Governance, Business Ethics, Risk Management and Internal Control

Chapter 3: INTRODUCTION TO RISK MANAGEMENT

Risks are inherent in every business. No profit will be earned without taking a
certain degree of risk. It can be said that "doing business" is indeed a risk-
taking activity. Nevertheless, risks must be properly managed and kept within
manageable levels. Excessive levels of risk can result in operational
bottlenecks, financial losses, poor corporate reputation, and, worst of all,
closure of the business. Consequently, the economic and personal well-being
of investors, creditors, and other stakeholders will be adversely affected.

Risk can simply be described as "things that can go wrong." In the sphere of
managing risk, it is not right to say "let's just cross the bridge when we get
there." On the contrary, risks should be identified before they even happen so
that the company will be in a better position and time to prepare for them.

Risk can also be described as an event that can adversely affect the operating
profit, cash flows, capital, and even the reputation of a company. An example
of risk is credit risk, the possibility that customers of the company may not be
able to pay on the due date. Another example is operational risk, the possibility
of a disruption in the operations of the business due to machine breakdowns,
natural calamities, and other causes.

[Figure 18: diagram showing Governance, Risk Management, and Internal Control as
interlocking elements.]

Figure 18. Risk management and internal control are central to good corporate
governance.

Managing risks is central to good corporate governance. In a well-governed
company, risk managers must properly control and manage the various risks
affecting the business. On the other hand, corporate boards and risk
committees must actively perform their oversight function pertaining to risks.
Internal auditors must evaluate the risk management process in order to
determine its effectiveness over time. All of these must be done in order to
ensure that risks are kept within tolerable levels. This is the essence of risk
management.

Definition and Nature of Risk

The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) defines risk as "the possibility that an event will occur and adversely
affect the achievement of enterprise objectives."

Based on this definition, risk is the likelihood that an event will occur, where
such an event can prevent the company from achieving its business objectives.
These objectives may include, for instance, achieving a specific amount of
revenue or profit, manufacturing the required quantity of products,
safeguarding corporate assets, and ensuring compliance with applicable laws
and regulations, among others.

Table 4 provides examples of events that may affect the achievement of
business objectives.

Table 4. Events Affecting the Achievement of Business Objectives

Business objective: Generating P10 million profit
  Event: Increase in production and operating costs

Business objective: Manufacturing 20,000 units of the product
  Event: Loss of supply of raw materials needed in production

Business objective: Producing reliable financial statements
  Event: Clerical errors in recording transactions

Business objective: Reducing bad debts by 20%
  Event: Bankruptcy of a major customer

Business objective: Uninterrupted computer processing of business transactions
  Event: Brownouts, computer breakdown, flood in the office

etc.

There are many events that can affect the business. These events can be
either internal or external. Those events that occur within the company are
called internal events, and those that happen outside are external events.

The following tables show examples of internal and external events as well as
their potential impacts on the company.

Internal events:

Table 5. Internal Events and Their Potential Impact on the Company

Event: Internal fraud
  Potential impact: Financial loss
  Potential impact: Damage to the reputation of the company

Event: Machine breakdown
  Potential impact: Disruption in the production process
  Potential impact: Failure to deliver finished goods to customers

Event: Accident in the factory
  Potential impact: Physical injuries, loss of lives
  Potential impact: Increase in medical costs

Event: Violation of laws and regulations
  Potential impact: Fines and penalties
  Potential impact: Potential criminal prosecution of erring corporate officers and employees

External events:

Table 6. External Events and Their Potential Impact on the Company

Event: Economic recession
  Potential impact: Decline in sales revenue and operating profit
  Potential impact: Possible closure of the business

Event: Entry of more competitors in the market
  Potential impact: Loss of market share
  Potential impact: Decline in sales revenue

Event: Bankruptcy of a major customer
  Potential impact: Failure to collect receivables
  Potential impact: Decline in cash balance

Event: Pandemic (e.g., COVID-19, SARS) and natural calamities (flood, earthquakes, volcanic eruption)
  Potential impact: Disruption in business operations
  Potential impact: Decline in revenue and profit
  Potential impact: Possibility of closure of the business

Types of Risk

Because of the increasing complexity of business, there are different kinds of
risk that a company may encounter. There is no single standard manner of
classifying risks. At the minimum, however, risks can be categorized into two
broad groups: financial risks and nonfinancial risks.

Financial Risks

Financial risk is the likelihood that the company might incur a financial loss, or
suffer a decline in profit, capital, investment, or cash flows, on account of the
occurrence of events or transactions.

Specific risks included under the financial risk category are credit risk, liquidity
risk, and market risks. Market risks can be further subdivided into interest rate
risk, foreign currency risk, and price risk.

These risks are defined as follows:

1. Credit risk - the risk that a counterparty such as a customer or a borrower
might fail to pay its account on the due date. For instance, there is a possibility
that a borrower of a bank will be unable to pay his/her loan on the maturity
date. This is sometimes referred to as default risk. Credit risk is present in all
activities where there is an expectation of returns or repayment.

2. Liquidity risk - the risk that the business will be unable to meet its financial
obligations as they fall due because of insufficient cash, inability to liquidate
assets, or inability to obtain adequate funding within a short period of time. This
also includes the possibility that the business may not be able to convert noncash
assets such as investments into cash on short notice.

3. Market risk - the risk of volatility in the market brought about by changes in
interest rates, foreign currency exchange rates, and market prices.

a. Interest rate risk - the potential decline in earnings and capital arising from
changes in interest rates in the market. This risk generally occurs because an
entity may have a disproportionate amount of fixed and variable interest-rate
instruments on either side of the balance sheet. For instance, a company will
pay a higher interest cost to the bank for its variable-rate loan when market
interest rates increase. Higher interest expenses will result in lower profit.

b. Foreign currency risk - the risk that fluctuations in exchange rates could
affect the profit of the business. For example, a weakening of the Philippine
peso will result in a foreign currency loss to a Philippine importer of goods when
the transaction is denominated in US dollars.

c. Price risk - the risk that changes in specific prices (stock price, price of other
investments) could affect the profit or cash flow of the business. For instance,
a decline in the price of shares owned by the company and traded on the stock
exchange will result in a decrease in the value of the stock investments.

Closely related to financial risks are business risks. A business risk is the
possibility that the business may not be able to generate sufficient revenue, or
that an increase in production and operating costs might occur. For example,
an increase in raw material cost will result in a decline in the gross profit
margin of the company. In the same manner, when the company is unable to
achieve its sales target, revenues will not be enough to cover operating costs
and provide a reasonable profit margin to shareholders.

Nonfinancial Risks

Nonfinancial risks do not have an immediate direct financial impact on the
business. However, their consequences may be serious and can later affect
the financial well-being of the business if not properly mitigated. Many risks
belong to this category. The following are some examples:

- Operational risk
- Legal or compliance risk
- Health and safety risk
- Environmental risk
- Strategic risk
- Reputation risk

1. Operational risk - the risk that business operations will be disrupted due to
inadequate or failed systems, processes, or people, breaches in internal
controls, or other unforeseen catastrophes.

2. Legal or compliance risk - the risk that the company might fail to comply with
applicable laws and regulations such as tax laws, labor laws, corporation law,
anti-money laundering law, and environmental laws, among others. This risk also
includes the possibility of not complying with contractual obligations to other
entities. This type of risk may result in fines and penalties as well as possible
criminal prosecution of erring company officers and employees.

3. Health and safety risk - the risk that unforeseen events could result in
injuries, illnesses, or even loss of lives. Examples include injuries sustained by
workers in the factory and transmission of the COVID-19 virus to company staff.
These events will increase the medical costs incurred by the company.

4. Environmental risk - the risk that the company may fail to control or minimize
factory wastes, emissions, and other pollutants arising from its business
activities. Failure to remedy this negative contribution of the company to the
environment could result in possible government sanctions, fines, and
penalties.

5. Strategic risk - the risk of selecting an inappropriate corporate strategy or
failing to implement an appropriate one. This type of risk may result in
failure to achieve long-term strategic goals, loss of market share, and
shrinkage in corporate value.

6. Reputation risk - the risk that the reputation or image of the company will be
damaged due to reasons such as improper acts of corporate officers, poor
financial performance, and bad news about the company, among others.

Two important risks that are related to the work of professional accountants
are financial reporting risk and fraud risk.

Financial reporting risk is the possibility that the financial statements of the
company will be incorrect due to errors, lapses, or failure to apply accounting
standards such as the International Financial Reporting Standards (IFRS).
Unreliable financial statements could result in erroneous financial analysis
affecting the business decisions of investors and creditors.

Fraud risk, on the other hand, is the risk arising from deceptive and intentional
acts that result in loss of company assets, resources, and reputation.
Examples of fraud include theft of cash and inventories, bogus deliveries,
ghost employees, and window dressing, among others.

Definition and Nature of Risk Management

As previously discussed, many risks affect a business. If these risks are not
properly managed, it will be "game over" because the business objectives of
the company will not be achieved. A formal risk management process,
therefore, becomes imperative in order to address and manage risks.

COSO defines enterprise risk management as:

    Enterprise risk management is a process, effected by an entity's board of
    directors, management, and other personnel, applied in strategy setting and
    across the enterprise, designed to identify potential events that may affect the
    entity, and manage risk to be within its risk appetite, to provide reasonable
    assurance regarding the achievement of entity objectives.

You may download the ERM Executive Summary using the link below:
https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

Risk Management as a Process

Risk management is not an isolated activity within the company. It is
composed of a set of interrelated components that operate in an integrated
manner in order to address the various risks affecting the company. The
components of risk management will be discussed in the next chapter.

Roles in the Risk Management Process

Everyone has a role to play in the company's risk management process. The
following summarizes the duties of key people pertaining to the management
of risks:

1. Board of directors - conducts oversight of the effectiveness of the
company's risk management process. Risk oversight pertains to the periodic
review and monitoring of the process being used by management in
addressing and controlling risks. It is common for large companies to have risk
oversight committees within the board of directors.

2. Management - implements specific risk mitigation and control procedures in
managing the various types of risks affecting the company. Management also
identifies and assesses risks prior to selecting the appropriate risk response.

3. Internal auditors - examine the risk management process for the purpose of
determining its effectiveness over time. The results of their examination are
communicated to either the board of directors or the risk oversight committee.

4. Other personnel - implement specific tasks and duties pertaining to the
processes within their departments.

Risk Appetite

Risk appetite is the level of risk that the company can accept in pursuit of its
objectives. As previously mentioned, operating a business naturally involves
the taking of risks. However, these risks must be kept within acceptable or
manageable levels. One of the aims of the risk management process is to
keep risks within the company's risk appetite.

Steps in the Risk Management Process

1. Setting of business objectives.

The risk management process starts with the setting of business objectives. In
this regard, the COSO Risk Management framework categorizes business
objectives into strategic, operational, reporting, and compliance.

Descriptions of the four categories of business objectives are shown below:

a. Strategic objectives - high-level goals that are aligned with and support the
organization's mission and long-term vision.

b. Operational objectives - goals that are related to the effective and efficient
use of corporate resources.

c. Reporting objectives - goals relating to the reliability and transparency of
corporate reports such as financial and nonfinancial reports.

d. Compliance objectives - goals relating to compliance and conformity
with applicable laws and regulatory requirements.

Examples of business objectives in the four categories are shown below:

Table 7. The Four Categories of Objectives with Specific Examples

Category of objective: Strategic
  Specific example: Increase market share of the company to 40% through business expansion.

Category of objective: Operational
  Specific example: Achieve profit after tax of P100 million.

Category of objective: Reporting
  Specific example: Generate financial statements that are reliable and compliant with the International Financial Reporting Standards (IFRS).

Category of objective: Compliance
  Specific example: Compute, file, and pay taxes based on the requirements of tax laws and BIR Regulations.

2. Identify the risks.

After setting the various objectives of the business, the risks or threats to the
achievement of those objectives are identified. This is the process called risk
identification. To reiterate, risks are events that can prevent the company from
achieving its business objectives.

Risks are not that easy to spot. To be able to identify risks, risk managers
must possess a comprehensive understanding of the company: the way it
operates, its corporate mission and vision, major transactions, products and
services, suppliers and customers, and regulatory environment, among others.

It is a common practice for a company to hold workshops or technical
sessions where key people from different departments participate. The aim is
to produce a comprehensive listing of all risks affecting the company. This list
is often called a risk matrix. These are the "known" risks. It should be
mentioned, however, that there are also "unknown" risks. These are the more
dangerous kind of risks, since they are yet to be identified even though they
can occur at any time.

The table below shows risks that can prevent the achievement of business objectives:

Table 8. Examples of business objectives and risks in achieving them

Business objective: Increase market share of the company to 40% through business expansion
  Risk: Possible entry of more competitors in the market
  Risk: Change in the taste and preference of customers

Business objective: Achieve profit after tax of P100 million
  Risk: Potential decline in the sales revenue of the company
  Risk: Increase in production and operating costs

Business objective: Generate financial statements that are compliant with the International Financial Reporting Standards (IFRS)
  Risk: Complexity in applying complex accounting requirements
  Risk: Changes in the IFRS

Business objective: Compute, file, and pay taxes based on the requirements of tax laws and Bureau of Internal Revenue Regulations
  Risk: Error in computing taxable income and the tax due
  Risk: Intentional understatement of taxable income to reduce the tax due

3. Assess the risks.

Any risk has two dimensions: (1) the probability that something can go wrong
and (2) the negative consequence or impact if that event occurs. Hence,
identified risks should be assessed in terms of (1) likelihood of occurrence and
(2) impact. "Likelihood" pertains to the probability that the event will occur. In
other words, "likelihood" means the chance of occurrence. "Likelihood" is often
classified as "high", "moderate", or "low."

On the other hand, "impact" refers to the significance or magnitude of the
negative effect of the risk on the company. The "impact" of a risk is also
classified as "high", "moderate", or "low." Analyzing risk in terms of
"likelihood" and "impact" is known as risk assessment.

Assessment of risks will be discussed in the next chapter.

4. Respond to the assessed risks.

Management will select the appropriate risk response depending on the result
of the risk assessment, which can be "high", "moderate", or "low." Possible
responses to assessed risks are listed as follows:

a. Accept - Tolerating or accepting the risk is permissible only if it is of minor
effect to the business or if its likelihood is "remote," such that it is not worth the
money or effort to do anything about it.

b. Reduce - Risks that are likely to happen or those that are expected to have
a significant impact on the business cannot simply be accepted. These risks
should be mitigated or reduced to tolerable levels. Reducing risks can be done
through implementing controls or specific risk mitigation plans.

c. Share - In some situations, the appropriate response might be to share or
transfer the risks to some other entity such as an insurance company. An
insurance company manages other people's risks.

d. Avoid - Avoiding a risk may be the right response when management thinks
that merely reducing it is not enough. For instance, the company may terminate
one of its product lines if it assesses that operating it has become too risky.

5. Implement the risk response.

Implementing the risk response is done through deploying specific risk
mitigating plans or management action plans to control the risks. The following
are examples of specific action plans or controls needed to address assessed
risks:

Table 9. Examples of risks and the corresponding risk mitigating action of
management

Risk: Loss of supply of raw materials needed in production
  Risk mitigating action or management control: Identify alternative sources of raw materials
  Risk mitigating action or management control: Maintain safety stock or buffer in raw materials inventory

Risk: Entry of more competitors in the market
  Risk mitigating action or management control: Massive advertising to promote the company's product
  Risk mitigating action or management control: Product improvement through research and development

Risk: Possibility that customers will be unable to pay their accounts on the due date
  Risk mitigating action or management control: Proper evaluation of the paying ability of customers and credit analysis
  Risk mitigating action or management control: Applying credit limits to customers

Risk: Possibility that the business will run out of cash
  Risk mitigating action or management control: Obtaining cash from preapproved and standby bank credit lines
  Risk mitigating action or management control: Policy for converting investments into cash

Risk: Clerical errors in the recording and processing of transactions
  Risk mitigating action or management control: Computerization of transaction processing
  Risk mitigating action or management control: Auditing of the recorded transactions to determine correctness

Risk: Possibility of computer breakdown and loss of data
  Risk mitigating action or management control: Use of uninterruptible power supply (UPS)
  Risk mitigating action or management control: Backup procedures on computer files

6. Monitor the risk management process.

The risk management process must be continuously monitored to determine if
it remains effective and efficient over time. Management and corporate
boards cannot make the erroneous assumption that an effective risk
management process will simply remain effective. A risk management
process that is effective today may no longer be effective in the next period.
This is because risks are always changing. There are even new and emerging
risks such as cybercrime risk and the risk of pandemics. Therefore, there must
be a periodic evaluation of the risk management process. This is usually done
through an internal audit process.

Risk Management Frameworks

Strategies for managing risks can only operate well if they are based on an
appropriate framework for managing risks. A framework is used as a guide in
formulating a company's risk management process. COSO Enterprise Risk
Management and ISO 31000-Risk Management are the two leading risk
management frameworks today.

ISO 31000 Risk Management is a series of risk management standards
formulated by the International Organization for Standardization. ISO 31000
provides a set of principles and guidelines for the design, implementation, and
evaluation of the risk management process for companies across different
industries.

Information about ISO 31000 may be downloaded using the following link:
https://www.iso.org/iso-31000-risk-management.html
The International Organization for Standardization is an independent,
nongovernmental organization that develops voluntary international standards
and is comprised of 165 member countries as of 2020. It was founded in
1947.

ISO 31000 follows a structured approach toward the systematic application of
management policies and procedures to the activities of communication,
consulting, establishing the context, and identifying, analyzing, evaluating,
treating, monitoring, and reviewing risk.

The steps under ISO 31000 are summarized below:

- Identification of all risks that could prevent the company from achieving its
  business objectives.
- Analysis of risk, including an understanding of its causes and effects.
- Determination of whether identified risks are tolerable or not.
- Treatment of significant risks by way of mitigating procedures, thereby
  reducing the impact and/or the likelihood of the risks.
- Monitoring of the risk management strategy and its implementation to
  determine gaps that should be addressed.
- Communication of information pertaining to the risk management process of
  the company.

Another global framework is COSO Enterprise Risk Management (COSO
ERM). The original framework was published in 2004. The COSO organization
was originally established in order to study the causes of fraudulent financial
reporting during the latter part of the 1980s. It was also tasked to make
recommendations on how to prevent such improper accounting practices.

[Figure 19: cover of the COSO publication "Enterprise Risk Management
Framework: Integrating with Strategy and Performance".]

Figure 19. COSO Enterprise Risk Management

Information about the COSO Framework may be obtained using the link
below:

https://www.coso.org/pages/erm-integrated framework.aspx

Source: Committee of Sponsoring Organizations of the Treadway Commission.
2004. COSO Enterprise Risk Management. Accessed November 20, 2020.
