Erm Reviewer

Uploaded by

Daniel Sanchez
ERM REVIEWER

DEFINITION OF ERM

Enterprise Risk Management (ERM) is, in its simplest definition, risk management practiced at
the enterprise level. It puts the core strategic mission of the enterprise at the center of the
discussion, driving all possible responses to potential risks in a holistic approach. This has not
always been the case. The ever-increasing complexity of the world is engendering new and
sometimes previously unimagined risks, ones that don’t always fall within what was considered
traditional risk management practice. The need for a different approach had become
increasingly clear over the last two decades or so, and ERM emerged to the fore as a response
to these new challenges. ERM is still evolving, a fitting testament to the fact that ERM is itself an
ongoing process and not a one-time project. This section will describe the history of risk
management as a backdrop to better understand what is now considered cutting-edge ERM.

Benefits of implementing ERM:

The benefits include providing an integrated view of risks. ERM provides a comprehensive
framework for assessing risks across all areas of the business, including strategic, financial,
operational, compliance, and business risks. This integrated view enables the business to identify
the interconnected risks that may affect its overall objectives and performance. It also helps the
business anticipate and mitigate risks before they escalate into a crisis: by assessing each risk's
likelihood and impact, the business can implement a mitigation plan that reduces its
vulnerabilities and enhances its resilience.

RISK MANAGEMENT

Risk Management is the process of measuring or assessing risk and then developing strategies
to manage that risk.

The traditional view of risk management has protected the organization from loss through
conformance procedures and hedging techniques. This is about avoiding the downside. The
new approach to risk management is about "seeking the upside while managing the downside."
Anytime there is a possibility of loss (risk), there should be an opportunity for profit.

Risk management is an essential process because it gives a business the tools it needs to
identify and deal with potential risks adequately. Once a risk has been identified, it is
then easier to mitigate it. In addition, risk management provides a business with a basis upon
which it can undertake sound decision-making. For a business, assessing and managing
risks is the best way to prepare for eventualities that may arise in the course of its progress and growth.
When a company evaluates its plan for handling potential threats and then develops structures
to address them, it improves its odds of becoming a successful entity.

DIFFERENT KINDS OF RISKS

Business risk—The possibility that an organization either will have a lower profit than expected
or will experience a loss instead of a profit.

Hazard risk—The risk that the workplace environment or a natural disaster can disrupt the
operations of an organization.

Financial risk—The risk that an organization's cash flow will not satisfy the shareholders' ability
to recover the cash invested in the business, particularly when the organization carries debt.

Operational risk—The risk of loss for an organization occurring from inadequate systems,
processes, or external events.

Strategic risk—The risk that a company's strategy will not be sufficient for the organization to
achieve its objectives and maximize shareholder value.

Legal risk—The risk that litigation (either civil or criminal) can negatively affect the organization.

Compliance risk—The risk associated with the organization's ability to meet rules and
regulations set forth by governmental agencies.

Political risk—The risk that political influence and decisions may impact the profitability and
effectiveness of an organization.

Inherent risk—Broad term for all the risk a firm faces without any controls applied to business
activities or processes.

Residual risk—Broad term for the level of risk a firm faces after controls are applied and
assumptions about their effectiveness are made.

RISK MANAGEMENT PROCESSES

Risk management is the process of identifying, assessing, and controlling threats to an
organization's capital and earnings. These threats, or risks, could stem from a wide variety of
sources, including financial uncertainty, legal liabilities, strategic management errors, accidents,
and natural disasters.

Step 1: Risk Identification


Risk identification seeks to identify as many threats as possible without evaluating them. Risk
identification will naturally drive the process to include as many individuals from the organization
as possible, especially those with specific detailed information about the particular risk area
being considered. For example, a strategic risk assessment would involve senior management,
senior finance people, and the strategic planning area.

Internal Risk Factors
• Communication methods
• Risk assessment activities
• Appropriateness of internal control activities
• Labor relations
• Training and capability of the employees
• Degree of supervision of employees
• Operational risks
• Financial risks
• Strategic risks

External Risk Factors
• Regulatory changes
• Industry competition
• Relationships with key suppliers
• Relationships with customers
• Recruiting and hiring activities
• International risk
• Hazard risks

Step 2: Risk Assessment


Risk assessment is a forward-looking survey of the business environment to identify anything
that could prevent the accomplishment of organizational objectives. Risk assessment involves
the identification of internal and external means that could potentially defeat the organization's
internal control structure, compromise assets, or diminish the organization's financial viability. It
is a creative process covering both risk identification and risk response. It involves identifying as
many potential threats as possible and evaluating them to determine the proper response (i.e.,
which require action and the priority for that action). The risk response process also should
estimate the probability of each threat occurring.

Risk assessment is the process of analyzing the potential effects of identified risks. Risks are
analyzed, considering likelihood and impact, as a basis for determining how they should be
managed.

1. Impact. The effect the risk occurrence would have on the organization's objective if it were to
occur. For example, what loss would happen if a particular risk factor occurred and was not
detected and corrected?

2. Likelihood. The probability or chance that the risk actually will occur.

Risk assessment is a function of the organization's risk appetite and the estimate of potential
risk. Risk appetite is the level of risk the organization is willing to accept, given its mission and
business model. The organization's risk appetite determines how management will manage
risks.

Probabilistic or non-probabilistic models may be used to quantify risk.


Management uses qualitative techniques to assess risk when risks do not lend themselves to
quantification or when sufficient reliable data is not available to use a quantitative model.
Non-probabilistic models use subjective assumptions to estimate the impact of events without
quantifying an associated likelihood. Examples of non-probabilistic models include sensitivity
measures and stress tests. Probabilistic models associate a range of events and the resulting
impact with the likelihood of those events based on certain assumptions. Examples of
probabilistic models include VaR and the development of credit and operational loss
distributions.

How to compute probabilities (example in module 2):

Assessing risk generally involves the use of probabilities. For example, if there is a 40% chance
that a company will suffer a 1,000,000 loss and a 60% chance that the company will suffer a
300,000 loss:

1,000,000 loss at 40% = 1,000,000 x .40 = 400,000
300,000 loss at 60% = 300,000 x .60 = 180,000

The expected loss can be estimated as 400,000 + 180,000 = 580,000.

(example in midterm exam)

Company A

Scenario      Expected Loss   Likelihood
Minor         $100,000        80%
Moderate      $400,000        15%
Significant   $1,900,000      5%

If the company experienced a loss of $400,000 from this data breach, what is the unexpected
loss from the breach?

Solution:
100,000 x .80 = 80,000
400,000 x .15 = 60,000
1,900,000 x .05 = 95,000
Expected loss = 235,000
Unexpected loss = 400,000 (actual loss) - 235,000 (expected loss) = $165,000

Company B

Scenario      Expected Loss   Likelihood
Minor         $150,000        60%
Moderate      $450,000        30%
Significant   $2,100,000      10%

What is the maximum possible loss from the breach?

Solution:
150,000 x .60 = 90,000
450,000 x .30 = 135,000
2,100,000 x .10 = 210,000
The maximum possible loss is $435,000
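The expected-loss arithmetic above, carried through in Python as an added example (not part of the reviewer): the scenario tables are the ones quoted, while the function names and the likelihood sanity check are my own.

```python
# Constructed from the reviewer's figures: each scenario is (name, loss, likelihood).
TWO_OUTCOME = [("large loss", 1_000_000, 0.40), ("small loss", 300_000, 0.60)]

COMPANY_A = [("Minor", 100_000, 0.80), ("Moderate", 400_000, 0.15),
             ("Significant", 1_900_000, 0.05)]
COMPANY_B = [("Minor", 150_000, 0.60), ("Moderate", 450_000, 0.30),
             ("Significant", 2_100_000, 0.10)]


def check_scenarios(scenarios):
    """Reject a table whose likelihoods fall outside [0, 1] or do not sum to 1;
    such a table is a data-entry error, not a loss distribution."""
    total = 0.0
    for name, loss, likelihood in scenarios:
        if not 0.0 <= likelihood <= 1.0:
            raise ValueError(f"{name}: likelihood {likelihood} outside [0, 1]")
        if loss < 0:
            raise ValueError(f"{name}: negative loss {loss}")
        total += likelihood
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"likelihoods sum to {total:.4f}, not 1")


def loss_breakdown(scenarios):
    """Per-scenario contribution (loss x likelihood), in table order, matching the
    reviewer's line-by-line solutions."""
    check_scenarios(scenarios)
    return [(name, loss * likelihood) for name, loss, likelihood in scenarios]


def expected_loss(scenarios):
    """Probability-weighted loss: the sum of loss x likelihood over all scenarios."""
    return sum(part for _, part in loss_breakdown(scenarios))


def unexpected_loss(scenarios, actual_loss):
    """Actual loss minus expected loss: positive when the realised loss exceeded
    what the table predicted, negative when it came in under."""
    return actual_loss - expected_loss(scenarios)


def largest_scenario_loss(scenarios):
    """The single worst loss amount listed in the table, for a worst-case view."""
    return max(loss for _, loss, _ in scenarios)


if __name__ == "__main__":
    tables = (("Module 2 example", TWO_OUTCOME), ("Company A", COMPANY_A),
              ("Company B", COMPANY_B))
    for label, table in tables:
        for name, part in loss_breakdown(table):
            print(f"{label}: {name:12s} {part:>12,.0f}")
        print(f"{label}: expected loss {expected_loss(table):,.0f}")
    actual = 400_000
    print(f"Company A unexpected loss on a {actual:,} actual loss: "
          f"{unexpected_loss(COMPANY_A, actual):,.0f}")
```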

Step 3: Risk Prioritization


In the risk prioritization step, the overall set of identified risk events, their impact assessments,
and their probabilities of occurrences are "processed" to derive a most-to-least-critical rank
order of identified risks. A significant purpose of prioritizing risks is to form a basis for allocating
resources. An organization's risk attitude is made up of a combination of its risk appetite, risk
tolerance, and risk threshold.

These three attributes are defined as:


a) Risk Appetite: The degree of uncertainty an entity is prepared to accept in pursuit of its
objectives.
b) Risk Tolerance: The degree, amount, or volume of risk impact that an organization or
individual will withstand.
c) Risk Threshold: The level of uncertainty or impact at which a stakeholder will have a specific
interest. Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold,
the stakeholder will not accept the risk.

Step 4: Risk Response Formulation


Risk response involves reducing risks to an acceptable level by employing the following tactics:

Avoidance
Risk is avoided when the organization refuses to accept it. The exposure is not permitted to
come into existence. This step is accomplished by simply not engaging in the action that gives
rise to risk. If you do not want to risk losing your savings in a hazardous venture, then pick one
where there is less risk. If you want to avoid the risks associated with property ownership, do not
purchase property but lease or rent. If the use of a particular product is hazardous, then do not
manufacture or sell it.

This is a negative rather than a positive technique. It is sometimes an unsatisfactory approach
to dealing with many risks. If risk avoidance were used extensively, the business would be
deprived of many profit opportunities and probably would not achieve its objectives.

Reduction
This response involves taking action to reduce risk likelihood or impact, or both. Risk can be
reduced in 2 ways—through loss prevention and control. Examples of risk reduction are medical
care, fire departments, night security guards, sprinkler systems, burglar alarms—attempts to
deal with risk by preventing the loss or reducing the chance that it will occur. Some techniques
are used to avoid the occurrence of the loss, and other methods like sprinkler systems are
intended to control the severity of the loss if it does happen. No matter how hard we try, it is
impossible to prevent all losses. The loss prevention technique cannot cost more than the
losses.

Acceptance
This step is sometimes called risk retention. It is the most common method of dealing with risk.
Organizations and individuals face an almost unlimited number of risks, and in most cases,
nothing is done about them. When some positive action is not taken to avoid, reduce, or transfer
the risk, the possibility of loss involved in that risk is retained. Risk Retention can be conscious
or unconscious. Conscious risk retention takes place when the risk is perceived and not
transferred or reduced. When the risk is not recognized, it is unconsciously retained—the
person retains the financial risk without realizing that he or she is doing so.

Risk-retention may be voluntary or involuntary. Voluntary risk retention is when the risk is
recognized, and there is an agreement to assume the losses involved. This is done when there
are no more attractive alternatives. Involuntary risk retention occurs when risks are
unconsciously retained or cannot be avoided, transferred, or reduced. Risk-retention may be the
best way. Everyone decides which risks to retain and which to avoid or transfer. A person may
not be able to bear the loss. What may be a financial disaster for one may be handled by
another. As a general rule, the only risks that should be retained are those that can lead to
relatively small certain losses.

Transfer
Risk may be transferred to someone more willing to bear the risk. The transfer may be used to
deal with both speculative and pure risk. One example is hedging; hedging is a method of risk
transfer accomplished by buying and selling for future delivery so that dealers and processors
protect themselves against a decline or increase in market price between the time they buy a
product and sell it. Pure risks may be transferred through contracts, like a hold harmless
agreement where one individual assumes another's possibility of loss. Contractual agreements
are common in the construction industry. They are also used between manufacturers and
retailers about product liability exposure. Insurance is also a means of transferring risk. In
consideration of payment or premium by one party, the second party contracts to indemnify the
first party up to a specific limit for the specified loss.

Sharing
For example, consider a manufacturer that contracts with a sole supplier for a particular product.
Management might consider a scenario in which a natural disaster disrupts the supplier's
processes. Let's assume the magnitude of such an event would have a very high impact on the
business. If the likelihood is low, management might decide to transfer some of the risks to a
third party by purchasing business disruption insurance. If the likelihood is high, management
should consider finding alternate sources for needed supplies.

Financial risks may be lessened by adjusting the organization's capital structure to minimize the
cost of capital. The cost of capital is a function of the mixture of debt, preferred stock, retained
earnings, and common stock issued in the organization's capital structure. The proper mix will
reduce bankruptcy risk and agency costs to an acceptable level.

Step 5: Risk Monitoring and Control
The final step in the Risk Management Process is Risk Monitoring and Control. The purpose of
this is to address how risk will be monitored. This includes verifying compliance with the risk
response decisions by ensuring that the organization implements the risk response measures
(and any information security requirements), determines the ongoing effectiveness of risk
response measures, and identifies any changes that would impact the risk posture.

Risk monitoring activities at the various levels of the organization (or with other organizational
entities) should be coordinated and communicated. This can include sharing risk assessment
results that would have an organization-wide impact on the risk responses being planned or
implemented. The organization should also consider the tools and technologies needed to
facilitate monitoring and the frequency necessary for effectively monitoring risks, including the
changes that would impact responses to risks.

For the risk management plan to be helpful for a business, the plan needs to clearly establish
and define policies and procedures for staff members to follow and understand easily. This
helps employees understand how their responsibilities and roles tie into the risk management
plan. Having all employees on the same page also will ensure they respond adequately when
necessary.

RISK APPETITE
Risk appetite is the most discussed and most misunderstood concept in risk management,
which has led various experts to attempt to come up with a common definition.

Risk appetite is the level of risk that the organization is willing to take in its value creation
activities, particularly in its investing activities. It extends beyond quantitative factors like
numerical values for value creation. The board and management should also consider the
qualitative impact of certain uncertainties in the achievement of the company's goals.

Aside from utilizing risk appetite frameworks that begin by assessing risk capacity and then
establishing specific risk limits, discussions of risk attitude or philosophy and culture of the
organization can help to determine risk appetite. Through these discussions, the organization
can examine whether they tend to be risk aggressive or conservative.

Risk appetite can be applied to an organization and at all levels. When risk appetite has been
clearly defined, it becomes the responsibility of the management to communicate the risk
appetite throughout the organization to ensure the actions of the company at all levels are in line
with the risk the company is willing to accept.

RISK APPETITE STATEMENT


A Risk Appetite Statement is a formal document that states an organization’s willingness and
capacity to accept and manage risks. It serves as a guideline for decision-making processes,
enabling the organization to align its risk-taking activities with its overall strategic objectives and
risk-management framework.

A Risk Appetite Statement is a board-approved policy that defines the types and aggregate
levels of risk that an organization is willing to accept in pursuit of business objectives. It includes
qualitative statements and guidelines as well as quantitative metrics and exposure limits.

KEY RISK INDICATOR (KRI)

A Key Risk Indicator is a quantifiable measurement used by organizations to monitor and manage
potential risks that could impact their objectives or operations. KRIs are typically derived from key
risk factors identified within an organization's risk management framework. They provide
early warning signs of potential risk events, allowing management to take proactive
actions to mitigate or prevent negative consequences.

Examples of KRIs:

● Mean time to detect (MTTD): the average length of time it takes an organization to discover
incidents in its environment. (Example: the average time it takes the inventory management
system to detect that stock levels have fallen below a certain threshold, indicating potential
stockouts.)

● Mean time to respond/remediate (MTTR): the amount of time it takes to respond to and
remediate an identified threat or failure. (Example: the average duration between identifying the
need to replenish inventory and actually initiating the replenishment process.)

● Mean time between failures (MTBF): the average time between failures of critical
components, systems, or processes within an organization.
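The three KRIs above computed from a constructed incident log, with the early-warning check a monitoring team would run against them; this is an added example, not from the reviewer, and the record layout and the threshold values are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed incident log (not from the reviewer): when each failure occurred,
# when monitoring detected it, and when it was remediated.
INCIDENTS = [
    {"id": "INC-1", "occurred": datetime(2024, 3, 1, 8, 0),
     "detected": datetime(2024, 3, 1, 9, 0), "resolved": datetime(2024, 3, 1, 13, 0)},
    {"id": "INC-2", "occurred": datetime(2024, 3, 4, 8, 0),
     "detected": datetime(2024, 3, 4, 11, 0), "resolved": datetime(2024, 3, 4, 17, 0)},
    {"id": "INC-3", "occurred": datetime(2024, 3, 8, 8, 0),
     "detected": datetime(2024, 3, 8, 10, 0), "resolved": datetime(2024, 3, 8, 12, 0)},
]

# Assumed KRI thresholds in hours: MTTD and MTTR warn when they grow past the
# limit; MTBF warns when it shrinks below the limit (failures arriving more often).
THRESHOLDS_HOURS = {"MTTD": 1.5, "MTTR": 8.0, "MTBF": 100.0}


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def _validate(incidents):
    """Timestamps must satisfy occurred <= detected <= resolved; otherwise the
    averages are meaningless, so reject bad records instead of averaging them."""
    for inc in incidents:
        if not (inc["occurred"] <= inc["detected"] <= inc["resolved"]):
            raise ValueError(f"{inc['id']}: timestamps out of order")


def mttd_hours(incidents):
    """Mean time to detect: average of (detected - occurred)."""
    _validate(incidents)
    return mean(_hours(i["detected"] - i["occurred"]) for i in incidents)


def mttr_hours(incidents):
    """Mean time to respond/remediate: average of (resolved - detected)."""
    _validate(incidents)
    return mean(_hours(i["resolved"] - i["detected"]) for i in incidents)


def mtbf_hours(incidents):
    """Mean time between failures: average gap between consecutive occurrences.
    Needs at least two incidents; returns None otherwise."""
    times = sorted(i["occurred"] for i in incidents)
    if len(times) < 2:
        return None
    return mean(_hours(b - a) for a, b in zip(times, times[1:]))


def evaluate_kris(incidents, thresholds=THRESHOLDS_HOURS):
    """Return {kri: (value_in_hours, status)}, status being 'ok', 'warning' or
    'insufficient data'. A 'warning' is the early-warning sign the text describes."""
    values = {"MTTD": mttd_hours(incidents), "MTTR": mttr_hours(incidents),
              "MTBF": mtbf_hours(incidents)}
    report = {}
    for name, value in values.items():
        if value is None:
            report[name] = (None, "insufficient data")
        elif name == "MTBF":
            report[name] = (value, "warning" if value < thresholds[name] else "ok")
        else:
            report[name] = (value, "warning" if value > thresholds[name] else "ok")
    return report


if __name__ == "__main__":
    for kri, (value, status) in evaluate_kris(INCIDENTS).items():
        print(f"{kri}: {value} h -> {status}")
```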

QUANTITATIVE AND QUALITATIVE KEY RISK INDICATORS

Quantitative KRIs
These focus on provable facts and numerical data based on findings from mathematical models,
system outputs, and analysis methods.

Qualitative KRIs
These types of KRIs focus on predicting probability-based outcomes to support things like
sensitivity analysis.

Types of KRIs used across a range of industries and sectors:


● Financial KRIs
Quantitative financial KRIs may be more important to commercial or retail banks, asset
management organizations, or Certified Public Accountants (CPAs). Financial KRIs
pointing to external environmental issues may include those that measure an economic
downturn or regulatory changes. Internal variables could include changes in strategic
goals, funding constraints, or acquisitions.

● Human Resource KRIs
Staffing and recruitment agencies, as well as human resource departments, are likely to
be interested in employing quantitative or qualitative people-based key performance
indicators.

● Operational KRIs
These KRIs can normally be developed in any industry. Factors influencing operational
KRIs could include process inefficiencies, leadership changes, or changes to strategic goals.

● Technological KRIs
These forms of KRIs have an impact on all industries, but they are especially important
for technological service providers and businesses that rely on online business portals.
Increased operational complexity, security difficulties, and changes to rules or legislation
are all potential technological risk factors.

COMMON RISK LANGUAGE

Common Risk Language refers to a standardized set of terms, definitions, and concepts used to
communicate about risks within an organization. Having a Common Risk Language ensures
that everyone involved in risk management processes speaks the same language when
discussing risks and their potential impacts. This will enable every individual from different
departments and organizational levels to communicate more effectively with each other and
identify relevant issues more quickly across the organization. It promotes clarity and mutual
understanding as everyone interprets risks and their implications in the same way, thereby
reducing misunderstandings and miscommunication. It eliminates confusion created by the
subjective use of terms and definitions by establishing a uniform vocabulary of terms and
definitions within the organization for the management and employees to utilize while discussing
the risks that could potentially impact the organization’s ability to achieve its objectives.

Guidelines in Creating the Common Risk Language [ FICS ]


1. Focused
- should focus solely on the nature of the risk without delving into the factors or causes
that contribute to it.

2. Impact
- should briefly describe the immediate significant effect of the risk.

3. Concise
- should be specific, clear, and simple. It should not exceed 30 words.

4. Standard Format
- should state the nature of the risk first, followed by the impact.

N/3 FILTERING RULE


A method used to narrow down a list of risks by selecting a subset of the most critical ones for
further consideration or prioritization.

The n/3 filtering rule divides the total number of Tier 1 risks by 3, providing guidance on the
number of risks that should be selected for further attention and resource allocation.
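An added example (not the reviewer's own material) that applies the Step 3 prioritization and the n/3 rule to a constructed Tier 1 risk register: risks are ranked by impact x likelihood, the top n/3 are shortlisted, and any risk above an assumed stakeholder risk threshold is flagged as not accepted. The register entries, the threshold value and the choice to round n/3 up are all assumptions.

```python
import math

# Constructed Tier 1 risk register (not from the reviewer): impact is the loss if
# the event occurs, likelihood its probability over the planning period.
RISK_REGISTER = [
    {"risk": "Sole-supplier outage", "impact": 2_000_000, "likelihood": 0.10, "owner": "COO"},
    {"risk": "Customer data breach", "impact": 1_500_000, "likelihood": 0.20, "owner": "CISO"},
    {"risk": "Regulatory fine", "impact": 500_000, "likelihood": 0.30, "owner": "Compliance"},
    {"risk": "Key staff attrition", "impact": 200_000, "likelihood": 0.50, "owner": "HR"},
    {"risk": "Warehouse fire", "impact": 3_000_000, "likelihood": 0.02, "owner": "Facilities"},
    {"risk": "Currency exposure", "impact": 400_000, "likelihood": 0.40, "owner": "CFO"},
]

# Assumed stakeholder risk threshold on expected loss; above it a risk is not accepted.
RISK_THRESHOLD = 175_000


def risk_score(entry):
    """Impact x likelihood: the expected-loss score used to rank the register."""
    if not 0.0 <= entry["likelihood"] <= 1.0:
        raise ValueError(f"{entry['risk']}: likelihood must be in [0, 1]")
    return entry["impact"] * entry["likelihood"]


def prioritize(register):
    """Most-to-least-critical order: list of (risk name, score), highest first."""
    scored = [(e["risk"], risk_score(e)) for e in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def n_over_3(ranked):
    """n/3 filtering rule: keep the top third of the ranked list for further attention.
    Rounding up is an assumption, so a short list still yields at least one risk."""
    keep = math.ceil(len(ranked) / 3)
    return [name for name, _ in ranked[:keep]]


def above_threshold(register, threshold=RISK_THRESHOLD):
    """Risks whose expected loss exceeds the stakeholder's threshold (not accepted)."""
    return [e["risk"] for e in register if risk_score(e) > threshold]


def owners_of(register, names):
    """Map each selected risk back to the owner recorded in the register."""
    wanted = set(names)
    return {e["risk"]: e["owner"] for e in register if e["risk"] in wanted}


if __name__ == "__main__":
    ranked = prioritize(RISK_REGISTER)
    for name, score in ranked:
        print(f"{name:24s} {score:>12,.0f}")
    shortlist = n_over_3(ranked)
    print("n/3 shortlist:", shortlist, "owners:", owners_of(RISK_REGISTER, shortlist))
    print("above threshold (not accepted):", above_threshold(RISK_REGISTER))
```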

RISK ANALYSIS
Risk analysis is a multi-step process aimed at mitigating the impact of risks on business
operations. Organizations from different industries use risk analysis to ensure that all aspects of
the business are protected from potential threats, which enables them to make informed
decisions.

Types of Risk Analysis (BuRN FaR)

● Business Impact - planning for operational disruptions caused by external factors.
● Risk Benefit & Cost Benefit - weighing the pros and cons (benefits and risks) of an
action.
● Needs Assessment - identifying and evaluating organizational needs and gaps.
● Failure Mode & Effect - anticipating potential failures and mitigating their impact.
● Root Cause - identifying and eliminating root causes to solve problems.

Risk Analysis Approaches


➔ Risk Interrelationship Approach
- This approach considers the interconnection of the different prioritized risks to identify
the highly leveraged risks, that is, the risks which, when the organization manages them, also
bring some other risks under management.
➔ Direct Approach
- This is a simple approach where there is no need to go through the interrelationship of
risks. Accordingly, all the identified risks will undergo the risk response options also
called risk treatment. The CRO immediately considers certain risks and the risk owners
will now develop risk management strategies and action plans.

Sourcing of Risks
- A very critical part of the risk analysis is the sourcing risk analysis, or the identification of
the sources or causes of the identified risk. The risk drivers or causes of the risk are
critical in the risk analysis because the most effective risk management action plans or controls
are those applied at the source of the identified risk.

Bow-Tie Analysis (BTA)


- Bow-tie analysis is used to represent the three components of a risk: source, event,
and impact. In this high-level representation, risk sources are identified as strategic,
tactical, operational, or compliance. Impacts are represented using the FIRM (financial,
infrastructure, reputational, and marketplace) risk scorecard. At the center of the bow-tie
is the event, as described by the component of the organization that will be impacted by
the event.

Risk Averse
Having a preference for avoiding or minimizing risks. Individuals or organizations that are
risk-averse tend to prioritize safety and stability, opting for conservative strategies and decisions
that offer lower potential returns but also lower potential losses.

RISK MONITORING

Risk monitoring is assessing risks and making informed decisions about managing them. It
involves regularly reviewing risks and their potential impact on business processes, identifying
new threats, and updating plans and strategies as needed. It helps organizations proactively
manage risk and minimize its impact on operations. It is an essential component of
effective risk management and can help organizations avoid or mitigate losses.

The purpose of risk monitoring is to keep track of the risks that occur and the effectiveness of the
responses implemented by an organization. Monitoring can help to ascertain
whether proper policies were followed, whether new risks can be identified, or whether
previous assumptions about these risks are still valid. Monitoring is vital because risk is not
static.

Thus in essence, monitoring of the ERM process covers the following:


a. Existing priority risks - by systematically tracking their status and impact over time;
b. New emerging risks - by staying vigilant and adaptable to changes in the business environment;
c. Risk management performance - by providing insights as to how effectively risk
management strategies are implemented and whether they are achieving the desired outcomes;
d. Specific policies and procedures both at the enterprise and business function levels -
by ensuring compliance, effectiveness, and alignment with organizational objectives.

How to Monitor and Review Risk Assessments


To monitor and review risk assessments, an organization’s risk managers should develop a risk
register. A Risk Register is a document that records all of the organization's identified risks, the
likelihood and consequences of a risk occurring, the actions the company is taking to reduce
those risks and who is responsible for managing them. It is a useful tool that enables an
organization to store all of its risk information in one, easily accessible location.

Importance of Risk Monitoring


Simply put, risk monitoring allows companies to keep an eye out for the risks that affect their
operations and ensure that the strategies which best mitigate them are in place. Below are some
points that highlight the importance of risk monitoring in an organization:

● Minimizes risk by identifying it and ensuring there are defenses sufficient to prevent it;
● Mitigates the effects of risk of various types by having procedures in place to take action once an
event arises;
● Provides a clear picture of the risk landscape, which in turn allows the company to be
proactive rather than reactive;
● Promotes accountability by recording and defining clear steps to mitigation;
● Utilizes historical events, allowing organizations to learn from past failures to improve future
mitigation;
● Allows for growth by minimizing losses to risk of various types.

Risk reporting
Risk reporting is the regular provision of appropriate risk-related information to stakeholders and
decision-makers within an organization to support understanding of risk management issues
and to assist stakeholders in performing their duties within the organization.

It is a summary that describes the potential risks a company may face. Risk reports address critical
risks, which have the potential for severe consequences.

Risk reporting provides a regular mechanism to direct updates to key stakeholders, ensuring the
right information is given to the right people, at the right level, at the right time.

Frequency of risk reporting: annually

The Recipients for the Report


Risk reports should be delivered to a broad spectrum of organizational stakeholders. Typical
recipients of regular formal risk reports should include:
● CEO and Board of Directors
● Business unit heads of all major business functions
● Compliance committees (notably Internal Audit and Risk Management)
● Staff directly responsible for designing and implementing risk management treatments
● Employees who need to assist in the identification of risk and the implementation of risk plans
● Government ministries and agencies
● The public (through access to Annual Reports and press releases)

CONTENTS AND FORMAT OF RISK REPORTING


The content and format of reports vary depending on the expectations set at the start by the
Board Risk Oversight Committee (BROC). In most cases, Executive Management, through the
Chief Risk Officer (CRO), reports to the BROC on the following activities:

1. Critical Risk Identification: Highlighting the top 10 or 15 critical risks identified within the
organization.

2. Risk Analysis, Sourcing, and Interrelationship: Providing an analysis of risks, their
sources, and how they interrelate within the organization's operations.

3. Risk Options and Risk Management Action Plans: Presenting various options for
managing identified risks and detailing the action plans to address them.

4. Progress of the Development of New Action Plans: Updating the Board on the progress
made in developing new action plans to mitigate risks.

5. Monitoring the Effectiveness of Action Plans: Reporting on the effectiveness of
implemented action plans in managing risks and addressing any necessary adjustments or
improvements.

The design or format of these reports will depend on the time allotted for the presentations
to the BROC. The CRO can prepare a comprehensive report, a detailed account of the
organization's risk management, or can focus only on the outliers, highlighting the unusual
risks that the organization has identified or those that might require specific immediate action.
In some cases, the CRO may also present a capsulized version of the monitoring dashboard,
comprising only the most essential aspects of the risks that need to be communicated, and if a
risk is becoming a concern, he or she can present the risk analysis and treatment template,
illustrating a detailed analysis of the risk as well as the action plans that the organization
has arrived at to treat it. Regardless of the content, format, or design of the risk report, these
reports share the same goal: to keep the Board informed about the organization's risk landscape
and the measures being taken to mitigate potential threats, so as to further enhance its
decision-making for the organization.

ERM RESET
An ERM reset is a strategic process undertaken by an organization to reassess and recalibrate
its approach to risk management. It involves a comprehensive review of existing risk profiles,
risk mitigation strategies, and risk appetite in response to significant changes in the internal
or external factors affecting the organization's risk landscape. The goal of an ERM reset is to
ensure that risk management practices remain aligned with evolving business objectives,
regulatory requirements, and emerging risks.

ERM REFRESH
An ERM refresh is a training or educational session designed to provide stakeholders with
updates, reminders, and reinforcement of key Enterprise Risk Management (ERM) concepts,
principles, processes, and initiatives. The aim of an ERM refresh is to renew stakeholders'
understanding of risk management practices, address changes in the risk landscape, and inform
them of the latest developments and updates in Enterprise Risk Management (ERM) within the
organization. This in turn strengthens the organization's capacity to identify, evaluate,
prioritize, and mitigate risks effectively, thereby safeguarding its objectives, resources,
and reputation.
Their Difference
While "ERM refresh" and "ERM reset" may appear similar, they entail different concepts within
the realm of risk management. ERM refresh involves updating or revising existing risk
assessments, strategies, or frameworks to ensure they remain relevant and effective in
addressing current and emerging risks. It often involves a periodic review of risk-related
processes and methodologies without necessarily making significant changes to the overall risk
management approach. ERM reset, on the other hand, refers to a more comprehensive
reassessment and re-calibration of risk levels within an organization or system, typically
prompted by a significant event or change in circumstances. It involves a fundamental review of
risk assumptions, risk appetite, and risk management strategies, with the aim of realigning them
to reflect the new risk landscape.

DIFFERENT PEOPLE RESPONSIBLE UNDER ERM

Stakeholders and their responsibilities:

1. Board of Directors (BOD)
● Provides oversight of risk management activities, including the periodic review and
approval of the ERM Policy, ERM Framework and ERM Process through the BROC.

2. Board Risk Oversight Committee (BROC)
● Assists the Board in fulfilling its responsibility for oversight of the organization's risk
management activities.
● Sets the risk appetite of the organization.

3. Chief Executive Officer (CEO)
● The ultimate risk executive, essentially responsible for ERM priorities, strategies and
policies.
● Heads the RMET, which sets the direction and leads the decision-making as it relates to:
○ Recognition of risk priorities;
○ Alignment of business objectives with risk strategies, action plans and policies; and
○ Settlement of conflicts regarding ERM strategies and action plans.
● Ensures that sufficient resources are allocated to pursuing ERM initiatives, strategies and
action plans.
● Reports to the BROC on a regular basis on ERM-related matters.
● Is the ultimate risk owner of all the critical risks.

4. Risk Management Executive Team (RMET)
● The ERM think tank.
● Defines risk priorities; and
● Aligns risk policies and strategies with the overall company plan.
● Its members are the primary risk owners.

5. Chief Risk Officer (CRO)
● Is the champion of the ERM process in the organization;
● Develops and implements the risk management process, tools and methodologies;
● Analyzes, develops and executes policies and reports risks;
● Submits risk reports to the RMET and BROC; and
● Monitors the implementation of the risk management strategies and action plans.

6. Risk Management Unit (RMU)
● Composed of the different Risk Leaders and Risk Owners that support the Risk Management
Executive Team (RMET) in the implementation of the ERM process.
● Suggests to the RMET the development of additional ERM Policies and other related
guidelines.
● Supervises, supports, and incorporates the ERM processes across the organization in
coordination with the RMET, Risk Leaders, and Risk Owners.
● Gathers and evaluates the risk reports provided by the Risk Leaders and Risk Owners and
monitors the status of risk management strategies and action plans.
● Organizes the sharing of best practices across the organization.
● Supports the Chief Risk Officer (CRO) in preparing the ERM reports and materials to be
presented to the RMET and the Board Risk Oversight Committee (BROC).
● Drives the continuous improvement of the organization's current ERM Process.

7. Risk Leaders
● Lead the Risk Owners under each identified risk in the consistent execution and continuous
improvement of the risk mitigation strategies in the ERM processes.
● Constantly review and provide updates on the behavior of the critical risks and ensure that
emerging risks are identified and included.
● Guide the Risk Owners in preparing reports to be forwarded to the CRO and RMET.

8. Risk Owners
● Have responsibility for and ownership of the assigned risk and interrelated risks.
● Actively participate in the risk identification process of the organization.
● Perform risk prioritization, analysis, and development of strategies and action plans, and
coordinate with other Risk Owners.
● Assess and communicate the progress of the risk management strategies and action plans to
the Risk Leaders and CRO.

9. All Personnel
● Maintain awareness of and consciousness about ERM, as well as how the identified risks will
impact their roles and responsibilities in the organization.
● Embed risk management as part of their everyday activities.
● Execute the formulated risk management strategies to ensure the achievement of the
organization's objectives and the successful execution of its strategies.
● Communicate to their immediate superiors any risk that they cannot manage.
● Report emerging risks/opportunities to the Risk Leader in the course of risk management
execution.

10. Internal Audit
● Provides an independent assessment of the effectiveness of the ERM framework, processes,
and the strategies formulated to treat the risks identified.
● Gives assurance on the risk management process and assurance that the risks are correctly
evaluated.

- The Chief Executive Officer, or his or her equivalent, is usually referred to as the overall
risk management executive (or sometimes the chief paranoia officer, if the layman's
definition is considered). Thus, the CEO is responsible for ensuring that the critical risks
faced by the organization are being managed and mitigated to acceptable levels.

- The Risk Management Executive Team (RMET) is given the responsibility to assist the
CEO. Some companies will just have their executive committee, management
committee, or operations committee taking on this role.

- The Chief Risk Officer is the owner of the risk management process, but the owners of
the risks are the executives exposed to the specific risks.

- The Board Risk Oversight Committee (BROC) is a specialized committee of a company's board
of directors responsible for overseeing the organization's risk management processes. The
committee is typically composed of independent directors who have the expertise and
experience to assess and mitigate the various risks facing the organization. The BROC plays
a crucial role in ensuring that the company has effective risk management policies and
procedures in place and that these are aligned with the organization's strategic objectives.

COSO ERM
COSO is short for the Committee of Sponsoring Organizations of the Treadway Commission.
Founded in 1985, COSO is a private-sector initiative originally formed to combat fraudulent
financial reporting; over the years it has expanded its mission to include internal control and
enterprise risk management.

COSO's Enterprise Risk Management – Integrated Framework (2004), updated in 2017 as Enterprise
Risk Management – Integrating with Strategy and Performance, is a widely recognized and applied
risk management framework. It provides a basis for coordinating and integrating all of the
organization's risk management activities and practices, and, once embedded throughout the
business, it offers management a lens through which to evaluate the organization's ability to
align strategy, risk, and performance at all levels.
BENEFITS OF COSO ERM
1. Increasing the range of opportunities: By considering all possibilities, both the positive
and the negative aspects of risk, management can identify new opportunities and the unique
challenges associated with current opportunities.

2. Identifying and managing risk entity-wide: Every entity faces myriad risks that can affect
many parts of the organization. Sometimes a risk can originate in one part of the entity but
impact a different part. Consequently, management identifies and manages these entity-wide
risks to sustain and improve performance.

3. Increasing positive outcomes and advantages while reducing negative surprises: Enterprise
risk management allows entities to improve their ability to identify risks and establish
appropriate responses, reducing surprises and related costs or losses while profiting from
advantageous developments.

4. Reducing performance variability: For some, the challenge is less with surprises and losses
and more with variability in performance. Performing ahead of schedule or beyond expectations
may cause as much concern as performing short of schedule and expectations. Enterprise risk
management allows organizations to anticipate the risks that would affect performance and
enables them to put in place the actions needed to minimize disruption and maximize
opportunity.

5. Improving resource deployment: Every risk could be considered a request for resources.
Obtaining robust information on risk allows management, in the face of finite resources, to
assess overall resource needs, prioritize resource deployment, and enhance resource
allocation.

6. Enhancing enterprise resilience: An entity's medium- and long-term viability depends on its
ability to anticipate and respond to change, not only to survive but also to evolve and
thrive. This is, in part, enabled by effective enterprise risk management. It becomes
increasingly important as the pace of change accelerates and business complexity increases.

Five Interrelated Components Of ERM

1. Governance and Culture
- Governance sets the organization's tone and establishes responsibilities for ERM.
- Culture relates to the desired behaviors, values, and overall understanding of risk held
by personnel within the organization.

2. Strategy and Objective-Setting
- Strategy must support the organization's mission, vision and core values.
- The integration of ERM with strategy-setting helps the organization understand the risk
profile related to its strategy and business objectives.

3. Performance
- Relates to the ERM practices that support the organization's decisions in pursuit of value.

4. Review and Revision
- The organization reviews and revises its current ERM capabilities and practices based on
changes in strategy and business objectives.

5. Information, Communication and Reporting
- The final component recognizes the vital need for a continuous process to obtain and share
relevant information. This information for decision-making must flow up, down and across the
organization and provide insight to key stakeholders.

Comparison of COSO ERM Cube (2004) and COSO Framework (2017)

Aspect: ERM Definition
- COSO ERM Cube (2004): Defined enterprise risk management as a process influenced by the board
of directors, managers, and all employees to identify events that have the potential to affect
the organization and manage risk within the framework of risk appetite.
- COSO Framework (2017): Defines enterprise risk management as the culture, capabilities, and
practices integrated with strategy-setting and performance that organizations rely on to manage
risk in creating, preserving, and realizing value.

Aspect: Structure
- COSO ERM Cube (2004): Had eight (8) components:
● Internal environment
● Objective setting
● Event identification
● Risk assessment
● Risk response
● Control activities
● Information and communication
● Monitoring
- COSO Framework (2017): Consists of five (5) interrelated components:
● Governance and culture
● Strategy and objective-setting
● Performance
● Review and revision
● Information, communication, and reporting

Aspect: Principles
- COSO ERM Cube (2004): Does not have underlying principles.
- COSO Framework (2017): Has 20 principles that define the five interrelated components.

Aspect: Purpose
- COSO ERM Cube (2004): Value preservation: the primary purpose was to help organizations
preserve value by identifying and managing risks. It is more about protecting the existing
value. Risk avoidance: it emphasized risk mitigation and compliance, often adopting a defensive
approach.
- COSO Framework (2017): Value creation: recognizes ERM as a facilitator for value creation. It
encourages organizations to view risk not only as a potential threat but also as an opportunity.
It is about both protecting the existing value and creating new value. Forward-looking
perspective: encourages organizations to consider risks during strategy-setting processes, look
beyond risk avoidance, and adopt a proactive approach to risk management.

Aspect: Scope
- COSO ERM Cube (2004): Focus on internal control: it views ERM as an extension of internal
control, including risk management within internal control processes. The framework emphasizes
the significance of analyzing and managing risks in order to establish effective internal
controls. The ERM Cube emphasized a structured approach to identifying, assessing, and managing
risks, with a focus on integrating risk management into the organization's strategic planning
and decision-making processes.
- COSO Framework (2017): Broader scope: it recognizes that risk management extends beyond
internal control and compliance. The framework considers risk management as a holistic process
that encompasses all levels of the organization and involves various stakeholders. It aims to
provide a more detailed and structured approach to ERM, with a focus on enhancing the
organization's ability to anticipate and respond to risks in pursuit of its objectives. It
places greater emphasis on governance, culture, and the integration of risk management into
decision-making.

Aspect: Presentation
- COSO ERM Cube (2004): Used a cube representation to illustrate the relationship between
components, objectives, and structure.
- COSO Framework (2017): Uses a rainbow double-helix diagram that intertwines the five
components throughout an organization's life cycle.

RISK DIVERSIFICATION
The concept of constructing a portfolio of different activities, products, services, and
strategies to mitigate the impact of a single event on overall risk is rooted in the principle
of diversification. Diversification within an organization can take various forms, tailored to
its specific industry, capabilities, and market dynamics, including:

● Cultural Diversification: Embracing employees from different cultural backgrounds to foster
a more inclusive workplace.
● Product Diversification: Expanding the range of products or services offered to reduce
dependency on a single product line.
● Market Diversification: Entering new markets to protect the organization from
market-specific risks.
● Investment Diversification: Allocating resources across different financial instruments or
projects to minimize risks.
● Workforce Diversification: Hiring individuals with diverse skill sets, experiences, and
perspectives to enhance creativity and problem-solving.

INSURANCE

Insurance is defined as a contract or agreement whereby one undertakes, for a consideration, to
indemnify another against loss, damage or liability arising from an unknown or contingent event.
Under this definition, the concept of insurance revolves around the following elements:

1. The insured possesses an interest of some kind susceptible of pecuniary estimation, known
as "insurable interest";

2. The insured is subject to a risk of loss through the destruction or impairment of that
interest by the happening of a designated peril;

3. The insurer assumes that risk of loss;

4. Such assumption of risk is part of a general scheme to distribute actual losses among a
large group or substantial number of persons bearing the same risk; and

5. In consideration for the insurer's promise, the insured makes a ratable contribution, called
the "premium," to a general insurance fund.
Parties to an Insurance Contract

There are generally two parties in an insurance contract: the insurer and the insured.

The insurer is the party who assumes or accepts the risk of loss and undertakes for a
consideration to indemnify the insured or to pay him a certain sum on the happening of a
specified contingency or event. Only corporations, partnerships, and associations may be an
insurer.

On the other hand, the insured is the party in whose favor the contract is operative and who is
indemnified against, or is to receive a certain sum upon the happening of a specified
contingency or event. He is the person whose loss is the occasion for the payment of the
insurance proceeds by the insurer. The insured is not, however, prohibited from designating a
beneficiary, other than himself. In other words, the proceeds of the insurance policy may go to
either the insured himself or to a third person designated by the insured as his beneficiary.
The Insurable Interest

In order for an insurance contract to be valid, the insured must have an insurable interest in
the subject matter insured. Insurable interest is the element of an insurance contract that
distinguishes it from a wagering contract.

In general, a person is deemed to have an insurable interest in the subject matter insured where
he has such a relation or connection with, or concern in, it that he will derive pecuniary or
financial benefit or advantage from its preservation and will suffer pecuniary loss or damage
from its destruction, termination, or injury by the happening of the event insured against.

In the case of an enterprise, an insurable interest in the lives of its employees, in its
properties, and in its liabilities may validly arise.

The Insurable Risks

1. Personal Risks: those involving the person, primarily concerned with the time of death or
disability.
2. Property Risks: those involving loss of or damage to property.
3. Liability Risks: those involving liability for injury to the person or property of others.

The Premium

The premium is the agreed price for assuming and carrying the risk, that is, the consideration
paid by the insured to the insurer for the insurer's undertaking to indemnify the insured
against a specified peril.

Types of Insurance Common to Business Enterprises and Their Coverage

1. Life Insurance
- the lives of the owners, shareholders, and anyone on whom the enterprise depends for capital
or other financial support
- the lives of its employees
- the lives of its debtors

2. Property Insurance
- the properties, facilities, equipment and similar assets that the enterprise uses in the
operation of its business

3. Liability Insurance
- liability arising from employees' claims resulting from bodily injury or disease sustained
in the course of employment
- liability arising from bodily injury to, or loss of or damage to the property of, third
parties caused by defective design, packaging, etc. of goods sold, supplied, tested, repaired
or serviced by the insured
POINTERS:
● Benefits of Risk Management
● Qualitative and quantitative and its example
● Risk response formulation (ARATS) and situations where it has been used
● 5 ERM processes (IAPRM): definition, elements
● Benefit and implementation of ERM and its disadvantages
● Definition of ERM
● Risk averse
● Key risk indicator vs KPI and its examples
● Risk appetite framework ; statements
● Common risk language
● Elements of creating common risk language
● Different kinds of risk
● N3 filtering rule and its use
● Two different approaches, their example and elements
● Risk diversification,
● Risk transfer techniques
● Importance of risk monitoring
● Audience of risk reporting
● Contents and form of risk report
● ERM reset and refresh and their advantages and disadvantages
● Different people responsible under enterprise risk management (RMET, CEO ETC)
● Difference of COSO 2004 and 2017; their goals and benefits
● Insurance ; the concept and its elements
● Risk analysis
