Chapter 3 Managing Risk: Assignment Questions: Ladao, Alliah Bea M. IA-31

1. Describe the concept of risk and suggest ways that this concept
can be applied to business practice.
According to the given reference, risk is a choice rather than a fate. It is the
actions we dare to take, which depend on how free we are to make choices. Based on what I
have comprehended from the given lesson, that definition immediately introduces the concept
of choice when it comes to risk. It is not simply being subject to risks as a part of life, but being
in charge of one’s destiny, as there is much that we can control if we have the time and
inclination to do so. The stewardship concept underpinning corporate governance forces
management to seek out risks to the business and address them, where appropriate. A way to
apply this concept in business practice is the threats and opportunities model, where risk can
relate to forces that have a negative impact on objectives, in that they pose a threat. Upside
risk, on the other hand, represents opportunities that are attainable but may be missed or
ignored, and so mean we do not exceed expectations. It is more about moving outside of
familiar areas and knowing when and where to take risks. This is quite important in that if
we view controls as means of reducing risk, we can now also view them as obstacles to
grasping opportunities. In other words, risk in business practice makes sure that controls
are focused, worthwhile and make sense.
2. Discuss the implications of high levels of unmitigated risk in terms of
both threats to the business and missed opportunities.
In my previous answer I already stated the threats and opportunities
model. The implications of high levels of unmitigated risk in terms of both
threats to the business and missed opportunities relate to forces that have
a negative impact on objectives, in that they pose a threat. Upside risk, on the
other hand, represents opportunities that are attainable but may be missed or
ignored. Since risk is based on uncertainty, it is also based on perceptions of
this uncertainty and whether there is enough information to hand. Where the
uncertainty is caused by a lack of information, the question turns to
whether it is worth securing more information or examining the reliability of
the existing information. Uncertainty based on a lack of information that is in
fact readily available points to failings in the person most responsible for
dealing with the uncertainty. There is much that can be controlled, if there is
time to think about it and the capacity to digest the consequences.
3. Describe the risk management cycle and discuss each of the
main stages.
The risk management cycle has an objective in the middle, surrounded by factors such as
threats, risk, opportunities and impacts. It means clear decisions can be made on the types of
controls that should be in place and how risk may be kept to an acceptable level. The stages of
risk management are known as Identification, Assessment, Management and Review. In
Identification, the risk management process starts with a method for identifying all risks that face an
organization. It involves all parties who have expertise, responsibility and influence over the area affected
by the risks in question. All imaginable risks should be identified and recorded. Next is
Assessment, which assesses the significance of the risks that have been identified. This should revolve
around the two-dimensional Impact, Likelihood considerations that we have already described earlier.
The third stage is Management, which is armed with the knowledge of what risks are significant and
which are less so, and this ensures that all key risks are tackled and that resources are channeled into areas of
most concern, which have been identified through a structured methodology. Lastly, in the Review stage,
the entire risk management process and outputs should be reviewed and revisited on a continual
basis. This should involve updating the risk management strategy and reviewing the validity of the process
that is being applied across the organization.
4. Discuss the view that high levels of business risk may be addressed
through a variety of methods.

A threat to a company’s ability to achieve its financial goals is considered
a business risk. With the view that high levels of business risk
may be addressed through a variety of methods, any significant control failings or weaknesses identified
should be discussed in the reports, including the impact that they have had, could have
had, or may have, on the company and the actions being taken to rectify them. Going
back to the question, the view that high levels of business risk may be addressed through
a variety of methods applies when a company has a higher amount of business risk;
there are ways to mitigate the overall
risks associated with operating a business, and most companies accomplish this
through adopting a risk management strategy. Also, a model has been
developed with ten measures for addressing risks that have already been assessed for impact
and likelihood: the 5Ts (Terminate, Transfer, Take more, Tolerate and Tell
someone) and the 5Cs (Control, Contingency, Communicate, Commission Research and
Check Compliance). This model provides a wide range of techniques for developing a
suitable risk management strategy.
5. Explain the concept of risk registers and how they are affected by
the adopted risk appetite.

Based on the given reference, risk registers are defined as a vehicle for
capturing all the assessments and decisions made in respect of identified risks. The registers may form
part of the assurance process, where they can be used as evidence of risk containment activity, which
supports the statement of internal control. Also, they must be updated to reflect changes in the objectives,
external and internal risks and controls, all of which in turn happen because of changes in the
environment within which we operate. On the other hand, the risk appetite or risk tolerance is what goes
in the register and has been documented as significant, as opposed to immaterial risk, which
depends on the risk perception. The risk registers are affected by the risk appetite
in that when an organization gets the risk tolerance wrong, key stakeholders may well
misunderstand the extent to which their investment is insecure, and conversely, where corporate risk
tolerance is low, returns on investment may be likewise restrained. Funds will move in accordance with
the level of risk that they are attracted to, so long as this level has been properly communicated to all
interested parties. Risk appetite varies between organizations, between departments, between sections,
teams and, more importantly, between individuals.
6. Describe the contents of a corporate risk policy and explain the
role of a chief risk officer in implementing this policy.

The contents of a corporate risk policy serve as an overview of the organization’s position on risk
management, with comprehensible messages from the board. It is the highest part of the organization.
Also, a corporate risk policy statement is a tool used by companies and other organizations to identify and
respond to risks in a way that minimizes their impact. Although a risk policy statement often focuses on
financial risks to a company, the type of risks addressed can be highly variable and can include risk of
injury, accidents, and legal liability. It includes the goals and steps to identify risks to the organization,
prioritize risks in terms of magnitude and immediacy, design measures to avoid or minimize risks and seek
new opportunities created by risk-based situations. With regard to the role of the Chief Risk Officer in
implementing the policy, he or she will make good in all aspects of the risk model and ensure that
together they provide an effective system of risk management that is owned by all employees and integrated
into the way the organization works. As for the Chief Risk Officer, no risk policy will work without a
commitment to resource the necessary process and ensure there is someone who can help managers
translate board ideals into working practices.
7. Explain what is meant by ‘enterprise-wide risk management’ and
describe the way that this concept may be developed for an organization.

Based on what I have understood, enterprise-wide risk
management is somehow a process which is affected by people and
applied in strategy setting and across the enterprise. It is becoming a
widely embraced business paradigm for accomplishing more effective risk
oversight that generates an understanding of the top risks that
management collectively believes are the current most critical risks to the
strategic success of the enterprise. Enterprise-wide risk management
may be developed for an organization through the five development phases
for risk assessment within the cycle, and those are to Identify, Analyze,
Evaluate, Treat, and Monitor and Review the risk. These five
phases can help the organization to develop its enterprise-wide risk
management.
8. Explain how control self-assessment can be used to implement risk
management.

Control Self Assessment (CSA) is defined as an effective
approach to identifying and managing areas of risk exposure, as well as
highlighting potential opportunities. Based on what I have understood,
it can be used to implement risk management by sharing, progressing and
promoting best practices in self assessment of control and risk in all
organizations. There are 8 stages in the given reference and I guess those
can be used in managing the risk. It can also be done through
enhancing responsibility and accountability for risks and controls among
management and staff, reducing the time and effort it takes for internal
auditors to gather information on business units, and providing quicker
focus on areas requiring attention.
9. Explain the steps that an organization may take to embed risk
management into the business and the way people behave at work.

From what I comprehended from the given reference, the steps that
an organization may take to embed risk management into the business
are the final part of the model, which falls out of all the other components and consists
of the bottom-line concept of embedding risk management into and inside the
organization. Also, according to my own way of thinking, people
at work will make good use of their time: they must accept that
embedding is complicated along the process, anticipate the need for work
on controls and direct resources to it in good time.
10. Prepare a presentation to the internal audit management team on the role of
internal audit in the organization’s efforts to establish and validate
business risk management.
Good day, everyone! For my presentation today, I would like
to discuss and elaborate on the role of internal audit in the
organization’s efforts to establish and validate
business risk management.
What is the role of internal audit in the organization’s efforts?
An Internal Auditor:

➢ Develop a reporting system that provides aggregated and
disaggregated reports at appropriate levels in the organization.
➢ Setting the risk appetite.
➢ Imposing risk management processes.
➢ Management assurances on risks.
➢ Taking decisions on risk responses.
➢ Implementing risk responses on management’s behalf.
➢ Accountability for risk management.
➢ Provide advice, challenge and support to management’s decision
making, as opposed to taking risk management decisions
themselves.
Do Internal Auditors establish and validate business risk management?
Yes, because...
➔ They review whether it is reliable, robust and meets the needs of the
organization.
➔ Make presentations to the board and turn up to meetings or workshops where
risk management is being discussed and decided on.
➔ Bone up on facilitation skills and lead work teams, project teams or
process-based work groups.
➔ Help the teams prepare suitable risk registers to reflect their prioritized risks
and action plans.
➔ Compile the corporate risks database from all the risk-based activities that
are happening in the organization.
➔ Play a full role in starting and developing systematic risk management across
the organization to get the process going.
➔ Move away from the consulting service and back to the main assurance role.
➔ Give objective assurance on any part of the ERM framework for which it is
responsible.
This would be the end of my presentation. Thank you. 😊
