
Finals Reviewer


1ST TOPICS

DIFFERENT KINDS OF RISK (LEGAL, COMPLIANCE, FINANCIAL) (FORBSHaLICoP)

1. Financial - inability to finance the business, both short-term (liquidity) and long-term (solvency). (Cash flows)
(MACLISOL)
a. Market risk - movement in the prices of financial instruments
 Directional risk - movement in stock prices, interest rates
 Non-directional risk - volatility risk
b. Credit risk (default risk) - arises when a counterparty fails to fulfill its obligations towards the organization
 Sovereign risk - arises from a foreign government's complex foreign exchange policies
 Settlement risk - one party makes the payment while the other party fails to fulfill its obligations.
c. Liquidity risk - inability to execute transactions; a firm's inability to meet its cash flow needs without affecting its
daily operations or financial condition.
 Asset liquidity risk - insufficient buyers against sell orders, or insufficient sellers against buy orders
 Funding liquidity risk - inability to obtain the funding needed to meet obligations as they fall due
d. Solvency risk - the ability of a firm to meet its long-term financial obligations. A firm that is solvent can pay its
debt obligations.
e. Legal risk - arises out of legal constraints such as lawsuits.
2. Operational - the risk of loss to the corporation arising from inadequate or failed internal systems and processes, or from external events
3. Residual - the risk that remains after controls are applied (with control)
4. Business (profitability) - the fundamental viability of the business
5. Strategic (goals) - the chosen strategy is not sufficient to achieve the organization's objectives
6. Hazard - natural disasters
7. Legal - lawsuits, litigation
8. Inherent - the risk before any controls are applied (without control)
9. Compliance - rules and regulations of government agencies
10. Political - legislation, political influence

GROUP 1

RISK APPETITE STATEMENTS

 a formal document that states an organization’s willingness and capacity to accept and manage risks

Elements of Risk Appetite Statements:

a. Qualitative statements
b. Guidelines
c. Quantitative aspects

Steps in Risk Appetite Statements are based on:

1. Context for risk appetite statements
2. Design and content of risk appetite statements
3. Implementation of risk appetite statements
4. Monitoring the impact of risk appetite statements
5. Governance of risk appetite statements

Stages involved in Developing RAS (IEDRF)

1. Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations, and
compliance, as set out in the risk register.
2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative
and quantitative statements.
3. Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of
acceptable risk tolerances
4. Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring
current risk exposures into line with risk appetite.
5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders, and implement
accordingly.

RISK APPETITE FRAMEWORK

Assesses risk exposure against potential rewards at these levels:

a. Corporate Level – set at the organizational level and approved by the senior management
b. Business Unit Level – dictates the performance targets set for every business unit.
c. Department or Product Level – it will determine the risk limits at department or product level

Five Elements of Risk Appetite Framework:


 Stakeholder Objectives - Project stakeholders may include corporate management, customers, employees, communities
participating or affected by a project, regulatory bodies, and many more. Their interests will determine the required
payoff between the strategic direction, resource investment and risks.
 Corporate Risk Appetite - Chosen risk appetite and risk tolerances need to be reviewed and approved by the senior
management.
 Business Unit and Department Risk Appetite - Risk appetite and risk tolerance decisions made at the corporate level
will determine targets and project portfolios that will be chosen on the business unit or department level based on the
project risk and return comparison.
 Capabilities - Certain capabilities need to be in place to ensure that the organization is able to support its risk appetite
framework. These include a set of performance indicators, procedures for monitoring and reporting performance,
documented policies and guidelines for risk management, and clear accountabilities for implementing the processes.
 Risk Appetite Process - The risk appetite process itself needs to be documented and continuously reviewed to make sure
that it meets the needs of an organization. A sample process can include four steps: setting the risk appetite, embedding
it, continuous risk mitigation, and reviewing the risk appetite.

COMMON RISK LANGUAGE

 Common Risk Language refers to a standardized set of terms, definitions, and concepts used to communicate risks within
an organization.

Guidelines:

a. Focused - The definition should focus solely on the nature of the risk without delving into factors or causes that
contribute to it.
b. Impact - The definition should briefly describe the immediate significant effect of the risk.
c. Concise - The definition should be specific, clear, and simple.
d. Standard Format - The definition should state the nature of the risk first, followed by the impact.

Additional Guidelines: (MEWING)

 In developing a risk definition, avoid reusing words that already appear in the name of the risk.
 Avoid a definition that is wordy and unclear.
 Distinguish between risks that are usually perceived to be the same.
 Avoid combining two risks in one definition.

Risk Taxonomy - provides a clear explanation of key terms or concepts such as probability, severity, risk tolerance levels and so
on.

OTHER IMPORTANT TOPICS

RISK APPETITE - is the amount of risk that an organization is willing to seek or accept in the pursuit of long-term objectives.

RISK CAPACITY is the maximum amount of risk an individual or organization can take on, or their capability to handle risk,
without compromising or harming their overall financial stability.

RISK TOLERANCE is the degree, amount, or volume of risk impact that an organization or individual will withstand. An
entity's capacity to bear the effects of risk.

Levels of Risk Tolerance

 Low/ Conservative - risk-averse individuals. They prioritize stability and security and are more inclined to choose
conservative business strategies.
 Moderate - strikes a balance between caution and ambition.
 High/ Aggressive - an all-or-nothing attitude. They are comfortable with ambiguity, uncertainty, and the possibility of
failure.

GROUP 2

N/3 FILTERING RULE - a method used to narrow down a list of N risks by selecting a subset (roughly the top third) of the most
critical ones for further consideration or prioritization.

RISK PRIORITIZATION - the vital process of recognizing and dealing with potential issues in a business, concentrating on
addressing the most significant ones first. (IN FIRST TOPIC ALSO)

OTHER IMPORTANT TOPICS

Risk Universe - the comprehensive scope of potential risks that an organization might face in its operations; the sum of
all risks associated with the organization. It ensures that no risk is overlooked, allows you to design appropriate budgets, and
gives you a language to use when discussing risk with your stakeholders.
Risk Self-Assessment (RSA) - a structured approach used by organizations to identify risks within their operations; a process in
which individuals or teams within an organization assess and evaluate the risks faced by the organization, often through the
completion of questionnaires or surveys.

RSA Process

1. Identifying respondents for RSA Questionnaire (CRO, CEO, RMET, RMU)


2. Providing Information on Company Objectives and Strategies (RMET, RMU)
3. Completing the RSA Questionnaire
 Inherent level - for companies that are just starting their ERM implementation, it is advisable not to take
existing controls or risk management strategies into consideration at this stage (risks are rated gross of controls).
 Netting (residual level) - for a more mature ERM program, where internal auditors have validated the controls'
design and operating effectiveness; risks are rated net of those validated controls.
4. Consolidating and Categorizing Risks into Tiers
5. Validating risk tiering through interviews and FGDs (RMU and RMET)
6. Further trimming tier 1 risks
7. Final Prioritization of Trimmed Tier 1 risks

Risk Attitude - the approach an organization takes towards uncertainty. (RISK AVERSE, RISK SEEKING, RISK NEUTRAL)

Risk Sensitivity - dictates the resources to be evaluated, the frequency and depth of reassessments, the prioritization of risk
findings, acceptable risk thresholds, and the level of managerial approval required for exceptions.

Resource Availability - involves important information about the accessibility of resources needed for operation or project
execution.

Cost - plays a role in prioritizing risks by assigning a monetary value to each risk.

Risk Severity - the extent to which a risk can inflict harm on the organization.

Risk Manageability - pertains to how well a risk can be handled and whether the company has the capacity to deal with its
occurrence and impact.

Risk Assessment Matrix (qualitative) - also known as a probability and severity, or likelihood and impact, risk matrix; a visual
tool used to show potential business risks.

Control Effectiveness Criteria - how organizations ensure that a control is properly built and works as intended.

Control - any action taken by management, the board, and other parties to manage risk and increase the likelihood that
established objectives and goals will be achieved. Controls may be preventive, detective, or directive.

GROUP 3

RISK ANALYSIS - a multi-step process aimed at mitigating the impact of risks on business operations.

A. Risk management is the proactive control and evaluation of risks.
B. Risk assessment is primarily focused on safety and hazard identification.
C. Risk communication is the exchange of information involving risks.

Type of Risk Analysis (BURNFAR)

A. Business Impact - planning for operational disruptions caused by external factors
B. Risk Benefit & Cost Benefit - weighing the pros and cons (benefits and risks) of an action.
C. Needs Assessment - identifying and evaluating organizational needs and gaps.
D. Failure Mode & Effect - anticipating potential failures and mitigating their impact.
E. Root Cause - identifying and eliminating root causes to solve problems.

Methods of Risk Analysis (BORRFSS)

1. Bow tie evaluation - a method that visually represents potential risks and their consequences in a bow-tie shape
(causes on the left, the risk event at the knot, impacts on the right)
2. Risk analysis matrix (qualitative) - a tool used to assess and prioritize risks based on their likelihood and impact
(low, medium, high)
3. Risk register - a document that records all of the organization's identified risks (description, likelihood, severity,
impact, strategies and responsible parties), the likelihood and consequences of each risk occurring, the actions the
company is taking to reduce those risks, and who is responsible for managing them; it is used to track risks throughout
the risk management process.
4. Fault tree analysis (quantitative) - a method used to analyze the causes of failures or risks by constructing a logical
diagram of the events leading to an undesirable outcome.
5. Sensitivity analysis (quantitative) - assesses how changes in input variables or assumptions affect the outcomes of a
decision or project.
6. SWIFT evaluation (Structured What-If Technique) - a systematic method used to identify and assess potential risks by
asking "what if" questions.

RISK ANALYSIS APPROACHES

1. RISK INTERRELATIONSHIP APPROACH - This approach considers the interconnection of the different prioritized
risks to identify the highly leveraged risks, or the risks that when the organization manages, will also manage some other
risks
a. Cause and effect relationship - risks that occur because of unmanaged risks.
b. Interdependencies - risks are interconnected and management of one risk can assist in the management of the
other.
c. Compounding effect - risks left unmanaged may branch out and result in multiple risks.
2. RISK DIRECT APPROACH - a simple approach where there is no need to go through the interrelationship of risks.
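
The following is an added example (not part of the reviewer) that puts the risk analysis matrix and risk register from this section together with the inherent vs. netted scoring and the N/3 filtering rule from Group 2. It scores a small register on a 5x5 likelihood-and-impact matrix, once gross of controls (inherent) and once net of validated controls (residual), consolidates the risks into tiers, and trims the ranked list to the top N/3. The register entries, the band boundaries (high >= 15, medium >= 8) and the netting rule (controls reduce likelihood, never impact) are assumptions made for the example:

```python
"""Added example: a small risk register scored on a 5x5 likelihood-and-impact
matrix, at the inherent level (gross, before controls) and the netted level
(residual, after validated controls), then tiered and trimmed with the N/3
filtering rule. All risks, ratings and band boundaries are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List

# Qualitative bands for a 5x5 matrix (score = likelihood x impact, 1..25).
# The boundaries are an assumption for this example; an organization sets
# its own in its risk appetite statement.
BANDS = (("high", 15), ("medium", 8), ("low", 1))


def band(score: int) -> str:
    """Map a numeric score onto the matrix's low/medium/high bands."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} is below the matrix scale")


@dataclass
class Risk:
    name: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0   # 0.0 = no validated control, 1.0 = fully effective
    owner: str = ""

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be on the 1..5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be in 0..1")

    @property
    def inherent(self) -> int:
        """Gross score: no credit taken for existing controls."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Netted score. Assumption: validated controls reduce likelihood only
        (they stop the event, not its consequence). Rounded up so that netting
        never understates the remaining risk."""
        net_likelihood = max(1, math.ceil(self.likelihood * (1.0 - self.control_effectiveness)))
        return net_likelihood * self.impact


def score(risk: Risk, level: str) -> int:
    if level == "inherent":
        return risk.inherent
    if level == "residual":
        return risk.residual
    raise ValueError(f"unknown level {level!r}; use 'inherent' or 'residual'")


def rank(register: List[Risk], level: str = "inherent") -> List[Risk]:
    """Order the register from most to least critical. Ties are broken by
    impact (severity first) and then by name so the result is deterministic."""
    return sorted(register, key=lambda r: (-score(r, level), -r.impact, r.name))


def tiers(register: List[Risk], level: str = "inherent") -> Dict[str, List[str]]:
    """Consolidate risks into tiers: tier 1 = high band, tier 2 = medium, tier 3 = low."""
    out: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for r in rank(register, level):
        out[band(score(r, level))].append(r.name)
    return out


def n_over_3(register: List[Risk], level: str = "inherent") -> List[Risk]:
    """N/3 filtering rule: from N ranked risks keep the top ceil(N/3) for
    further prioritization (at least one risk is always kept)."""
    keep = max(1, math.ceil(len(register) / 3))
    return rank(register, level)[:keep]


# Constructed sample register (names, ratings and owners are illustrative).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 4, 5, 0.5, "CIO"),
    Risk("Key supplier insolvency", 3, 4, 0.0, "COO"),
    Risk("FX movement on USD payables", 4, 3, 0.75, "CFO"),
    Risk("Regulatory fine for late filing", 2, 4, 0.5, "CCO"),
    Risk("Typhoon damage to warehouse", 2, 5, 0.2, "COO"),
    Risk("Staff turnover in finance", 3, 2, 0.0, "CFO"),
]

if __name__ == "__main__":
    for level in ("inherent", "residual"):
        print(f"--- {level} ---")
        for r in rank(SAMPLE_REGISTER, level):
            print(f"{score(r, level):>3} {band(score(r, level)):<7} {r.name} ({r.owner})")
        print("tier 1:", tiers(SAMPLE_REGISTER, level)["high"])
        print("N/3 shortlist:", [r.name for r in n_over_3(SAMPLE_REGISTER, level)])
```

Running it shows why the reviewer separates the two levels: at the inherent level the ransomware risk is the only tier 1 item and the N/3 shortlist is ransomware plus supplier insolvency, while at the residual level the validated controls pull ransomware and the FX exposure down and supplier insolvency (no control at all) becomes the top item. The FX risk drops from 12 to 3 only because its control is rated 75% effective; if that rating has not been validated by internal audit, the netted view overstates how much has been managed, which is exactly why the RSA process rates at the inherent level for young ERM programs.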

RISK MANAGEMENT OPTIONS (risk responses) - the strategic choices available to organizations for managing specific risks

Factors

 Time Horizon
a. Short Term Horizon (Immediate Action)
b. Medium Term Horizon (Months to a year)
c. Long-term horizon (Several Years)
 Severity of Impact

ARATS

Risk Avoidance - the organization refuses to accept the risk; the exposure is not permitted to come into existence. A negative
rather than a positive technique.

Reduce (MANS) - the implementation of strategies and measures aimed at decreasing the likelihood or impact (or both) of
potential risks on individuals, organizations, or systems. Risk can be reduced in two ways: through loss prevention and loss
control.

1. Risk management/ control - It is a systematic process of identifying, assessing, prioritizing, and mitigating risks to
minimize their potential impact on individuals, organizations, or systems.
2. Spread - A strategy used in risk management to reduce exposure to potential losses by spreading investments, resources,
or activities across different assets, sectors, or geographic regions.

Retain/ Accept (No Pore) - the deliberate decision to assume and retain a certain level of risk rather than avoid, reduce, or
transfer it to another party through insurance or other means.
 Conscious risk retention - takes place when the risk is perceived and not transferred or reduced.
 Unconscious risk retention - when the risk is not recognized, the person retains the financial risk without realizing that
he or she is doing so.
 Voluntary risk retention - when the risk is recognized and there is an agreement to assume the losses involved.
 Involuntary risk retention - occurs when risks are unconsciously retained or cannot be avoided, transferred, or reduced.
1. No Action - Inherent in the business but the current level of residual risk is acceptable. This indicates that the
organization is willing to endure the risk without taking any explicit actions to mitigate it.
2. Premium Price - adjusting the prices of products or services based on the level of risk involved, considering the risk
and reward concept
3. Offset– akin to a strategic balancing act and recognizing potential benefits or opportunities associated with other risks,
which can be utilized to mitigate the impact of the risk at hand.
4. Reserve - essentially a pool of funds set aside by an organization to address potential losses or expenses associated with
risks that it chooses to accept.

Transfer (RIOCHA) - shifting the potential loss of an adverse outcome from an individual or entity to a third party. It involves
one party paying another to take responsibility for mitigating specific losses.
- The transfer may be used to deal with both speculative and pure risk
1. Reinsure - an agreement between the reinsured and the reinsurer wherein the latter agrees to accept a certain fixed share
of the reinsured's risk upon terms set out in the agreement.
2. Insure - a contract or agreement whereby one undertakes for a consideration to indemnify another against loss, damage
or liability arising from an unknown or contingent event.
3. Outsource - When a company lacks the expertise or resources needed to effectively handle a specific risk, it may choose
to outsource its risk management responsibilities to a third-party specialist.
4. Contracts (Pure risk) - Involving parties agreeing on the terms and conditions of their relationship and assigning
responsibilities and liabilities for potential outcomes.
5. Hedge - The use of financial instruments, such as forward contracts, futures, options, or swaps, to offset the exposure to
adverse price movements or fluctuations in the market.
6. Alliance - This includes forming a joint venture or participating in a consortium where multiple entities collaborate on a
project or endeavor.

Sharing - The practice of distributing the financial consequences of potential losses among multiple parties.
1. Pooling - Several parties come together to pool their resources and share risks among themselves.

Exploit (CRREDET) - It refers to the strategic utilization or leveraging of risks to achieve potential gains or advantages.

1. Create- This process entails identifying unmet needs that traditional competitors may overlook or opportunities in the
market, conducting thorough research and development, and designing solutions that address those needs effectively.
2. Redesign - This process entails reassessing and refining various elements such as resources, capabilities, processes,
and technologies to enhance operational efficiency, reduce costs, and improve overall performance.
3. Restructure - involves overhauling the company's processes and serves as a strategic tool for organizations to
effectively exploit risk by adapting to changing market conditions, enhancing operational efficiency, and seizing
opportunities for growth and innovation.
4. Diversify (Spread) - Diversification is a strategic approach to exploiting risk by spreading investments or exposures
across multiple assets, sectors, or geographic regions.
5. Expand - This approach involves seizing opportunities that arise from venturing into uncharted territories, whether it
be entering emerging markets, diversifying into new industries, or targeting previously untapped customer segments.
6. Take Advantage - Instead of viewing risk solely as a threat, seize the chance to capitalize on potential benefits or
advantages it presents.

TYPES OF DIVERSIFICATION (COPFE)

 Customer diversification - attracting a wider customer base or segmenting existing ones to reduce reliance on any
single revenue source.
 Organizational diversification - fostering adaptability and innovation within the firm's structure and processes to
effectively navigate changing market conditions
 Financial diversification -investing in different asset classes to manage risk and optimize returns.
 Physical diversification - expanding the firm's presence across various locations or broadening its product offerings to
appeal to diverse markets and consumer segments.
 Employee and supplier diversification - building relationships with a diverse pool of talent and suppliers to enhance
operational flexibility and resilience.

Group 6 (WIPCUM)

 Workforce Diversification: Hiring individuals with diverse skill sets, experiences, and perspectives to enhance
creativity and problem-solving.
 Investment Diversification: Allocating resources across different financial instruments or projects to minimize risks.
 Product Diversification: Expanding the range of products or services offered to reduce dependency on a single
product line.
 Cultural Diversification: Embracing employees from different cultural backgrounds to foster a more inclusive
workplace.
 Market Diversification: Entering new markets to protect the organization from market-specific risks.

CONTROLS

1. System Based Controls - Rely on automated systems, processes, and technology to prevent or detect risks.
 Preventive - Implementing automated systems and processes to prevent errors or risks from occurring.
 Detective - Focused on identifying errors or risks after they have occurred.
2. People Based Controls - Depend on human actions and adherence to policies, procedures, and training.
 Preventive - Relies on individuals following established procedures and protocols to prevent errors or risks.
 Detective - The least reliable, as it relies on individuals to identify errors or risks after they have occurred.

GROUP 4

KPI AND KRI DIFFERENCES (GROUP 1 ALSO)

 KRI - a quantifiable measurement used by organizations to monitor and manage potential risks that could impact their
objectives or operations
a. Quantitative KRIs - focus on provable facts and numerical data based on findings from mathematical models,
system outputs, and analysis methods
b. Qualitative KRIs - focus on predicting probability-based outcomes to support things like sensitivity analysis.
 Leading indicator - predictive in nature; forecasts future occurrences
 Lagging indicator - reactive in nature; a historical measure of past performance

Types of KRI (FOTH)

a. Financial KRI - give information about the different events that affect the financial health of a firm.
b. Operational KRI - impact of risks ranging from failed internal strategy execution processes to ineffective
internal management.
c. Technological - manage various risks involved in running the technological aspects of the company’s business
d. Human Resources- Staffing and recruitment agencies, as well as human resource departments
 KPI - a type of performance measurement used to evaluate the success of an organization or of a particular activity in
which it engages. It serves as a way to periodically assess the performance of organizations, business units, and their
divisions, departments, and employees. (A KRI signals exposure to a risk; a KPI signals achievement of an objective.)
a. Customer-focused KPIs: These are generally centered on per-customer efficiency, customer satisfaction, and
customer retention.
b. Process-focused KPIs: Aim to measure and monitor operational performance across the organization

REFRESH AND RESET

a. Refresh - refers to updating or revising existing risk management processes, strategies, or frameworks to ensure they
remain effective and relevant to current circumstances. This may involve adjusting risk assessments, updating policies
and procedures, or enhancing risk monitoring mechanisms
b. Reset - a more comprehensive overhaul or reevaluation of the entire ERM program. It may involve starting from scratch
or fundamentally redefining the approach to managing risks within the organization.

TYPES OF REPORT

Risk Reporting - is the regular provision of appropriate risk-related information to stakeholders and decision-makers within an
organization to support understanding of risk management issues and to assist stakeholders in performing their duties within the
organization. Risk reporting provides a regular mechanism to direct updates to key stakeholders, ensuring the right information
is given to the right people, at the right level, at the right time. (ATTNICOT)

a. Annual Report Attestation - Persons who are accountable for the risks of their organizations are required to attest in the
annual report that organizations have risk management processes in place and that: (a) These processes are effective in
controlling risks to a satisfactory level and (b) A responsible body or audit committee verifies that view.
b. Top Risks/ Strategic Risk - These reports contain a prioritized list of the top 10 to 20 risks based on consequence and
likelihood scores
c. Risk Trends- Contains trends on risks such as which risks are getting worse or which treatments are reducing risk
exposures, risk areas that need additional attention, target risk levels for key risks, and demonstrate trends on the
potential success of treatment plans.
d. New/ and emerging risks - A report that sorts risks according to when they were identified making it easier to highlight
new risks that may still need to be fully considered and understood.
e. Risk with ineffective controls - A report that identifies significant and extreme risks with ineffective controls, allowing
the Board and Executive to identify potential points of business failure that need urgent interventions or resource support.
f. Risk categories/ risk types - a risk report that groups all risks that have not been allocated to a responsible person for
follow-up and response, allowing management to identify key risks that are not being effectively monitored and
managed.
g. Risk owner/ person responsible - a risk report that filters risks by risk owner.
h. Risk treatments due or overdue - a report that sorts risks according to the due dates for treatment plans/responses.

DESIGN OF RISK REPORT (COFCAR)

 Comprehensive Report: The CRO prepares a detailed report covering all aspects of risk management within the
organization. This comprehensive view provides in-depth information for the Board.
 Focus on Outliers: Alternatively, the CRO highlights specific outliers—unusual or critical risks. These stand out and
require immediate attention.
 Capsulized Version: When time is limited, the CRO presents a condensed version using a monitoring dashboard or
template. This concise format ensures essential information is efficiently communicated.
 Risk Analysis and Treatment Template: The template shows the story of the risk, how it was defined during the
identification process, how it was analyzed (interrelationship and sourcing) and the options and action plans that were
developed to manage the risk. If a risk becomes a significant concern, the CRO may present a detailed risk analysis and
treatment plan. This includes assessing the impact, root causes, and specific actions to address the risk effectively.
Four (4) Key Audiences for Risk Reporting (BORRS)

Board of Directors and Risk Committee: The board of directors ensures the company meets its annual objectives. The risk
report should have a similar focus, detailing how potential risks could get in the way of set goals.
Senior Management: Includes executives as well as the CEO, all of whom need more detail than the board. A risk report for
senior management often involves reporting up; they want a list of risks and the accompanying mitigation plans from their ERM staff.
Risk Owners: These are the ERM staff on the front line, including middle managers. These individuals act on the mitigation
recommendations from senior management and the board.
Regulators: Regulatory agencies are the primary external audience for risk reports. ERM reporting for regulators requires a
careful balance; they must help the regulator understand the risks and assure that the organization meets regulatory requirements
without providing so much detail that it will attract further review.

OTHER TOPICS

TYPES OF RISK MONITORING

A. VOLUNTARY - Involves companies proactively learning from past events to improve risk management practices and
enhance overall organizational resilience.
B. OBLIGATORY – Mandated by law, ensures compliance with specific standards or requirements
C. REASSESSMENT - Involves periodic reviews and adjustments of risk management strategies in response to
changing circumstances, new information, or emerging threats.
D. CONTINUAL - Monitoring which is always ongoing, allowing for real-time identification and response to
emerging threats or opportunities.

GROUP 5

PERSONS IN CHARGE

BOARD OF DIRECTORS (in best-performing companies, all directors are involved)

- regularly receive reports on the status of risk management, perform monitoring of risk management, deliberate and
decide on important fundamental matters relating to risk management.
- provides an oversight role to risk management activities including the periodic review and approval of the ERM Policy,
ERM Framework and ERM Process through the BROC.

BOARD RISK OVERSIGHT COMMITTEE (3 members)

(Philippine SEC, in its Memorandum Circular No. 19, Series of 2016, discussing the Code of Corporate Governance for Publicly-
Listed Companies)

- performs an oversight of the risk management activities of the organization and system to ensure its functionality and
effectiveness
- Assists the Board in fulfilling its responsibility for oversight of the organization’s risk management activities.
- Sets the risk appetite of the organization

CHIEF EXECUTIVE OFFICER

- the overall/ ultimate risk management executive, responsible for ERM priorities, strategies, and policies (ultimate risk owner)
- ensures that the critical risks faced by the organization are being managed and mitigated to acceptable levels
- heads the RMET, which sets the direction and leads the decision-making
- ensures that sufficient resources are allocated to pursuing ERM initiatives, strategies and action plans
- reports to the BROC on a regular basis on ERM-related matters

RISK MANAGEMENT EXECUTIVE TEAM (think-tank)

- assists the CEO


- defines risk priorities
- Aligns risk policies and strategies with overall company plan.
- They are the primary risk owners.
1. Chief Risk Officer
 required to have a broad and independent view of the organization and be a strategic thinker, with an ability to anticipate
potential disruptions and influence decisions.
 reports to the CEO (or to the BROC)
 champion of the ERM process in the organization (owner of process not the risks)
 make sure that all these risk owners are collaborating, coordinating, and working together to identify, prioritize, and
manage the risks.
 Develops, implements risk management process, frameworks, policies, tools and methodologies;
 Analyzes, develops and executes policies and report risks;
 offers valuable insights and recommendations regarding emerging risks that could affect the organization
 play a crucial role in embedding a culture of risk awareness and resilience throughout the organization
 Developing risk maps and strategic action plans to address primary threats effectively.
 Monitoring and tracking the progress of risk mitigation efforts undertaken by the organization.
 Generating and disseminating risk analyses and progress reports to executives, board members, and employees.
 Integrating strategic risk management priorities into the company's overarching strategic plan.
 Formulating and executing information assurance strategies to safeguard against and manage risks associated with data
usage, storage, and transmission.
 Evaluating potential disruptions to business processes resulting from employee errors or system failures and devising
strategies to minimize associated risks.
 Identifying and quantifying the level of risk that the company should accept, known as risk appetite.
2. Chief Financial Officer
 Sometimes doubles as the CRO
3. Chief Operations Officer
4. Chief Information Officer
5. Chief Legal Officer
6. Chief Compliance Officer

RISK MANAGEMENT UNIT

- Composed of the different Risk Leaders and Risk Owners that support and incorporate the ERM process with the RMET
(second in command; the CRO, risk leaders, and risk owners implement the ERM process).
- Designed to carry out the activities in the ERM approach with guidance provided by their superiors (members of the
RMET) and other members of their teams.
- Suggest to the RMET the development of additional ERM Policies and other related guidelines.
- Gathers and evaluates the risk reports provided by the Risk Leaders and Risk Owners and monitors the status of risk
management strategies and action plans.
- Drives the continuous improvement of the organization’s current ERM Process.

RISK LEADERS - perform the risk process

- Lead the risk owners and constantly review and provide updates on the behavior of the critical risk.
- Guide the risk owners in making reports to be forwarded to the CRO/RMET.

INTERNAL AUDIT - performs an independent validation of the effectiveness of the risk management process and monitors the
effectiveness of the risk management treatment.

RISK OWNERS

GROUP 6

HOW TO DIVERSIFY A PORTFOLIO

a. Assess your risk tolerance
b. Asset allocation
c. Diversification within asset classes
d. Regular rebalancing
e. Consider costs
f. Monitor and adjust

BENEFITS OF ERM

1. Increasing the range of opportunities
2. Identifying and managing risk entity-wide
3. Increasing positive outcomes and advantages while reducing negative surprises
4. Reducing performance variability
5. Improving resource deployment
6. Enhancing enterprise resilience

EXAMPLE OF QUALITATIVE AND QUANTITATIVE METHOD

Qualitative Risk Assessment Method - do not have specific numerical or financial data associated with the risk of loss, but
organizations still can identify the risk of loss associated with these events.

1. Risk map – defined below (under Risk Assessment)


2. Risk ranking - requires the organization to assign a relative ranking to prioritize risks and assign resources to address the
risks in order of importance.

Quantitative Method - assign specific metrics or financial measurement to risk events.

1. VaR (Value at Risk) - indicates the potential loss a firm could incur from its trading activities over a given
horizon at a stated confidence level.
2. Sensitivity analysis - can show how events such as a change in interest rates or a delay in a product introduction can
affect earnings or cash flow at risk.
3. Earnings Distributions - show the effect of risk management on reducing the volatility of earnings associated with an
event.
4. Earnings at risk - show how a particular event will cause earnings (or cash flow) to vary around an expected amount.
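Added worked example (Python) for the quantitative methods listed above; it is not part of the reviewer. It computes
VaR two ways (historical simulation and the parametric, normal-distribution form) on a constructed 20-day P&L sample,
then runs a sensitivity analysis of earnings against parallel interest-rate shocks and reads off the earnings at risk.
The P&L figures, the debt and earnings numbers, the shock sizes and the tabulated z-scores are assumptions for
illustration, not data from the page.

```python
"""Quantitative risk measures on constructed sample data.

Added illustration for the quantitative methods above (VaR, sensitivity
analysis, earnings at risk). The P&L series, debt figures and rate shocks
are constructed for the example and are not real data.
"""
import math
import statistics

# Constructed sample: 20 trading days of profit/loss, in thousands.
SAMPLE_PNL = [12.0, -8.5, 3.2, -15.0, 7.7, 1.1, -2.4, 9.9, -30.0, 4.4,
              -6.1, 2.0, 11.3, -12.2, 0.5, -4.8, 6.6, -20.5, 3.9, -1.0]

# One-sided standard-normal quantiles for the usual confidence levels (assumed constants).
Z_SCORES = {0.95: 1.6449, 0.99: 2.3263}


def historical_var(pnl, confidence=0.95):
    """Historical-simulation VaR over a one-day horizon.

    Returns the loss (as a positive number) that was not exceeded on
    `confidence` of the observed days. No distribution is assumed, so the
    answer can never exceed the worst day actually present in the sample.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must lie strictly between 0 and 1")
    if not pnl:
        raise ValueError("empty P&L series")
    losses = sorted(-x for x in pnl)              # ascending, losses positive
    k = math.ceil(confidence * len(losses)) - 1   # quantile index (ceil: never understate)
    return losses[k]


def parametric_var(pnl, confidence=0.95):
    """Variance-covariance VaR: assumes P&L is normally distributed.

    VaR = z * sigma - mu, the loss at the chosen quantile of the fitted
    normal. Cheap to compute, but it understates fat-tailed losses.
    """
    if confidence not in Z_SCORES:
        raise ValueError(f"no z-score tabulated for {confidence}")
    if len(pnl) < 2:
        raise ValueError("need at least two observations")
    mu = statistics.mean(pnl)
    sigma = statistics.stdev(pnl)   # sample standard deviation
    return Z_SCORES[confidence] * sigma - mu


def rate_sensitivity(base_earnings, floating_debt, shocks_bp):
    """Sensitivity analysis: earnings under parallel interest-rate shocks.

    Each shock (basis points) raises the interest cost on floating-rate
    debt by debt * shock / 10_000. Returns {shock_bp: earnings}.
    """
    return {bp: base_earnings - floating_debt * bp / 10_000 for bp in shocks_bp}


def earnings_at_risk(base_earnings, floating_debt, shocks_bp):
    """Largest earnings shortfall versus the base case across the scenarios."""
    table = rate_sensitivity(base_earnings, floating_debt, shocks_bp)
    return max(base_earnings - e for e in table.values())


if __name__ == "__main__":
    for c in (0.95, 0.99):
        print(f"{c:.0%} VaR  historical={historical_var(SAMPLE_PNL, c):7.2f}"
              f"  parametric={parametric_var(SAMPLE_PNL, c):7.2f}")
    # Constructed figures: 500 of base earnings, 2,000 of floating-rate debt.
    shocks = [0, 50, 100, 200]
    for bp, e in rate_sensitivity(500.0, 2_000.0, shocks).items():
        print(f"+{bp:3d} bp -> earnings {e:7.1f}")
    print("earnings at risk:", earnings_at_risk(500.0, 2_000.0, shocks))
```

On this sample the historical 99% VaR is the worst observed day, while the parametric figure comes out lower: the normal
assumption smooths away the one large loss, which is the usual argument for checking both.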

DEFINITION AND ELEMENTS OF ERM PROCESS

1. RISK IDENTIFICATION - seeks to identify as many threats as possible without evaluating them

Elements:

 Risk framework - can be helpful to facilitate the risk identification process; it provides guidance to the risk
assessment participants and helps them organize the identified threats.
 Categories / Structural Elements (People, Process, Strategy, Technology, Data) (POPSTED)
 Business Processes (Revenue cycle, disbursement cycle, cash management and treasury, financial reporting, operations)
(REDCAFO)
2. RISK ASSESSMENT - the process of analyzing the potential effects of identified risks: a forward-looking survey of
the business environment to identify anything that could prevent the accomplishment of organizational objectives. It
involves identifying as many potential threats as possible and evaluating them to determine the proper response.

Elements:

 Risk Map- enables an analysis of risks not only on an individual level but also in relation to one another.
 Impact- effect the risk occurrence would have on the organization's objective if it were to occur.
 Likelihood- probability or chance that the risk actually will occur.
 Risk Appetite
 Non-probabilistic models- use subjective assumptions to estimate the impact of events without quantifying an associated
likelihood.
 Probabilistic models associate a range of events and the resulting impact with the likelihood of those events based on
certain assumptions.
 Inherent risk - the risk to achieving entity objectives in the absence of any action management might take to alter the
risk's likelihood or impact.
 Residual risk - the risk to achieving objectives that remains after management's responses have been developed.

Risk assessment activities- are performed continuously by all employees within the organization.

3. RISK PRIORITIZATION - the overall set of identified risk events, their impact assessments, and their probabilities of
occurrences are "processed" to derive a most-to-least-critical rank order of identified risks.

Elements:

 Risk appetite
 Risk Tolerance
 Risk threshold- The level of uncertainty or impact at which a stakeholder will have a specific interest.
4. RISK RESPONSE FORMULATION
 reducing risks to an acceptable level by employing tactics (ARATS)

Financial risks may be lessened by adjusting the organization's capital structure to minimize the cost of capital.
(included in the previous quiz)

Likelihood - Impact -> Response

1. Low - Low: Acceptance
2. Low - High: Transfer
3. High - Low: Reduction
4. High - High: Avoidance
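Added worked example (Python) for the prioritization and response-formulation steps above; it is not part of the
reviewer. It scores a small constructed risk register, derives inherent and residual scores, ranks the risks
most-to-least critical, and attaches the response tactic from the likelihood/impact matrix. The risk names, the 1-5
scales, the control-effectiveness percentages, the rule that controls lower likelihood but not impact, and the
threshold of 3 for "High" (standing in for the risk appetite) are all assumptions made for the example.

```python
"""Risk prioritization and response selection on a constructed register.

Added illustration for the prioritization and response steps above; not
from the reviewer. Names, scores and control percentages are constructed.
Assumptions: 1-5 scales, controls reduce likelihood only, and a score of
3 or more on either axis counts as "High" (the appetite threshold).
"""
from dataclasses import dataclass

# Response tactics from the likelihood/impact matrix above, keyed by (high_likelihood, high_impact).
RESPONSES = {
    (False, False): "Acceptance",   # Low likelihood, Low impact
    (False, True):  "Transfer",     # Low likelihood, High impact
    (True, False):  "Reduction",    # High likelihood, Low impact
    (True, True):   "Avoidance",    # High likelihood, High impact
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    control_pct: int = 0   # effectiveness of existing controls, 0..100 percent

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0 <= self.control_pct <= 100:
            raise ValueError(f"{self.name}: control_pct must be 0..100")

    @property
    def inherent_score(self):
        """Likelihood x impact before any management action."""
        return self.likelihood * self.impact

    @property
    def residual_likelihood(self):
        """Likelihood left after controls (assumption: controls act on likelihood only)."""
        return self.likelihood * (100 - self.control_pct) / 100

    @property
    def residual_score(self):
        return self.residual_likelihood * self.impact


@dataclass(frozen=True)
class Prioritized:
    name: str
    inherent: float
    residual: float
    response: str


def select_response(likelihood, impact, threshold=3):
    """Map a (likelihood, impact) pair to a tactic using the High/Low split."""
    return RESPONSES[(likelihood >= threshold, impact >= threshold)]


def prioritize(risks, threshold=3):
    """Rank risks most-to-least critical by residual score (inherent score breaks
    ties) and attach the response tactic for each risk's residual position."""
    ranked = sorted(risks, key=lambda r: (r.residual_score, r.inherent_score), reverse=True)
    return [
        Prioritized(r.name, r.inherent_score, r.residual_score,
                    select_response(r.residual_likelihood, r.impact, threshold))
        for r in ranked
    ]


# Constructed register (not real company data).
SAMPLE_REGISTER = [
    Risk("Key supplier insolvency",       likelihood=2, impact=5, control_pct=0),
    Risk("Phishing of staff credentials", likelihood=5, impact=2, control_pct=40),
    Risk("Entering a sanctioned market",  likelihood=4, impact=5, control_pct=0),
    Risk("Office printer outage",         likelihood=2, impact=1, control_pct=0),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_REGISTER):
        print(f"{p.name:32s} inherent={p.inherent:5.1f} residual={p.residual:5.1f} -> {p.response}")
```

The response is chosen from the residual position, not the inherent one: the phishing risk starts at likelihood 5 but
the 40% effective controls bring it to 3, which is still "High" on the assumed threshold, so it lands in Reduction
rather than Acceptance.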
5. RISK MONITORING AND CONTROL
 verifying compliance with the risk response decisions by ensuring that the organization implements the risk response
measures (and any information security requirements), determines the ongoing effectiveness of risk response
measures, and identifies any changes that would impact the risk posture.

BENEFITS OF IMPLEMENTATION OF ERM (RISK EXPLOITATION)

BENEFITS OF COSO 2017 AND SUBTOPIC COSO 2004

Objectives of COSO 2017

1. More clearly connect ERM with a multitude of stakeholder expectations
2. Position risk in the context of performance, rather than as an isolated exercise
3. Enable organizations to better anticipate risk, not simply the potential for crises
4. Provide an understanding that change creates opportunities

LIMITATIONS OF COSO 2017

A. Complexity
B. Subjectivity in Risk Assessment
C. Resource Constraints
D. Limited Guidance on Implementation

LIMITATIONS OF COSO ERM 2004

A. Judgment
B. Breakdowns
C. Collusion
D. Costs versus Benefits
E. Management override
INSURANCE (see above)

Elements:

1. The insured possesses an interest of some kind susceptible of pecuniary estimation, known as "insurable interest";
2. The insured is subject to a risk of loss through the destruction or impairment of that interest by the happening of a
designated peril;
3. The insurer assumes that risk of loss;
4. Such assumption of risk is part of a generic scheme to distribute actual losses among a large group or substantial
member of persons bearing the same risk; and
5. As consideration for the insurer’s promise, the insured makes a ratable contribution called “premium,” to a general
insurance fund

Parties to the Insurance

1. Insurer - the party who assumes or accepts the risk of loss and undertakes for a consideration to indemnify the insured or
to pay him a certain sum on the happening of a specified contingency or event.
2. Insured - the party in whose favor the contract is operative and who is indemnified against, or is to receive a certain sum
upon the happening of a specified contingency or event

Insurable Risks

1. Personal Risks—those involving the person; primarily concerned with the time of death or disability.
2. Property Risks—those involving loss or damage to property.
3. Liability Risks—those involving liability for injury to the person or property of others.

Types of Insurance

1. Life insurance
2. Property Insurance
3. Liability Insurance

CEO - Chief Executive Officer: The highest-ranking executive in a company responsible for making major corporate
decisions, managing overall operations, and ensuring the company's success.

RMET - Risk Management Executive Team: A group of executives or senior managers within an organization responsible
for overseeing and managing the company's risk management processes and strategies.

RMU - Risk Management Unit: A department or team within an organization tasked with identifying, assessing, and
managing various risks that could impact the organization's objectives and operations.

CRO - Chief Risk Officer: A senior executive responsible for identifying, assessing, and managing risks within an
organization. The CRO typically oversees the implementation of risk management strategies and ensures compliance with
regulations and policies.
