ENTERPRISE RISK MANAGEMENT

TOPIC 5

TOPIC 5
PART I : RISK ANALYSIS
1. Approaches to Risk:
Interrelationship Approach
Direct Approach
2. Sourcing of Risks
Bow-Tie Analysis

PART II: RISK OPTIONS AND ACTION PLANS

1. Risk Management Options- ACCEPT:
Retain
Reduce
Exploit
Transfer
2. Managing Risks
3. Controls
4. Risk Management Strategies

Prepared by:

Bermudez, Adrian Paul

Convocar, Andrew James
Dela Cruz, Pyar Paolo
Faminia, Keneth Adrian
Merlin, Sarah Jane
Navarra, Kim Patrice
Vargas, Jon Oliver

March 2024
RISK ANALYSIS
After prioritizing the risks using the criteria, the next
activity is to analyze the results of the risk
identification and prioritization process. As
mentioned previously, the prioritization can be on a
gross or net of controls basis. But regardless of the
approach and where the company is in its ERM
maturity.

There are two (2) options that the CRO can use to initially analyze the risks:

First is the "interrelationship" approach, where you identify interdependencies among a group
of risks, and the second is the "direct" approach, where the Chief Risk Officer (CRO)
immediately considers the prioritized risks to be the ones that will go to the treatment stage or
where the risk owners will now develop the risk management strategies and action plans to
prevent the risks from happening.

1. INTERRELATIONSHIP APPROACH- This approach involves identifying how different

risks are connected or dependent on each other.

The risk interrelationship approach, considers the interconnection of the different

prioritized risks to identify the highly leveraged risks, or the risks that when the company
manages, will also manage some other risks.

The benefits of having this step are:

1. The risk owners can determine where the risk management efforts can best be directed.
2. The risk owners can identify focus areas of great significance and avoid the identification of
"quick fix solutions”.

Factors to consider in developing a risk interrelationship:

1. The cause-and-effect relationship- risks that occur mode because of unmanaged risks.
2. Interdependencies- risks that are interconnected and management of one can assist in the
management of the other.
3. Compounding effect- risks that when left unmanaged, may branch out and result in the
occurrence of multiple risks.

From the sample of the risk profile above, we can easily see the interrelationships of certain
risks that made it to the top 10 risks that the company faces.

2
PART I RISK ANALYSIS

Think about the following:

Competition, innovation, and customer
Succession planning, talent management, and people retention
Resource allocation, efficiency, and inventory management
IT Integrity (Security)

By understanding these connections, companies can focus their risk management efforts more
effectively and avoid quick-fix solutions that might overlook interconnected risks.

Competition
Innovation
Customer

First, if innovation is well managed, then it will be also able to manage customer wants and
ultimately put the organization ahead of its competitors.

Before investing resources in innovative projects, companies conduct risk analysis to assess
potential challenges and uncertainties. This analysis helps in evaluating the feasibility of new
ideas, identifying potential obstacles, and developing mitigation strategies. For example, a
technology company like SpaceX conducts thorough risk analysis before launching a new
rocket design to ensure safety and reliability.

Example:
Apple Inc.: Before launching a new product like the iPhone, Apple conducts extensive risk
analysis to ensure that the innovation meets both technological standards and customer
expectations. This analysis includes assessing risks related to manufacturing, supply chain
disruptions, market acceptance, and competition. By mitigating these risks through
thorough planning and testing, Apple enhances the likelihood of delivering a product that
satisfies customers and maintains its competitive edge.

Talent People Success

Management Retention Planning

Second, if talent management is managed well, then it will be able to manage people retention and
will have a deep bench for succession planning.

Effective talent management involves assessing and mitigating various risks associated with
workforce dynamics. This includes risks related to employee turnover, skill gaps, succession
planning, and compliance issues.

3
PART I RISK ANALYSIS

By conducting risk analysis, companies can anticipate talent shortages, identify critical skill
gaps, and develop contingency plans to minimize disruptions. For instance, a pharmaceutical
company may analyze the risk of losing key researchers and develop retention strategies to
mitigate this risk.

Example:
Procter & Gamble (P&G): P&G's talent management practices include risk analysis to
identify and address potential disruptions to its talent pipeline. This analysis involves
assessing risks such as skill shortages, leadership gaps, and succession bottlenecks. By
implementing talent development programs, mentorship initiatives, and leadership
rotations, P&G mitigates these risks, ensuring a steady supply of skilled employees and
future leaders.

Inventory Resource
Efficiency
Management Allocation

Finally, in the last group, if there is an effective inventory management process, then proper
resource allocation will result in efficiency.

In inventory management, risk analysis helps in optimizing inventory levels while minimizing
the risk of stockouts or excess inventory. Companies analyze demand patterns, supplier
reliability, lead times, and market volatility to assess inventory-related risks. By identifying
potential supply chain disruptions or demand fluctuations, companies can implement risk
mitigation strategies such as safety stock, supplier diversification, or demand forecasting
models. For example, a food retailer may conduct risk analysis to anticipate disruptions in the
supply chain due to weather events or transportation issues and adjust inventory levels
accordingly.

The objective of this activity is to identify which of the prioritized risks are considered highly
leveraged risks -the risks when managed well will also manage several other risks. In the first
grouping, it appears that innovation is a highly leveraged risk. While in the second group, it is
talent management. And in the third grouping, it is inventory management.

Example:
Zara: Zara's agile inventory management system is built upon risk analysis to anticipate
and mitigate supply chain disruptions. This analysis includes evaluating risks such as
supplier reliability, lead time variability, and demand volatility. By implementing risk
mitigation strategies such as dual-sourcing, safety stock buffers, and real-time demand
sensing, Zara minimizes the risk of stockouts or excess inventory, ensuring a responsive and
efficient supply chain.

4
PART I RISK ANALYSIS

2. DIRECT APPROACH- This approach involves identifying how different risks are connected
or dependent on each other.

Second is the direct approach This is a simple approach where there is no need to go through
the interrelationship of risks. Accordingly, all the top ten risks (as presented in the sample) will
undergo risk treatment.

It offers a simpler and more straightforward method of risk treatment, especially when time or
resources are limited.

Example:
McDonald's: McDonald’s faces various risks in its global operations, including competition,
supply chain disruptions, food safety concerns, franchisee relations, and regulatory
compliance issues. In employing a direct approach to managing these risks, McDonald's
treats each of its top ten risks individually without analyzing their interconnections.

Here's how McDonald's might implement the direct approach:

Competition:
McDonald's focuses on product innovation, menu diversification, and marketing strategies
to maintain its competitive position in the fast-food industry. This includes launching new
menu items, enhancing customer experience, and expanding its digital presence to attract
and retain customers.

Supply Chain Disruptions:

The company implements measures to mitigate supply chain disruptions, such as
diversifying suppliers, establishing backup plans for critical ingredients, and investing in
technology to track and manage inventory levels effectively.

Food Safety Concerns:

McDonald's prioritizes food safety by implementing strict quality control standards, regular
inspections, and training programs for employees and suppliers. The company also
collaborates with regulatory authorities and industry partners to address emerging food
safety challenges.

Franchisee Relations:
McDonald's maintains positive relationships with its franchisees through open
communication, support programs, and franchisee advisory councils. The company
provides ongoing training, operational support, and marketing assistance to ensure
franchisee success and alignment with brand standards.

5
PART I RISK ANALYSIS

Regulatory Compliance Issues:

McDonald's allocates resources to ensure compliance with various regulations and
standards governing food safety, labor practices, and environmental sustainability. This
includes conducting regular audits, training employees on compliance requirements, and
implementing policies and procedures to address regulatory changes.

Sourcing of Risk

A risk source is essentially the origin point from which potential risks may arise within a project
or enterprise. It encompasses any factor, condition, or driver that has the capacity to initiate or
exacerbate a risk event. These sources can be diverse and multifaceted, ranging from internal
processes to external environmental factors. Identifying these sources is a pivotal element of risk
analysis, as it enables the formulation of preemptive action plans or control measures aimed at
mitigating the risk at its inception, thereby averting potential crises.

Determining the Sources of Risks

Risk taxonomy refers to the categorization of risk types, typically in a hierarchical manner. It’s
a way of organizing and classifying risks, from abstract to specific, based on their sources or
nature. Risk taxonomy structures risks in such a way that it becomes clearer where risks are
emanating from. By categorizing risks according to their nature or source, it becomes easier to
trace back to the origin point—the risk source. This structured approach allows for a more
systematic identification of potential risks and their sources, which is essential for effective risk
management.

Bow-Tie Analysis
Bowtie analysis stands as a sophisticated risk assessment method that empowers users
to not only gauge the likelihood and gravity of risks but also to chronicle the origins of
risks, quantify potential impacts, delegate and track risk mitigations, and methodically
assess the array of elements contributing to an organization's total risk profile.

A 'bowtie' diagram epitomizes the risk at hand in a singular, intelligible illustration. Its
namesake shape distinguishes between proactive and reactive risk management
strategies. The strength of a BowTie diagram lies in its capacity to encapsulate multiple
potential scenarios within one depiction, offering a straightforward visual
representation of a risk that would otherwise be challenging to convey.

6
PART I RISK ANALYSIS

Performing a Bow-Tie Analysis

Step 1: Defining the Risk Event

Bowtie analysis begins with identification of a risk event, sometimes referred to as a “top
event.” The risk event provides everyone workshop with a clear starting point and context for
the assessment. Once you’ve identified the risk event you want to analyze, place it in the center
of the bowtie diagram.

Step 2: Charting Risk Causes & Impacts

Once you’ve identified the risk event, you can begin to chart potential causes and impacts of
that risk event. To the left side of the diagram, all the potential causes of a risk event are listed.
To the right side, all the potential impacts of the event are listed.

7
PART I RISK ANALYSIS

Step 3: Assigning Risk Controls

Once you’ve identified all potential risk causes and impacts, you can then begin developing and
assigning the appropriate risk controls to eliminate or reduce them.

Step 4: Identify & Control Escalation Factors

After you’ve assigned risk controls, bowtie analysis allows to you to further analyze and control
risks by identifying conditions that could negatively affect control reliability. These conditions
are called escalation factors.

8
PART I RISK ANALYSIS

Bow-tie Analysis as Interrelationship Approach

If the CRO and the risk owners prefer to go through the inter-relationship approach, then the
center of the bow-tie-analysis (BTA) should be the highly leveraged risks. In this approach, the
focus is on the highly leveraged risks, which are risks that, if not properly managed, could have
significant consequences for the organization. The idea is to understand how these risks are
interrelated and can impact each other. This approach is particularly useful when dealing with
complex systems where risks are not isolated but are interconnected. The Bow-Tie Analysis
(BTA) in this case would focus on these highly leveraged risks, with the aim of understanding
their causes (left side of the bow-tie) and potential consequences (right side of the bow-tie), as
well as the preventive and mitigative controls that can be put in place.

Bow-tie Analysis as Direct Approach

On the other hand, if they are using the direct approach, all the top 10 risks can be at the center
of this analysis in identifying the causes and consequences of the risks. In this approach, the
focus is on the top risks identified by the organization, regardless of their interrelationships.
These risks are placed at the center of the BTA. The aim is to directly address these risks by
identifying their causes and potential consequences, and by developing appropriate controls.
This approach can be more straightforward and easier to manage, especially for organizations
that are just starting their risk management journey.

Bow-tie Analysis Causes

The left side of the Business Threat Analysis (BTA) pertains to the causes of risks within an
organization. Understanding these causes is crucial for identifying the underlying drivers of
risks, which is a key step in developing effective risk management strategies. A preventive
approach to risk management, informed by a thorough analysis of risk causes, can mitigate the
need for crisis management by addressing issues before they escalate. Its significance can be
measured in these few points:

Delving into the causes of risks sheds light on their origins and influences, forming the
foundation for crafting targeted risk management plans.
Proactively managing risks by pinpointing and tackling their causes can lead to more cost-
effective and efficient outcomes compared to reactive crisis management.
Evaluating the criticality of different risk causes allows the Chief Risk Officer (CRO) and
risk owners to focus on the most significant threats, optimizing resource allocation.
Insights gained from understanding risk causes enhance strategic planning and decision-
making processes across the organization.
The dynamic nature of business necessitates an ongoing process of identifying and
reassessing risk causes to adapt to new challenges and maintain effective risk management.

9
PART I RISK ANALYSIS

Existing Controls

In a Bow-Tie Analysis (BTA), existing controls, also known as barriers, are crucial components
that help manage risks. They are depicted on both sides of the bow-tie diagram. Here's how they
work:

On the left side of the bow-tie, which represents the causes or threats of a risk, controls are
preventive measures put in place to mitigate these threats and prevent the top event (the central
risk event) from occurring. These controls are designed to stop the causes from leading to the
risk.
On the right side of the bow-tie, which represents the potential consequences of the top event,
controls are mitigative measures designed to reduce the impact or severity of these
consequences. These controls provide appropriate responses to consequences being felt or create
barriers to the consequences developing.

Controls can be passive (associated with protective design), active (mechanisms that activate to
ensure functionality), or behavioral (related to a person who ensures functionality to operate
the system). A primary use of BTA is to identify control gaps, where additional controls may be
warranted. Examining causes, consequences, and the existing controls that address them helps
to identify gaps in the current controls.

In addition to illustrating the existing preventive and control barriers, bow-tie diagrams
highlight potential escalation factors that may compromise the effectiveness or reliability of a
barrier. By identifying these factors, organizations can proactively implement control measures
to prevent or mitigate their detrimental effects.

In summary, existing controls in a BTA are measures put in place to either prevent a risk from
occurring or to mitigate its consequences if it does occur. They play a crucial role in managing
risks effectively.

ORMI

Opportunities for Risk Management Improvement in Controls are essentially areas where the
existing risk management strategies can be enhanced. They can be identified at various points in
the Bow-Tie Analysis (BTA):

Preventive Controls: Are the existing preventive controls effective? Are there gaps or
weaknesses that need to be addressed? Could new technologies or practices enhance these
controls?
Mitigative Controls: Are the mitigative controls sufficient to limit the consequences of the
top event? Are there opportunities to improve these controls or implement additional ones?

10
PART I RISK ANALYSIS

By identifying these opportunities for improvement, an organization can enhance its risk
management strategies, making them more robust and effective. This is a continuous process, as
risks, their causes, and potential consequences can change over time.

For example, a manufacturing company identifies a risk of defects in a top selling product in its
portfolio. The first step in the analysis of this risk is to determine what could cause the defects
to happen. If this event had happened in the past then the company could look back at the root
causes of those problems in the past. If not, the company may go through a process of
brainstorming to identify potential root causes. In this case, the company identified a couple of
root causes that had occurred in the past: the first was a significant amount of turnover in the
personnel working on the assembly process, and the second was an increase in defective parts
coming from a supplier. With respect to the first root cause, by reviewing historical data the
company determined that inexperienced assembly employees were a key factor in the defects.

This is an example of how a company can identify opportunities for improvement in controls as
part of a BTA.

Consequences

In a Bow-Tie Analysis (BTA), consequences are the potential outcomes or impacts of the top
event. They are depicted on the right side of the bow-tie diagram. Here’s how they work:

After the top event (the central risk event) occurs, there can be multiple potential consequences.
These consequences are identified and placed on the right side of the bow-tie diagram.

Consequences can vary widely depending on the nature of the top event and can include
financial loss, harm to people, damage to the environment, reputational damage, and more.
Each consequence is typically assessed for its severity. This helps in prioritizing risk
management efforts.

For each identified consequence, mitigative controls (also known as recovery measures or
barriers) are identified. These are actions or systems put in place to reduce the impact or severity
of the consequences.

The potential consequences and their mitigative controls should be regularly reviewed and
updated as necessary. This ensures that the BTA remains relevant and effective.

In summary, consequences in a BTA are the potential outcomes or impacts if the top event
occurs. They are a crucial component of the analysis, helping to understand what could happen
if a risk materializes and how severe the impact could be.

11
PART I RISK ANALYSIS

RISK OPTIONS AND ACTION PLANS

Now that we have the causes or sources of the risks, the next step is to identify the risk options
and the corresponding risk management strategies and action plans to manage the source of the
risks. As mentioned earlier, the most effective way to manage a risk is to manage it at the
source.

ACCEPT: Retain Reduce Exploit Transfer

RETAIN
Risk retention is a crucial aspect of managing and mitigating
risks in various industries. It involves the deliberate decision to
assume and retain a certain level of risk rather than avoid,
reduce, or transfer it to another party through insurance or
other means.

No action
Inherent in the business but the current level of residual risk is acceptable. When an
entity acknowledges that certain risks are inherent in its operations, it means that these
risks are an unavoidable aspect of conducting business within that industry or operating
environment.

12
PART 2 RISK OPTIONS AND ACTION PLANS

However, despite the presence of these inherent risks, the entity evaluates the current
level of residual risk – that is, the risk remaining after risk mitigation measures have been
applied – and determines that it is acceptable within its risk tolerance framework.

This acknowledgment suggests that the entity recognizes the existence of these risks but
believes that they are manageable or within acceptable limits. It implies that the entity
has implemented measures to mitigate these risks to a degree that aligns with its risk
appetite and strategic objectives.

For Example:
Imagine you own a small online store that sells handmade crafts. One of the risks
inherent in your business is the possibility of delivery delays, which could result in
customer dissatisfaction and potential loss of sales. To mitigate this risk, you choose
reliable shipping providers with a good track record and provide customers with
estimated delivery times.

After monitoring your shipping process, you determine that while there's still a risk of
delivery delays, it's at an acceptable level. You haven't had many complaints from
customers, and investing in expedited shipping options or a backup delivery service
would be too costly for your small business.

As a result, you decide to retain the risk and continue with your current shipping
methods. You're comfortable with the remaining risk because you believe it's manageable
within your business's capabilities and budget.

Premium Price
In the context of risk retention, Premium Price refers to adjusting the prices of products
or services based on the level of risk involved, considering the risk and reward concept.
When a business decides to retain certain risks instead of transferring them, they may
increase prices to compensate for potential losses. This reflects the principle that higher
risk correlates with higher prices, ensuring that the business remains profitable while
managing its risk exposure.

For Example:
You run a small electronics store that sells laptops. You offer a warranty program where
customers can pay extra for extended coverage against damages.In this scenario, you've
assessed the risk associated with offering warranty coverage. If a laptop breaks down
under warranty, you'll need to repair or replace it, incurring costs. To compensate for
this risk, you adjust your prices accordingly. Laptops with warranty coverage are priced
higher than those without.

13
PART 2 RISK OPTIONS AND ACTION PLANS

Reserve
Reserve involves setting aside funds to prepare for the potential financial impact of risks
that a business chooses to retain. This involves allocating a portion of earnings or
charging operations periodically to build up a reserve fund. These reserves serve as a
financial cushion to cover losses or liabilities that may arise if a retained risk materializes.

For Example:
You own a small bakery. You decide to retain the risk of potential equipment
breakdowns instead of purchasing expensive equipment insurance. To prepare for the
possibility of equipment failures, you set aside a portion of your monthly profits into a
reserve fund specifically designated for equipment repairs or replacements.

Over time, this reserve fund grows, providing a financial safety net in case any of your
bakery's equipment breaks down unexpectedly. If your oven malfunctions or your mixer
stops working, you can dip into the reserve fund to cover the repair or replacement costs
without significantly impacting your bakery's cash flow or profitability.

Offset

Offsetting in risk management involves identifying benefits or opportunities from other

risks that can help lessen the impact of the risk being addressed. This strategy allows
businesses to diversify their approach to risk management, harnessing the positive
outcomes of one risk to counterbalance the negative effects of another. By effectively
leveraging these rewards, organizations can enhance their resilience and adaptability in
the face of uncertain circumstances.

For Example:
Consider a multinational corporation with subsidiaries engaged in both importing and
exporting activities. If one subsidiary faces currency risk due to currency depreciation,
resulting in losses for the importing subsidiary, the corporation can manage this risk by
increasing the exporting activities of another subsidiary.

By ramping up exporting activities, the corporation can take advantage of the favorable
exchange rates caused by the currency depreciation. This can lead to increased revenues
and profits from export sales, which can then help offset the losses incurred by the
importing subsidiary. In essence, the gains from exporting activities act as a reward that
softens the impact of the currency risk on the overall financial performance of the
corporation.

14
PART 2 RISK OPTIONS AND ACTION PLANS

REDUCE
Risk reduction is the practice of decreasing both the probability
and consequences of potential risks. This encompasses the
identification of risks, evaluation of their potential effects, and
the implementation of proactive measures to diminish their
likelihood or impact.

Spread
Spreading the risk, also known as diversification, is a strategy used to reduce the impact
of potential losses by spreading investments or activities across different areas.
By spreading risk, you're essentially not putting all your eggs in one basket. While it
doesn't eliminate risk entirely, it helps reduce the potential impact of adverse events on
your overall financial or operational stability.

For Example:
Imagine you have P100,000 to invest. Instead of putting all of it into one company's
stock, you decide to diversify your investment across different sectors. You invest
P30,000 in technology stocks, P30,000 in healthcare stocks, and P40,000 in consumer
goods stocks.

Now, if there's a downturn in the technology sector, causing the value of your technology
stocks to drop, it won't have as big of an impact on your overall investment portfolio
because you've also invested in healthcare and consumer goods stocks.

Risk Management/Control
Risk management/control, particularly in the context of risk retention, involves the
systematic process of identifying, evaluating, and mitigating risks that an organization
chooses to retain rather than transfer. This approach acknowledges that some risks are
inherent to the business and cannot be fully eliminated. Instead, the organization
implements controls and management strategies to minimize the impact of these retained
risks to an acceptable level. By proactively managing these risks, the organization aims to
protect itself from potential losses or threats to its ongoing operations, such as financial
losses, reputational damage, or harm to employees.

It's imperative for organizations to develop a comprehensive risk management/control

plan tailored to their specific risk landscape, outlining the identified retained risks and
the corresponding measures in place to mitigate them effectively. Through this proactive
approach, organizations can optimize risk retention strategies, reducing the likelihood of
adverse outcomes and safeguarding their long-term viability..

15
PART 2 RISK OPTIONS AND ACTION PLANS

For Example:
Let's say you own a small clothing store. You recognize that there's a risk of theft, which
is common in retail businesses. Instead of investing in costly security systems, you decide
to retain this risk.

To manage the risk of theft, you implement simple controls such as training your staff to
be vigilant, keeping high-value items in locked display cases, and installing mirrors to
increase visibility in blind spots. By taking these measures, you reduce the likelihood of
theft occurring and minimize potential losses.

EXPLOIT
Typically refers to the act of taking advantage of a vulnerability
or weakness in a system or situation for one's own benefit.

Take advantage
Make the risk work for the company rather than against it. Identify new opportunities
brought about by the risk. To harness risk to the company's advantage means finding
ways to turn uncertainties to opportunities. Rather than viewing risk solely as a threat,
this approach involves a proactive mindset that seeks to understand, evaluate, and
capitalize on the potential advantage that may accompany to it.

By identifying new avenues for products or services that can both mitigate the negative
effects of risk and create additional value. This may involve diversifying offerings,
exploring new markets, or developing cutting-edge solutions that address challenges.

Ultimately, by embracing risk in this manner, the company can not only safeguard
against potential losses but also unlock new pathways to success and resilience in a
changing business world.

For Example:
The software company identified the risk of cybersecurity breaches due to advanced
hacking techniques but instead of solely focusing on defense mechanisms, they turned it
into an opportunity. They developed a comprehensive cybersecurity suite using advanced
machine learning algorithms to predict and prevent future attacks, while also integrating
features for streamlined compliance with data protection regulations.

16
PART 2 RISK OPTIONS AND ACTION PLANS

Diversify

Widen the financial, physical, customer, employee/supplier and organizational asset

holing used by the firm's business model. Diversification within a firm's business model
involves expanding its asset holdings across multiple dimensions. This includes:

Financial diversification by investing in different asset classes to manage risk and

optimize returns.
Physical diversification entails expanding the firm's presence across various locations
or broadening its product offerings to appeal to diverse markets and consumer
segments.
Customer diversification focuses on attracting a wider customer base or segmenting
existing ones to reduce reliance on any single revenue source.
Employee and supplier diversification involves building relationships with a diverse
pool of talent and suppliers to enhance operational flexibility and resilience.
Organizational diversification encompasses fostering adaptability and innovation
within the firm's structure and processes to effectively navigate changing market
conditions.

Overall, diversification across these dimensions enables a firm to strengthen its

competitive position, reduce vulnerabilities, and capitalize on emerging opportunities in
the dynamic business environment.

For Example:
BAKIT SIYA Inc. invests in a portfolio of stocks, bonds, and alternative assets to
mitigate risks associated with market volatility.

Expand

Bolster the business portfolio by investing in new industries, geographical areas and/or
customer groups. Expanding the business portfolio entails diversifying investments into
new industries, geographical areas, or customer groups. This strategy aims to mitigate
risks associated with overreliance on a single market or customer base, thereby
enhancing long-term sustainability and growth prospects. This expansion may involve
entering untapped markets, acquiring complementary businesses, or developing
innovative products/services to meet the evolving needs of diverse customer segments.
Overall, the goal is to strengthen the overall resilience and competitiveness of the
business by strategically extending its reach and presence across different sectors and
markets.

17
PART 2 RISK OPTIONS AND ACTION PLANS

For Example:
ABC-XYZ Holdings' expansion into renewable energy by acquiring solar and wind
power companies marks a significant expansion beyond its traditional automotive
manufacturing portfolio. By exapnding its portfolio, the company not only mitigates
risks associated with over-reliance on a single industry but also capitalizes on the
growing demand for renewable energy sector.

Create

Developing new value-adding products, services, and channels involves the innovation
and introduction of offerings that enhance customer satisfaction and generate additional
revenue streams. This process entails identifying unmet needs or opportunities in the
market, conducting thorough research and development, and designing solutions that
address those needs effectively. Value-adding products or services may provide unique
features, improved functionality, or greater convenience compared to existing offerings,
thereby delivering tangible benefits to customers. Additionally, exploring new
distribution channels or sales channels can expand the business's reach and accessibility
to target markets, facilitating increased customer engagement and sales opportunities.

For Example:
Gamot ni Sarah Pharmaceuticals, a leading pharmaceutical company launches patient
support programs and adherence services to enhance patient outcomes and differentiate
its offerings from competitors. These services provide additional value to healthcare
providers and patients, fostering brand loyalty and reducing the risk of losing market
share to generic competitors.

Redesign

Streamline the firm’s business model, i.e., its unique combination of assets and
technologies for creating value. Redesigning the firm's business model involves
optimizing its unique blend of assets and technologies to efficiently create value for
stakeholders. This process entails reassessing and refining various elements such as
resources, capabilities, processes, and technologies to enhance operational efficiency,
reduce costs, and improve overall performance. By aligning these components more
effectively with the firm's strategic objectives and market dynamics, businesses can better
capitalize on opportunities, mitigate risks, and achieve sustainable growth.

This may involve reconfiguring internal operations, reallocating resources, leveraging

emerging technologies, or exploring new partnerships to enhance value creation across
the organization.

18
PART 2 RISK OPTIONS AND ACTION PLANS

For Example:
Sparkle Shine Car Wash, has been offering traditional car wash services – hand washing,
waxing, and interior detailing. The business faces a declining in its customer base due to
a demographic shift towards younger, tech-savvy professionals who prefer convenience
over traditional methods. Recognizing the need for change, owner Emily conducts
market research and implements innovations such as express wash services, online
booking, and loyalty programs.

These changes successfully attract new customers while retaining existing ones,
solidifying Sparkle Shine's position as a modern and customer-centric car wash business.

Restructure

Transform the company’s processes for maximum results and exploit any by-product.
Restructuring involves overhauling the company's processes to achieve optimal outcomes
and leverage any benefits. This strategic initiative entails reevaluating and redesigning
operational workflows, procedures, and systems to enhance efficiency, productivity, and
overall performance.

Additionally, restructuring aims to identify and capitalize on any advantages that arise
during the process. This may include discovering new revenue streams, improving
resource utilization, or uncovering opportunities for innovation and differentiation. By
systematically transforming its processes, the company can unlock hidden value, adapt to
evolving market conditions, and position itself for sustained success in the long term.

For Example:
The company leverages its successful Enterprise Resource Planning (ERP) roll-out by
transforming its strong IT team into a consultancy service. This team not only fulfills
internal Enterprise Resource Planning (ERP) requirements but also extends its expertise
to third-party companies seeking similar migration assistance. By doing so, the company
creates a new revenue stream through consultancy services.

Furthermore, the restructured IT team can specialize in offering additional IT products

and services, expanding its offerings and revenue potential. This restructuring initiative
optimizes the company's resources, maximizes the value of its expertise, and diversifies its
revenue streams for long-term growth and sustainability.

19
PART 2 RISK OPTIONS AND ACTION PLANS

TRANSFER
Risk transfer involves shifting the responsibility of a risk
from one party to another, typically a third party, as a
technique in risk management.

Insure/Reinsure

The traditional risk management approach involves transferring risk to an independent

insurance company through the purchase of insurance policies. Insurance is a financial
safeguard against unexpected losses like illness, accidents, or death. Without it,
individuals face potential financial strain. When buying insurance, they pay a premium
to the insurer, who offers compensation based on the policy terms. In the realm of
insurance, plans can broadly be categorized into two groups: life insurance and general
insurance.

Insurance provides financial protection against unexpected losses, promotes peace of

mind by transferring risk to insurers, facilitates continuity by aiding in recovery efforts,
and encourages risk mitigation through incentives for implementing safety measures.
However it doesn't eradicate risk entirely. Selecting an insurance provider requires
thorough due diligence to ensure financial stability and coverage adequacy, mitigating
the risk of insurer insolvency and inadequate protection against losses.

For Example:
Sarah, a local bakery owner, purchases insurance to safeguard her business against fire
damage, paying a premium to transfer the risk of potential losses to the insurer.
However, when a fire incident transpires, Sarah anticipates compensation from her
insurer, only to discover that the insurer lacks financial stability, resulting in inadequate
coverage and financial strain for Sarah. This underscores the significance of selecting a
dependable insurer to mitigate unexpected hardships despite having insurance coverage
in place.

Outsource

Outsourcing risk management involves delegating the responsibility of managing

identified risks to a third-party specialist when a company lacks the expertise or
resources to handle them internally. If a company identifies risks related to physical
security or health and safety, it may opt to outsource these functions to specialized third-
party providers. However, it brings new considerations, including the reliability,
competence, and accountability of third-party providers, alongside alleviating direct
responsibility for managing certain risks.

20
PART 2 RISK OPTIONS AND ACTION PLANS

Outsourcing offers several key benefits to businesses, including, cost and time efficiency,
crisis prevention planning, future risk projections, access to expert knowledge and
resources, and strengthened cybersecurity.

For Example:
A small technology startup that lacks expertise in physical security for its office premises.
Concerned about potential risks like theft or unauthorized access, the company decides
to outsource its security management to a specialized security firm. The security firm
installs surveillance cameras, implements access control measures, and conducts regular
patrols to ensure the safety of the premises. It allows the startup to focus on its core
business activities while leveraging the expertise of a specialized third party.

Hedge

Hedging is a financial strategy used to mitigate the risk of adverse price movements in
assets or liabilities. While insurance protects against specific risks like accidents or losses,
hedging focuses on financial risks such as fluctuations in commodity prices, exchange
rates, or interest rates.

Hedging involves the use of financial instruments such as forward contracts, futures
contracts, options, and swaps.These instruments enable companies to lock in prices for
future transactions, thereby reducing uncertainty and stabilizing cash flows.

Hedging plays a crucial role in effectively managing the source of risks by providing
several key benefits. Firstly, it helps limit potential losses. Secondly, hedging enhances
liquidity by enabling investment in various asset classes. Additionally, hedging requires
lower initial investment, offering a flexible price mechanism and allowing for strategic
risk management tailored to specific needs and market conditions. Overall, hedging is
essential for mitigating financial risks such as fluctuations in commodity prices, exchange
rates, or interest rates, ensuring stability and resilience in the face of uncertainty.

For Example:
A small bakery relies on imported flour to make its signature bread. The bakery owner is
worried about potential price increases due to fluctuations in currency exchange rates.
To hedge against this risk, the bakery enters into a forward contract with a supplier to
purchase a certain amount of flour at a fixed price in six months. This forward contract
ensures that the bakery can buy the needed flour at a predictable cost, regardless of any
currency fluctuations during that time. By using this hedging strategy, the bakery can
better manage its expenses, maintain stable product prices, and safeguard against
financial risks associated with currency volatility.

21
PART 2 RISK OPTIONS AND ACTION PLANS

Alliance

An alliance in business involves forming a collaborative relationship with another party

to pursue a specific venture, project, or goal. In this arrangement, both parties agree to
share the associated risks and rewards. This collaboration can take various forms, such
as forming a joint venture, either incorporated or unincorporated, or participating in a
consortium.

Alliances are vital for managing risks by enabling businesses to combine resources and
expertise, distributing the burden of uncertainty among partners. Through shared risk
structures, collaborations reduce individual exposure and foster proactive risk
management strategies. By pooling diverse perspectives and capabilities, alliances
enhance resilience and enable innovative solutions to emerging challenges, empowering
businesses to navigate complexities more effectively.

For Example:
Two small bakeries, Bakery A and Bakery B, collaborate on a large catering order
requiring a variety of baked goods. By forming an alliance, they pool their resources and
expertise to fulfil the order efficiently. Sharing ingredients, equipment, and staff, they
ensure timely delivery and customer satisfaction. This collaboration allows them to
manage risks associated with large orders by leveraging their complementary specialties,
resulting in a successful partnership and satisfied customers.

“The most effective way to manage a risk is to

manage it at the source.”
This passage outlines a structured and comprehensive method for identifying, assessing, and
managing risks within an organization, involving key stakeholders at various stages of the
process.

Managing Risk at the Source

The most effective way to manage risk is addressing the root causes or factors that lead to those
risks and implementing measures to mitigate them. For example, if a company identifies a risk
of data breaches due to outdated security systems, they could manage it at the source by
investing in updated security technology.

22
PART 2 RISK OPTIONS AND ACTION PLANS

Assessing Consequences
It's important to consider the potential consequences of a risk materializing. This involves
measuring or estimating the negative impact, often in financial terms, across various scenarios
from acceptable to worst-case situations. For instance, if a manufacturing company faces the
risk of equipment failure, they would calculate the potential financial losses from downtime,
repair costs, and lost production.

Involvement of CRO (Chief Risk Officer)

The CRO, along with identified expert risk owners, plays a crucial role in assessing and
managing risks within the organization. In cases where risks are significant but necessary for
business operations, companies may need to allocate additional resources or hire experts to
manage them effectively. For example, if a transportation company faces the risk of vehicle
accidents, they might invest in driver training programs or safety equipment to mitigate this
risk.

Resource Allocation
If a risk is deemed significant but inherent in creating value, or that when a company tries to
make something valuable or improve its worth, there are naturally some potential dangers or
uncertainties involved which the company may need to allocate additional resources or hire
experts to manage it effectively.
These risks could be market changes, competition, or technological challenges.

Premium Pricing
Is another strategy to manage risks. In some cases, the company might apply premium pricing
to compensate for the additional costs incurred in managing the risk and to cushion potential
losses.For instance, an insurance company might charge higher premiums for policies covering
high-risk circumstances like fire accidents, to compensate for the increased likelihood of claims.

Risk Management Options

The organization may choose from various risk management options, including deploying
additional resources, engaging consultants, acquiring insurance coverage (if applicable), and
institutionalizing controls.

Decision-Making Process
Once risk management options are identified, they are discussed with the Risk Management
Evaluation Team (RMET). If significant company resources are required, these options are
presented to the Board Risk Oversight Committee (BROC) for approval.

23
PART 2 RISK OPTIONS AND ACTION PLANS

Controls
If the risks can be managed by instituting or improving existing controls, then the REDUCE
option is taken. Controls to manage risks can have a pervasive or specific impact to manage the
risk. It could be system-based or people-based or a combination of both as shown below:

MORE Systems-based
preventive control
RELIABLE/DESIRABLE
Systems-based
detective control

People-based
preventive control
LESS People-based
RELIABLE/DESIRABLE detective control

The CRO, together with the identified expert risk owner, will have to measure the potential
financial loss considering different scenarios, from acceptable to the worst scenarios.

System-based preventive control People-based preventive control

This type of control is automated and These controls rely on human actions and
designed to prevent errors or risks from behaviors to prevent errors or risks from
occurring within a system or process. occurring.

Example: In an online banking system, Example: Requiring employees to undergo

setting up transaction limits for users to
prevent overspending or potential fraud.
System-based detective control
These controls are also automated but are
designed to identify errors or risks after they
have occurred but before they cause
significant harm.
training on cybersecurity best practices to
reduce the risk of falling victim to phishing
attacks.
People-based detective control
These controls involve human actions to
identify errors or risks after they have
occurred.

Example: Implementing automated alerts for Example: Conducting regular internal audits
unusual account activity, such as large to review financial transactions and identify
withdrawals or transfers, to detect potential any discrepancies or irregularities.
fraudulent transactions.

24
PART 2 RISK OPTIONS AND ACTION PLANS

Risk Management Strategies

A risk management strategy addresses how organizations intend to assess risk, respond to risk,
and monitor risk—making explicit and transparent the risk perceptions that organizations
routinely use in making both investment and operational decisions.

Not all risks can be managed using typical transactional or operational controls found in
textbooks. Strategic risks, especially those related to significant decisions like acquiring another
company, require different approaches. Instead of relying solely on regular controls, these risks
are addressed through more comprehensive strategies, often at higher levels of the
organization's structure.

To illustrate, one risk management strategy in acquiring a business is conducting thorough due
diligence. This involves thoroughly researching and analyzing all aspects of the target company,
including its financial health, legal obligations, market position, and potential risks. By
identifying potential issues early on, the acquiring company can make more informed decisions
and take steps to mitigate risks before finalizing the acquisition.

Without a thorough information-seeking process, your firm could get caught up in obligations
it’s not yet ready to assume, such as litigation issues and complicated tax matters. (Matt Gavin,
2022)

Common types of risk management strategy

Risk Avoidance

A risk is eliminated by not taking any action that would mean the risk could occur.

If you choose this approach, you are aiming to completely eliminate the possibility of the
risk occurring. One example of risk avoidance would be with investment. If, after
analyzing the risks associated with that investment, you deem it too risky, then you
simply do not make the investment.

Treating risks by avoiding them should be reserved for risks that would have a major
impact on your organization if they were to occur. However, if you avoid every risk you
come up against, you may miss out on positive opportunities. You never know, that
investment you decided not to make could have paid off. That is why it’s important to
thoroughly analyze risks and make the most informed judgment you can.

25
Risk Reduction

Risk reduction is when a risk becomes less severe through actions taken to prevent or
minimize its impact.

Risk reduction is a common strategy when it comes to risk treatment. It is sometimes

known as lowering risk. By choosing this approach, you will need to work out the
measures or actions you can take that will make risks more manageable.

One example of risk reduction would be within manufacturing and the risk of products
being produced to incor

Risk Acceptance

A risk is accepted with no action taken to mitigate it.

This approach will not reduce the impact of a risk or even prevent it from happening, but
that is not necessarily a bad thing. Sometimes the cost of mitigating risks can exceed the
cost of the risk itself, in which case it makes more sense to simply accept the risk. After
all, why spend P200,000 to prevent a P20,000 risk?

However, this approach does come with a gamble. You will need to be sure that, if the
risk does occur in the future, then you will be able to deal with it when the time comes.
Because of this, it is best to accept risks only when the risk has a low chance of occurring
or will have minimal impact if it does occur.

Risk Transfer

A risk transferred via a contract to an external party who will assume the risk on an
organization’s behalf.'

Choosing to transfer a risk does not entirely eliminate it. The risk still exists, only the
responsibility for it shifts from your organisation to another.

An example of this would be travel insurance. You don’t accept the risk of a lost suitcase
or an accident abroad and the costs that this would bring you to pay a travel insurance
company to bear the financial consequences for you.

26
DEFINTION OF TERMS:

Risk Analysis - the process of identifying, assessing, and prioritizing potential threats or
uncertainties to achieve informed decision-making and mitigate adverse outcomes.

Interrelationship Approach - involves identifying how different risks are connected or dependent
on each other.

Direct Approach - involves treating all top-priority risks without analyzing their
interconnections.

Sourcing of Risks - the origin point from which potential risks may arise within a project or
enterprise.

Bow-Tie Analysis - a sophisticated risk assessment method that empowers users to not only
gauge the likelihood and gravity of risks but also to chronicle the origins of risks, quantify
potential impacts, delegate and track risk mitigations, and methodically assess the array of
elements contributing to an organization's total risk profile.

Risk Options and Action Plans - involve developing strategies to address identified risks, with
risk options focusing on potential responses to risks and action plans detailing specific steps to
mitigate or manage those risks.

Retain - involves the deliberate decision to assume and retain a certain level of risk rather than
avoid, reduce, or transfer it to another party through insurance or other means.

Reduce - the practice of decreasing both the probability and consequences of potential risks.

Exploit - refers to the act of taking advantage of a vulnerability or weakness in a system or

situation for one's own benefit.

Transfer - involves shifting the responsibility of a risk from one party to another, typically a
third party, as a technique in risk management.

Controls - a pervasive or specific impact to manage the risk. It could be system-based or people-
based or a combination of both.

Risk Management Strategies - addresses how organizations intend to assess risk, respond to
risk, and monitor risk—making explicit and transparent the risk perceptions that organizations
routinely use in making both investment and operational decisions.

27
REFERENCES

Metheny, M. (2013). Risk management. In Elsevier eBooks (pp. 169–194).

https://doi.org/10.1016/b978-1-59-749737-4.00006-x

What is a risk management strategy? (n.d.). https://www.ideagen.com/thought-

leadership/blog/what-is-a-risk-management-strategy

Team, C. (2023, October 4). Risk transfer. Corporate Finance Institute.

https://corporatefinanceinstitute.com/resources/career-map/sell-side/risk-management/risk-
transfer/#:~:text=Risk%20transfer%20refers%20to%20a,entity%20to%20an%20insurance%20c
ompany.

Insurance basics. (n.d.). Singlife Philippines. https://singlife.com.ph/insurance-basics/

Bharti AXA. (n.d.). Types of insurance. https://www.bhartiaxa.com/life-insurance/types-of-

insurance

Infinit-O. (2023, May 19). Top benefits of Outsourcing Risk Management Services. Infinit-O
Global. https://resourcecenter.infinit-o.com/blog/top-3-reasons-to-outsource-risk-
management/#:~:text=1.,is%20not%20on%20your%20payroll.

Fred, P. (2022, May 30). RISK RETENTION: definition and best strategies. GMU Consults.
https://gmuconsults.com/business/risk-retention/#:~:text=Risk-
retention%20is%20the%20decision%20of%20an%20individual%20or,risk%20to%20an%20insur
ance%20company%20by%20purchasing%20insurance.

Kenton, W. (2022, September 29). Accepting Risk: Definition, how it works, and alternatives.
Investopedia. https://www.investopedia.com/terms/a/accepting-risk.asp

Bot verification. (n.d.). https://www.ablison.com/what-is-risk-reduction/

The importance of risk management | SafetyCulture. (2024, March 8). SafetyCulture.

https://safetyculture.com/topics/risk-management/

28