Huy Vu
My takeaways
on Risk
2024
Reference Sources
RISK
Definition
What is Risk
Risk can be defined as ‘the effect of uncertainty on objectives’ (ISO 31000:2018). In all
types of undertakings, uncertainties arise and, therefore, there is the potential for events
that constitute opportunities for benefit (upside) or threats to success (downside). The
definition of risk holds the idea of both upside and downside risk simultaneously.
Risk: identified future event to which it is possible to associate a
distribution of probabilities of occurrence.
Uncertainty: identified future event to which it is not possible to associate
a distribution of probabilities of occurrence.
Risk encompasses the opportunities to create value for the organization (upside or
opportunity risk) as well as the threats or hazards present and to be considered to ensure
value is not compromised (downside risk), with recognition of the uncertainties attached to
the opportunities and hazards alike.
Risk-taking is what organizations do — it is part of every decision an
organization takes.
As risk is inherent to all activities and impossible to eliminate, risk
management is a key element for the survival of companies.
RISK MANAGEMENT
Definition
Risk management standard ISO 31000:2018 defines risk
management as “coordinated activities to direct and control an
organization with regard to risk”.
01 The risks to which the organization is subject must be managed to support decision-making.
02 Risk management should be integrated with governance in a single framework for any organization overseen by a board.
03 Risk management is a central part of any organization's strategic management.
Risk management can be understood as a system intrinsic to strategic
planning, consisting of continuous and structured processes – designed
to identify and respond to events that may affect the organization's
objectives.
01 Risk management is the process whereby organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
02 Risk management assists organizations in achieving objectives, making informed decisions and potentially avoiding loss events.
03 Risk management is an integrated system designed to guide the appetite for risk taking in the business environment, to achieve set objectives.
Risk management is a continuous and developing
process which runs throughout the organization's
strategy and implementation of that strategy
Risk management must translate the
strategy into tactical and operational
objectives, assigning responsibility
throughout the organization.
Effective risk management is dictated by the quality of governance, human resources, strategies, culture, perception of risks generated by quality of the business environment, processes, controls and technologies adopted.
Risk management is dynamic and inclusive and should be tailored to each organization's individual context.
Risk management must be integrated into the culture of the organization with an effective policy and a programme led by the most senior management.
Risk management is everyone’s
responsibility, no matter which level they
work at in the organization.
Corporate Governance and Risk Management
The corporate governance model, represented by roles distributed within the company's structure, helps in managing risks at different company levels. This model aims to ensure that information originating from the risk management process is effectively communicated and used as a basis for decision-making and accountability on all applicable company levels.
Risk management is part of the corporate governance as the risk needs
to be identified, measured, treated and monitored and this information
fuels the process of decision-making by the Board of Directors, the
senior management and the remaining stakeholders. The risk
management process requires:
01 Commitment from the chief executive and executive management of the organization.
02 Assignment of responsibilities within the organization.
03 Allocation of appropriate resources for training and the development of enhanced risk awareness by all stakeholders.
Distribution of responsibility
The role of the Board
Determine the strategic direction and create
the structures for risk management to operate
effectively.
The role of Board Committees
Ensure the integrity of financial information,
compliance with regulations, and effective
management of risks.
The role of Management
Recommend, execute and operate within the
risk appetite, framework and process, in line
with the board’s strategy.
The Risk Management Function
Design and implement the risk management
framework that is appropriate for the
organization.
The role of Internal Audit
Bring a systematic approach to evaluating and improving the effectiveness of risk management and internal control processes.
The role of the board:
The Board's mission is to protect and
value the company's heritage.
Risk management begins and ends with
the board.
The board has overarching responsibility for setting the
organization's strategy and business model and the
corresponding level of risk.
The Board must oversee the determination
of strategic goals and risk profile suitable
to its risk appetite, culture, and identity.
The Board ensures that risk management is an integral part of decision-making and value creation for the company.
The Board has responsibility for creating the environment and the structures for risk management to operate effectively.
The Board must monitor the functioning of
the risk management process and follow-up
on the company's risk profile and action
plans defined in response to risks.
The Board of Directors must ensure that
management implements effective controls to
mitigate business disruption risks.
The Board is also in charge of monitoring the efficiency and effectiveness of the
internal control system:
The nature and extent of risks acceptable for the company to bear within its business
The company's ability to minimize the probability and impact on the business
The likelihood of such risks becoming a reality
The costs and benefits of the risk and control activity undertaken
How unacceptable risks should be managed
The effectiveness of the risk management process
The risk implications of Board decisions
The role of the board committees:
Board Committees – Audit and Risk
The board is responsible for the oversight of risk management. In exercising this responsibility, boards often
establish committees with a focus on issues. Two common areas of focus are:
Risk oversight and internal control: the committee responsible needs to be satisfied that their organizations are sufficiently prepared to address this risk.
Integrity of financial reporting: assist the Board with the quality control of financial statements for purposes of achieving reliability of information and protecting all stakeholders.
Board Committee (Risk / Audit)
Provides oversight and advice to the board in relation to current and emerging risks and risk management strategies.
Monitors performance of risk policies and follow-up on KRIs, orientating decisions when KRIs demonstrate the need for decision-making.
Provides recommendations about risk appetite, risk policies, compliance with tolerance and monitors the management of risk within its remit.
Must perform the role of supervising processes related to the internal control system.
Must perform the role of supervising risk management.
Must perform the role of supervising the execution of rules and following-up on KRIs.
The role of management:
Unit managers execute and operate within the risk appetite, framework and process, in line with the board's strategy and subject to its oversight.
Unit managers direct application of internal control activities in their spheres of authority, ensuring their application is consistent with the risk profile and risk appetite.
Unit managers are entrusted with management of risks related to their units' goals and processes.
Management establishes mechanisms to monitor risk exposure, risk appetite at all the areas of the organization and risk management performance.
Management establishes mechanisms to enforce the risk tolerances prescribed by the board.
Management establishes mechanisms to routinely monitor and evaluate the risk management processes and report to the board.
The role of business units:
The business units have primary responsibility for managing risk on a day-to-day basis.
Each business unit's management is responsible for promoting risk awareness within its operations.
Each business unit's management should ensure that risk management is incorporated throughout a project.
Risk management is everyone's business and is about making informed business decisions by creating awareness of risk.
Risk management function
Risk management performs both a control and a strategic function. Risk
management is less effective in organizations where it operates purely as a
control function.
A risk management function is responsible for designing and implementing the
risk management framework that is appropriate for the organization.
The risk management function must retain sufficient independence to fulfil its assurance function and question the decisions of other business units.
A risk management function develops channels of communication to ensure that strategy and risk appetite are central to developing risk management strategies.
The role of the risk Management function:
Setting policy and strategy for risk management
Building a risk-aware culture, including providing appropriate education
Primary champion of risk management at the strategic & operational level
Establishing internal risk policy and structures for the business units
Developing risk-response processes, including business continuity programs
Designing and reviewing processes for risk management
Preparing reports on risk for the Board and the stakeholders
Internal Audit Function
Corporate Governance
Internal audit plays a key role in assessing effectiveness and
determining improvements in corporate governance and internal
control systems.
Internal Control
An internal audit function brings a systematic, disciplined
approach to evaluating and continually improving the
effectiveness of an organization's risk management and internal
control processes.
Risk Management
An internal audit function provides a perspective on organizational
practices and risk culture based on its observations of practices
and behaviors.
The role of internal audit:
The internal audit function provides independent assurance that an organization's governance, risk management, and internal control processes are effective.
Focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organization
Providing assurance on the management of risk
Providing active support and involvement in the risk management process
Facilitating risk identification/assessment and educating line staff in risk management and internal control
Co-ordinating risk reporting to the Board, audit committee, etc.
The Three Lines of Defense
The 3LOD helps organizations identify structures and processes that best assist the achievement of objectives and
facilitate strong governance and risk management. The 3LOD has been widely adopted and generally accepted as a
standard approach by financial institutions as well as having become integral to regulators’ approaches to regulating
operational risk.
The three lines of defense framework
#1 Line of Defense
The 1st LoD consists of the business owners, whose role is
to identify risk, as well as execute actions to manage and
treat it.
#2 Line of Defense
The 2nd LoD is comprised of the standard setters or risk
oversight groups which are responsible for establishing
policies and procedures and serving as the management
oversight over the first line.
#3 Line of Defense
The 3rd LoD is comprised of independent assurance
providers. These groups report independently to the board
or the audit committee and include functions such as
internal audit, a Chief Risk Officer and special committees.
Risk Rookie
Huy Vu
About Myself
A business nerd on a journey to help others by gathering valuable information, making it useful and sharing insights on Strategy, Risk & Governance.