Governance, Business Ethics, Risk Management & Internal Control
CHAPTER 4: INTRODUCTION TO RISK MANAGEMENT: “WHAT CAN GO WRONG?”
DEFINITION AND NATURE OF RISK
➢ It is an event that can adversely affect the operating, profit, cash flow, capital and even
the reputation of the company.
➢ Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines
risk as "the possibility that an event will occur and adversely affect the achievement of
enterprise objectives."
➢ It is the likelihood that an event will occur. Such event can prevent the company from
achieving its business objectives.
INTERNAL EVENTS
➢ Those events that occur within the company.
EVENT                                   POTENTIAL IMPACT
1. Internal fraud                       • Financial loss
                                        • Damage to the reputation of the company
2. Machine breakdown                    • Disruption in the production process
                                        • Failure to deliver finished goods to customers
3. Accident in the factory              • Physical injuries, loss of lives
                                        • Increase in medical cost
4. Violation of laws and regulations    • Fines and penalties
                                        • Potential criminal prosecution of erring
                                          corporate officers and employees
EXTERNAL EVENTS
➢ Those events that happen outside the company.
EVENT                                   POTENTIAL IMPACT
1. Economic recession                   • Decline in sales revenue and operating profit
                                        • Possible closure of the business
2. Entry of more competitors in the     • Loss of market share
   market                               • Decline in sales revenue
3. Bankruptcy                           • Failure to collect receivables
                                        • Decline in cash balance
4. Pandemics and natural calamities     • Disruption in business operations
                                        • Decline in revenue and profits
                                        • Possibility of closure of the business
TYPES OF RISK
Because of the increasing complexity of business, there are different kinds of risks that the
company may encounter. There is no single standard manner of classifying risks. At the minimum,
FINANCIAL RISKS
➢ It is the likelihood that the company might incur a financial loss, or suffer a decline in
profit, capital, investment, or cash flows, on account of the occurrence of events or
transactions.
CATEGORY OF FINANCIAL RISK
➢ Credit risk
o the risk that a counter-party such as a customer or a borrower might fail to
pay its account on the due date. For instance, there is a possibility that a
borrower of a bank will be unable to pay his/her loan on the maturity date.
This is sometimes referred to as default risk. Credit risk is present in all
activities where there is an expectation of returns or repayment.
➢ Liquidity risk
o the risk that the business will be unable to meet its financial obligations as
they fall due because of insufficient cash, inability to liquidate assets, or
obtain adequate funding given a short period of time. This also includes
the possibility that the business may not be able to convert noncash assets
such as investments into cash on short notice.
➢ Market risk
o It is the risk of volatility in the market brought about by factors of interest
rate, foreign currency, and market prices.
Interest rate risk
It is the potential decline in earnings and capital arising from
changes in interest rates in the market. This risk generally occurs
because an entity may have a disproportionate amount of fixed and
variable interest-rate instruments on either side of the balance
sheet.
Foreign currency risk
the risk that fluctuations in exchange rates could affect the profit of
the business.
Price risk
the risk that changes in specific prices (stock price, price of other
investments) could affect the profit or cash flow of the business.
BUSINESS RISK
➢ is the possibility that the business may not be able to generate sufficient revenue, or that
an increase in production costs and operating costs might occur.
NONFINANCIAL RISKS
➢ It does not have an immediate direct financial impact on the business. However, the
consequences may be serious and can later affect the well-being of the business if not
properly mitigated.
Operational risk
o the risk that business operations will be disrupted due to inadequate or
failed systems, processes, people, breaches in internal controls, or other
unforeseen catastrophes.
Legal or compliance risk
o the risk that the company might fail to comply with applicable laws and
regulations such as tax laws, labor laws, corporation law, anti-money
laundering law, and environment laws among others. This risk also includes
the possibility of not complying with contractual obligations to other
entities.
Health and safety risk
o the risk that unforeseen events could result in injuries, illnesses, or even
loss of lives
Environmental risk
o the risk that the company may fail to control or minimize factory wastes,
emissions, and other pollutants arising from its business activities. Failure
to remedy this negative contribution of the company to the environment
could result in government sanctions, fines, and penalties
Strategic risk
o the risk of selecting an inappropriate corporate strategy or failing to
implement an appropriate one. This type of risk may result in failure to
achieve long-term strategic goals, loss of market share, and shrinkage in
corporate value.
Reputation risk
o the risk that the reputation or image of the company will be damaged due to
reasons such as improper acts of corporate officers, poor financial
performance, and bad news about the company, among others.
TWO IMPORTANT RISKS THAT ARE RELATED TO THE WORK OF PROFESSIONAL ACCOUNTANTS
Financial reporting risk
➢ is the possibility that the financial statements of the company will be incorrect due
to errors, lapses, or failure to apply accounting standards such as the International
Financial Reporting Standards (IFRS).
Fraud risk
➢ on the other hand, is the risk arising from deceptive and intentional acts that result
in loss of company assets, resources, and reputation.
DEFINITION AND NATURE OF RISK MANAGEMENT
As previously discussed, many risks affect a business. If these risks are not properly managed, it
will be “game over” because the business objectives of the company will not be achieved. A
formal risk management process, therefore, becomes imperative in order to address and manage
risks.
COSO defines enterprise risk management as:
Enterprise risk management
➢ is a process, effected by an entity’s board of directors, management, and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events
that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
Risk management
➢ is not an isolated activity within the company. It is composed of a set of interrelated
components that operate in an integrated manner in order to address the various risks
affecting the company.
ROLES IN THE RISK MANAGEMENT PROCESS
Everyone has a role to play in the company's risk management process. The following summarizes
the duties of key people pertaining to the management of risks:
Board of directors
➢ conducts oversight of the effectiveness of the company's risk management process.
Risk oversight pertains to the periodic review and monitoring of the process being used
by management in addressing and controlling risks. It is common for large companies to
have risk oversight committees within the board of directors.
Management
➢ implements specific risk mitigation and control procedures in managing the various types
of risks affecting the company. Management also identifies and assesses risks prior to
selecting the appropriate risk response.
Internal auditors
➢ conduct an examination of the risk management process for the purpose of determining its
effectiveness over time. The results of their examination are communicated to either the
board of directors or the risk oversight committee.
Other personnel
➢ implement specific tasks and duties pertaining to the processes within their departments.
RISK APPETITE
➢ It is the level of risk that the company can accept in pursuit of its objectives. As previously
mentioned, operating a business naturally involves the taking of risks. However, these
risks must be kept within acceptable or manageable levels. This is one of the aims of
the risk management process: to keep risks within the company's risk appetite.
STEPS IN THE RISK MANAGEMENT PROCESS
1. Setting of business objectives.
The risk management process starts with the setting of business objectives. In this
regard, the COSO Risk Management framework categorizes business objectives
into strategic, operational, reporting, and compliance.
FOUR BUSINESS OBJECTIVES
a. Strategic objectives – are high-level goals that are aligned with and support the
organization's mission and long-term vision.
b. Operational objectives – are goals that are related to the effective and
efficient use of corporate resources.
c. Reporting objectives – are goals relating to the reliability and transparency
of corporate reports such as financial and nonfinancial reports.
d. Compliance objectives – are goals relating to compliance and conformity
with applicable laws and regulatory requirements.
2. Identify the risks.
After setting the various objectives of the business, the risks or threats to the
achievement of those objectives are identified.
Risk identification
The process of identifying risks that can prevent the achievement of the
company's business objectives.
Risks are not that easy to spot. To be able to identify risks, risk managers must
possess a comprehensive understanding of the company: the way it operates, its
corporate mission and vision, major transactions, products and services, suppliers
and customers, and regulatory environment, among others.
3. Assess the risks.
Risk has two dimensions:
(1) the probability that something can go wrong, and
(2) the negative consequence or impact if that event occurs.
Likelihood - pertains to the probability that the event will occur.
Impact - refers to the significance or magnitude of the negative effect of the risk
to the company.
Risk Assessment
The process of analyzing the identified risk in terms of likelihood and
impact.
4. Respond to the assessed risks.
Management will select the appropriate risk response depending on the result of
the risk assessment, which can be "high", "moderate", or "low". Possible responses
to assessed risks are listed as follows:
Accept – Tolerating or accepting the risk is permissible only if it has a minor
effect on the business or if its likelihood is "remote", such that it is not worth
the money or effort to do anything about it.
Reduce – Risks that are likely to happen or those that are expected to have
a significant impact on the business cannot simply be accepted. These risks
should be mitigated or reduced to tolerable levels. Reducing risks can be
done through implementing controls or specific risk mitigation plans.
Share – In some situations, the appropriate response might be to share or
transfer the risks to some other entity such as an insurance company. An
insurance company manages other people's risks.
Avoid – Avoiding a risk may be the right response when management
thinks that merely reducing it is not enough. For instance, the company may
terminate one of its product lines if it assesses that operating it has become
too risky.
5. Implement the risk response.
Implementing the risk response is done through deploying specific risk mitigating
plans or management action plans to control the risks.
6. Monitor the risk management process.
The risk management process must be continuously monitored to determine whether it
remains effective and efficient over time.
RISK MANAGEMENT FRAMEWORKS
Strategies for managing risks can only operate well if they are based on an appropriate
framework for managing risks. A framework is used as a guide in formulating a company’s risk
management process. COSO Enterprise Risk Management and ISO 31000-Risk Management are
the two leading risk management frameworks today.
ISO 31000-RISK MANAGEMENT
➢ It is a series of risk management standards formulated by the International Organization
for Standardization.
➢ ISO 31000 provides a set of principles and guidelines for the design, implementation, and
evaluation of the risk management process for companies across different industries.
➢ ISO 31000 follows a structured approach toward the systematic application of
management policies and procedures to the activities of communication, consulting,
establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and
reviewing risk.
Steps under ISO 31000
1. Identification of all risks that could prevent the company from achieving its
business objectives.
2. Analysis of risks, including an understanding of their causes and effects.
3. Determination of whether identified risks are tolerable or not.
4. Treatment of significant risks by way of mitigating procedures, thereby reducing
the impact and/or the likelihood of the risks.
5. Monitoring of the risk management strategy and its implementation to determine
gaps that should be addressed.
6. Communication of information pertaining to the risk management process of the
company.
COSO Enterprise Risk Management (COSO ERM)
➢ The original framework was published in 2004. The COSO organization was originally
established in order to study the causes of fraudulent financial reporting during the latter
part of the 1980s. It was also tasked to make recommendations on how to prevent such
improper accounting practices.