
RISK MANAGEMENT

RISK – probability that a future event could impact the organization.
- Measured in terms of probability and impact
- Exposure to the possibility of loss, injury, and other adverse circumstances
- Inherent; can be mitigated

Systematic Risk VS Unsystematic Risk

Systematic Risk                              | Unsystematic Risk
- not controllable                           | - controllable
- not entirely predictable                   | - predictable
- macro in nature                            | - micro in nature
- affects a large number of organizations    | - directly affects an individual organization
- cannot be fully assessed and anticipated   | - assessed in advance with reasonable effort
E.g. Interest Rate Risk, Market Risk,        | E.g. Compliance Risk, Credit Risk, Operational Risk,
Purchasing Power Risk                        | Management Fraud, Employee Fraud, Illegal Acts

Risk Associated with Investments
A. Business Risk
- Uncertainty about the rate of return caused by the nature of the business
- Related to sales volatility and operating leverage
Operating Leverage – caused by *fixed OPEX.
*causes OPIN to be more volatile than sales
B. Default Risk
- Probability that investments will not be returned
Degree of default risk
- Closely related to the financial condition of the company
C. Financial Risk
- Firm's capital structure or source of financing
Risk of DEFAULT: Any risk associated with financing, including company loans.
Financial Leverage: causes the firm's lenders and stockholders to view income streams
- Causes NI to vary more than OPIN
D. Interest Rate Risk
- Most commonly associated with bond price movements
Rising interest rates: bond prices decline
Declining interest rates: bond prices rise
E. Liquidity Risk
- Inability to sell an investment quickly for cash
T-bills: sold immediately with very little concession
Ordinary equity: can be sold quickly
- Liquidity risk for these is more complex
- Trade on organized and active markets
F. Management Risk
- Risk, financial, ethical, or otherwise, associated with ineffective, destructive, or underperforming management.
Areas affected: Product innovation and production methods; financing to acquisitions
G. Purchasing Power Risk
- Possibility of not being able to buy as much with your savings in the future
- Represents loss of value due to inflation

Risk Associated with Manufacturing, Trading, and Service Concerns
A. Market Risk
- Risk faced by an investor due to a decrease in the market value of a financial product that may affect the whole market
Product Risk: Complexity, Obsolescence, Research and Development, Packaging, Delivery of Warranties
Competitor Risk: Pricing strategy, Market share, Market strategy
B. Operation Risk
- Risk of losses caused by failed processes, policies, systems or events that disrupt business operations.
1. Process stoppage 2. Health and Safety 3. After-sales service failure 4. Environmental 5. Technological Obsolescence 6. Integrity
C. Financial Risk
- Likelihood of losing money on a business or investment decision
1. Interest Rate Volatility 2. Foreign Currency 3. Liquidity 4. Derivative 5. Viability
D. Business Risk
- Exposure a company or organization has to factor(s) that will lower its profits or lead it to fail
- Anything that threatens the company's ability to achieve its financial goals
1. Regulatory Change 2. Reputation 3. Political 4. Regulatory and legal 5. Shareholder relations 6. Credit rating 7. Credit availability 8. Business interruptions

Risk Associated with Financial Institutions
A. Financial Risk
a. Liquidity Risk
b. Market Risk: Currency, Equity, Commodity
c. Credit Risk: Counterparty, Trading; Commercial: Loans, Guarantees
d. Market Liquidity Risk: Currency rates, Interest rates, Bond and equity rates
e. Hedged Positions Risk
f. Portfolio Exposure Risk
g. Derivative Risk
h. Accounting Information Risk: Completeness, Accuracy
i. Financial Reporting Risk: Adequacy, Completeness
B. Non-Financial Risk
a. Operational Risk
Systems: Information Processing, Technology.
Customer Satisfaction, Human Resources, Fraud and Illegal Acts, Bankruptcy
b. Regulatory Risk
Capital Adequacy, Compliance, Taxation, Changing Laws and Policies
c. Environmental Risk
Politics, Natural Disasters, War, Terrorism
d. Integrity Risk
Reputation
e. Leadership Risk
Turnover, Succession

Risk Responses
ISO 31000 – suggests that once a risk is identified and assessed, techniques should be applied to manage the risk
- Family of standards relating to risk management codified by ISO
- International Organization for Standardization
Risk Avoidance – losing out on potential gain; avoids the possibility of earning
- Not performing an activity that carries risk
Risk Sharing – sharing with another party the burden of loss or the benefit of gain
Risk Mitigation – reducing the severity of loss
Risk Acceptance – accepting the loss or benefit of gain from a risk
Risk Creation

Process of Risk Management
a. Establishing Context
b. Identification of Potential Risk
Steps:
• Identification of risk in the selected domain of interest
• Mapping out the:
  Social scope of RM
  Identity and objectives of stakeholders
  Basis of evaluations, constraints
• Defining a framework for the activity and an agenda
• Mitigation of risks using available technological, human, and organizational resources
• Planning the remaining process
• Developing an analysis of the risks in the process
Common Risk Identification Methods:
a. Objective-based
b. Scenario-based
c. Taxonomy-based
d. Common-risk checking
e. Risk Chart
c. Risk Assessment – critical to making the best educated decisions in prioritizing implementation of the risk management plan
RISK MANAGEMENT
- Process of measuring or assessing risk and developing strategies to manage it
- Systematic approach to identifying, analyzing, and controlling areas or events with the potential for causing unwanted change
- Act or practice of controlling risk: a. Risk planning b. Assessing risk areas c. Developing risk-handling options d. Monitoring risks e. Documenting the overall risk management program
According to ISO 31000:
- Identification, assessment, and prioritization of risks
- Coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events
- Maximizes realization of opportunities

Basic Principles of Risk Management
a. Create value
b. Address uncertainty and assumptions
c. Be an integral part of organizational processes and decision-making.
d. Be dynamic, iterative, transparent, tailorable, and responsive to change.
e. Create continual improvement and enhancement capability, considering the best available information and human factors.
f. Be systematic, structured, and continually or periodically reassessed.

ELEMENTS OF RISK MANAGEMENT
a. Identification, characterization and assessment of threats.
b. Assessment of the vulnerability of critical assets to specific threats.
c. Determination of the risk
d. Identification of ways to reduce those risks.
e. Prioritization of risk reduction measures based on a strategy

AREAS OF RISK MANAGEMENT
Most commonly encountered areas of risk management
— Enterprise Risk Management
— Risk management activities as applied to project management
— Risk management for megaprojects
— Risk management of information technology
— Risk management techniques in petroleum and natural gas

Risk Management Process – framework for the actions to be taken to manage risk
- Method of understanding what risks and opportunities are present

STEPS IN RISK MANAGEMENT PROCESS
1. Set up a separate risk management committee chaired by a board member
• Creation of a risk management committee at the board level will demonstrate the firm's commitment to adopt an integrated company-wide risk management system.
2. Ensure that a formal comprehensive risk management system is in place
• This fully documented formal system will provide a clear vision of the board's desire for effective company-wide risk management
3. Assess whether the formal system possesses the necessary elements
• Key Elements
  o Goals and Objectives
  o Organization Structure
  o Risk Language Identification
  o Risk Management Process and Documentation
4. Evaluate the effectiveness of the various steps in the assessment of comprehensive risks faced by the business firm
5. Assess if management developed and implemented suitable risk management strategies, and evaluate their effectiveness
6. Evaluate if management has designed and implemented risk management capabilities
7. Assess management's efforts to monitor overall company risk management performance and to continuously improve the firm's capabilities
8. See to it that best practices as well as mistakes are shared by all
9. Assess regularly the level of sophistication of the firm's risk management system
10. Hire experts when needed

ENTERPRISE RISK MANAGEMENT
SEC Code of Governance Recommendation 2.11 and the corresponding explanation provide the ff:
- The Board should oversee that a sound ERM framework is in place to effectively identify, monitor, assess, and manage key business risks.

The risk management framework should guide the BOARD in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.

Risk management policy - part and parcel of a corporation's corporate strategy.
Board - responsible for defining the company's level of risk tolerance and providing oversight over its risk management policies and procedures.

Principle 12 deals with strengthening the Internal Control System and Enterprise Risk Management Framework
—> "To ensure the integrity, transparency, and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework."

Risk Management Framework
• Subject to the corporation's size, risk profile and complexity of operations, the BOARD should establish a separate Board Risk Oversight Committee (BROC) that should be responsible for the oversight of the company's ERM system - to ensure functionality and effectiveness.
BROC composed of:
• at least three (3) members, the majority of whom should be independent directors, including the Chairman.
• Chairman should not be the Chairman of the Board or of any other committee.
• at least one (1) member of the committee must have relevant thorough knowledge and experience on risk and risk management.
• Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to IDENTIFY, ASSESS, AND MONITOR KEY RISK EXPOSURES.

Traditional Risk Management – process that aims to develop a consistent understanding of the organization's goals and the risks that inhibit its success.
Enterprise Risk Management – aka company-wide risk management
- considers risks and opportunities across the organization, aligns with strategic objectives and promotes a risk-aware culture.

Distinctions between ERM and TRM:
Reactiveness:
TRM - Reactive: responds to incidents that have occurred and focuses on preventing recurrence
ERM - Proactive: looks forward to prevent risk from occurring
Scope:
TRM - Focuses on insurable and financially tangible risks
ERM - Encompasses both insurable and non-insurable risks, and those where the cost is hard to define (e.g. damage to brand reputation)
Adaptability:
TRM - Standardized, prescribed approaches
ERM - Fluid, adaptable, agile
Effort:
TRM - Focus on business units or departments; siloed; can create duplicate activity
ERM - Holistic and enterprise-wide; minimizes duplication
Alignment:
TRM - Limited risk prioritization and alignment across teams
ERM - Enables risks that impact multiple departments to be prioritized and tackled in an integrated way
Integration:
TRM - approach, metrics, and reporting inconsistent between teams, sites or departments
ERM - approach, metrics, and reporting consistent and integrated across the business.
Identification:
TRM - identifies and tackles risks on a case-by-case basis
ERM - focuses on root-cause risks common to every silo
Mitigation:
TRM - focuses on the impact on individual business units or teams
ERM - takes into account the impact on the entire organization
Mindset:
TRM - risk averse; focuses on mitigation
ERM - risk tolerant; takes an enterprise-wide risk culture
Connection:
TRM - standards and approaches are business-specific and can be simplistic
ERM - aligns with recognized standards like the COSO Framework (internal framework) to ensure the risk management approach is in line with best practice
Prominence:
TRM - keeps risk conversations at team or department level
ERM - elevates risk discussions to board level
Responsiveness:
TRM - static checklist of risks and responses
ERM - real-time, responsive approach to the changing organization and risk landscape

SARBANES-OXLEY ACT OF 2002
• It was Enron's fraudulent behavior that led to the SOX Act being passed in 2002
- largest company in the US during 2001

Sarbanes-Oxley Act - a U.S. Federal Law
- spearheaded by Senator Paul Sarbanes and Representative Michael Oxley
- signed into law by President George W. Bush on July 30, 2002
- aka SOX Act of 2002 and the Corporate Responsibility Act of 2002
- mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
- aims to protect investors from fraudulent financial reporting by corporations
- came in response to the financial scandals of the early 2000s

The new law set out reforms and additions in four (4) principal areas:
1. Corporate responsibility
2. Accounting regulation
3. Increased criminal punishment
4. New protections

Management levels that the SOX Act affects
- External & Internal auditors
- Top executives
- Attorneys (Internal and external)
- BOD and their committees
- Senior managers
- Regulators

Sections of SOX Relevant to Compliance
Section 302 - Corporate Responsibility for Financial Reports
Financial reports and statements must certify that:
• Documents have been reviewed by the signing officers and passed internal controls within the last 90 days.
• Documents are free of untrue statements or misleading omissions.
• Documents truthfully represent the company's financial health and position
• Documents must be accompanied by a list of all deficiencies or changes in internal controls and information on any fraud involving company employees.
Section 401 - Disclosures in Periodic Reports
- Financial statements are required to be accurate.
- Financial statements should also represent any off-balance-sheet liabilities, transactions, or obligations
Section 404 - Management Assessment of Internal Controls
- requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls
Section 409 - Real-time issuer disclosures
- Companies are required to urgently disclose drastic changes in financial position or operations

Section 802 - Criminal Penalties for Altering Documents
Contains three (3) rules that affect recordkeeping:
- Deals with destruction and falsification of records
- Defines the retention period for storing records
- Outlines specific business records that companies need to store (electronic communications)
Outlines PENALTIES:
- any company official found guilty of concealing, destroying, or altering documents, with intent to disrupt an investigation, will face up to 20 years in prison and applicable fines.
- any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison
Section 806 - Protection for Employees of Publicly Traded Companies who provide Evidence of Fraud
- deals with whistleblower protection.
- mandates protection for whistleblowers, stating that employees and contractors who report fraud or testify about fraud to the Department of Labor are protected against retaliation, including dismissal and discrimination.
Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
- crime for any person to corruptly alter, destroy, mutilate, or conceal any document with intent to impair the object's integrity or availability for use in an official proceeding.
Section 906 - Corporate Responsibility for Financial Reports
- addresses criminal penalties for certifying misleading or fraudulent financial reports.
- penalties can be upwards of $5 million in fines and 20 years in prison

Summary of Sarbanes-Oxley Act 2002 (11 titles)
TITLE I - Public Company Accounting Oversight Board (PCAOB)
• consists of 9 sections and establishes the PCAOB, to provide independent oversight of public accounting firms providing audit services.
TITLE II - Auditor Independence
• consists of 9 sections and establishes standards for external auditor independence, to limit conflicts of interest.
• addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements
TITLE III - Corporate Responsibility
• consists of 8 sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
TITLE IV - Enhanced Financial Disclosures
• consists of 9 sections and describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.
TITLE V - Analyst Conflicts of Interest
• consists of 1 section, includes measures designed to help restore investor confidence in the reporting of securities analysts.
TITLE VI - Commission Resources and Authority
• consists of 4 sections, defines practices to restore investor confidence in securities analysts.
TITLE VII - Studies and Reports
• consists of 5 sections, requires the Comptroller General and the SEC to perform various studies and report their findings
TITLE VIII - Corporate and Criminal Fraud Accountability
• consists of 7 sections, referred to as the Corporate and Criminal Fraud Accountability Act of 2002
TITLE IX - White-Collar Crime Penalty Enhancements
• consists of 6 sections, aka White-Collar Crime Penalty Enhancement Act of 2002
• increases criminal penalties associated with white-collar crimes and conspiracies
TITLE X - Corporate Tax Returns
• consists of 1 section
• Chief executive officers should sign the company tax return
TITLE XI - Corporate Fraud and Accountability
• consists of 7 sections, called the Corporate Fraud Accountability Act of 2002
• identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties.

INTERNAL CONTROL

Internal Control – process designed and effected by those charged with governance, management, and other personnel. (Committee of Sponsoring Organizations)
- Provides reasonable assurance about the achievement of the entity's objectives.
OBJECTIVES:
• Reliability of the entity's financial reporting.
• Effectiveness and efficiency of operations.
• Compliance with applicable laws and regulations
Others:
• Adherence to management policies
• Safeguarding of assets
• Prevention and detection of fraud and error
• Accuracy and completeness of accounting records
• Timely preparation of financial information

Elements/Components

A. Control Environment
• Communication & Enforcement of Integrity and Ethical Values
- the entity's ethical and behavioral standards, and the manner in which it communicates and reinforces them, determine the entity's integrity and ethical behavior
• Commitment to Competence
- knowledge and skills necessary to accomplish the tasks that define an employee's job
• Participation by Those Charged with Governance
- the entity's control consciousness is influenced significantly by those charged with governance
- oversight and whistleblower mechanism
• Management's Philosophy and Operating Style
- management's approach to taking and monitoring business risk, its conservative or aggressive selection from alternative accounting principles
• Organizational Structure
- provides the overall framework for planning, directing, and controlling operations
• Assignment of Authority and Responsibility
- personnel within the organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions
• Human Resources Policies and Procedures
- an important element of IACS is the people who perform and execute established policies and procedures.

B. Entity's Risk Assessment Process
• Risk Assessment - identification, analysis, and management of risks pertaining to the preparation of FS.
• Entity's risk assessment process - process for identifying and responding to business risks and the results thereof.
- FS purposes: how management identifies risks relevant to the preparation of FS that are presented fairly…
Circumstances where RISKS can arise:
- changes in the operating environment
- new personnel
- new or revamped information systems
- rapid growth
- new technology
- new business models, products, or activities
- corporate restructurings
- expanded foreign operations
- new accounting pronouncements
• Application to small entities: the entity's risk assessment process is likely to be less formal and less structured.
- FR objectives may be recognized implicitly rather than explicitly.

C. Information System and Communication
Information system - consists of infrastructure (physical and hardware components), software, people, procedures, and data
AS procedures and records designed and established to:
• Initiate, record, process, and report entity transactions and to maintain accountability for related assets, liabilities, and equity.
• Resolve incorrect processing of transactions
• Process and account for system overrides or bypasses to controls
• Transfer information from transaction processing systems to the general ledger
• Capture information relevant to financial reporting for events and conditions other than transactions
• Ensure information required to be disclosed by the applicable financial reporting framework is ACCUMULATED, RECORDED, PROCESSED, SUMMARIZED, and appropriately reported in the FS
*Entity's IS includes the use of standard JEs that are required on a recurring basis; includes the use of non-standard JEs to record non-recurring, unusual transactions or adjustments.
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary.
• Related Business Processes
- Develop, purchase, produce, sell and distribute an entity's products and services.
- Ensure compliance with laws and regulations.
- Record information, including accounting and financial reporting information.
• Information System encompasses methods and records that:
- Identify and record all valid transactions.
- Describe on a timely basis the transactions in sufficient detail.
- Measure the value of transactions.
- Determine the time period in which transactions occurred.
- Present transactions and related disclosures in the FS properly.

Communication - involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
- takes such forms as policy manuals, accounting and FR manuals, and memoranda.
- can be made electronically, orally, and through the actions of management

D. Control Activities
- policies and procedures that help ensure that management directives are carried out.
3 major categories of control procedures
• Performance review - uses accounting and operating data to assess performance and takes corrective action
- personnel at various levels in the org may perform this
- a manager may use it for the sole purpose of making operating decisions
• Information processing controls – policies and procedures designed to require authorization of transactions and ensure the accuracy and completeness of transaction processing.
Classification according to scope of system:
1. Application controls – control activities that pertain to the processing of a specific type of transaction
2. General controls – control activities that prevent or detect errors for all accounting systems.
Control Activities related to processing transactions:
a. Proper authorization of transactions and activities
b. Separation of duties
c. Adequate documents and records
d. Access to assets
e. Independent checks on performance
• Physical Control
- physical security of assets
- authorization for access to computer programs and data files
- periodic accounting and comparison with amounts shown on control records

E. Monitoring Controls
- process that the entity uses to assess the quality of internal control over time.

WHY NEED INTERNAL CONTROL?

Internal control - organizational plan
- all related measures to safeguard assets, ensure accuracy and reliability, promote operational efficiency, and encourage adherence

COSO - Committee of Sponsoring Organizations of the Treadway Commission
- composed of representatives from five (5) organizations:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• Institute of Internal Auditors (IIA)

COSO framework - system used to establish internal controls to be integrated into business processes.
- these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.

COSO Model – defines IC as a "process effected by an entity's board of directors, management, and other personnel
- designed to provide reasonable assurance of achievement of objectives." (Operations, Reporting, Compliance)

Objectives of COSO Framework
a. Operations b. Reporting c. Compliance

FIVE COMPONENTS OF COSO FRAMEWORK
A. Control Environment - set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
B. Risk Assessment - forms the basis for determining how risks will be managed.
C. Control Activities - actions established through policies and procedures that help ensure risks are minimized.
D. Information and Communication
• Information - obtained by management from both internal and external sources to support the internal control components.
• Communication - based on internal and external sources, used to disseminate important information throughout and outside the org, as needed to respond to and support meeting requirements and expectations.
E. Monitoring Activities - evaluations used to ascertain whether the components of internal control are present and functioning:
- ongoing evaluations; separate evaluations

17 Principles of Internal Control
A. Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
B. Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
C. Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
D. Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
E. Monitoring Activities
16. Conducts ongoing or separate evaluations
17. Evaluates and communicates deficiencies

BENEFITS OF COSO FRAMEWORK
- enables business procedures to be carried out consistently
- often a better position to detect fraudulent acts
- helps to make existing business processes more efficient

LIMITATIONS OF COSO FRAMEWORK
- relatively broad in scope
- broken into a series of rigid categories
