
ERM - COSO FRAMEWORK

PrE: ENTERPRISE RISK MANAGEMENT

2nd Semester - SY: 2023-2024
TOPIC 8

INTRODUCTION & OVERVIEW

Enterprise risk management (ERM) is a process used by organizations to identify, assess, and
manage risks that could affect their business. The goal of ERM is to minimize the impact of adverse
events on an organization's financial performance, reputation, and ability to operate. ERM programs
typically involve identifying organizational risks, assessing their potential impact, and developing plans to
mitigate or transfer them. ERM can help organizations improve their decision-making, protect their value,
and build resiliency in the face of uncertainty. Many organizations use formal ERM frameworks, such as
the COSO framework or the ISO 31000 standard, to guide their efforts. Regardless of the approach used,
successful ERM programs require buy-in from senior leaders and ongoing communication between all
levels of the organization.

By taking a proactive approach to risk management, organizations can protect themselves from the
potentially devastating consequences of risk events. This module discusses how ERM benefits the
organization, how the COSO ERM Framework works, and how to identify risk events that may occur and
present risk to the firm.

OBJECTIVES

1. To know what ERM and the COSO ERM Framework are.
2. To understand the benefits of integrating ERM.
3. To identify and understand the different components and principles under the COSO ERM Framework.
4. To identify and explain various risk events that may occur and present risk to the firm.

GROUP 6
Leader: BASA, Joemarie J.
Members: ALLAS, John Mark S.
BADILLA, Vanna Sophia B.
DENUBO, Francheska Edmerey F.
MAGDAYAO, Ariane Gladys C.
MARANAN, Ziannuzzelli F.
PINGOL, Alexandra N.
UBARRE, Jeremy John C.

COSO Framework

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework is a
system used to establish internal controls to be integrated into business processes. Collectively, these
controls provide reasonable assurance that the organization is operating ethically, transparently and in
accordance with established industry standards.

COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an
independent private-sector initiative that studied the causal factors that can lead to fraudulent financial
reporting. It also developed recommendations for public companies and their independent auditors, for the
SEC and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in
the United States:

● American Accounting Association (AAA),
● American Institute of Certified Public Accountants (AICPA),
● Financial Executives International (FEI),
● Institute of Internal Auditors (IIA), and
● National Association of Accountants, now known as Institute of Management Accountants (IMA).

Wholly independent of each of the sponsoring organizations, the Commission included representatives
from industry, public accounting, investment firms, and the New York Stock Exchange.

The COSO framework was updated in 2013 to include the COSO cube, a 3-D diagram that demonstrates
how all elements of an internal control system are related. In 2017, the committee introduced their COSO
Enterprise Risk Management Framework. The COSO ERM Framework aims to help organizations understand
and prioritize risks and create a strong link between risk, strategy and how a business performs.

Enterprise Risk Management

Enterprise risk management (ERM) is the process of identifying and controlling situations and events that
may have an impact on a company's capacity to meet its goals. ERM is a systematic, cross-organizational
risk management system. It is a comprehensive approach to a company's culture, competencies, and
procedures rather than a department or function. ERM places a strong emphasis on departmental
collaboration in order to manage the entire variety of risks facing the organization rather than just reacting
to each incident separately.

BENEFITS OF ENTERPRISE RISK MANAGEMENT

An organization needs to identify challenges that lie ahead and adapt to meet those challenges. It
must engage in decision-making with an awareness of both the opportunities for creating value and the
risks that challenge the organization in creating value. In short, it must integrate enterprise risk
management practices with strategy-setting and performance management practices, and in doing so it
will realize benefits related to value. Benefits of integrating enterprise risk management include the ability
to:

1. Increase the range of opportunities: By considering all reasonable possibilities—both positive
and negative aspects of risk—management can identify opportunities for the entity and unique
challenges associated with current and future opportunities.

EXAMPLE: When the managers of a locally based food company considered potential risks likely to
affect the business objective of sustainable revenue growth, they determined that the company’s primary
consumers were becoming increasingly health conscious and changing their diet. This change indicated a
potential decline in future demand for the company’s current products. In response, management
identified ways to develop new products and improve existing ones, which allowed the company to
maintain revenue from existing customers (preserving value) and to create additional revenue by
appealing to a broader consumer base (creating value).

2. Increase positive outcomes and advantage while reducing negative surprises: Enterprise risk
management allows an organization to improve its ability to identify risks and establish
appropriate responses, increasing positive outcomes while reducing negative surprises and related
costs or losses.

EXAMPLE: A manufacturing company that provides just-in-time parts to customers for use in
production risks penalties for failing to deliver on time. In response to this risk, the company assessed its
internal shipping processes by reviewing time of day for deliveries, typical delivery routes, and
unscheduled repairs on the delivery fleet. It used the findings to set maintenance schedules for its fleet,
schedule deliveries outside of rush periods, and devise alternatives to key routes. Recognizing that not all
traffic delays can be avoided, it also developed protocols to warn clients of potential delays. In this case,
performance was improved by management influencing risk within its ability (production and scheduling)
and adapting to risks beyond its direct influence (traffic delays).

3. Identify and manage entity-wide risks: Every entity faces myriad risks that can impact many
parts of the entity. Sometimes a risk can originate in one part of the entity but affect a different
part. Management must identify and manage these entity-wide risks to sustain and improve
performance.

EXAMPLE: When a bank realized that it faced a variety of risks in trading activities, management
responded by developing a system to analyze internal transaction and market information that was
supported by relevant external information. The system provided an aggregate view of risks across all
trading activities, allowing drill-down capability to departments, customers, and traders. It also allowed
the bank to quantify the relative risks. The system met the entity’s enterprise risk management
requirements and allowed the bank to bring together previously disparate data to respond more effectively
to risks.

4. Reduce performance variability: For some entities, the challenge is less about surprises and
losses, and more about performance variability. Performing ahead of schedule or beyond
expectations may cause as much concern as performing below expectations.

EXAMPLE: Within a public transportation system, riders will be just as annoyed when a bus
or train departs ten minutes early as when it is ten minutes late: both can cause riders to miss connections.
To manage such variability, transit schedulers build natural pauses into the schedule. Drivers wait at
designated stops until a set time, regardless of when they arrive. This helps smooth out variability in
travel times and improve overall performance and rider views of the transit system. Enterprise risk
management allows organizations to anticipate the risks that would affect performance and enable them to
take action to minimize disruption.

5. Improve resource deployment: Obtaining robust information on risk allows management to
assess overall resource needs and helps to optimize resource allocation.

EXAMPLE: A downstream gas distribution company recognized that its aging infrastructure increased
the risk of a gas leak occurring. By looking at trends in gas leak–related data, the organization was able to
assess the risk across its distribution network. Management subsequently developed a plan to replace
worn-out infrastructure and repair those sections that had remaining useful life. This approach allowed the
company to maintain the integrity of the infrastructure while allocating significant additional resources
over a longer period of time.

6. Enhance enterprise resilience: An entity's medium- and long-term viability depends on its
ability to anticipate and respond to change, not only to survive but also to evolve and thrive. This
is, in part, enabled by effective enterprise risk management. It becomes increasingly important as
the pace of change accelerates and business complexity increases.

EXAMPLE:

Keep in mind that the benefits of integrating enterprise risk management practices with strategy setting
and performance management practices will vary by entity. There is no one-size-fits-all approach
available for all entities. However, implementing enterprise risk management practices will generally help
an organization achieve its performance and profitability targets and prevent or reduce the loss of
resources.

COSO ERM FRAMEWORK

1. Governance and Culture

Governance sets the tone for the organization and establishes oversight responsibilities for ERM.
Culture relates to ethical values, desired behaviors and understanding of risk.

There are five principles for this component.

● Exercises Board Risk Oversight – Risk governance and culture start at the top with the influence
and oversight of the board. Board members must be accountable and responsible for risk
oversight and possess the required skills, experience and business knowledge.

EXAMPLE: The board of a financial institution periodically reviews and defines the organization's risk
appetite statement. This statement outlines the level of risk the organization is willing to accept in pursuit
of its strategic objectives. Board members assess changes in the business environment, regulatory
landscape, and market conditions to ensure alignment between risk appetite and the company's
risk-taking activities.

● Establishes Operating Structures – Strategy is executed through the organization's operating structures
and the day-to-day operations that achieve business objectives. How the operating model is administered
and governed can introduce new and different risks or complexities.

EXAMPLE: A large financial institution establishes a Risk Management Committee composed of senior
executives from various departments, including risk management, finance, compliance, and operations.
This committee meets regularly to review the organization's risk management policies, procedures, and
practices. It oversees the identification, assessment, and mitigation of risks across different business units
and ensures alignment with the organization's risk appetite and strategic objectives.

● Defines Desired Culture – COSO frames desired behaviors within the context of culture, core
values and attitudes toward risk. Whether an organization considers itself to be risk averse, risk
neutral or risk aggressive, it should have a risk-aware culture.

EXAMPLE: The firm cultivates a risk-aware culture where all employees understand their role in
identifying, assessing, and mitigating risks relevant to their areas of responsibility. Employees are
encouraged to speak up about potential risks and concerns, fostering a culture of open communication
and accountability.

● Demonstrates Commitment to Core Values – Culture and tone at the top is defined by the
operating style and personal conduct of management and the board of directors and it must be
driven deep down into the organization.

EXAMPLE: The company invests in comprehensive training and development programs focused on
reinforcing core values and promoting ethical leadership. Employees receive training on topics such as
compliance, ethical decision-making, conflict resolution, and cultural sensitivity to equip them with the
skills and knowledge needed to uphold the organization's values in their daily work.

● Attracts, Develops and Retains Capable Individuals – Management must define the knowledge,
skills and experience needed to execute strategy; set appropriate performance targets; attract,
develop and retain appropriate personnel and strategic partners; and arrange for succession.

EXAMPLE: A Technology company defines its requirements through the company’s management that
identifies the specific knowledge, skills, and experience necessary to execute its strategic goals. For
instance, they may determine a need for software engineers proficient in machine learning and cloud
computing for their AI-focused initiatives.

2. Strategy and Objective-Setting

ERM, strategy and objective-setting work together in the strategic-planning process. Risk appetite
should be aligned with strategy and business objectives to successfully implement strategy.

The updated COSO framework elevates the discussion of strategy and the integration of ERM
with strategy by asserting that all aspects and implications of strategy need to be considered when setting
strategy. There are four principles for this component.

● Analyzes Business Context – The updated framework considers business context and the role of
internal and external stakeholders. The point is that management must consider risk from changes
in business context and adapt accordingly in executing strategy.

EXAMPLE: In response to changes in the business context, a retail company adapts its strategy
accordingly. This might involve revising product offerings to align with emerging consumer trends,
investing in technology to enhance the online shopping experience, or implementing cost-saving measures
to improve profitability.

● Defines Risk Appetite – The organization defines risk appetite in the context of creating,
preserving and realizing value. The risk appetite statement is considered during strategy setting,
communicated by management, embraced by the board and integrated across the organization.

EXAMPLE: A technology company defines its risk appetite in the context of creating, preserving, and
realizing value for its stakeholders, including shareholders, customers, employees, and the community.
The risk appetite statement reflects the company's willingness to take risks in pursuit of strategic
objectives while safeguarding its reputation and financial stability.

● Evaluates Alternative Strategies – Alternative strategies are built on different assumptions – and
those assumptions may be sensitive to change. The organization evaluates strategic options and
sets its strategy to enhance value, considering risk resulting from the strategy chosen.

EXAMPLE: Consider a global automotive manufacturer. One alternative strategy it could consider is
diversifying its product portfolio to include electric vehicles (EVs) and autonomous driving technologies.
The assumption is that there is a growing trend towards sustainability and automation in the automotive
industry, presenting opportunities for innovation and differentiation. However, the company acknowledges
the risks associated with investing in new technologies, including technological hurdles, uncertain
consumer adoption, and potential regulatory changes.

● Formulates Business Objectives – Management establishes objectives that align with and support
the strategy at various levels of the business. These objectives should consider, and be aligned
with, risk appetite.

EXAMPLE: In addition to operational objectives, the company sets financial objectives that align with its
risk appetite and strategic priorities. These may include targets for revenue growth, profitability margins,
return on investment (ROI), and cash flow generation. For instance, the company aims to achieve a
certain level of annual revenue growth while maintaining a healthy balance between risk and return.

3. Performance

Risks that could impact achievement of strategy and business objectives need to be identified and
assessed. These risks must be prioritized by severity in the context of risk appetite, so that risk
responses can be selected. The selected responses together form a portfolio view of risk. There are
five principles for this component.

● Identifies Risk – The organization identifies new and emerging risks, as well as changes to
known risks to the execution of its strategy. The risk identification process should consider risks
arising from a change in business context and risks currently existing but not yet known.

EXAMPLE: The financial services firm identifies market risk as a significant factor affecting the
execution of its strategy. This includes risks related to fluctuations in interest rates, foreign exchange
rates, equity prices, and commodity prices. The firm continuously monitors market conditions and
assesses the potential impact of macroeconomic factors, geopolitical events, and regulatory changes on
its business operations and financial performance.

● Assesses Severity of Risk – Depending on the anticipated severity of the risk, COSO suggests the
use of qualitative and quantitative approaches in assessment processes. Scenario analysis may be
appropriate in assessing risks that could have an extreme impact.

EXAMPLE: A significant risk for the pharmaceutical company is supply chain disruptions, particularly
those related to raw material shortages, manufacturing delays, and distribution challenges. To assess the
severity of this risk, the company utilizes scenario analysis in which it develops multiple scenarios
representing different types and magnitudes of supply chain disruptions, such as natural disasters,
geopolitical conflicts, or regulatory changes. For each scenario, the company evaluates the potential
impact on its ability to manufacture and deliver products to market, including potential delays in
production schedules, shortages of critical supplies, and reputational damage. By simulating various
supply chain disruptions and their corresponding effects on business operations, the company can identify
vulnerabilities and develop contingency plans to mitigate the impact of such events.

● Prioritizes Risk – The organization prioritizes risks as a basis for selecting risk responses using
appropriate criteria. Risk criteria might include adaptability, complexity, velocity, persistence and
recovery, as well as acceptable variation in performance.

EXAMPLE: The financial institution assesses the adaptability of each risk by evaluating its potential to
evolve over time and its impact on the organization's ability to respond effectively. Risks that are highly
adaptable, such as cybersecurity threats or regulatory changes, are prioritized as they may require
ongoing monitoring and adjustments to risk management strategies.

● Implements Risk Responses – Risk responses may accept, avoid, exploit, reduce and share risk.
In selecting risk responses, management considers such factors as the business context, costs and
benefits, severity of the risk, and the appetite for risk.

EXAMPLE: The technology company faces market risk due to fluctuations in demand, changes in
technology trends, and competitive pressures. In response, the company may implement risk avoidance by
diversifying its product portfolio and expanding into new markets and customer segments. By reducing its
reliance on a single market or product, the company mitigates the impact of market volatility and
enhances its resilience to economic downturns.

● Develops Portfolio View – The portfolio view is a composite view of the risks the organization faces
relative to its business objectives. It allows management and the board to consider the nature, likelihood,
severity, relative size and interdependencies of risks, and how they may affect performance. Using the
portfolio view, the organization identifies severe risks at the organizational and business unit level.
Business unit risk registers need to be aggregated so that they can be evaluated and prioritized across
business units into an enterprise risk profile. Assessing cyber risks alongside other types of risks and
overall business objectives enables proactive and effective risk decisions by company leadership.
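As an added illustration of the five Performance principles taken together (not part of the module or of COSO's own text), the Python below aggregates constructed business-unit risk registers into a portfolio view: it scores severity as likelihood × impact on an assumed 1-5 scale, prioritizes by severity and then velocity, flags risks above an assumed appetite ceiling, and shows where units chose different responses to the same entity-wide risk. The register rows, scales and appetite value are constructed.

```python
"""Portfolio view built from business-unit risk registers (added illustration).

The register entries, the 1-5 likelihood/impact/velocity scales and the appetite
ceiling are constructed assumptions, not values from the COSO framework or the module.
"""
from dataclasses import dataclass, field

# The five risk responses named under "Implements Risk Responses".
RESPONSES = {"accept", "avoid", "exploit", "reduce", "share"}


@dataclass(frozen=True)
class RegisterEntry:
    """One row of a business unit's risk register."""
    unit: str        # business unit that owns the entry
    risk: str        # common name, so the same risk can be aggregated across units
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (minor) .. 5 (severe), constructed scale
    velocity: int    # 1 (slow onset) .. 5 (immediate), one of the prioritization criteria
    response: str    # one of RESPONSES

    def __post_init__(self):
        for name in ("likelihood", "impact", "velocity"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown risk response: {self.response!r}")

    @property
    def severity(self) -> int:
        """Severity as likelihood x impact on the constructed 1-25 scale."""
        return self.likelihood * self.impact


@dataclass
class EnterpriseRisk:
    """One line of the enterprise risk profile (the portfolio view)."""
    risk: str
    units: list = field(default_factory=list)
    severity: int = 0   # worst single-unit severity: the entity is as exposed as its most exposed unit
    velocity: int = 0   # fastest onset reported by any unit
    responses: set = field(default_factory=set)


def build_portfolio_view(entries, appetite):
    """Aggregate unit registers into an enterprise profile and flag appetite breaches.

    The profile is prioritized by severity, then velocity, then how many units are
    exposed. `appetite` is the constructed severity ceiling the board accepts.
    Returns (profile, breaches).
    """
    by_risk = {}
    for entry in entries:
        agg = by_risk.setdefault(entry.risk, EnterpriseRisk(entry.risk))
        agg.units.append(entry.unit)
        agg.severity = max(agg.severity, entry.severity)
        agg.velocity = max(agg.velocity, entry.velocity)
        agg.responses.add(entry.response)
    profile = sorted(
        by_risk.values(),
        key=lambda r: (r.severity, r.velocity, len(r.units)),
        reverse=True,
    )
    breaches = [r for r in profile if r.severity > appetite]
    return profile, breaches


def inconsistent_responses(profile):
    """Entity-wide risks where units chose different responses to the same risk.

    These are candidates for an enterprise-level decision rather than
    unit-by-unit handling.
    """
    return {r.risk: sorted(r.responses) for r in profile if len(r.responses) > 1}


# Constructed sample registers from three business units.
CONSTRUCTED_REGISTERS = [
    RegisterEntry("Retail", "ransomware", 3, 5, 5, "reduce"),
    RegisterEntry("Treasury", "ransomware", 2, 5, 5, "share"),  # e.g. shared via insurance
    RegisterEntry("Retail", "fx volatility", 4, 2, 2, "accept"),
    RegisterEntry("Treasury", "fx volatility", 4, 3, 2, "reduce"),
    RegisterEntry("Logistics", "supplier outage", 3, 3, 3, "reduce"),
    RegisterEntry("Logistics", "ev fleet transition", 2, 2, 1, "exploit"),
]
APPETITE = 12  # constructed: severity above 12 of 25 exceeds board appetite

if __name__ == "__main__":
    profile, breaches = build_portfolio_view(CONSTRUCTED_REGISTERS, APPETITE)
    for r in profile:
        print(f"{r.risk:20} severity={r.severity:2} velocity={r.velocity} units={r.units}")
    print("above appetite:", [r.risk for r in breaches])
    print("mixed responses:", inconsistent_responses(profile))
```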

4. Review and Revision

The fourth component focuses on monitoring risk management performance. Effective
monitoring provides insight into the relationship between risk and performance, how strategic risks are
affecting performance, and emerging risks. By reviewing organization performance, an organization can
consider how well the ERM components are functioning over time and following substantial change, and
what revisions are necessary. There are three principles for this component.

● Assesses Substantial Change – Change can create significant competitor performance gaps or
invalidate critical assumptions underlying strategy. Monitoring substantial change is built into
business processes in the ordinary course of running the business.

EXAMPLE: Reviewing the plan for integrating a newly acquired joint business venture may identify the
need for future enhancements of information technology.

Organizations consider how change can affect enterprise risk management and the achievement of
strategy and business objectives. This requires identifying internal and external environmental changes
related to the business context as well as changes in culture. Some examples of substantial change in both
the internal and external environment are highlighted below.

INTERNAL ENVIRONMENT
● Rapid Growth. When operations expand quickly, existing structures, business activities,
information systems, or resources may be affected.

EXAMPLE: Supervisors may not successfully adapt to higher activity levels that require adding
manufacturing shifts or increasing personnel.

● Innovation. Whenever innovation is introduced, risk responses and management actions will
likely need to be modified.

EXAMPLE: A new system of using mobile devices that captures previously unavailable sales
information gives management the ability to monitor performance, forecast potential sales, and
make real-time inventory decisions.

● Substantial changes in leadership personnel. A change in management may affect enterprise
risk management.

EXAMPLE: A newcomer to management may not understand the entity’s culture and may have a
different philosophy, or may focus solely on performance to the exclusion of risk appetite or
tolerance.

EXTERNAL ENVIRONMENT
● Changing regulatory or economic environment. Changes to regulations or in the economy can
result in increased competitive pressures, changes in operating requirements, and different risks.
If a large-scale failure in operations, reporting, and compliance occurs in one entity, regulators
may introduce broad regulations that affect all entities within an industry.

EXAMPLE: If toxic material is released in a populated or environmentally sensitive area, new
industry-wide transportation restrictions may be introduced that affect an entity’s shipping
logistics.

● Reviews Risk and Performance – Risk responses must be evaluated to ensure they are
performing as intended. The task of assessing risk responses is typically owned by those
accountable for the effective management of identified risks and by assurance providers.
Performance is affected because of the inherent nature of risk, which an organization cannot
predict with complete accuracy. By reviewing performance, organizations seek answers to
questions such as:

Has the entity performed as expected and achieved its target? The organization identifies variances that
have occurred and considers what may have contributed to them.

EXAMPLE: Consider an entity that has committed to opening five new office locations every year to
support its longer-term growth strategy to build a presence across the country. The organization has
determined that it could continue to achieve its strategy with only three offices opening, and would be
taking on more risk than desired if it opened seven or more offices. The organization therefore monitors
performance and determines whether the entity has opened the expected number of offices, and how those
new offices are performing. If the growth is below plan, the organization may need to revisit the strategy.

What risks are occurring that may be affecting performance? Reviewing performance confirms whether
risks were previously identified, or whether new, emerging risks have occurred. The organization also
reviews whether the actual risk levels are within the boundaries established for tolerance.

EXAMPLE: Reviewing performance helps confirm that the risk of delays due to additional permit
requirements for construction did occur and affected the number of new offices opened, and whether the
number of offices to be opened is still within the range of acceptable performance.

Was the entity taking enough risk to attain its target? Where an entity has failed to meet its target, the
organization needs to determine if the failure is due to risks that are impacting the achievement of the
target or insufficient risk being taken to support the achievement of the target.

EXAMPLE: Using the same example, suppose the entity opens only three offices. In this case,
management observes that the planning and logistics teams are operating below capacity and that other
resources set aside to support the opening of new offices have remained unused. Insufficient risk was
taken by the entity despite having allocated resources.

Was the estimate of the amount of risk accurate? When risk has not been assessed accurately, the
organization asks why. To answer that question, the organization must challenge the understanding of the
business context and the assumptions underpinning the initial assessment. It must also determine whether
new information has become available that would help refine the assessment.

EXAMPLE: Suppose the example entity opens five offices and observes that the estimated amount of risk
was too low compared to the types and amount of risk that have occurred (e.g., more problems, delays,
and unexpected events than initially assessed).

● Pursues Improvement in ERM – ERM should be improved continuously over time. Even mature
ERM processes can become more efficient and effective in increasing their value. Embedding
continuous evaluations can systematically identify improvements. Management pursues continual
improvement throughout the entity (functions, operating units, divisions) to improve the
efficiency and usefulness of enterprise risk management at all levels. Opportunities to revisit and
improve efficiency and usefulness may occur in any of the following areas:

New technology: New technology may offer an opportunity to improve efficiency.

EXAMPLE: An entity that uses customer satisfaction data finds it voluminous to process. To improve
efficiency it implements a new data-mining technology that pinpoints key data points quickly and
accurately.

Historical shortcomings: Reviewing performance can identify historical shortcomings or the causes of
past failures, and that information can be used to improve enterprise risk management.

EXAMPLE: Management in an entity observes that there have been shortcomings noted over time related
to risk assessment. Although management compensates for these, the organization decides to improve its
risk assessment practices to reduce the number of shortcomings and enhance enterprise risk management.

Organizational change: By pursuing continual improvement, an organization can identify the need for
organizational changes such as a change in the governance structure.

EXAMPLE: An enterprise risk management function reports to the chief financial officer, but when the
entity redevelops its strategy group, it decides to realign the responsibility for enterprise risk management
to that reorganized group.

5. Information, Communication and Reporting

ERM requires a continual process of obtaining and sharing relevant information, from both
internal and external sources. The final component recognizes this vital need: information for
decision-making must flow up, down and across the organization and provide insight to key
stakeholders. It is important that organizations provide the right information, in the right form,
at the right level of detail, to the right people, at the right time. There are three principles for this
component.

● Leverages Information and Technology – Information systems provide the organization with the
data and information to support ERM. Factors influencing technology selection include the
strategy, marketplace needs, competitive requirements, and the associated costs and benefits.

Organizations consider what information is available to management, what information systems and
technology are in use for capturing that information (which may be more than is needed), and what the
costs are of obtaining that information. Management and other personnel can then identify how
information supports the enterprise risk management practices, which may include any of the following:

• For governance and culture-related practices, the organization may need information on the standards
of conduct and individual performance in relation to those standards.
• For strategy and objective-setting related practices, the organization may need information on
stakeholder expectations of risk appetite.
• For performance-related practices, organizations may need information on their competitors to assess
changes in the amount of risk.
• For review and revision-related practices, organizations may need information on emerging trends in
enterprise risk management.

● Communicates Risk Information – The organization reports on risk at multiple levels across the
organization. Organizations use different channels to communicate risk data and information to
internal and external stakeholders.

Various channels are available to the organization for communicating risk data and information to
internal and external stakeholders. These channels enable organizations to provide relevant information
for use in decision-making.

Internally, management communicates the entity’s strategy and business objectives clearly throughout the
organization so that all personnel at all levels understand their individual roles. Specifically,
communication channels enable management to convey:

• The importance, relevance, and value of enterprise risk management.
• The characteristics, desired behaviors, and core values that define the culture of the entity.
• The strategy and business objectives of the entity.
• The risk appetite and tolerance.
• The overarching expectations of management and personnel in relation to enterprise risk and
performance management.
• The expectations of the organization on any important matters relating to enterprise risk management,
including instances of weakness, deterioration, or non-adherence.

Methods of Communicating
Communication methods vary widely, from holding face-to-face meetings, to posting messages
on the entity’s intranet, to announcing a new product at an industry convention, to broadcasting to
shareholders globally through social media and newswires. Communication methods can take the form of:

• Electronic messages (e.g., emails, social media, text messages, instant messaging).
• External/third-party materials (e.g., industry, trade, and professional journals, media reports, peer
company websites, key internal and external indexes).
• Informal/verbal communications (e.g., one-on-one discussions, meetings).
• Public events (e.g., roadshows, town hall meetings, industry/technical conferences).
• Training and seminars (e.g., live or on-line training, webcast and other video forms, workshops).
• Written internal documents (e.g., briefing documents, dashboards, performance evaluations,
presentations, questionnaires and surveys, policies and procedures, FAQs).

● Reports on Risk, Culture and Performance – Risk reporting encompasses information required
to support decision-making and enable the board and others to fulfill their risk oversight
responsibilities. There are many different types of reports on risk, culture and performance.

Reporting supports personnel at all levels to understand the relationships between risk, culture,
and performance and to improve decision-making in strategy- and objective-setting, governance, and
day-to-day operations. Reporting requirements depend on the needs of the report user. Report users may
include:

• Management and the board of directors
• Risk owners
• Assurance providers
• External stakeholders (regulators, rating agencies, community groups, and others)
• Other parties that require reporting of risk in order to fulfill their roles and responsibilities

Types of Reporting

Risk reporting may include any or all of the following:

• Analysis of root causes enables users to understand assumptions and changes underpinning the portfolio
and profile views of risk.

• Sensitivity analysis measures the sensitivity of changes in key assumptions embedded in strategy and the
potential effect on strategy and business objectives.

• Analysis of new, emerging, and changing risks provides the forward-looking view to anticipate changes
to the risk inventory, effects on resource requirements and allocation, and the anticipated performance of
the entity.

• Trend analysis demonstrates movements and changes in the portfolio view of risk, risk profile, and
performance of the entity.

• Tracking enterprise risk management plans and initiatives provides a summary of the plan and
initiatives in establishing or maintaining enterprise risk management practices. Investment in resources,
and the urgency by which initiatives are completed, may also reflect the commitment to enterprise risk
management and culture by organizational leaders in responding to risks.

RISK EVENTS

Risk events are the specific events or occurrences that have the potential to affect the achievement of
an organization's objectives. They play a crucial role in identifying, assessing and managing risk within
an organization. The COSO ERM framework provides a structured approach to understanding and managing
risk events in alignment with the organization's objectives and risk appetite. In short, a risk event is
any event or situation that could either help or harm what the organization is trying to accomplish.

EXAMPLE: Imagine you're planning an outdoor event like a picnic. One risk event could be rain. If it
rains on the day of your picnic, it could spoil the event and affect your enjoyment. On the other hand, a
pleasant sunny day would be a positive risk event that could enhance the experience.

Risk events may be external or internal to the firm, and both kinds may already exist or may arise later.

Examples of External Risks:

1. Natural disasters, particularly those common in the area of operations
2. External computer hacking
3. Technological change making current offerings obsolete
4. Competitive pressure
5. Relationships with key suppliers and/or customers
6. Risk of political issues disrupting operations

Examples of Internal Risks:

1. Fraud and collusion by employees
2. Management departures
3. Employee morale
4. Liquidity and solvency concerns

Firms can construct a portfolio of different activities, products, services, and strategies to mitigate
the impact of a single event on the overall risk management program.

Diversification - the practice of spreading investments around so that exposure to any one type of asset is
limited. This practice is designed to help reduce the volatility of a portfolio over time. It is one way
to balance risk and reward in an investment portfolio.

Volatility - often refers to the fluctuation in the price of stocks, bonds, or other financial assets. If the price
of a stock goes up and down a lot in a short period, it's considered highly volatile. But if the price changes
more slowly and steadily, it's less volatile.

1. Diversification within an organization can take many different forms.

a. A manufacturing company may offer repair services with products or serve
customers in different industries to lessen the impact of lower sales in one line of
business.

EXAMPLE: PAPASA BA AKO COMPANY that manufactures and sells smartphones. To mitigate
the risk of lower sales in its smartphone line, it also offers repair services for not only its own
products but also for various electronic devices from other manufacturers. Additionally, PAPASA
BA AKO COMPANY expands its customer base by providing electronic components to industries
such as automotive, healthcare, and telecommunications.

How does it mitigate risks?

i. Revenue Stability: By offering repair services alongside product sales, the company keeps a
more consistent revenue stream even if smartphone sales decline.
ii. Customer Base Diversification: Serving multiple industries reduces reliance on a single
market. If smartphone sales decrease, revenue from selling components to other industries can
offset the impact.

In essence, diversification allows the company to spread its risks across different revenue streams
and customer segments, ensuring financial stability even if one line of business faces challenges.

b. A service organization may serve customers in different industries or offer different
services to protect itself in the event of a slowdown in one particular area.

1. Accounting firms may offer audit and tax services, which are needed in any
economic climate, in addition to technology and consulting services, which
may be more dependent on strong economic conditions.

EXAMPLE: PAPASA BA AKO, an Accounting firm, offers audit and tax services. In addition, the
firm provides technology and consulting services. While these services may be more in demand
during strong economic conditions when businesses are investing more in growth and efficiency,
they offer an additional revenue stream.

How does it mitigate risks?

i. Stability: Audit and tax services are essential regardless of economic conditions because
businesses must comply with regulations and pay taxes no matter the economic climate. This gives
the firm a steady income stream.
ii. Diversification: By offering technology and consulting services, the firm diversifies its revenue
sources. If demand for these services declines during economic downturns, revenue from audit
and tax services can help mitigate the impact.

In simple terms, the firm reduces risks by offering services that are necessary regardless of
economic conditions alongside those that are more dependent on strong economic periods,
ensuring a balanced revenue stream and financial stability.

2. A web design firm may also offer graphic design or logo design to lessen the
impact of businesses not requiring web design services.

EXAMPLE: CreativeWeb primarily offers web design services, but to mitigate the risk of
businesses not requiring web design at a given time, it also provides graphic design and logo
design services.

How does it mitigate the risk?

i. Diversification of Services: By offering graphic design and logo design services in addition to
web design, CreativeWeb diversifies its offerings. If businesses are not actively seeking web
design services, they may still require graphic design or logo design services.
ii. Broader Client/Customer Base: Offering multiple services attracts a broader range of clients.
Some clients may specifically seek web design services, while others may be more interested in
graphic design or logo design. This diversification lets CreativeWeb cater to different
client needs, reducing the impact of fluctuations in demand for web design services.

By offering a variety of design services, CreativeWeb spreads its risk and ensures a more stable
stream of clients and revenue, even if businesses are not currently focused on web design.

2. Firms with strong portfolios of different activities and risk management tools can rely on the
strength of their other areas to offset risks in riskier areas.

Asset Allocations Chart

In the chart given, we can observe that:

- The more aggressive the allocation, the higher its expected return and the higher its volatility.
- The more conservative the allocation, the lower its expected return and the lower its volatility.

The primary goal of diversification isn't to maximize returns. Its primary goal is to limit the impact of
volatility on a portfolio.
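The claim above can be checked numerically. The following is an added example, not part of the original module or the cited sources: it uses constructed (made-up) return series for three hypothetical holdings, computes each portfolio's volatility as the standard deviation of its period returns, and compares a concentrated portfolio with an equal-weight mix. It also shows the caveat the text does not spell out: holdings that move in lockstep give no diversification benefit at all. The function names and sample figures are illustrative assumptions.

```python
"""Added example (not from the original page): measuring the
diversification effect described in the text.

Portfolio volatility is the standard deviation of the portfolio's period
returns. Returns combine linearly but standard deviations do not, so a mix
of assets that do not move together has a volatility below the weighted
average of its parts, while its mean return is exactly that weighted
average. All return series below are constructed sample data, not market
figures.
"""
from statistics import mean, pstdev

# Constructed annual returns (as fractions) for three hypothetical holdings.
RETURNS = {
    "stocks":   [0.30, -0.20, 0.25, -0.10, 0.20, 0.15, -0.25, 0.30],
    "bonds":    [0.03,  0.05, 0.02,  0.06, 0.04, 0.03,  0.07, 0.02],
    "property": [0.10,  0.05, -0.05, 0.12, 0.08, -0.02, 0.09, 0.04],
}


def portfolio_returns(weights, returns):
    """Period-by-period return of a portfolio with the given weights.

    weights maps asset name -> fraction of the portfolio (must sum to 1).
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    periods = {len(returns[a]) for a in weights}
    if len(periods) != 1:
        raise ValueError("all return series must cover the same periods")
    n = periods.pop()
    return [sum(w * returns[a][t] for a, w in weights.items()) for t in range(n)]


def summarize(weights, returns=RETURNS):
    """Mean return and volatility (population std. dev.) of a portfolio."""
    series = portfolio_returns(weights, returns)
    return {"mean": mean(series), "volatility": pstdev(series)}


def diversification_benefit(weights, returns=RETURNS):
    """Weighted-average volatility of the components minus the portfolio's
    own volatility. Positive: the mix is less volatile than its parts.
    Zero: the components move in lockstep and diversification buys nothing.
    """
    avg_vol = sum(w * pstdev(returns[a]) for a, w in weights.items())
    return avg_vol - summarize(weights, returns)["volatility"]


if __name__ == "__main__":
    concentrated = {"stocks": 1.0}
    balanced = {"stocks": 1 / 3, "bonds": 1 / 3, "property": 1 / 3}
    for label, w in (("all stocks", concentrated), ("equal weight", balanced)):
        s = summarize(w)
        print(f"{label:13s} mean={s['mean']:.4f} volatility={s['volatility']:.4f}")
    print(f"diversification benefit (equal weight): "
          f"{diversification_benefit(balanced):.4f}")

    # Caveat: perfectly correlated holdings (b is always 2x a) do not diversify.
    lockstep = {"a": [0.10, -0.05, 0.20, 0.00], "b": [0.20, -0.10, 0.40, 0.00]}
    print(f"benefit with lockstep assets: "
          f"{diversification_benefit({'a': 0.5, 'b': 0.5}, lockstep):.4f}")
```

The equal-weight mix reports a lower volatility than the all-stocks portfolio and a mean return equal to the average of the three component means, which is the trade-off the text describes: diversification does not raise the expected return, it narrows the swings around it. The lockstep case prints a benefit of zero, the reminder that spreading money across holdings only works when those holdings respond differently to the same events.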
REFERENCES:

● https://online.jwu.edu/blog/8-benefits-enterprise-risk-management/
● https://www.youtube.com/watch?v=lWBqjdNXrV0&t=11s
● https://www.youtube.com/watch?v=bhkWu4DWTfI&list=PLxP0KZzCGFYP5brx0TY8MsqrNukoskREc&index=2
● https://www.youtube.com/watch?v=hZkX1T5I4aY&list=PLxP0KZzCGFYP5brx0TY8MsqrNukoskREc&index=3
● https://www.youtube.com/watch?v=BqYG_WRYVo4&list=PLxP0KZzCGFYP5brx0TY8MsqrNukoskREc&index=4
● https://www.youtube.com/watch?v=6-j9IOs9-vA&list=PLxP0KZzCGFYP5brx0TY8MsqrNukoskREc&index=5
● https://www.fidelity.com/learning-center/investment-products/mutual-funds/diversification
● Everson, M. E. A., Chesley, D., Martens, F. J., et al. (2017). Enterprise Risk Management: Integrating
with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission (COSO).