RISK MANAGEMENT

RISK – probability that a future event could impact the organization.
- Measured in terms of probability and impact
- Exposure to the possibility of loss, injury, and other adverse circumstances
- Inherent; can be mitigated but not eliminated

Systematic Risk vs Unsystematic Risk

Systematic Risk                                  | Unsystematic Risk
- not controllable                               | - controllable
- not entirely predictable                       | - predictable
- macro in nature                                | - micro in nature
- affects a large number of organizations        | - directly affects an individual organization
- cannot be fully assessed and anticipated       | - can be assessed in advance with reasonable effort
E.g. Interest Rate Risk, Market Risk,            | E.g. Compliance Risk, Credit Risk,
Purchasing Power Risk                            | Operational Risk

Risk Associated with Investments (BDFIrLMPp)
A. Business Risk
- Uncertainty about the rate of return caused by the nature of the business
- Related to sales volatility and operating leverage
  Operating Leverage – caused by fixed OPEX; causes operating income (OPIN) to be more volatile than sales
B. Default Risk
- Probability that the investment will not be returned
- The degree of default risk is closely related to the financial condition of the company
C. Financial Risk
- Arises from the firm's capital structure or source of financing
- Risk of default: any risk associated with financing, including company loans
  Financial Leverage – causes net income (NI) to vary more than OPIN, which is how the firm's lenders and stockholders view its income streams
D. Interest Rate Risk
- Most commonly associated with bond price movements
  Rising interest rates: bond prices decline
  Declining interest rates: bond prices rise
E. Liquidity Risk
- Inability to sell an investment quickly for cash
  T-bills: can be sold immediately with very little price concession
  Ordinary equity: can be sold quickly because it trades on organized and active markets, but its liquidity risk is more complex
F. Management Risk
- Risk, financial, ethical, or otherwise, associated with ineffective, destructive, or underperforming management
- Areas affected: product innovation and production methods; financing and acquisitions
G. Purchasing Power Risk
- Possibility of not being able to buy as much with your savings in the future
- Represents loss of value due to inflation

Risk Associated with Manufacturing, Trading, and Service Concerns (MOFB)
A. Market Risk
- Risk faced by an investor due to a decrease in the market value of a financial product that may affect the whole market
- Product Risk: Complexity, Obsolescence, Research and Development, Packaging, Delivery of Warranties (COR&DPDoW)
- Competitor Risk: Pricing strategy, Market share, Market strategy (2MS PS)
B. Operation Risk
- Risk of losses caused by failed processes, policies, systems or events that disrupt business operations (PsH&SAssEToI)
  1. Process stoppage
  2. Health and Safety
  3. After-sales service failure
  4. Environmental
  5. Technological Obsolescence
  6. Integrity: management fraud, employee fraud, illegal acts
C. Financial Risk
- Likelihood of losing money on a business or investment decision (IrvFcLDV)
  1. Interest Rate Volatility
  2. Foreign Currency
  3. Liquidity
  4. Derivative
  5. Viability
D. Business Risk
- Exposure a company or organization has to factor(s) that will lower its profits or lead it to fail
- Anything that threatens the company's ability to achieve its financial goals (RcRPR&LSrCrCaBi)
  1. Regulatory Change
  2. Reputation
  3. Political
  4. Regulatory and legal
  5. Shareholder relations
  6. Credit rating
  7. Credit availability
  8. Business interruptions

Risk Associated with Financial Institutions
A. Financial Risk (LCMMlD)
  a. Liquidity Risk
  b. Market Risk – Currency, Equity, Commodity
  c. Credit Risk – Counterparty, Trading; Commercial: Loans, Guarantees
  d. Market Liquidity Risk – Currency rates, Interest rates, Bond and equity rates
  e. Hedged Positions Risk
  f. Portfolio Exposure Risk
  g. Derivative Risk
  h. Accounting Information Risk – Completeness, Accuracy
  i. Financial Reporting Risk – Adequacy, Completeness
B. Non-Financial Risk (OREIL)
  a. Operational Risk – Systems (Information Processing, Technology), Customer Satisfaction, Human Resources, Fraud and Illegal Acts, Bankruptcy
  b. Regulatory Risk – Capital Adequacy, Compliance, Taxation, Changing Laws and Policies
  c. Environmental Risk – Politics, Natural Disasters, War, Terrorism
  d. Integrity Risk – Reputation
  e. Leadership Risk – Turnover, Succession

Risk Responses (ASMAC)
ISO 31000 – suggests that once a risk has been identified and assessed, techniques should be applied to manage it
- Family of standards relating to risk management codified by the ISO (International Organization for Standardization)
Risk Avoidance – not performing the activity that carries the risk; the cost is forgoing the potential gain
Risk Sharing – sharing with another party the burden of loss or the benefit of gain
Risk Mitigation – reducing the severity or likelihood of loss
Risk Acceptance – retaining the risk by informed decision, accepting the loss or the benefit of gain
Risk Creation – taking or increasing a risk in order to pursue an opportunity

RISK MANAGEMENT
- Process of measuring or assessing risk and developing strategies to manage it
- Systematic approach to identifying, analyzing, and controlling areas or events with the potential for causing unwanted change
- Act or practice of controlling risk (RpAraDrhoMrDormp):
  a. Risk planning
  b. Assessing risk areas
  c. Developing risk-handling options
  d. Monitoring risks
  e. Documenting the overall risk management program
According to ISO 31000:
- Identification, assessment, and prioritization of risks
- Coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events
- Maximizes the realization of opportunities

Basic Principles of Risk Management (CABBCB)
a. Create value
b. Address uncertainty and assumptions
c. Be an integral part of organizational processes and decision-making
d. Be dynamic, iterative, transparent, tailorable, and responsive to change
e. Create continual improvement and enhancement capability, considering the best available information and human factors
f. Be systematic, structured, and continually or periodically reassessed

Process of Risk Management (EIR)
a. Establishing Context
b. Identification of Potential Risk
   Steps (IorMDaaMiPlarDev):
   ➢ Identification of risk in the selected domain of interest
   ➢ Mapping out the social scope of risk management, the identity and objectives of stakeholders, and the basis of evaluation and constraints
   ➢ Defining a framework for the activity and an agenda
   ➢ Mitigation of risks using available technological, human, and organizational resources
   ➢ Planning the remaining process
   ➢ Developing an analysis of the risks involved in the process
   Common Risk Identification Methods (COSTR):
   a. Objective-based risk identification
   b. Scenario-based risk identification
   c. Taxonomy-based risk identification
   d. Common-risk checking
   e. Risk charting
c. Risk Assessment – critical to making the best educated decisions when prioritizing implementation of the risk management plan

ELEMENTS OF RISK MANAGEMENT (IADIP)
a. Identification, characterization and assessment of threats (ICAThreats)
b. Assessment of the vulnerability of critical assets to specific threats (Assessment VCA-SThreats)
c. Determination of the risk (DoR)
d. Identification of ways to reduce those risks (IoW (-)risk)
e. Prioritization of risk reduction measures based on a strategy (PrioRRmstrat)

AREAS OF RISK MANAGEMENT
Most commonly encountered areas of risk management:
— Enterprise Risk Management (ERM)
— Risk management activities as applied to project management (RMactsappPM)
— Risk management for megaprojects (RMfMP)
— Risk management of information technology (RMofIT)
— Risk management techniques in petroleum and natural gas (RMtechsPetrolNG)

Risk Management Process – framework for the actions that need to be taken to manage risk
- Method of understanding what risks and opportunities are present

STEPS IN RISK MANAGEMENT PROCESS
1. Set up a separate risk management committee chaired by a board member
   • Creating a risk management committee at board level demonstrates the firm's commitment to adopting an integrated, company-wide risk management system.
2. Ensure that a formal, comprehensive risk management system is in place
   • This fully documented formal system provides a clear vision of the board's desire for effective company-wide risk management.
3. Assess whether the formal system possesses the necessary elements
   • Key elements:
     o Goals and objectives
     o Organization structure
     o Risk language identification
     o Risk management process and documentation
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the business firm
5. Assess whether management has developed and implemented suitable risk management strategies and evaluate their effectiveness
6. Evaluate whether management has designed and implemented risk management capabilities
7. Assess management's efforts to monitor overall company risk management performance and to continuously improve the firm's capabilities
8. See to it that best practices as well as mistakes are shared by all
9. Regularly assess the level of sophistication of the firm's risk management system
10. Hire experts when needed

ENTERPRISE RISK MANAGEMENT
SEC Code of Corporate Governance, Recommendation 2.11, and its explanation provide the following:
- The Board should oversee that a sound ERM framework is in place to effectively identify, monitor, assess, and manage key business risks.
- The risk management framework should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
- Risk management policy is part and parcel of a corporation's corporate strategy.
- The Board is responsible for defining the company's level of risk tolerance and providing oversight over its risk management policies and procedures.

Principle 12 deals with strengthening the Internal Control System and Enterprise Risk Management Framework:
—> "To ensure the integrity, transparency, and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework."

Risk Management Framework
• Subject to the corporation's size, risk profile and complexity of operations, the Board should establish a separate Board Risk Oversight Committee (BROC) responsible for the oversight of the company's ERM system, to ensure its functionality and effectiveness.
• Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to IDENTIFY, ASSESS, AND MONITOR KEY RISK EXPOSURES.
BROC composition:
• at least three (3) members, the majority of whom, including the Chairman, should be independent directors
• the Chairman should not be the Chairman of the Board or of any other committee
• at least one (1) member must have relevant, thorough knowledge and experience in risk and risk management

Traditional Risk Management (TRM) – process that aims to develop a consistent understanding of the organization's goals and of the risks that inhibit its success.
Enterprise Risk Management (ERM) – aka company-wide risk management
- considers risks and opportunities across the organization, aligns with strategic objectives and promotes a risk-aware culture

Distinctions between ERM and TRM (12)
Reactiveness:
  TRM – reactive: responds to incidents that have occurred and focuses on preventing recurrence
  ERM – proactive: looks forward to prevent risks from occurring
Scope:
  TRM – focuses on insurable and financially tangible risks
  ERM – encompasses both insurable and non-insurable risks, and those whose cost is hard to define (e.g. damage to brand reputation)
Adaptability:
  TRM – standardized, prescribed approaches
  ERM – fluid, adaptable, agile
Effort:
  TRM – focuses on business units or departments; siloed; can create duplicated activity
  ERM – holistic and enterprise-wide; minimizes duplication
Alignment:
  TRM – limited risk prioritization and alignment across teams
  ERM – enables risks that impact multiple departments to be prioritized and tackled in an integrated way
Integration:
  TRM – approach, metrics, and reporting inconsistent between teams, sites or departments
  ERM – approach, metrics, and reporting consistent and integrated across the business
Identification:
  TRM – identifies and tackles risks on a case-by-case basis
  ERM – focuses on root-cause risks common to every silo
Mitigation:
  TRM – focuses on the impact on individual business units or teams
  ERM – takes into account the impact on the entire organization
Mindset:
  TRM – risk averse; focuses on mitigation
  ERM – risk tolerant; builds an enterprise-wide risk culture
Connection:
  TRM – standards and approaches are business-specific and can be simplistic
  ERM – aligns with recognized standards such as the COSO framework to ensure the risk management approach is in line with best practice
Prominence:
  TRM – keeps risk conversations at team or department level
  ERM – elevates risk discussions to board level
Responsiveness:
  TRM – static checklist of risks and responses
  ERM – real-time, responsive approach to the changing organization and risk landscape

SARBANES-OXLEY ACT OF 2002
• Enron's fraudulent behavior was the reason the SOX Act was passed in 2002
  - Enron was one of the largest companies in the US in 2001
Sarbanes-Oxley Act – a U.S. federal law
- spearheaded by Senator Paul Sarbanes and Representative Michael Oxley
- signed into law by President George W. Bush on July 30, 2002
- aka the SOX Act of 2002 and the Corporate Responsibility Act of 2002
- mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers
- aims to protect investors from fraudulent financial reporting by corporations
- came in response to the financial scandals of the early 2000s

The new law set out reforms and additions in four (4) principal areas (CAIN):
1. Corporate responsibility
2. Accounting regulation
3. Increased criminal punishment
4. New protections

Management levels that the SOX Act affects (STARBE):
- External and internal auditors
- Top executives
- Attorneys (internal and external)
- BOD and their committees
- Senior managers
- Regulators

Sections of SOX Relevant to Compliance
Section 302 – Corporate Responsibility for Financial Reports
Signing officers must certify that:
• the report has been reviewed by the signing officers and the internal controls were evaluated within the last 90 days
• the report is free of untrue statements or misleading omissions
• the report fairly represents the company's financial condition and results
• the report is accompanied by a list of all significant deficiencies in, or changes to, internal controls and information on any fraud involving company employees
Section 401 – Disclosures in Periodic Reports
- financial statements are required to be accurate
- financial statements must also disclose any off-balance-sheet liabilities, transactions, or obligations
Section 404 – Management Assessment of Internal Controls
- requires management to assess and report annually on the adequacy of internal control over financial reporting, and the external auditor to attest to that assessment
Section 409 – Real-Time Issuer Disclosures
- companies are required to disclose promptly material changes in their financial condition or operations
Section 802 – Criminal Penalties for Altering Documents
Contains three (3) rules that affect recordkeeping:
- deals with the destruction and falsification of records
- defines the retention period for storing records
- outlines the specific business records that companies need to store (including electronic communications)
Penalties:
- any company official found guilty of concealing, destroying, or altering documents with intent to obstruct an investigation faces up to 20 years in prison and applicable fines
- any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison
Section 806 – Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
- deals with whistleblower protection
- employees and contractors who report fraud or testify about fraud are protected against retaliation, including dismissal and discrimination; complaints are filed with the Department of Labor
Section 902 – Attempts and Conspiracies to Commit Fraud Offenses
- makes attempting or conspiring to commit a fraud offense subject to the same penalties as the completed offense
- the record-tampering offense (corruptly altering, destroying, mutilating, or concealing any document with intent to impair its integrity or availability for use in an official proceeding) is created by Section 1102, not Section 902
Section 906 – Corporate Responsibility for Financial Reports
- addresses criminal penalties for certifying misleading or fraudulent financial reports
- penalties can be upwards of $5 million in fines and 20 years in prison for willful violations

Summary of the Sarbanes-Oxley Act of 2002 (11 titles)
TITLE I – Public Company Accounting Oversight Board (PCAOB)
• consists of 9 sections; establishes the PCAOB to provide independent oversight of public accounting firms providing audit services
TITLE II – Auditor Independence
• consists of 9 sections; establishes standards for external auditor independence to limit conflicts of interest
• addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements
TITLE III – Corporate Responsibility
• consists of 8 sections; mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
TITLE IV – Enhanced Financial Disclosures
• consists of 9 sections; describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers
TITLE V – Analyst Conflicts of Interest
• consists of 1 section; includes measures designed to help restore investor confidence in the reporting of securities analysts
TITLE VI – Commission Resources and Authority
• consists of 4 sections; defines practices to restore investor confidence in securities analysts and the SEC's authority over securities professionals
TITLE VII – Studies and Reports
• consists of 5 sections; requires the Comptroller General and the SEC to perform various studies and report their findings
TITLE VIII – Corporate and Criminal Fraud Accountability
• consists of 7 sections; referred to as the Corporate and Criminal Fraud Accountability Act of 2002
TITLE IX – White-Collar Crime Penalty Enhancements
• consists of 6 sections; aka the White-Collar Crime Penalty Enhancement Act of 2002
• increases the criminal penalties associated with white-collar crimes and conspiracies
TITLE X – Corporate Tax Returns
• consists of 1 section
• the Chief Executive Officer should sign the company tax return
TITLE XI – Corporate Fraud and Accountability
• consists of 7 sections; called the Corporate Fraud Accountability Act of 2002
• identifies corporate fraud and records tampering as criminal offenses and ties those offenses to specific penalties

INTERNAL CONTROL

Internal Control – a process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives (Committee of Sponsoring Organizations definition).
OBJECTIVES (REC):
✓ Reliability of the entity's financial reporting
✓ Effectiveness and efficiency of operations
✓ Compliance with applicable laws and regulations
Others (ASP&DA&CT):
✓ Adherence to management policies
✓ Safeguarding of assets
✓ Prevention and detection of fraud and error
✓ Accuracy and completeness of accounting records
✓ Timely preparation of financial information

WHY NEED INTERNAL CONTROL?
Internal control – the organizational plan and all related measures adopted to safeguard assets, ensure the accuracy and reliability of records, promote operational efficiency, and encourage adherence to management policies.

COSO – Committee of Sponsoring Organizations of the Treadway Commission
- composed of representatives from five (5) organizations:
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)
  • Institute of Management Accountants (IMA)
  • Institute of Internal Auditors (IIA)
COSO Framework – system used to establish internal controls that are integrated into business processes
- these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards
COSO Model – defines IC as a "process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance of the achievement of objectives" (operations, reporting, compliance)
Objectives of the COSO Framework: a. Operations  b. Reporting  c. Compliance

FIVE COMPONENTS OF THE COSO FRAMEWORK
A. Control Environment – set of standards, processes and structures that provides the basis for carrying out internal control across the organization
B. Risk Assessment – forms the basis for determining how risks will be managed
C. Control Activities – actions established through policies and procedures that help ensure risks are minimized
D. Information and Communication
   • Information – obtained by management from both internal and external sources to support the internal control components
   • Communication – based on internal and external sources; used to disseminate important information throughout and outside the organization as needed to respond to and support requirements and expectations
E. Monitoring Activities – evaluations used to ascertain whether the components of internal control are present and functioning
   Two types of evaluation: ongoing evaluations; separate evaluations

Elements/Components (CeErapIs&cCaMc)

A. Control Environment
• Communication and Enforcement of Integrity and Ethical Values
  - the entity's ethical and behavioral standards, and the manner in which it communicates and reinforces them, determine the entity's integrity and ethical behavior
• Commitment to Competence
  - the knowledge and skills necessary to accomplish the tasks that define an employee's job
• Participation by Those Charged with Governance
  - the entity's control consciousness is influenced significantly by those charged with governance
  - oversight and whistleblower mechanisms
• Management's Philosophy and Operating Style
  - management's approach to taking and monitoring business risk, and its conservative or aggressive selection from alternative accounting principles
• Organizational Structure
  - provides the overall framework for planning, directing, and controlling operations
• Assignment of Authority and Responsibility
  - personnel within the organization need a clear understanding of their responsibilities and of the rules and regulations that govern their actions
• Human Resources Policies and Procedures
  - an important element of the internal accounting control system (IACS) is the people who perform and execute the established policies and procedures

B. Entity's Risk Assessment Process
➢ Risk Assessment – identification, analysis, and management of risks pertaining to the preparation of the FS
➢ Entity's risk assessment process – process for identifying and responding to business risks and the results thereof
  - for FS purposes: how management identifies risks relevant to the preparation of FS that are presented fairly
Circumstances where RISKS can arise (CNNRN):
- changes in the operating environment
- new personnel
- new or revamped information systems
- rapid growth
- new technology
- new business models, products, or activities
- corporate restructurings
- expanded foreign operations
- new accounting pronouncements
➢ Application to small entities: the entity's risk assessment process is likely to be less formal and less structured
  - financial reporting objectives may be recognized implicitly rather than explicitly

C. Information System and Communication
Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and data
Accounting system (AS) procedures and records are designed and established to:
• initiate, record, process, and report entity transactions and maintain accountability for the related assets, liabilities, and equity
• resolve incorrect processing of transactions
• process and account for system overrides or bypasses of controls
• transfer information from transaction processing systems to the general ledger
• capture information relevant to financial reporting for events and conditions other than transactions
• ensure that information required to be disclosed by the applicable financial reporting framework is ACCUMULATED, RECORDED, PROCESSED, SUMMARIZED, and appropriately reported in the FS
* The entity's IS includes standard journal entries (JEs) that are required on a recurring basis, and non-standard JEs used to record non-recurring, unusual transactions or adjustments.
➢ Related Business Processes
  - develop, purchase, produce, sell and distribute the entity's products and services
  - ensure compliance with laws and regulations
  - record information, including accounting and financial reporting information
➢ The Information System encompasses methods and records that:
  - identify and record all valid transactions
  - describe the transactions on a timely basis and in sufficient detail
  - measure the value of transactions
  - determine the time period in which transactions occurred
  - present the transactions and related disclosures properly in the FS
Communication – involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting
- takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda
- can be made electronically, orally, and through the actions of management

D. Control Activities
- policies and procedures that help ensure that management directives are carried out
3 major categories of control procedures (PrIpcPc):
• Performance reviews – use accounting and operating data to assess performance and take corrective action
  - personnel at various levels in the organization may perform these
  - a manager may use them for the sole purpose of making operating decisions
• Information processing controls – policies and procedures designed to require authorization of transactions and to ensure the accuracy and completeness of transaction processing
  Classification according to scope of system:
  1. Application controls – control activities that pertain to the processing of a specific type of transaction
  2. General controls – control activities that prevent or detect errors across all accounting systems
  Control activities related to processing transactions:
  a. Proper authorization of transactions and activities
  b. Separation of duties
  c. Adequate documents and records
  d. Access to assets
  e. Independent checks on performance
• Physical controls
  - physical security of assets
  - authorization for access to computer programs and data files
  - periodic counting of assets and comparison with the amounts shown on control records
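The processing controls listed above (proper authorization, separation of duties, adequate records, access restrictions and independent checks) are normally enforced inside the accounting application itself rather than by policy alone. The Python below is an added example, not code from these notes or from COSO: a toy ledger with hypothetical users alice, bob and carol, a hash-chained audit log standing in for "adequate documents and records", and a reconciliation against a constructed control total as the independent check. All data in it is made up for illustration.

```python
# Added example: application controls over transaction processing.
# Users, roles, transactions and the control total are constructed sample
# data (hypothetical), not taken from any real system or from the notes.
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role assignments. carol deliberately holds both roles so the
# separation-of-duties check, not the role check, has to stop her.
ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"clerk", "approver"},
}


class ControlViolation(Exception):
    """Raised when a transaction would bypass a control activity."""


@dataclass
class Transaction:
    tx_id: str
    amount_cents: int
    prepared_by: str
    approved_by: Optional[str] = None


class Ledger:
    def __init__(self, roles: Dict[str, Set[str]]) -> None:
        self.roles = roles
        self.posted: List[Transaction] = []
        # Adequate records: every control decision is written to an audit
        # log whose entries are chained by SHA-256 over (payload + previous
        # hash), so altering or deleting one is detectable.
        self.audit_log: List[Dict[str, str]] = []
        self._prev_hash = "0" * 64

    def _record(self, event: str, **data: object) -> None:
        payload = json.dumps({"event": event, **data}, sort_keys=True)
        digest = hashlib.sha256((payload + self._prev_hash).encode()).hexdigest()
        self.audit_log.append({"payload": payload, "prev": self._prev_hash, "hash": digest})
        self._prev_hash = digest

    def _require_role(self, user: str, role: str) -> None:
        # Proper authorization: only a holder of the role may perform the step.
        if role not in self.roles.get(user, set()):
            raise ControlViolation(f"{user} is not authorized as {role}")

    def prepare(self, tx: Transaction) -> None:
        self._require_role(tx.prepared_by, "clerk")
        self._record("prepared", tx_id=tx.tx_id, amount_cents=tx.amount_cents, by=tx.prepared_by)

    def approve(self, tx: Transaction, approver: str) -> None:
        self._require_role(approver, "approver")
        # Separation of duties: the preparer may never approve their own
        # transaction, even when they also hold the approver role.
        if approver == tx.prepared_by:
            raise ControlViolation(f"{approver} prepared {tx.tx_id} and may not approve it")
        tx.approved_by = approver
        self._record("approved", tx_id=tx.tx_id, by=approver)

    def post(self, tx: Transaction) -> None:
        # Nothing reaches the ledger without an independent approval.
        if tx.approved_by is None:
            raise ControlViolation(f"{tx.tx_id} cannot be posted without approval")
        self.posted.append(tx)
        self._record("posted", tx_id=tx.tx_id, amount_cents=tx.amount_cents)

    def verify_audit_log(self) -> bool:
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = "0" * 64
        for rec in self.audit_log:
            expected = hashlib.sha256((rec["payload"] + prev).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

    def reconcile(self, control_total_cents: int) -> bool:
        """Independent check: posted total must agree with the control record."""
        return sum(tx.amount_cents for tx in self.posted) == control_total_cents


def run_demo() -> Dict[str, bool]:
    """Exercise each control on constructed transactions; returns the outcomes."""
    ledger = Ledger(ROLES)
    out: Dict[str, bool] = {}

    t1 = Transaction("T-001", 12500, prepared_by="alice")   # 125.00
    ledger.prepare(t1)
    ledger.approve(t1, "bob")
    ledger.post(t1)
    out["t1_posted"] = t1 in ledger.posted

    t2 = Transaction("T-002", 9000, prepared_by="carol")    # 90.00
    ledger.prepare(t2)
    try:
        ledger.approve(t2, "carol")        # self-approval must be refused
        out["sod_enforced"] = False
    except ControlViolation:
        out["sod_enforced"] = True
    try:
        ledger.post(t2)                    # still unapproved, must be refused
        out["unapproved_blocked"] = False
    except ControlViolation:
        out["unapproved_blocked"] = True

    out["reconciles"] = ledger.reconcile(12500)   # constructed control total
    out["log_intact"] = ledger.verify_audit_log()
    # Tamper with a logged amount and confirm the chain exposes it.
    ledger.audit_log[0]["payload"] = ledger.audit_log[0]["payload"].replace("12500", "1250")
    out["tamper_detected"] = not ledger.verify_audit_log()
    return out
```

Each outcome in `run_demo()` maps to one control on the list: the role check is the authorization control, the preparer/approver test is separation of duties, the hash chain is the record-keeping control, and `reconcile()` is the independent check against a control record. Access to assets and physical controls are not modelled because they sit outside the application.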
E. Monitoring Controls
- process that the entity uses to assess the quality of internal control over time
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary

17 Principles of Internal Control
A. Control Environment (DEEDE)
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
B. Risk Assessment (SIAI)
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
C. Control Activities (SSD)
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
D. Information and Communication (UCC)
13. Uses relevant information
14. Communicates internally
15. Communicates externally
E. Monitoring Activities (CE)
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

BENEFITS OF THE COSO FRAMEWORK
- enables business procedures to be carried out consistently
- puts the organization in a better position to detect fraudulent acts
- helps make existing business processes more efficient

LIMITATIONS OF THE COSO FRAMEWORK
- relatively broad in scope
- broken into a series of rigid categories