
PALAWAN STATE UNIVERSITY

College of Business and Accountancy


Department of Accountancy
Puerto Princesa City

MODULE 2:
RISK MANAGEMENT
PrE 4: ENTERPRISE RISK MANAGEMENT
2ND Semester | SY: 2020-2021

BSA 3

LARA CAMILLE C. CELESTIAL, CMA, CTT


TABLE OF CONTENTS

Title Page of Module
Table of Contents
Overview
Course Outcome
Learning Outcomes
Summary of Topics

Content
Topic 1: Risk Management Defined
Topic 2: Risk Management Process
2.1 Risk Identification
2.2 Risk Assessment
2.3 Risk Prioritization
2.4 Risk Response Formulation
2.5 Risk Monitoring and Control

PrE 4: Enterprise Risk Management| Module 2: Risk Management


MODULE 2| RISK MANAGEMENT PROCESS
Overview
No business is without risks, but the key to any business is
understanding the importance of preventing, minimizing, or eliminating
risks whenever possible to prevent losses. After all, less risk should
theoretically create more success for the business.
For any business, risk can be defined as an internal or external factor
that may ultimately affect objectives by either lowering the projected
profits or even causing a loss. Whether the risk is due to economic
issues, financial rates, industry regulations, business costs, breaches in
the information, or political influences, risks can cause a business to lose
money or ultimately go under.

That is where risk management comes in.

Since our business ventures encounter many risks that can affect their survival and growth, this
module will introduce you to the importance of the basic principles of risk management, its
process, and how they can help mitigate the effects of risks on business entities.

Intended Learning Outcomes:

• Define risk management
• Explain how the attitude toward risk might affect the management of risk
• Identify and describe the key steps in the risk management process
• Demonstrate an understanding of every step in risk management and its examples

Topics:
1. Risk Management Defined
2. Risk Management Process
2.1 Risk Identification
2.2 Risk Assessment
2.3 Risk Prioritization
2.4 Risk Response Formulation
2.5 Risk Monitoring and Control

Topic #1: Risk Management Defined

DEFINITION OF RISK MANAGEMENT:

1) 'Risk management is an integrated process of delineating (define) specific areas of risk,
developing a comprehensive plan, integrating the plan, and conducting the ongoing evaluation'
– Dr. P.K. Gupta.

2) 'Risk Management is the process of measuring, or assessing risk and then developing
strategies to manage the risk' – Wikipedia.

3) 'Managing the risk can involve taking out insurance against a loss, hedging a loan against
interest rate rises, and protecting an investment against a fall in interest rates' – Oxford
Business Dictionary.

When an entity makes an investment decision, it exposes itself to several financial risks.
The quantum of such risks depends on the type of financial instrument. These financial risks
might be in the form of high inflation, volatility in capital markets, recession, bankruptcy, etc.
Hence, to minimize and control the exposure of investment to such risks, fund managers and
investors practice risk management. Not giving due importance to risk management while
making investment decisions, but risk arises due to change in an economy. Different levels of
risk come attached with different categories of asset classes.

For example:
A fixed deposit is considered a less risky investment. On the
other hand, equity investment is regarded as a risky venture.
While practicing risk management, equity investors and fund
managers tend to diversify their portfolios to minimize the risk
exposure.

The traditional view of risk management has protected the organization from loss through
conformance procedures and hedging techniques. This is about avoiding the downside. The
new approach to risk management is about 'seeking the upside while managing the downside'.
Anytime there is a possibility of loss (risk), there should be an opportunity for profit.

Risk management is an essential process because it empowers a business with the
necessary tools to identify and deal with potential risks adequately. Once a risk has been
identified, it is then easy to mitigate it. In addition, risk management provides a business with a
basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for
eventualities that may come in progress and growth. When a company evaluates its plan for
handling potential threats and then develops structures to address them, it improves its odds of
becoming a successful entity.

In addition, progressive risk management ensures that high-priority risks are dealt with as
aggressively as possible. Moreover, the management will have the necessary information that
they can use to make informed decisions and ensure that the business remains profitable.

Topic #2: Risk Management Process

Risk management is the process of identifying, assessing, and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors, accidents,
and natural disasters. IT security threats and data-related risks, and the risk management
strategies to alleviate them, have become top priorities for digitized companies. As a result, a
risk management plan increasingly includes a company's processes for identifying and controlling
threats to its digital assets, including proprietary corporate data, customers' personally
identifiable information, and intellectual property.

Given the potential ramifications of mismanaging risk, companies should implement a risk
management process that will enable them to avoid risks, reduce the adverse effects of risks,
prepare to accept some risks, and/or transfer risks to another party (typically by purchasing
insurance). As an example, an organization may purchase hazard insurance to transfer the loss
from major catastrophes. Although the formality and specifics of the process will vary across
different organizations, the general steps of a risk management process are summarized below.

Step 1 Risk Identification
Step 2 Risk Assessment
Step 3 Risk Prioritization
Step 4 Risk Response Formulation
Step 5 Risk Monitoring and Control

2.1 RISK IDENTIFICATION


Risk identification seeks to identify as many threats as possible. This step requires
knowledge of the organization, the market in which it operates, the legal, social, economic,
political, and climatic environment in which it does its business, its financial strengths and
weaknesses, its vulnerability to unexpected losses, the manufacturing processes, and the
management systems and business mechanisms by which it operates. Any failure at this stage
to identify risk may cause a significant loss for the organization.

Risk identification will naturally drive the process to include as many individuals from the
organization as possible, especially those with specific detailed information about the particular
risk area being considered. For example, a strategic risk assessment would involve senior
management, senior finance people, and the strategic planning area. An operational risk
assessment would include those from the operating units because they have the insight into
how the business processes actually work and, specifically, what threats would interrupt the
accomplishment of operational objectives.

Internal Risk Factors

• Communication methods
• Risk assessment activities
• Appropriateness of internal control activities
• Labor relations
• Training and capability of the employees
• Degree of supervision of employees
• Operational risks
• Financial risks
• Strategic risks

External Risk Factors

• Regulatory changes
• Industry competition
• Relationships with key suppliers
• Relationships with customers
• Recruiting and hiring activities
• International risk
• Hazard risks

Tools, diagnostics, and processes that may be used to support risk identification include:

• Brainstorming
• Interview
• Checklists
• Flowcharts
• Scenario analysis
• Value chain analysis
• Business process analysis
• Systems engineering
• Process mapping
• Computed cash flow at risk
• Projected earnings at risk
• Projected earnings distributions
• Projected EPS distributions

Once risks are identified, they can be prioritized by risk ranking or risk mapping. A risk map
graphically illustrates the impact of risks. It is helpful for management to periodically perform a
hindsight evaluation to identify events that were not identified in the prior risk assessment. This
allows management to refine and improve the risk assessment process.

2.2 RISK ASSESSMENT
Risk assessment is the process of analyzing the potential effects of identified risks. Risks
are analyzed, considering likelihood and impact, as a basis for determining how they should be
managed.
1. Impact. The effect the risk occurrence would have on the organization's objective if it
were to occur. For example, what loss would happen if a particular risk factor occurred
and was not detected and corrected?
2. Likelihood. The probability or chance that the risk actually will occur.

Risk assessment is a function of the organization's risk appetite and the estimate of
potential risk. Risk appetite is the level of risk the organization is willing to accept, given its
mission and business model. The organization's risk appetite determines how management will
manage risks. For example, the more risk-averse an organization is, the more management will
be willing to spend on mitigating the risk.
Probabilistic or non-probabilistic models may be used to quantify risk. Management uses
qualitative techniques to assess risk when risks do not lend themselves to quantification or when
sufficient reliable data is not available to use a quantitative model. Non-probabilistic models use
subjective assumptions to estimate the impact of events without quantifying an associated
likelihood. Examples of non-probabilistic models include sensitivity measures and stress tests.
Probabilistic models associate a range of events and the resulting impact with the likelihood of
those events based on certain assumptions. Examples of probabilistic models include VaR and
the development of credit and operational loss distributions. Scenario analysis may be applied
on a non-probabilistic or probabilistic basis. As described previously, scenario analysis involves
identifying possible future outcomes, attaching probabilities to the results, and mitigating the
risks that exceed the organization's risk appetite.

Ideally, risk assessment activities are performed continuously by all employees within the
organization. However, the process must be driven by those responsible for organization
governance: the board of directors and the audit committee. Their commitment and involvement
and attitude toward risk must be communicated down through the entire organization. As risks
are identified, they are assigned to the appropriate level of management for consideration. The
resulting risk assessment culture becomes an integral part of the organization's control
environment. In most instances, and typically for strategic risks, the risk assessment process is
conducted at regular intervals, usually once a year.
Management should assess both the inherent risk and the residual risk for an event.
a) Inherent risk is the risk to achieving entity objectives in the absence of any actions
management might take to alter the risk's likelihood or impact.
b) Residual risk is the risk to achieving objectives that remain after management's
responses have been developed.
Assessing risk generally involves the use of probabilities. For example, if there is a 40% chance
that a company will suffer a $1,000,000 loss and a 60% chance that the company will suffer a
$300,000 loss, the expected loss can be estimated as $580,000 [(.4 × $1,000,000) + (.6 ×
$300,000)]. Determining the estimated amounts and their probabilities involves experience,
information, and judgment.

2.3 RISK PRIORITIZATION


In the risk prioritization step, the overall set of identified risk events, their impact assessments,
and their probabilities of occurrences are "processed" to derive a most-to-least-critical rank-
order of identified risks. A significant purpose of prioritizing risks is to form a basis for allocating
resources.
An organization's risk attitude is made up of a combination of its risk appetite, risk tolerance,
and risk threshold. These three attributes are defined as:
a) Risk Appetite
The degree of uncertainty an entity is prepared to accept in pursuit of its objectives.
b) Risk Tolerance
The degree, amount, or volume of risk impact that an organization or individual will
withstand.
c) Risk Threshold
The level of uncertainty or impact at which a stakeholder will have a specific interest.
Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold,
the stakeholder will not accept the risk.
Suppose an organization has a high risk appetite but low risk tolerance. In that case, it will tend
to prioritize its risk responses around the anticipated level of the risk impacts rather than the
level of uncertainty in risk event occurrence. This may be due to the fact that the organization's
business strategy is to operate in unstable or high threat environments, where they are
constantly exposed to the occurrence of risk events. In this case, the organization will develop
its risk response plan to prioritize the neutralization (or optimization, in the case of opportunity
risks) of risk impacts rather than control the occurrence of risk events.

Conversely, an organization with a low risk appetite but high risk tolerance (a very unusual case)
will prioritize its risk responses by minimizing the probability of risk event occurrence and
putting less effort into controlling the risk impacts.
In both cases, the organizations' risk thresholds will be defined by their respective risk appetite
and risk tolerance levels. Risk attitude is also primarily determined by the industry sector
in which an organization operates.

2.4 RISK RESPONSE FORMULATION


Risk response involves reducing risks to an acceptable level by employing the following tactics:
• Avoidance
Risk is avoided when the organization refuses to accept it. The exposure is not permitted to
come into existence. This step is accomplished by simply not engaging in the action that gives
rise to risk. If you do not want to risk losing your savings in a hazardous venture, then pick
one where there is less risk. If you want to avoid the risks associated with property ownership,
do not purchase property but lease or rent. If the use of a particular product is hazardous, then
do not manufacture or sell it.

This is a negative rather than a positive technique. It is sometimes an unsatisfactory
approach to dealing with many risks. If risk avoidance were used extensively, the
business would be deprived of many profit opportunities and probably would not achieve
its objectives.

• Reduction
This response involves taking action to reduce risk likelihood or impact, or both. Risk can
be reduced in two ways: through loss prevention and control. Examples of risk reduction
are medical care, fire departments, night security guards, sprinkler systems, burglar
alarms—attempts to deal with risk by preventing the loss or reducing the chance that it
will occur. Some techniques are used to avoid the occurrence of the loss, and other
methods like sprinkler systems are intended to control the severity of the loss if it does
happen. No matter how hard we try, it is impossible to prevent all losses. The loss
prevention technique cannot cost more than the losses.

• Acceptance
This step is sometimes called risk retention. It is the most common method of dealing
with risk. Organizations and individuals face an almost unlimited number of risks, and in
most cases, nothing is done about them. When some positive action is not taken to avoid,
reduce, or transfer the risk, the possibility of loss involved in that risk is retained. Risk-
retention can be conscious or unconscious. Conscious risk retention takes place when
the risk is perceived and not transferred or reduced. When the risk is not recognized, it is
unconsciously retained—the person retains the financial risk without realizing that he or
she is doing so.

Risk-retention may be voluntary or involuntary. Voluntary risk retention is when the risk
is recognized, and there is an agreement to assume the losses involved. This is done
when there are no more attractive alternatives. Involuntary risk retention occurs when
risks are unconsciously retained or cannot be avoided, transferred, or reduced.

Risk-retention may be the best way. Everyone decides which risks to retain and which to
avoid or transfer. A person may not be able to bear the loss. What may be a financial
disaster for one may be handled by another. As a general rule, the only risks that should
be retained are those that can lead to relatively small certain losses.

• Transfer
Risk may be transferred to someone more willing to bear the risk. The transfer may be used to
deal with both speculative and pure risk. One example is hedging; hedging is a method of risk
transfer accomplished by buying and selling for future delivery so that dealers and processors
protect themselves against a decline or increase in market price between the time they buy
a product and sell it. Pure risks may be transferred through contracts, like a hold-harmless
agreement where one individual assumes another's possibility of loss. Contractual agreements
are common in the construction industry. They are also used between manufacturers and
retailers about product liability exposure. Insurance is also a means of transferring risk.
In consideration of payment or premium by one party, the second party contracts to
indemnify the first party up to a specific limit for the specified loss.

• Sharing

The following chart is useful in determining which response may be most appropriate given the
likelihood and impact of a certain risk. For example, consider a manufacturer that contracts with
a sole supplier for a particular product. Management might consider a scenario in which a natural
disaster disrupts the supplier's processes. Let's assume the magnitude of such an event would
have a very high impact on the business. If the likelihood is low, management might decide to
transfer some of the risks to a third party by purchasing business disruption insurance. If the
likelihood is high, management should consider finding alternate sources for needed supplies.

| | Low Impact | High Impact |
|---|---|---|
| Low Likelihood | Accept risk | Purchase insurance to transfer risk to another party |
| High Likelihood | Reduce risk with internal controls, etc. | Avoid risk by changing where and how business is conducted |

Financial risks may be lessened by adjusting the organization's capital structure to minimize the
cost of capital. The cost of capital is a function of the mixture of debt, preferred stock, retained
earnings, and common stock issued in the organization's capital structure. The proper mix will
reduce bankruptcy risk and agency costs to an acceptable level.
It is vital to perform a cost-benefit analysis on all risk responses. For example, establishing
controls costing $10,000 per year to mitigate a low risk of $50,000 would probably not be a good
business decision.

2.5 RISK MONITORING AND CONTROL

The final step in the risk management process is Risk Monitoring and Control. The purpose of
this step is to address how risk will be monitored. This includes verifying compliance with the risk
response decisions by ensuring that the organization implements the risk response measures
(and any information security requirements), determines the ongoing effectiveness of risk
response measures, and identifies any changes that would impact the risk posture.
Risk monitoring activities at the various levels of the organization (or with other organizational
entities) should be coordinated and communicated. This can include sharing risk assessment
results that would have an organization-wide impact on risk responses being planned or
implemented. The organization should also consider the tools and technologies needed to
facilitate monitoring and the frequency necessary for effectively monitoring risks, including the
changes that would impact responses to risks.

For the risk management plan to be helpful for a business, the plan needs to clearly establish
and define policies and procedures for staff members to follow and understand easily. This helps
employees understand how their responsibilities and roles tie into the risk management plan.
Having all employees on the same page also will ensure they respond adequately when
necessary.
There is no guarantee which – or if any – risks will occur for a business. Still, the key is to be
prepared for any possibilities and understand the importance of properly managing these
potential risks. With the proper understanding of risk management and an effective risk
management plan, a business can operate confidently, knowing that it is prepared for all
potential circumstances that could negatively impact the bottom line.