Module III. Risk Management
RISK MANAGEMENT
Objectives:
1. Define risk management.
2. Discuss the risk model and the processes involved in risk management.
3. Describe the principles and benefits of effective risk management.
Introduction
Are you aware of and prepared for the many risks faced by organizations today?
Any one of a variety of risks could threaten an organization's success and lead to a decrease in
stakeholder value, including: globalization, technology, demands for customized products and services,
shifts in regulation, mergers and restructurings, accounting and reporting deficiencies, and complex
financial instruments. Leaders must be aware of a holistic approach to risk management and the need
for a stronger governance structure.
In line with this, the International Federation of Accountants (IFAC) has published an interesting and
useful piece, Enabling the Accountant’s Role in Effective Enterprise Risk Management.
The information in this document provides an overview for implementing Enterprise Risk
Management (ERM). It presents:
A definition of ERM;
A classification of various risks;
An understanding of the roles and responsibilities of management accountants in ERM projects;
An overview of ERM frameworks from several different global professional organizations;
A discussion of the foundational elements of ERM;
Suggestions of how ERM can enhance on-going management activities; and
Ideas for adding value to the Sarbanes-Oxley Act of 2002 (SOX) 404 compliance requirement by
employing a risk-based approach to identify, test, and document key internal controls to assure
investors on the quality of the firm's financial statements and related disclosures.
Most ERM frameworks advocate a similar approach:
Activity
Make an insight paper about the published report of The International Federation of Accountants
(IFAC), Enabling the Accountant’s Role in Effective Enterprise Risk Management.
Format: 2-3 pages legal size paper, 1.5 spacing, Arial, 11, pdf format
Abstraction
Risk management is the process of identifying, assessing and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources,
including financial uncertainty, legal liabilities, strategic management errors, accidents and natural
disasters. IT security threats and data-related risks, and the risk management strategies to alleviate
them, have become a top priority for digitized companies. As a result, a risk management plan
increasingly includes a company's processes for identifying and controlling threats to its digital assets,
including proprietary corporate data, a customer's personally identifiable information (PII) and intellectual
property.
Every business and organization faces the risk of unexpected, harmful events that can cost the
company money or cause it to permanently close. Risk management allows organizations to attempt to
prepare for the unexpected by minimizing risks and extra costs before they happen.
Importance
By implementing a risk management plan and considering the various potential risks or events
before they occur, an organization can save money and protect its future. This is because a robust risk
management plan will help a company establish procedures to avoid potential threats, minimize their
impact should they occur and cope with the results. This ability to understand and control risk enables
organizations to be more confident in their business decisions. Furthermore, strong corporate
governance principles that focus specifically on risk management can help a company reach its goals.
Creates a safe and secure work environment for all staff and customers.
Increases the stability of business operations while also decreasing legal liability.
Provides protection from events that are detrimental to both the company and the environment.
Helps establish the organization's insurance needs in order to save on unnecessary premiums.
The importance of combining risk management with patient safety has also been revealed. In most
hospitals and organizations, the risk management and patient safety departments are separated; they
incorporate different leadership, goals and scope. However, some hospitals are recognizing that the
ability to provide safe, high-quality patient care is necessary to the protection of financial assets and, as
a result, should be incorporated with risk management.
All risk management plans follow the same steps that combine to make up the overall risk
management process:
Establish context. Understand the circumstances in which the rest of the process will take place.
The criteria that will be used to evaluate risk should also be established and the structure of the
analysis should be defined.
Risk identification. The company identifies and defines potential risks that may negatively influence
a specific company process or project.
Risk analysis. Once specific types of risk are identified, the company then determines the odds of
them occurring, as well as their consequences. The goal of risk analysis is to further understand each
specific instance of risk, and how it could influence the company's projects and objectives.
Risk assessment and evaluation. The risk is then further evaluated after determining the risk's
overall likelihood of occurrence combined with its overall consequence. The company can then make
decisions on whether the risk is acceptable and whether the company is willing to take it on based
on its risk appetite.
Risk mitigation. During this step, companies assess their highest-ranked risks and develop a plan
to alleviate them using specific risk controls. These plans include risk mitigation processes, risk
prevention tactics and contingency plans in the event the risk comes to fruition.
Risk monitoring. Part of the mitigation plan includes following up on both the risks and the overall
plan to continuously monitor and track new and existing risks. The overall risk management process
should also be reviewed and updated accordingly.
Risk management strategies should also attempt to answer the following questions:
1. What can go wrong? Consider both the workplace as a whole and individual work.
2. How will it affect the organization? Consider the probability of the event and whether it will have a
large or small impact.
3. What can be done? What steps can be taken to prevent the loss? What can be done to recover if a loss
does occur?
After the company's specific risks are identified and the risk management process has been implemented,
there are several different strategies companies can take in regard to different types of risk:
Risk avoidance. While the complete elimination of all risk is rarely possible, a risk avoidance strategy
is designed to deflect as many threats as possible in order to avoid the costly and disruptive
consequences of a damaging event.
Risk reduction. Companies are sometimes able to reduce the amount of damage certain risks can
have on company processes. This is achieved by adjusting certain aspects of an overall project plan
or company process, or by reducing its scope.
Risk sharing. Sometimes, the consequences of a risk are shared, or distributed among several of
the project's participants or business departments. The risk could also be shared with a third party,
such as a vendor or business partner.
Risk retaining. Sometimes, companies decide a risk is worth it from a business standpoint, and
decide to keep the risk and deal with any potential fallout. Companies will often retain a certain level
of risk if a project's anticipated profit is greater than the costs of its potential risk.
Limitations
While risk management can be an extremely beneficial practice for organizations, its limitations
should also be considered. Many risk analysis techniques -- such as creating a model or simulation --
require gathering large amounts of data. This extensive data collection can be expensive and is not
guaranteed to be reliable.
Furthermore, the use of data in decision-making processes may have poor outcomes if simple
indicators are used to reflect the much more complex realities of the situation. Similarly, adopting a
decision throughout the whole project that was intended for one small aspect can lead to unexpected
results.
Another limitation is the lack of analysis expertise and time. Computer software programs have
been developed to simulate events that might have a negative impact on the company. While cost
effective, these complex programs require trained personnel with comprehensive skills and knowledge
in order to accurately understand the generated results. Analyzing historical data to identify risks also
requires highly trained personnel. These individuals may not always be assigned to the project. Even if
they are, there frequently is not enough time to gather all their findings, thus resulting in conflicts.
A false sense of stability. Value-at-risk measures focus on the past instead of the future. Therefore,
the longer things go smoothly, the better the situation looks. Unfortunately, this makes a downturn
more likely.
The illusion of control. Risk models can give organizations the false belief that they can quantify
and regulate every potential risk. This may cause an organization to neglect the possibility of novel
or unexpected risks. Furthermore, there is no historical data for new products, so there's no
experience to base models on.
Failure to see the big picture. It's difficult to see and understand the complete picture of cumulative
risk.
Risk management examples
One example of risk management could be a business identifying the various risks associated
with opening a new location. They can mitigate risks by choosing locations with a lot of foot traffic and
low competition from similar businesses in the area.
Another example could be an outdoor amusement park that acknowledges its business is
completely weather-dependent. In order to alleviate the risk of a large financial hit whenever there is a
bad season, the park might choose to consistently spend low and build up cash reserves.
Yet another example could be an investor buying stock in an exciting new company with high
valuation even though they know the stock could significantly drop. In this situation, risk acceptance is
displayed as the investor buys despite the threat, feeling the potential of the large reward outweighs the
risk.
Other Sources
Kindly read the other attachments:
1. ERM: Framework, Elements and Integration
2. Chapter 5 of Internal Audit by Tan
3. Chapter 5 of Internal Audit by Enrico D. Tabag
4. Review Material for Governance, Risk, and Ethics
Take note of important terms and concepts, especially those which are repeatedly mentioned.
References:
1. Enterprise Risk Management: Frameworks, Elements, and Integration;
https://www.imanet.org/insights-and-trends/risk--management/enterprise-risk-management?ssopc=1
2. Risk Management; https://searchcompliance.techtarget.com/definition/risk-management