1. Risk management involves identifying, assessing, and responding to risks that may impact an organization. Key risks include market risk, credit risk, operational risk, business risk, and financial risk.
2. When managing risks, organizations should establish the context, identify potential risks, and assess risks using methods like scenario analysis. Common risks to consider include strategic, financial, operational, hazard, and compliance risks.
3. Once risks are identified and assessed, organizations can select risk responses like risk avoidance, risk reduction, risk sharing, or risk retention to manage the impact of risks. The goal is to appropriately handle risks and uncertainties that could negatively affect an organization.
RISK
- Probability that a future event could impact the organization.
- Measured in terms of probability and impact.
- Exposure to the possibility of loss, injury, and other adverse circumstances.
- Inherent; can be mitigated.

RISK ASSOCIATED WITH MANUFACTURING, TRADING, AND SERVICE CONCERNS
A. Market Risk
- Risk faced by an investor due to a decrease in the market value of a financial product that may affect the whole market.
- Product risk: complexity, obsolescence, research and development, packaging, delivery of warranties.
- Competitor risk: pricing strategy, market share, market strategy.
B. Operation Risk
- Risk of losses caused by failed processes, policies, systems or events that disrupt business operations.
  1. Process stoppage
  2. Health and safety
  3. After-sales service failure
  4. Environmental
  5. Technological obsolescence
  6. Integrity: management fraud, employee fraud, illegal acts
C. Financial Risk
- Likelihood of losing money on a business or investment decision.
  1. Interest rate volatility
  2. Foreign currency
  3. Liquidity
  4. Derivative
  5. Viability
D. Business Risk
- Exposure a company or organization has to factor(s) that will lower its profits or lead it to fail.
- Anything that threatens the company's ability to achieve its financial goals.
  1. Regulatory change
  2. Reputation
  3. Political
  4. Regulatory and legal
  5. Shareholder relations
  6. Credit rating
  7. Credit availability
  8. Business interruptions

SYSTEMATIC RISK VS UNSYSTEMATIC RISK
Systematic Risk                                              | Unsystematic Risk
- not controllable                                           | - controllable
- not entirely predictable                                   | - predictable
- macro in nature                                            | - micro in nature
- affects a large number of organizations                    | - directly affects an individual organization
- cannot be fully assessed and anticipated                   | - assessed in advance with reasonable effort
- e.g. interest rate risk, market risk, purchasing power risk| - e.g. compliance risk, credit risk, operational risk

Purchasing Power Risk
- Possibility of not being able to buy as much with your savings in the future.
- Represents loss of value due to inflation.

RISK ASSOCIATED WITH INVESTMENTS
A. Business Risk
- Uncertainty about the rate of return caused by the nature of the business.
- Related to sales volatility and operating leverage.
- Operating leverage – caused by fixed OPEX; causes operating income (OPIN) to be more volatile than sales.
B. Default Risk
- Probability that investments will not be returned.
- Degree of default risk is closely related to the financial condition of the company.
C. Financial Risk
- Arises from the firm's capital structure or source of financing.
- Risk of DEFAULT: any risk associated with financing, including company loans.
- Financial leverage – causes net income (NI) to vary more than OPIN, which affects how the firm's lenders and stockholders view its income streams.
D. Interest Rate Risk
- Most commonly associated with bond price movements: when interest rates rise, bond prices decline; when interest rates decline, bond prices rise.
E. Liquidity Risk
- Inability to sell an investment quickly for cash.
- T-bills: sold immediately with very little concession.
- Ordinary equity: can be sold quickly; trades on organized and active markets.
- Liquidity risk for other investments is more complex.
F. Management Risk
- Risk, financial, ethical, or otherwise, associated with ineffective, destructive, or underperforming management.
- Areas affected: product innovation and production methods; financing through to acquisitions.

RISK ASSOCIATED WITH FINANCIAL INSTITUTIONS
A. Financial Risk
  a. Liquidity risk
  b. Market risk: currency, equity, commodity
  c. Credit risk: counterparty, trading; commercial (loans, guarantees)
  d. Market liquidity risk: currency rates, interest rates, bond and equity rates
  e. Hedged positions risk
  f. Portfolio exposure risk
  g. Derivative risk
  h. Accounting information risk: completeness, accuracy
  i. Financial reporting risk: adequacy, completeness
B. Non-Financial Risk
  a. Operational risk: systems (information processing, technology), customer satisfaction, human resources, fraud and illegal acts, bankruptcy
  b. Regulatory risk: capital adequacy, compliance, taxation, changing laws and policies
  c. Environmental risk: politics, natural disasters, war, terrorism
  d. Integrity risk: reputation
  e. Leadership risk: turnover, succession

PROCESS OF RISK MANAGEMENT
a. Establishing Context
   Steps:
   - Identification of risk in the selected domain of interest
   - Mapping out the social scope of RM, the identity and objectives of stakeholders, and the basis of evaluations and constraints
   - Defining the framework for the activity and the agenda
   - Mitigation of risks using available technological, human, and organizational resources
   - Planning the remaining process
   - Developing an analysis of the risks involved in the process
b. Identification of Potential Risk
   Common risk identification methods:
   a. Objective-based risk identification
   b. Scenario-based risk identification
   c. Taxonomy-based risk identification
   d. Common-risk checking
   e. Risk charting
c. Risk Assessment – critical to making the best educated decisions in prioritizing implementation of the risk management plan.

RISK RESPONSES
ISO 31000 – suggests that once risks are identified and assessed, techniques should be applied to manage them.
- Family of standards relating to risk management codified by ISO (International Organization for Standardization).
Risk Avoidance – not performing an activity that carries risk; loses out on the potential gain (avoids the possibility of earning).
Risk Sharing – sharing with another party the burden of loss or the benefit of gain.
Risk Mitigation – reducing the severity of loss.
Risk Acceptance – accepting the loss or the benefit of gain from a risk.
Risk Creation

RISK MANAGEMENT
- Process of measuring or assessing risk and developing strategies to manage it.
- Systematic approach to identifying, analyzing, and controlling areas or events with the potential for causing unwanted change.
- Act or practice of controlling risk:
  a. Risk planning
  b. Assessing risk areas
  c. Developing risk-handling options
  d. Monitoring risks
  e. Documenting the overall risk management program
According to ISO 31000:
- Identification, assessment, and prioritization of risks.
- Coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events.
- Maximizes the realization of opportunities.

ELEMENTS OF RISK MANAGEMENT
a. Identification, characterization and assessment of threats.
b. Assessment of the vulnerability of critical assets to specific threats.
c. Determination of the risk.
d. Identification of ways to reduce those risks.
e. Prioritization of risk reduction measures based on a strategy.

AREAS OF RISK MANAGEMENT
Most commonly encountered areas of risk management:
- Enterprise risk management
- Risk management activities as applied to project management
- Risk management for megaprojects
- Risk management of information technology
- Risk management techniques in petroleum and natural gas

BASIC PRINCIPLES OF RISK MANAGEMENT
a. Create value.
b. Address uncertainty and assumptions.
c. Be an integral part of organizational processes and decision-making.
d. Be dynamic, iterative, transparent, tailorable, and responsive to change.
e. Create continual improvement and enhancement capability, considering the best available information and human factors.
f. Be systematic, structured, and continually or periodically reassessed.

RISK MANAGEMENT PROCESS
- Framework for the actions to be taken to manage risk.
- Method of understanding what risks and opportunities are present.

STEPS IN RISK MANAGEMENT PROCESS
1. Set up a separate risk management committee chaired by a board member.
   • Creation of a risk management committee at board level demonstrates the firm's commitment to adopt an integrated, company-wide risk management system.
2. Ensure that a formal, comprehensive risk management system is in place.
   • This fully documented formal system provides a clear vision of the board's desire for effective company-wide risk management.
   o Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to IDENTIFY, ASSESS, AND MONITOR KEY RISK EXPOSURES.
3. Assess whether the formal system possesses the necessary elements.
   • Key elements: goals and objectives; organization structure; risk language identification; risk management process and documentation.
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the business firm.
5. Assess whether management has developed and implemented suitable risk management strategies, and evaluate their effectiveness.
6. Evaluate whether management has designed and implemented risk management capabilities.
7. Assess management's efforts to monitor overall company risk management performance and to continuously improve the firm's capabilities.
8. See to it that best practices as well as mistakes are shared by all.
9. Regularly assess the level of sophistication of the firm's risk management system.
10. Hire experts when needed.

TRADITIONAL RISK MANAGEMENT (TRM) – process that aims to develop a consistent understanding of the organization's goals and the risks that inhibit its success.
ENTERPRISE RISK MANAGEMENT (ERM) – aka company-wide risk management; considers risks and opportunities across the organization, aligns with strategic objectives, and promotes a risk-aware culture.

Distinctions between ERM and TRM:
Reactiveness: TRM – reactive; responds to incidents that have occurred and focuses on preventing recurrence. ERM – proactive; looks forward to prevent risks from occurring.
Scope: TRM – focuses on insurable and financially tangible risks. ERM – encompasses both insurable and non-insurable risks, and those where the cost is hard to define (e.g. damage to brand reputation).
Adaptability: TRM – standardized, prescribed approaches. ERM – fluid, adaptable, agile.
Effort: TRM – focuses on business units or departments; siloed; can create duplicative activity. ERM – holistic and enterprise-wide; minimizes duplication.
Alignment: TRM – limited risk prioritization and alignment across teams. ERM – enables risks that impact multiple departments to be prioritized and tackled in an integrated way.
Integration: TRM – approach, metrics, and reporting inconsistent between teams, sites or departments. ERM – approach, metrics, and reporting consistent and integrated across the business.
Identification: TRM – identifies and tackles risks on a case-by-case basis. ERM – focuses on root-cause risks common to every silo.
Mitigation: TRM – focuses on the impact on individual business units or teams. ERM – takes into account the impact on the entire organization.
Mindset: TRM – risk averse; focuses on mitigation. ERM – risk tolerant; adopts an enterprise-wide risk culture.
Connection: TRM – standards and approaches are business-specific and can be simplistic. ERM – aligns with recognized standards like the COSO framework (internal control framework) to ensure the risk management approach is in line with best practice.
Prominence: TRM – keeps risk conversations at team or department level. ERM – elevates risk discussions to board level.
Responsiveness: TRM – static checklist of risks and responses. ERM – real-time, responsive approach to the changing organization and risk landscape.

ENTERPRISE RISK MANAGEMENT
SEC Code of Corporate Governance Recommendation 2.11 and the corresponding explanation provide the following:
- The Board should oversee that a sound ERM framework is in place to effectively identify, monitor, assess, and manage key business risks.
- The risk management framework should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
- Risk management policy is part and parcel of a corporation's corporate strategy.
- The Board is responsible for defining the company's level of risk tolerance and providing oversight over its risk management policies and procedures.
Principle 12 deals with strengthening the Internal Control System and Enterprise Risk Management Framework:
"To ensure the integrity, transparency, and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework."

RISK MANAGEMENT FRAMEWORK
- Subject to the corporation's size, risk profile and complexity of operations, the Board should establish a separate Board Risk Oversight Committee (BROC) responsible for the oversight of the company's ERM system, to ensure its functionality and effectiveness.
- BROC composition: at least three (3) members, the majority of whom should be independent directors, including the Chairman. The Chairman should not be the Chairman of the Board or of any other committee. At least one (1) member must have relevant thorough knowledge and experience in risk and risk management.

SARBANES-OXLEY ACT OF 2002
- A U.S. federal law; aka the SOX Act of 2002 and the Corporate Responsibility Act of 2002.
- Passed in response to the financial scandals of the early 2000s, chiefly Enron's fraudulent behavior (Enron was one of the largest companies in the US in 2001).
- Spearheaded by Senator Paul Sarbanes and Representative Michael Oxley; signed into law by President George W. Bush on July 30, 2002.
- Mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
- Aims to protect investors from fraudulent financial reporting by corporations.
The new law set out reforms and additions in four (4) principal areas:
1. Corporate responsibility
2. Accounting regulation
3. Increased criminal punishment
4. New protections
Management levels that the SOX Act affects:
- External and internal auditors
- Top executives
- Attorneys (internal and external)
- BOD and their committees
- Senior managers
- Regulators

SECTIONS OF SOX RELEVANT TO COMPLIANCE
Section 302 - Corporate Responsibility for Financial Reports
Signing officers must certify that:
- The documents have been reviewed by the signing officers, and the internal controls have been evaluated within the last 90 days.
- The documents are free of untrue statements or misleading omissions.
- The documents truthfully represent the company's financial health and position.
- The documents are accompanied by a list of all deficiencies or changes in internal controls and information on any fraud involving company employees.
Section 401 - Disclosures in Periodic Reports
- Financial statements are required to be accurate.
- Financial statements should also present any off-balance-sheet liabilities, transactions, or obligations.
Section 404 - Management Assessment of Internal Controls
- Requires management to establish and maintain internal controls over financial reporting and to report annually on their adequacy; the external auditor attests to management's assessment.
Section 409 - Real Time Issuer Disclosures
- Companies are required to urgently disclose drastic changes in financial position or operations.
Section 802 - Criminal Penalties for Altering Documents
Contains three (3) rules that affect recordkeeping:
- Deals with the destruction and falsification of records.
- Defines the retention period for storing records.
- Outlines the specific business records that companies need to store (including electronic communications).
Outlines PENALTIES:
- Any company official found guilty of concealing, destroying, or altering documents with intent to disrupt an investigation faces up to 20 years in prison and applicable fines.
- Any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison.
Section 806 - Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
- Deals with whistleblower protection.
- Employees and contractors who report fraud, or testify about fraud, are protected against retaliation, including dismissal and discrimination; complaints are filed with the Department of Labor.
Section 902 - Attempts and Conspiracies to Commit Fraud Offenses
- Makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with intent to impair the object's integrity or availability for use in an official proceeding. (This wording is actually that of Section 1102, which added 18 U.S.C. § 1512(c); Section 902 itself makes an attempt or conspiracy to commit a fraud offense punishable in the same way as the completed offense.)
Section 906 - Corporate Responsibility for Financial Reports
- Addresses criminal penalties for certifying misleading or fraudulent financial reports.
- Penalties can be upwards of $5 million in fines and 20 years in prison.

SUMMARY OF SARBANES-OXLEY ACT 2002 (11 TITLES)
TITLE I - Public Company Accounting Oversight Board (PCAOB): 9 sections; establishes the PCAOB to provide independent oversight of public accounting firms providing audit services.
TITLE II - Auditor Independence: 9 sections; establishes standards for external auditor independence to limit conflicts of interest; addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements.
TITLE III - Corporate Responsibility: 8 sections; mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
TITLE IV - Enhanced Financial Disclosures: 9 sections; describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.
TITLE V - Analyst Conflicts of Interest: 1 section; includes measures designed to help restore investor confidence in the reporting of securities analysts.
TITLE VI - Commission Resources and Authority: 4 sections; covers the SEC's resources and authority, including practices to restore investor confidence in securities analysts.
TITLE VII - Studies and Reports: 5 sections; requires the Comptroller General and the SEC to perform various studies and report their findings.
TITLE VIII - Corporate and Criminal Fraud Accountability: 7 sections; referred to as the Corporate and Criminal Fraud Accountability Act of 2002.
TITLE IX - White-Collar Crime Penalty Enhancements: 6 sections; aka the White-Collar Crime Penalty Enhancement Act of 2002; increases criminal penalties associated with white-collar crimes and conspiracies.
TITLE X - Corporate Tax Returns: 1 section; chief executive officers should sign the company tax return.
TITLE XI - Corporate Fraud and Accountability: 7 sections; called the Corporate Fraud Accountability Act of 2002; identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties.

INTERNAL CONTROL
Internal Control – process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives (Committee of Sponsoring Organizations, COSO).
OBJECTIVES:
- Reliability of the entity's financial reporting.
- Effectiveness and efficiency of operations.
- Compliance with applicable laws and regulations.
Others:
- Adherence to management policies
- Safeguarding of assets
- Prevention and detection of fraud and error
- Accuracy and completeness of accounting records
- Timely preparation of financial information

WHY NEED INTERNAL CONTROL?
Internal control – the organizational plan and all related measures adopted to safeguard assets, ensure the accuracy and reliability of accounting data, promote operational efficiency, and encourage adherence to management policies.

COSO – Committee of Sponsoring Organizations of the Treadway Commission
- Composed of representatives from five (5) organizations:
  American Accounting Association (AAA)
  American Institute of Certified Public Accountants (AICPA)
  Financial Executives International (FEI)
  Institute of Management Accountants (IMA)
  Institute of Internal Auditors (IIA)
COSO Framework – system used to establish internal controls to be integrated into business processes.
- These controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.
COSO Model – defines IC as a "process effected by the entity's board of directors, management, and other personnel, designed to provide reasonable assurance of the achievement of objectives" (operations, reporting, compliance).
Objectives of the COSO Framework: a. Operations  b. Reporting  c. Compliance

FIVE COMPONENTS OF THE COSO FRAMEWORK
A. Control Environment – set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
B. Risk Assessment – forms the basis for determining how risks will be managed.
C. Control Activities – actions established through policies and procedures that help ensure risks are minimized.
D. Information and Communication
- Information – obtained by management from both internal and external sources to support the internal control components.
- Communication – based on internal and external sources; used to disseminate important information throughout and outside the organization, as needed to respond to and support meeting requirements and expectations.
E. Monitoring Activities – evaluations used to ascertain whether the components of internal control are present and functioning: ongoing evaluations; separate evaluations.

ELEMENTS/COMPONENTS
A. Control Environment
Communication and Enforcement of Integrity and Ethical Values
- The entity's ethical and behavioral standards, and the manner in which it communicates and reinforces them, determine the entity's integrity and ethical behavior.
Commitment to Competence
- Knowledge and skills necessary to accomplish the tasks that define the employee's job.
Participation by Those Charged with Governance
- The entity's control consciousness is influenced significantly by those charged with governance.
- Oversight and whistleblower mechanisms.
Management's Philosophy and Operating Style
- Management's approach to taking and monitoring business risk; its conservative or aggressive selection from alternative accounting principles.
Organizational Structure
- Provides the overall framework for planning, directing, and controlling operations.
Assignment of Authority and Responsibility
- Personnel within the organization need a clear understanding of their responsibilities and of the rules and regulations that govern their actions.
Human Resources Policies and Procedures
- An important element of the IACS is the people who perform and execute the established policies and procedures.

B. Entity's Risk Assessment Process
- Risk assessment – identification, analysis, and management of risks pertaining to the preparation of financial statements (FS).
- Entity's risk assessment process – process for identifying and responding to business risks and the results thereof.
- For FS purposes: how management identifies risks relevant to the preparation of FS that are presented fairly…
Circumstances where risks can arise:
- Changes in the operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded foreign operations
- New accounting pronouncements
Application to small entities: the entity's risk assessment process is likely to be less formal and less structured; financial reporting objectives may be recognized implicitly rather than explicitly.

C. Information System and Communication
Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and data.
The accounting system (AS) consists of procedures and records designed and established to:
- Initiate, record, process, and report entity transactions, and maintain accountability for the related assets, liabilities, and equity.
- Resolve incorrect processing of transactions.
- Process and account for system overrides or bypasses of controls.
- Transfer information from transaction processing systems to the general ledger.
- Capture information relevant to financial reporting for events and conditions other than transactions.
- Ensure information required to be disclosed by the applicable financial reporting framework is ACCUMULATED, RECORDED, PROCESSED, SUMMARIZED, and appropriately reported in the FS.
* The entity's IS includes the use of standard journal entries (JEs) required on a recurring basis, and of non-standard JEs to record non-recurring, unusual transactions or adjustments.
Related business processes:
- Develop, purchase, produce, sell and distribute the entity's products and services.
- Ensure compliance with laws and regulations.
- Record information, including accounting and financial reporting information.
The information system encompasses methods and records that:
- Identify and record all valid transactions.
- Describe on a timely basis the transactions in sufficient detail.
- Measure the value of transactions.
- Determine the time period in which transactions occurred.
- Present transactions and related disclosures properly in the FS.
Communication – involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
- Takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda.
- Can be made electronically, orally, and through the actions of management.

D. Control Activities
- Policies and procedures that help ensure that management directives are carried out.
Three major categories of control procedures:
1. Performance reviews – use accounting and operating data to assess performance and take corrective action.
   - Personnel at various levels in the organization may perform these.
   - A manager may use them for the sole purpose of making operating decisions.
2. Information processing controls – policies and procedures designed to require authorization of transactions and to ensure the accuracy and completeness of transaction processing.
   Classification according to scope of system:
   a. Application controls – control activities that pertain to the processing of a specific type of transaction.
   b. General controls – control activities that prevent or detect errors for all accounting systems.
   Control activities related to processing transactions:
   a. Proper authorization of transactions and activities
   b. Separation of duties
   c. Adequate documents and records
   d. Access to assets
   e. Independent checks on performance
3. Physical controls
   - Physical security of assets.
   - Authorization for access to computer programs and data files.
   - Periodic counting and comparison with the amounts shown on control records.

E. Monitoring Controls
- Process that the entity uses to assess the quality of internal control over time.
- Involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary.

17 PRINCIPLES OF INTERNAL CONTROL
A. Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
B. Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
C. Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures
D. Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
E. Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
BENEFITS OF COSO FRAMEWORK
- Enables business procedures to be carried out consistently.
- Puts the organization in a better position to detect fraudulent acts.
- Helps make existing business processes more efficient.

LIMITATIONS OF COSO FRAMEWORK
- Relatively broad in scope.
- Broken into a series of rigid categories.