
NAME: Anne Marielle Pla Uy

I. True or False. Justify your answer.


1. COSO ERM Framework focuses on culture as the main driver of risk management.
Answer: True
The COSO ERM does not require a separate risk management function; rather, it does not view ERM as a function
or department but as culture, capabilities, and practices.
2. One of the most widely used risk management frameworks is COSO which talks about value creation and answers
“how should an organization manage its risk?”
Answer: False
It should be the ISO that answers “how should an organization manage its risk?”
3. The Board of Directors should be responsible for the oversight of a company’s Enterprise Risk Management system
to ensure its functionality and effectiveness.
Answer: False
It should be the Board Risk Oversight Committee that is responsible for the oversight of a company’s ERM system to
ensure its functionality and effectiveness.
4. Each company can establish its own enterprise risk management framework tailored on its own need.
Answer: True
Each organization has its own approach to oversight and governance.
5. Information technology risk is an example of operational risk.
Answer: True
IT risk is the potential for technology shortfalls to result in losses. This includes the potential for project failures,
operational problems and information security incidents.
6. When there is only one possible outcome to a decision, risk or uncertainty is present.
Answer: True
Certainty refers to the situation where there is only one possible outcome to a decision and this outcome is known
precisely. For example, investing in Treasury bills leads to only one outcome (the amount of the yield), and this is
known with certainty. The reason is that there is virtually no chance that the government will fail to redeem these
securities at maturity or that it will default on interest payment. On the other hand, when there is more than one
possible outcome to a decision, risk or uncertainty is present.
7. A pure risk is a chance of loss or no loss, but no chance of gain.
Answer: True
Pure risk is the potential for losses and, in contrast to speculative risk, there is no opportunity for gain.
8. A risk seeking individual is the one who prefers less risk for the same expected return.
Answer: False
An individual is said to be risk seeking if the certainty is greater than the expected value of an investment
alternative.
9. The main objective of Risk Management is the mitigation of risk.
Answer: True
Risk management is the approach to identify risks with the aim to prevent, mitigate or eliminate the
potential harm from those risks.
10. The President is the ultimate champion of ERM at the company.
Answer: False
It should be the Chief Risk Officer that is responsible for the firm's risk management operations, including
managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization,
and who works diligently with senior management.
II. Multiple Choice. Discuss your chosen answer.
1. The risk that refers to uncertainty about the rate of return caused by the nature of the business is
a. Default risk b. Business risk c. Liquidity risk d. Financial risk
Financial risks are everywhere and come in many different sizes, affecting everyone. You should be aware of all
financial risks. Knowing the dangers and how to protect yourself will not eliminate the risk, but it will mitigate their harm.
2. The risk associated with the uncertainty created by the inability to turn investment quickly for cash
a. Interest rate risk b. Business risk c. Liquidity risk d. Default risk
Liquidity risk occurs when an individual investor, business, or financial institution cannot meet its short-term debt
obligations. The investor or entity might be unable to convert an asset into cash without giving up capital and income due
to a lack of buyers or an inefficient market.
3. The risk that the real rate of return will be less than the nominal or stated rate of return due to inflation is referred to
as
a. Purchasing power risk b. Liquidity risk c. Default risk d. Business risk
The chance that the cash flows from an investment won’t be worth as much in the future because of changes in
purchasing power due to inflation.
4. Operational risk is manifested in all of the following except
a. Interest rates volatility b. Process stoppage c. Technological obsolescence d. Management fraud.
Operational risk pertains to the execution of the basic activities within a process and encompasses the potentially
wide range of things that can go wrong within a process. Potential risks relate to excessive breakdowns or work stoppages
in the process.
5. Financial risks associated with financial institutions include the following except
a. Liquidity risk b. Credit risks c. Market liquidity risk d. Environment risk
Environmental risk management seeks to determine what environmental risks exist and then determine how to
manage those risks in a way best suited to protect human health and the environment.
6. Non-financial risks include the following except
a. Compliance risk b. Reputation risk c. Market risk d. Disaster risk
Market risk is the possibility of an investor experiencing losses due to factors that affect the overall performance of
the financial markets in which he or she is involved.
7. ISO 31000 suggests that once risks have been identified and assessed, techniques to manage the risk should be
applied. These techniques include the following except
a. Avoidance b. Sharing c. Reduction d. Complete disregard
ISO 31000 provides a level of reassurance in terms of economic resilience, professional reputation and
environmental and safety outcomes. In a world of uncertainty, ISO 31000 is tailor-made for any organization seeking clear
guidance on risk management.
8. The technique of eliminating or reducing risk which could mean losing out on the potential gain is called
a. Avoidance b. Sharing c. Reduction d. Acceptance
Risk reduction deals with mitigating potential losses while engaging in potentially risky financial behavior.
9. This technique involves accepting the loss or benefit of gain from a risk when it occurs
a. Avoidance b. Sharing c. Reduction d. Acceptance
Retention involves accepting the loss, or benefit of gain, from a risk when it occurs.
10. Key tenets of the Turnbull guidance include
a. Engaging all employees
b. Streamlining risk management database
c. Ongoing, continuing monitoring of risk and control
d. All of the above.
The Turnbull guidance covers the following areas: engaging all employees, streamlining the risk management database,
and ongoing, continuing monitoring of risk and control.
III.
1. Discuss Risk, Hazard and Uncertainty. Explain how they differ from each other by giving an illustration.
A risk is an unplanned event that may affect one or some of your project objectives if it occurs. The risk is positive if
it affects your project positively, and it is negative if it affects the project negatively. A hazard is the condition that increases
the probability of loss. In uncertainty, the outcome of any event is entirely unknown, and it cannot be measured or
guessed; you do not have any background information on the event.

RISK
>the chance of harm caused by a hazard
>can predict the chance of an outcome in the future
>a situation involving exposure to danger
>uncontrolled certainty
>predictable loss
>quantifiable
>consequences of decision makers' actions

HAZARD
>potential to cause harm
>something that poses a threat to life, health, property and the environment
>the condition that increases the probability of loss

UNCERTAINTY
>cannot predict the chance of an outcome in the future
>lack of certainty
>unpredictable damage
>unquantifiable
>ignorance of the future
2. Enumerate the different classifications and types of risks. Briefly explain and give example for each.
Classified based on their:
Effect - involves uncertainty about the effects/implications of an activity with respect to something that humans value
(such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.
Example:
Reducing the risk of injury through safety procedures.
Controllability - The degree to which the risk owner (or owning organization) is able to control the risk's outcome.
Example:
What can you do to decrease your risk of developing heart disease? You can exercise regularly, avoid smoking,
manage a healthy weight, and eat healthful, nutritious meals.
Correlation – refers to the risk of a financial loss when correlation in the market changes.
Example:
An increase in default correlation between bond issuers and insurers was observed, which represents wrong-way
risk.
Impact - is an estimate of the potential losses associated with an identified risk.
Example:
A project team may estimate technical risks in terms of delays to a schedule.
Drivers - an attribute, characteristic, variable or other concrete determinant that influences the risk profile of a system,
entity or financial asset.
Example:
Number of potential damaging incidents that could cause a disruption of service.
Types of Risks:
Business Risk - refers to the basic viability of a business, the question of whether a company will be able to make sufficient
sales and generate sufficient revenues to cover its operational expenses and turn a profit.
Example:
Changing preferences of customers.
Financial Risk - can sometimes be outside an organization’s control, but can often be influenced by its actions.
Example:
Having insufficient cash to meet obligations.
Market Risk - Risks which derive from the sector in which the business is operating, and from its customers.
Example:
Failure to provide goods customers require.
Product Risk - The risk that customers will not buy new products (or services) provided by the organization, or that the
sales demand for current products and services will decline unexpectedly.
Example:
Customer experience issues such as a product with poor usability.
Legal Risk – Risk such as changes in the law.
Example:
There is a breach of regulations, company act.
Political Risk - depends to a large extent on the political stability in the countries in which an organization operates and the
attitudes of governments towards protectionism.
Example:
Changes in taxes can reduce the profitability of a business and affect the price of assets such as stocks.
Technological Risk - arising from factors such as communication technology and transport options.
Example:
Competitors achieve technological advantage.
Strategic and Operational Risks - This business risk can happen internally, externally or involve a combination of factors.
Something could unexpectedly happen that causes you to lose business continuity.
Example:
An unexpected event could be a natural disaster or fire that damages or destroys your physical business.
Environmental Risk - arising from changes in the political, economic, social and financial environment. Includes strategic
risk.
Example:
A natural disaster affecting the supply chain.
Probity Risk - is related to the governance and ethics of the organization. It can arise from unethical behavior by one or
more participants in a particular process. It is often discussed in the context of procurement, where issues such as failing to
treat information as confidential, lack of trust in business dealings and time spent in resolution of disputes may arise.
Example:
Directors/officers receive high bonuses when the company is making losses.
Reputation Risk - there has always been the risk that an unhappy customer, product failure, negative press or lawsuit can
adversely impact a company's brand reputation.
Example:
Poor-quality production.
Fraud Risk – is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property
or services unjustly.
Example:
Failure to conduct background checks and other pre-employment screening and weak internal controls.
3. Identify 3 main attitudes toward risk. Briefly explain.
Risk averse - People are risk averse when they shy away from risks and prefer to have as much security and certainty as is
reasonably affordable in order to lower their discomfort level. They would be willing to pay extra to have the security of
knowing that unpleasant risks would be removed from their lives.
Risk seeker - A risk seeker, on the other hand, is not simply the person who hopes to maximize the value of retirement
investments by investing in the stock market. Much like a gambler, a risk seeker is someone who will enter into an
endeavor as long as a positive long-run return on the money is possible, however unlikely.
Risk neutral - an entity is said to be risk neutral when its risk preference lies in between these two extremes. Risk neutral
individuals will not pay extra to have the risk transferred to someone else, nor will they pay to engage in a risky endeavor.
To them, money is money. They don’t pay for insurance, nor will they gamble.
4. Discuss the 5 commonly used standards in managing risks.
• COSO 2017 Enterprise Risk Management – Integrating with Strategy and Performance
The Enterprise Risk Management–Integrating with Strategy and Performance principles apply to all entities,
including not-for-profit and governmental bodies, regardless of size. While some small and midsize entities may implement
the principles of enterprise risk management differently than large entities, they remain applicable to every type of entity.
• COSO 2004 Enterprise Risk Management – Integrated Framework
In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide
approaches to risk management, COSO issued the ERM – Integrated Framework in 2003. This framework defines
essential ERM components, discusses key ERM principles and concepts, suggests a common ERM language, and provides
clear direction and guidance for ERM.
• ISO 31000:2018 – Risk Management Principles and Guidelines
ISO 31000 helps organizations develop a risk management strategy to effectively identify and mitigate risks,
thereby enhancing the likelihood of achieving their objectives and increasing the protection of their assets. Its goal is to
develop a risk management culture where employees and stakeholders are aware of the importance of monitoring and
managing risk.
• A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK’s 3 main risk organizations.
The Risk Management Standard was originally published by the Institute of Risk Management (IRM), the
Association of Insurance and Risk Managers (AIRMIC) and the Public Risk Management Association (Alarm) in 2002. It was
subsequently adopted by the Federation of European Risk Management Associations (FERMA). Risk management protects and
adds value to the organization and its stakeholders through supporting the organization’s objectives.
• The Turnbull Guidance
Good internal controls should ensure that the company's management systems, accounting records, asset
maintenance and compliance issues are operating correctly. In relation to financial years beginning before 1 October 2014,
this note details the board's responsibilities for internal control, the recommendations of the Turnbull guidance and
practical steps for their implementation, the risks to be covered, establishing an effective internal control system and
reviewing it, and reporting to shareholders. The FRC's Internal Control: Guidance to Directors (known as the Turnbull
guidance) is effective for financial years beginning before 1 October 2014.
5. Explain and assess the importance of TARA framework for risk management.
Strategies for managing risks can be explained as TARA (or SARA): Transference (or Sharing), Avoidance, Reduction
or Acceptance. Transfer: this means passing the risk on to another party, which in practice means an insurer or a business
partner such as a supplier or a customer. Avoid: this means asking whether or not the organization needs to engage in the
activity where the risk is. If it is decided that the risk cannot be transferred nor avoided, it might be asked whether or not
something can be done to reduce the risk. Reduce: this means diversifying the risk or re-engineering a process to bring
about the reduction. It can also include risk sharing, which involves finding a party that is willing to enter into a partnership
so that the risks of a venture might be spread. Retain: this means believing there to be no other feasible option. Such
retention should be accepted when the risk and return characteristics are clearly known.
6. What is Enterprise Risk Management?
A process, effected by an entity's Board of Directors, management and other personnel, applied in strategy setting
and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
7. Compare the COSO risk management approach with ISO.
While the frameworks provide firms with a pragmatic and unified ERM approach, they do have their differences.
Some of the differences include: first, COSO targets accounting and auditing agencies, while ISO can be used by any organization.
Secondly, ISO 31000 is used globally, while COSO’s main users are in North America. Lastly, COSO focuses broadly on
corporate governance as a vital aspect of ERM, while ISO offers risk management as a part of an organization’s entire strategic
planning.
8. Explain the risk appetite and how this affects risk policy?
An organization-wide risk appetite statement can be a powerful tool that gives your risk or compliance program
direction. However, like any policy, a risk appetite without accompanying action is nothing more than an idea.
9. Explain and analyze the concept of assessing the severity and probability of risk events.
Probability is the likelihood of an accident with a given hazard while severity describes the highest level of damage
possible when an accident occurs from a particular hazard.
10. Describe the steps in risk management process that companies can adopt in establishing effective risk
management framework.
The first step is to identify the risks that the business is exposed to in its operating environment. Once a risk has
been identified it needs to be analyzed. The scope of the risk must be determined. It is also important to understand the
link between the risk and different factors within the organization. To determine the severity and seriousness of the risk it
is necessary to see how many business functions the risk affects. Risks need to be ranked and prioritized. Most risk
management solutions have different categories of risks, depending on the severity of the risk. A risk that may cause some
inconvenience is rated low, while risks that can result in catastrophic loss are rated the highest. It is important to rank risks
because it allows the organization to gain a holistic view of the risk exposure of the whole organization. Every risk needs to
be eliminated or contained as much as possible. Not all risks can be eliminated – some risks are always present. Market
risks and environmental risks are just two examples of risks that always need to be monitored.