation must review performance to answer the following:


1. Has the entity performed as expected and achieved its target?
2. What risks are occurring that may affect performance?
3. Was the entity taking enough risk to attain its target?
4. Was the estimated amount of risk accurate?
• If performance is not acceptable, the entity may need to:
1. Review business objectives –
2. Review strategy –
3. Review culture –
4. Revise target performance –
5. Reassess severity of risk results – re-do risk assessment for some risks. e.g. new data
enables a more accurate assessment
6. Revise risk responses –
7. Revise risk appetite – see notes, slide 6

Principle 17: Pursues improvement in ERM

b) Pursuing Improvement
Improvement includes:

1. New technology (e.g. implement data-mining technology to process high volume customer
satisfaction data quickly and accurately)
2. Historical shortcomings (e.g. identify area of shortcoming/failures in past and improve)
3. Organisational change (e.g. the need for change in governance structure)
4. Risk appetite (e.g. increase the risk appetite for a new product if the market performed well and
proved less volatile than originally thought)
5. Risk categories (Revise category e.g. include cyber risk for on-line products/services not
previously included as risk category)
6. Communications (e.g. replace emails that are unsuccessful with blogs/instant message feed
to appeal to changing workforce)
7. Peer comparison (e.g. increase competitiveness in areas performing below competitors)
8. Rate of change (e.g. high rate of technology change offer frequent opportunities)
SU 5.7
COSO – ERM
Information, Communication, and Reporting

Introduction
• Entities are challenged by the large quantity of data and the speed at which it must be
processed, organised, and stored
• Organisations transform data about stakeholders, markets, products and competitor
actions into timely and relevant information
• It is important to provide the right information, in the right form, at the right level of detail,
to the right people, at the right time, to avoid "information overload"

Principle 18: Leverages information and technology

The organisation leverages the entity's information and technology systems to support
ERM
a) Putting Relevant Information to Use
• Information must be available when needed and of high quality
• Inaccurate/incomplete data – unable to make sound
judgements/estimates
• To maintain high quality information – implement data management
systems and information management policies
• Management can identify how information supports ERM which may
include:
• For governance and culture – information needed on standards
of conduct and performance
• For strategy and objective setting – information needed on
stakeholder expectations and risk appetite
• For performance – information needed on competitors
• For review and revision – information needed on emerging trends
in ERM
1. For governance and culture - For instance, professional service firms
have specific standards of conduct to help maintain independent
relationships with clients. Annual staff training reinforces those standards,
and management gathers information by testing the staff's knowledge to
determine whether they understand what is expected of them.
2. For strategy and objective-setting - Stakeholders such as investors
and customers may express their expectations through analyst calls, blog
postings, contract terms and conditions, etc. All of these provide relevant
information on the types and amount of risk an entity may be willing to
accept and strategy it pursues.
3. For performance - For example, a large residential real estate company
may assess the risk of losing market share to smaller boutique firms. The
information they need is their competitors' commission pricing models and
on-line marketing plans. If their competitors' commission rates are low and
aggressive, and their on-line presence is widespread, the large company
may review its ability to achieve its sales targets.
4. For review and revision - Organizations can collect such information
from attending enterprise risk management conferences and following
industry-specific blogs.

b) Evolving Information
• Structured data – organised and readily searchable (e.g. database files,
spreadsheets)
• Unstructured data – unorganised (e.g. emails, photos, videos)
• Data needs to be transformed into information via data mining, AI, etc. –
helps to make better business decisions.
• Advances in data analytics help an entity:
• to avoid information overload
• Detect correlations not previously readily apparent in a traditional data
analysis approach
• Identify trends in performance earlier
• Reduce reliance on individual experience and judgement in decision-
making

Artificial intelligence can be defined as the theory and development of computer systems
that perform tasks normally requiring human intelligence, such as speech recognition,
decision-making and visual perception.
c) Data Sources
• Data transformed into information becomes knowledge (e.g. analysis of
comments posted on social media identifies potential risk to the entity’s
brand)
• Data requirements should be based on information requirements
• Data can be collected from a variety of sources, structured or
unstructured:
• E.g. Emails, metadata, meetings, surveys, public indexes, social
media blogs, etc.

d) Managing Data
• Consider 3 elements for effective data management
1. Data and information governance – help deliver high-quality data
to end users. Also, define roles and responsibilities for data owners
2. Processes and controls – help reinforce the reliability of data and allow
for corrections. Also involves preventing quality issues from
occurring in the first place
3. Data management architecture – composed of models, policies,
rules, or standards that dictate which data is collected and stored,
arranged, and put to use

Processes and controls - For example, organizations may have a process to identify
instances and patterns of both low- and high-quality data, and whether that data is
relevant to meeting requirements.
Data management architecture Organizations implement standards and provide rules
for structuring information so that the data can be reliably read, sorted, indexed,
retrieved, and shared with both internal and external stakeholders, ultimately protecting
its long-term value.

e) Using Technology to Support Information

• Technology can help manage specific risks (e.g. robotics used in
manufacturing, smart appliances that manage energy use, wearable
technology)
• Technology can also introduce new risks
• What technology to implement? Determined by the following:
organisational goals, market-place needs, competitive
requirements, and cost vs benefits.
Principle 19: Communicates risk information
The organisation uses communication channels to support ERM
a) Communicating with Stakeholders
• Various channels are available to communicate relevant information to
internal- and external stakeholders for decision-making
• Communication channels enable management to convey:
1. The importance, relevance, and value of ERM
2. The characteristics, desired behaviours, and core values of entity’s
culture
3. The strategy and business objectives of the entity
4. The risk appetite and tolerance
5. Expectations of management and personnel in relation to ERM and
performance
6. The entity's expectations on important matters (weaknesses, non-
adherence) relating to ERM
• An entity also receives information inward (e.g. customers/suppliers
provide input on product design/quality) and communicates outward
(e.g. quarterly analyst meetings to discuss performance)

b) Communicating with the Board


• Effective communication between BOD and management is critical to
achieve strategy and objectives
• Communication about risk starts by defining responsibility
• Organisations must examine governance structure and ensure
responsibilities are allocated and defined
• The board should provide oversight and ensure that risk management
measures are in place
• To communicate effectively the BOD and management must have a
shared understanding of risk and its relation to strategy and objectives

c) Methods of Communication
• Communication methods include:
1. Electronic messages (e.g. emails, text messages, social media)
2. External/third-party materials (e.g. journals, media reports, peer
company websites)
3. Informal/verbal communications (e.g. meetings, one-on-one
discussions)
4. Public events (e.g. roadshows, conferences)
5. Training and seminars (live or on-line training, webcasts,
workshops)
6. Written internal documents (e.g. dashboards, performance
evaluations, presentations, questionnaires, policies and
procedures)
Principle 20: Reports on risk, culture, and performance
The organisation reports on risk, culture, and performance at multiple levels and across
the entity
a) Identifying Report Users and Their Roles
• Reporting supports personnel to understand relationship between risk,
culture, and performance
• Report users may include:
1. Management and the BOD with responsibility for governance and
oversight
2. Risk owners accountable for management of risks
3. Assurance providers who seek insight into performance and risk
responses
4. External stakeholders (e.g. regulators, rating agencies, community
groups)
5. Other parties that require reporting on risk to fulfil their roles and
responsibilities
b) Types of Reporting
• Risk reporting may include any or all of the following:
1. Portfolio view of risk – outlines highest risk at entity level (this
view is found in board reporting)
2. Profile view of risk – outlines severity of risks with focus on
different levels
3. Analysis of root causes – enable users to understand
assumptions/changes that underpin portfolio and profile view of risk
4. Sensitivity analysis – measures sensitivity of changes in
assumptions embedded in strategy
5. Analysis of new, emerging, and changing risks – forward-
looking view to anticipate changes to risk inventory, performance
and resource requirements and allocation
6. Key performance indicators - outlines the entity’s tolerance and
potential risk to strategy and objectives
7. Trend analysis – shows changes in portfolio view risk, risk profile,
and performance
8. Disclosure of incidents, breaches, and losses – provide insight
into effectiveness of risk responses
9. Tracking ERM plans and initiatives – summary of the plan and
initiatives to establish or maintain ERM
Risk reporting is supplemented by commentary and analysis by subject matter experts.
For example, compliance, legal, and technology experts often provide commentary and
analysis on the severity of risk, effectiveness of risk responses, drivers for changes in
trend analysis, and industry developments and opportunities the entity may have.
1. Portfolio view of risk outlines the severity of the risks at the entity level that may
impact the achievement of strategy and business objectives. The reporting of the
portfolio view highlights the greatest risks to the entity, interdependencies
between specific risks, and opportunities. The portfolio view of risk is typically
found in management and board reporting.
2. Profile view of risk, similar to the portfolio view, outlines the severity of risks, but
focuses on different levels within the entity. For example, the risk profile of a
division or operating unit may feature in designated risk reporting for management
or those areas of the entity.
3. Analysis of root causes enables users to understand assumptions and changes
underpinning the portfolio and profile views of risk.
4. Sensitivity analysis measures the sensitivity of changes in key assumptions
embedded in strategy and the potential effect on strategy and business
objectives.
5. Analysis of new, emerging, and changing risks provides the forward-looking
view to anticipate changes to the risk inventory, effects on resource requirements
and allocation, and the anticipated performance of the entity.
6. Key performance indicators and measures outline the tolerance of the entity
and potential risk to a strategy or business objective.
7. Trend analysis demonstrates movements and changes in the portfolio view of
risk, risk profile, and performance of the entity.
8. Disclosure of incidents, breaches, and losses provides insight into
effectiveness of risk responses.
9. Tracking enterprise risk management plans and initiatives provides a
summary of the plan and initiatives in establishing or maintaining enterprise risk
management practices. Investment in resources, and the urgency with which
initiatives are completed, may also reflect the commitment to enterprise risk
management and culture by organisational leaders in responding to risks.

c) Reporting Risk to the Board


• At board level - Formal and informal information sharing
• Informal – discussions of strategy and alternative strategies and
implication
• Formal – executing strategy, reviewing risk appetite
• Various ways management may report to board but the focus of reporting
must be the link between strategy, objectives, risk, and performance
• Reporting to the board is the highest level of reporting
d) Reporting on Culture
• May be embodied in:
1. Analytics of cultural trends
2. Benchmarking to other entities or standards
3. Compensation schemes and the potential influence on decision-
making
4. Lessons learned analyses
5. Review of behavioural trends
6. Surveys of risk attitudes and risk awareness

e) Key Indicators
• Key risk indicators (KRIs) are used to predict emerging risk
• Usually quantitative but can be qualitative
• KRIs should be reported alongside KPIs to demonstrate the interrelationship of risk and
performance
• KRIs support a proactive approach to performance management
• KRI and KPI indicators can be reflected in a single measure, e.g. in a
manufacturing company, production volumes and the thresholds around
them can be viewed through a risk lens. Production volumes above the
target can be seen as potential risks to quality, and production
volumes below the target can suggest potential risk such as supplier
delays, labor shortages, or equipment downtime.
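The single-measure case above (production volume read as both KPI and KRI) can be made concrete. The block below is an added example, not code from the COSO ERM framework or the course notes: it scores each period against a target, flags the direction of any breach of the tolerance band (below the band as supply risk, above it as quality risk), runs a simple trend analysis over the last few periods, and escalates when the same out-of-tolerance signal persists. The target, band, escalation rule and weekly volumes are all constructed values, chosen only to show the mechanics.

```python
"""Key risk indicator (KRI) and KPI derived from one production measure.

Added example for the EKRP 211 notes; not part of COSO ERM. Thresholds,
escalation rule and sample volumes are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    target: float          # KPI target (volume at or above this = target met)
    lower: float           # below this band edge -> supply-side risk
    upper: float           # above this band edge -> quality risk
    window: int = 3        # periods compared for trend analysis
    escalate_after: int = 2  # same out-of-tolerance signal for this many periods


@dataclass(frozen=True)
class Reading:
    period: str
    volume: float
    kpi: str        # "met" or "missed", relative to target
    kri: str        # "within tolerance", "supply risk" or "quality risk"
    trend: str      # "rising", "falling", "mixed" or "n/a"
    escalate: bool  # persistent breach that should reach the next reporting level


def kpi_status(volume: float, ind: Indicator) -> str:
    """Performance lens: was the target achieved this period?"""
    return "met" if volume >= ind.target else "missed"


def kri_signal(volume: float, ind: Indicator) -> str:
    """Risk lens: which direction, if any, has the volume left the band?
    Band edges are inclusive, so exactly `lower` or `upper` is still tolerated."""
    if volume < ind.lower:
        return "supply risk"     # e.g. supplier delays, labour shortage, downtime
    if volume > ind.upper:
        return "quality risk"    # e.g. running hot, corners cut
    return "within tolerance"


def trend_of(values: list[float], window: int) -> str:
    """Monotone direction over the last `window` readings, else 'mixed'."""
    if len(values) < window:
        return "n/a"
    recent = values[-window:]
    steps = [b - a for a, b in zip(recent, recent[1:])]
    if all(s > 0 for s in steps):
        return "rising"
    if all(s < 0 for s in steps):
        return "falling"
    return "mixed"


def evaluate(volumes: list[tuple[str, float]], ind: Indicator) -> list[Reading]:
    """Score every period; escalate only when the same breach persists."""
    readings: list[Reading] = []
    history: list[float] = []
    streak, last_signal = 0, "within tolerance"
    for period, volume in volumes:
        history.append(volume)
        signal = kri_signal(volume, ind)
        if signal == "within tolerance":
            streak = 0
        elif signal == last_signal:
            streak += 1
        else:
            streak = 1
        last_signal = signal
        readings.append(Reading(period, volume, kpi_status(volume, ind), signal,
                                trend_of(history, ind.window),
                                streak >= ind.escalate_after))
    return readings


def to_report(readings: list[Reading]) -> str:
    """Plain-text table, one line per period, KPI and KRI side by side."""
    head = f"{'period':<7}{'volume':>7}  {'KPI':<7}{'KRI':<18}{'trend':<9}escalate"
    rows = [f"{r.period:<7}{r.volume:>7.0f}  {r.kpi:<7}{r.kri:<18}{r.trend:<9}"
            f"{'yes' if r.escalate else 'no'}" for r in readings]
    return "\n".join([head, *rows])


# Constructed sample: weekly units produced against a target of 1000.
PRODUCTION = Indicator(target=1000, lower=900, upper=1100)
SAMPLE_VOLUMES = [("W1", 1020), ("W2", 980), ("W3", 940),
                  ("W4", 880), ("W5", 860), ("W6", 1150)]

if __name__ == "__main__":
    print(to_report(evaluate(SAMPLE_VOLUMES, PRODUCTION)))
```

Read across a row: a "missed" KPI with a "within tolerance" KRI (W2, W3) is a performance conversation; the falling trend over W3–W5 is the leading signal, and W5 is escalated because the supply-risk breach has persisted for two periods. W6 then overshoots the band in the other direction, so the streak resets and the risk changes character rather than simply disappearing.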

f) Reporting Frequency and Quality


• Frequency should correspond to the severity and priority of the risk
• E.g. changes in stock prices, or competitor pricing in the hospitality or
airline industries, may be reported daily, corresponding with the
potential changes in risk. In contrast, reporting on the risks arising
from an organisation's progress toward long-term strategic projects and
initiatives may be monthly or quarterly.
• Management should implement controls to assure reporting is accurate,
clear, and complete
SU 5.7

Intro.

• It is important to provide the right information, in the right form, at the right level of detail, to the
right people, at the right time, to avoid "information overload"

Principle 18: Leverages information and technology

a) Putting Relevant Information to Use

• Inaccurate/incomplete data – unable to make sound judgements/estimates


• To maintain high quality information – implement data management systems
Management can identify how information supports ERM which may include:

1. For governance and culture – information needed on standards of conduct and performance
2. For strategy and objective setting – information needed on stakeholder expectations and risk
appetite
3. For performance – information needed on competitors
4. For review and revision – information needed on emerging trends in ERM

b) Evolving Information

• Structured data…
• Unstructured data…
• See Efundi: Example: Using unstructured info in decision making
• Data needs to be transformed into information via data mining, AI, etc. – helps to make better
business decisions.

c) Data sources
• Data requirements should be based on information requirements.
• See efundi_Example: Determining information requirements
• Data transformed into information becomes knowledge (e.g. analysis of comments posted on
social media identifies potential risk to the entity’s brand)

d) Managing data

See slide 6

e) Using technology to support information


Technology can help manage specific risks (e.g. robotics used in manufacturing, smart
appliances that manage energy use, wearable technology)
Principle 19: Communicates risk information

a) Communicating with Stakeholders


• An entity also receives information inward (e.g. customers/suppliers provide input on
product design/quality) and communicates outward (e.g. quarterly analyst meetings to discuss
performance)

b) Communicating with the Board


• Effective communication between BOD and management is critical to achieve strategy and
objectives
• Communication about risk starts by defining responsibility
• The board should provide oversight and ensure that risk management measures are in place
• To communicate effectively the BOD and management must have a shared understanding of risk
and its relation to strategy and objectives

c) Methods of communication
1. Electronic messages (e.g. emails, text messages, social media)
2. External/third-party materials (e.g. journals, media reports, peer company websites)
3. Informal/verbal communications (e.g. meetings, one-on-one discussions)
4. Public events (e.g. roadshows, conferences)
5. Training and seminars (live or on-line training, webcasts, workshops)
6. Written internal documents (e.g. dashboards, performance evaluations, presentations,
questionnaires, policies and procedures)

Principle 20: Reports on risk, culture, and performance

a) Identifying Report Users and Their Roles

Report users may include:

• Management and the BOD with responsibility for governance and oversight

• Risk owners accountable for management of risks

• External stakeholders (e.g. regulators, rating agencies, community groups)

• Other parties that require reporting on risk to fulfil their roles and responsibilities

b) Types of Reporting
See slide 12
c) Reporting risk to the board
• Various ways management may report to the board, but the focus of reporting must be the link
between strategy, objectives, risk, and performance
• Reporting to the board is the highest level of reporting

d) Reporting on culture
• May be embodied in:

1. Analytics of cultural trends


2. Benchmarking to other entities or standards
3. Compensation schemes and the potential influence on decision-making
4. Lessons learned analyses
5. Review of behavioural trends
6. Surveys of risk attitudes and risk awareness

e) Key indicators
• Key risk indicators (KRIs) are used to predict emerging risk
• Usually quantitative but can be qualitative
• KRIs should be reported alongside KPIs to demonstrate the interrelationship of risk and performance
• KRI and KPI indicators can be reflected in a single measure. See example on slide 15

f) Reporting Frequency and Quality


See Slide 16 for example
[Diagram: Performance principles – 10. Identifies risk; 11. Assesses severity of risk; 12. Prioritises risks; 13. Implements risk responses; 14. Develops portfolio view]