RISK MGMT PART 1_REVIEWER - FINALS.pdf

Full Transcript

RISK MANAGEMENT REVIEWER
ORIENTATION:
 Risk Management.:
 RISK — coordinated activities to direct and control an
- the probability of an outcome having a organization with regard to risk.
negative effect on people, systems, or — It is the identification, evaluation, and
assets. prioritization of risks (defined in ISO 31000
- typically depicted as being a function of the as the effect of uncertainty on objectives)
combined effects of hazards, the assets or followed by coordinated and economical
people exposed to hazard and the application of resources to minimize,
vulnerability of those exposed elements. monitor, and control the probability or impact
of unfortunate events or to maximize the
realization of opportunities.
MANAGING RISK IS… — started on 17th/18th century.

Iterative and assists organizations in setting  Stakeholder :
strategy, achieving objectives and making informed — a party that has an interest in a company and
decisions. can either affect or be affected by the
business.
Part of governance and leadership, and is — The primary stakeholders in a typical
fundamental to how the organization is managed at corporation are its investors, employees,
all levels. It contributes to the improvement of customers, and suppliers.
management systems.
 Risk sources:
Part of all activities associated with an — usual potential reasons and causes risks in
organization and includes interaction with the organization.
stakeholders. — an element which can be alone or in
combination that can potentially give risk.
Considers the external and internal context
of the organization, including human behaviour and  Event :
cultural factors. — occurrence or change of a particular set of
circumstances.
Based on the principles, framework and
process outlined in this document, as illustrated in  Consequences:
figure 1. These components might already exist in — an outcome or an effect of one action.
full or in part within the organization, however, they — the term consequence is used negatively or
might need to be adapted or improved so that used as a negative reasoning.
managing risk is efficient, effective, and consistent.
 Likelihood:
1. the probability of an event occurring whether
PRINCIPLES, FRAMEWORK, AND PROCESS assessed subjectively or objectively,
- Leaders qualitatively or quantitatively.
- Accountability 2. It can be described using general terms or
- Responsibility mathematical measures like probability or
frequency within a specified timeframe.

 Control:
TOPIC 1: KEY CONCEPTS IN RISK — something that measure that maintains
MANAGEMENT or modifies risk.
 Key Terms:
 RISK RESPONSE:
 Risk : o Risk Avoidance - Avoidance of risk entails
— The possibility of something negative to retreating from a risk scenario or choosing
happen. not to engage.
— Uncertainty of objectives is also known as o Risk Transfer - Sharing risk reduces or
risk. makes it more acceptable.
— It is something where actual gain is differ o Risk Mitigation - Take steps to reduce risk.
from what we expect, and more can affect o Risk Acceptance - Choose to accept the
more negatively. risk.
— the possibility that something bad or
unpleasant (such as an injury or loss) will  PRINCIPLES OF RISK MANAGEMENT
happen
— effect of uncertainty on objectives The purpose of risk management is the
— consequences can range from positive to creation and protection of value. It improves
negative. performance, encourages innovation and
— is an unplanned event with unexpected supports the achievement of objectives.
consequences.
— the probability or likelihood that harm will Below are the principles of risk management:
occur as a result of exposure to hazard,
where hazard is defined as anything that has
a potential to cause harm.

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
— the organization must first define what is
"leadership and commitment"
— Top management is accountable for
managing risk while oversight bodies are
accountable for overseeing risk
management.

2. INTEGRATION
— relies on an understanding of organizational
1. INTEGRATED structural and context.
— Always part of the company — dynamic and iterative process.
— an integral part of all organizational — Risk management should be a part of, and
activities. not separate from, the organizational
purpose, governance, leadership and
2. STRUCTURED & COMPREHENSIVE commitment, strategy, objectives and
— systematic process operations.
— contributes to consistent and comparable
results. 3. DESIGN
— understanding the organization and its
3. CUSTOMIZED context.
— must be customized to the company — When designing the framework for managing
— are customized and proportionate to the risk, the organization should examine and
organization’s external and internal understand its external and internal context.
context related to its objectives. — Articulating risk management commitment
— Assigning organizational roles, authorities,
4. INCLUSIVE responsibilities and accountabilities
— Appropriate and timely involvement of — Allocating resources
stakeholders enables their knowledge, — Establishing communication and
views and perceptions to be considered. consultation.
— It results in improved awareness and
informed risk management. 4. IMPLEMENTATION
— create a suitable plan with allocated time and
5. DYNAMIC resources.
— flexibility and adaptability — recognize who, when, and how decisions are
— anticipates, detects, acknowledges and made throughout the organization.
responds to those changes and events in — adjust processes as needed
an appropriate and timely manner. — ensure clear understanding and
implementation of risk mgmt. protocols.
6. BEST AVAILABLE INFORMATION — engage and inform stakeholders effectively.
— gather information
— based on historical and current 5. EVALUATION
— information, as well as on future — regularly evaluate how well the risk
expectations management framework is working
— Information should be timely, clear and — determine if it still helps achieve the
available to relevant stakeholders. organization’s goals.

7. HUMAN & CULTURAL FACTORS 6. IMPROVEMENT
— Human behavior and culture significantly — Adapting
influence all aspects of risk management o Continual monitoring
at each level and stage. o Adapting to changes
o Improving value
8. CONTINUAL IMPROVEMENT
— continually improved through learning — Continually Improving
and experience. o Assessing framework effectiveness
o Enhancing integration
o Developing improvement plans
 FRAMEWORK OF RISK MANAGEMENT o Contributing to enhancement
o The framework is where policy, mandate,
organizational commitment, and structure
set the scene for the ongoing successful  RISK MANAGEMENT PROCESS
risk management application.
o It should provide guidance to the company. The risk management process involves the
o To assist the organization in integrating risk systematic application of policies, procedures, and
management into significant activities and practices to the activities of communicating and
functions consulting, establishing the context, and assessing,
treating, monitoring, reviewing, recording, and
1. LEADERSHIP AND COMMITMENT reporting risk.
— center of the framework clause
— ensuring risk mgmt. is integrated into all The risk management process should be an
organizational activities and should integral part of management and decision-making
demonstrate leadership and commitment by and integrated into the structure, operations, and
customizing and implementing all processes of the organization. It can be applied at
components of the framework strategic, operational, programme or project levels.

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
There can be many applications of the risk o resources required, responsibilities and
management process within an organization, records to be kept;
customized to achieve objectives and to suit the o relationships with other projects,
external and internal context in which they are processes, and activities
applied. The dynamic and variable nature of human
behavior and culture should be considered 4. EXTERNAL & INTERNAL CONTEXT
throughout the risk management process. Although
the risk management process is often presented as The external and internal context is the
sequential, in practice it is iterative. environment in which the organization seeks to
define and achieve its objectives.
1. COMMUNICATION & CONSULTATION:
The context of the risk management process
This is to assist relevant stakeholders in should be established from the understanding of the
understanding risk, the basis on which decisions are external and internal environment in which the
made and the reasons why particular actions are organization operates and should reflect the specific
required. environment of the activity to which the risk
management process is to be applied.
— Communication seeks to promote
awareness and understanding of risk. Understanding the context is important because:
— Consultation involves obtaining feedback o risk management takes place in the context of
and information to support decision- the objectives and activities of the
making. organization;
o organizational factors can be a source of risk;
Close coordination between the two should o the purpose and scope of the risk management
facilitate factual, timely, relevant, accurate and process may be interrelated with the objectives
understandable exchange of information, taking into of the organization as a whole
account the confidentiality and integrity of
information as well as the privacy rights of 3. DEFINING RISK CRITERIA
individuals.
The organization should specify the amount
Communication and consultation with and type of risk that it may or may not take, relative
appropriate external and internal stakeholders to objectives. It should also define criteria to evaluate
should take place within and throughout all steps of the significance of risk and to support decision-
the risk management process. making processes. Risk criteria should be aligned
with the risk management framework and
Communication and consultation aims to: customized to the specific purpose and scope of the
o bring different areas of expertise together for activity under consideration.
each step of the risk management process;
o ensure that different views are appropriately Risk criteria should reflect the organization’s
considered when defining risk criteria and values, objectives, and resources and be consistent
when evaluating risks; with policies and statements about risk
o provide sufficient information to facilitate risk management. The criteria should be defined taking
oversight and decision-making; into consideration the organization’s obligations and
o build a sense of inclusiveness and ownership the views of stakeholders.
among those affected by risk.
While risk criteria should be established at
2. SCOPE, CONTEXT, & CRITERIA: the beginning of the risk assessment process, they
are dynamic and should be continually reviewed and
This customize the risk management amended, if necessary.
process, enabling effective risk assessment and
appropriate risk treatment. To set risk criteria, the following should be
considered:
This involve defining the scope of the o the nature and type of uncertainties that can
process, and understanding the external and affect outcomes and objectives (both tangible
internal context. and intangible);
o how consequences (both positive and negative)
3. DEFINING SCOPE and likelihood will be defined and measured;
o time-related factors;
It is important to be clear about the scope o consistency in the use of measurements;
under consideration, the relevant objectives to be o how the level of risk is to be determined;
considered, and their alignment with organizational o how combinations and sequences of multiple
objectives. risks will be taken into account;
o the organization’s capacity
When planning the approach, considerations
include:
o objectives and decisions that need to be  RISK ASSESSMENT
made; — revolve around the idea of proactively
o outcomes expected from the steps to be identifying and addressing potential risks
taken in the process; before they occur.
o time, location, specific inclusions and — a systematic approach to understanding and
exclusions; managing risks, rather than simply reacting
o appropriate risk assessment tools and to them when they arise.
techniques;

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
1. RISK IDENTIFICATION Risk analysis provides input to risk
evaluation, to decisions on whether risk needs to
This involves identifying and documenting be treated and how, and on the most appropriate
potential risks that could impact the risk treatment strategy and methods. The results
organization's objectives. It includes both provide insight into decisions, where choices are
internal and external risks, such as operational, being made, and the options involve different
financial, strategic, and compliance risks. types and levels of risk.

Risk identification is the process of
documenting any risks that could keep an 3. RISK EVALUATION
organization or program from reaching its
objective. It's the first step in the risk The purpose of risk evaluation is to support
management process, which is designed to help decisions. Risk evaluation involves comparing
companies understand and plan for potential the results of the risk analysis with the
risks established risk criteria to determine where
additional action is required. This can lead to a
There are several situations for which you might decision to:
need to identify risks, including: o do nothing further;
o To support an investment decision o consider risk treatment options;
o To assess cost uncertainty or operational o undertake further analysis to better
costs understand the risk;
o To analyze multiple alternatives o maintain existing controls;
o To test a program before its acquisition o reconsider objectives.

 Decisions should take account of the wider
2. RISK ANALYSIS context and the actual and perceived
consequences to external and internal
The purpose of risk analysis is to stakeholders.
comprehend the nature of risk and its
characteristics including, where appropriate,
the level of risk. Risk analysis involves a detailed 4. RISK TREATMENT
consideration of uncertainties, risk sources,
consequences, likelihood, events, scenarios, The purpose of risk treatment is to select
controls and their effectiveness. An event can and implement options for addressing risk.
have multiple causes and consequences and
can affect multiple objectives. Risk treatment involves an iterative process of:
o formulating and selecting risk treatment
Risk analysis can be undertaken with varying options;
degrees of detail and complexity, depending on o planning and implementing risk
the purpose of the analysis, the availability and treatment;
reliability of information, and the resources o assessing the effectiveness of that
available. Analysis techniques can be treatment;
qualitative, quantitative or a combination of o deciding whether the remaining risk is
these, depending on the circumstances and acceptable;
intended use. o if not acceptable, taking further
treatment.
Risk analysis should consider factors such
as: Selecting the most appropriate risk treatment
o the likelihood of events and option(s) involves balancing the potential
consequences; benefits derived in relation to the achievement of
o the nature and magnitude of the objectives against costs, effort or
consequences; disadvantages of implementation.
o complexity and connectivity;
o time-related factors and volatility; Risk treatment options are not necessarily
o the effectiveness of existing controls; mutually exclusive or appropriate in all
o sensitivity and confidence levels. circumstances. Options for treating risk may
involve one or more of the following:
The risk analysis may be influenced by any
divergence of opinions, biases, perceptions of o avoiding the risk by deciding not to start
risk, and judgments. Additional influences are or continue with the activity that gives
the quality of the information used, the rise to the risk;
assumptions and exclusions made, any o taking or increasing the risk in order to
limitations of the techniques, and how they are pursue an opportunity;
executed. These influences should be o removing the risk source;
considered, documented, and communicated to o changing the likelihood;
decision makers. o changing the consequences;
o sharing the risk (e.g. through contracts,
Highly uncertain events can be difficult to buying insurance);
quantify. This can be an issue when analyzing o retaining the risk by informed decision.
events with severe consequences. In such
cases, using a combination of techniques The selection of risk treatment options
generally provides greater insight. should be made in accordance with the
organization’s objectives, risk criteria and available

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
resources. The organization should also consider and outcomes. Ongoing monitoring and periodic
the values, perceptions and potential involvement of review of the risk management process and its
stakeholders and the most appropriate ways to outcomes should be a planned part of the risk
communicate and consult with them. Though equally management process, with responsibilities clearly
effective, some risk treatments can be more defined.
acceptable to some stakeholders than to others.
Monitoring and review should take place in
Risk treatments, even if carefully designed all stages of the process. Monitoring and review
and implemented might not produce the expected includes planning, gathering and analyzing
outcomes and could produce unintended information, recording results and providing
consequences. Monitoring and review need to be an feedback. The results of monitoring and review
integral part of the risk treatment implementation to should be incorporated throughout the
give assurance that the different forms of treatment organization’s performance management,
become and remain effective. Risk treatment can measurement and reporting activities.
also introduce new risks that need to be managed.
Monitoring and review is a critical aspect of
If there are no treatment options available or the risk management process. It ensures that
if treatment options do not sufficiently modify the everything within that process together with the risks
risk, the risk should be recorded and kept under that it is seeking to address are working effectively
ongoing review. and efficiently. Through monitoring and review, you
are able to iterate and improve the risk management
Decision makers and other stakeholders process through continual improvement and
should be aware of the nature and extent of the iteration on a periodic and ongoing basis through the
remaining risk after risk treatment. The remaining activities of planning, gathering, analyzing, recording
risk should be documented and subjected to results, and providing feedback on those results.
monitoring, review and, where appropriate, further
treatment.
6. RECORDING & REPORTING

 Preparing and implementing risk treatment Recording and reporting aims to:
plans o communicate risk management activities
and outcomes across the organization;
The purpose of risk treatment plans is to o provide information for decision-making;
specify how the chosen treatment options will be o improve risk management activities;
implemented, so that arrangements are understood o assist interaction with stakeholders,
by those involved, and progress against the plan can including those with responsibility and
be monitored. The treatment plan should clearly accountability for risk management activities
identify the order in which risk treatment should be
implemented. Decisions concerning the creation, retention
and handling of documented information should take
Treatment plans should be integrated into into account, but not be limited to: their use,
the management plans and processes of the information sensitivity and the external and internal
organization, in consultation with appropriate context.
stakeholders. Reporting is an integral part of the
organization’s governance and should enhance the
The information provided in the treatment quality of dialogue with stakeholders and support top
plan should include: management and oversight bodies in meeting their
o the rationale for selection of the treatment responsibilities.
options, including the expected benefits to
be gained; Factors to consider for reporting include, but
o those who are accountable and responsible are not limited to:
for approving and implementing the plan; o differing stakeholders and their specific
o the proposed actions; information needs and requirements;
o the resources required, including o cost, frequency and timeliness of reporting;
contingencies; o method of reporting;
o the performance measures; o relevance of information to organizational
o the constraints; objectives and decision-making.
o the required reporting and monitoring;
o when actions are expected to be
undertaken and completed.

5. MONITORING & REVIEW

Risk management is an ongoing process that
requires continuous monitoring and review. This
ensures that risks are effectively managed and new
risks are identified and addressed in a timely
manner.

The purpose of monitoring and review is to
assure and improve the quality and
effectiveness of process design, implementation

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
TOPIC 2: STRATEGIC PLANNING FOR
ENTERPRISE RISK MANAGEMENT 2. Risk Awareness
By promoting a shared
SILO OR STOVE-PIPE RISK MANAGEMENT understanding of risks, strategic planning
— ‘silo’ means containers used to store grains. helps ensure that all stakeholders are
— organizations commonly managed risks by equipped to contribute to ERM efforts and
delegating responsibilities to particular make informed decisions that mitigate risks
business unit leaders who were tasked to and capitalize on opportunities.
oversee risks based on their respective
area. 3. Improve Decision-making
— each silo leader operates within their By systematically assessing risks
respective area to identify and address the and their potential impact on strategic
risks. objectives, organizations can make more
— They work independently within their own choices that balance risk and reward, leading
"silo," where they only focus on their to better outcomes and performance.
delegations’ tasks without collaborating with
others. 4. Resource allocation
By prioritizing risks based on their
ENTERPRISE RISK MANAGEMENT (ERM) significance and potential impact, strategic
planning ensures that resources are
This is a holistic approach employed across allocated to the most critical areas of risk,
the entire org to identify, assess, and manage maximizing the effectiveness of ERM efforts
various risks that an organization may encounter in and optimizing the use of resources.
pursuit of its objectives.
5. Continuous improvement
ERM OBJECTIVES: Strategic planning plays a crucial role
o Promoting a strong risk culture in ensuring business continuity by identifying
o Aligning with organizational strategy and mitigating risks that could disrupt
o Establishing risk governance operations or threaten organizational
o Safeguarding reputation resilience. By incorporating risk
o Ensuring legal compliance management strategies into strategic
planning processes, organizations can
This risk management helps organizations develop contingency plans, implement risk
increase their resilience to potential threats while mitigation measures, and establish
also allowing them to pursue opportunities more mechanisms for responding to and
confidently. recovering from potential disruptions.

 The implementation of an effective ERM 6. Enhanced stakeholder confidence
framework lies with the Chief Risk Officer
(CRO) of the organization. By embedding risk management
considerations into strategic planning
processes, organizations signal to
 STRATEGIC PLANNING stakeholders, including investors,
customers, regulators, and partners, that
The process of defining an organization’s they are proactive in identifying and
long-term vision, mission, goals, and objectives as mitigating risks that could impact
well as the resources and actions necessary to attain organizational performance and reputation.
them. This, in turn, enhances trust, credibility, and
long-term relationships with stakeholders,
It is crucial to Enterprise Risk Management contributing to organizational resilience and
and is a proactive response to risks in the business. sustainable growth.
It helps organizations prioritize the most important
risks first and address multiple risks simultaneously
instead of addressing them one at a time.  UNDERSTANDING RISKS IN ERM
Additionally, strategic planning helps organizations
better understand how different factors interact with  TYPE OF BUSINESS RISKS:
each other so they can make more informed
decisions about how best to allocate resources. 1. OPERATIONAL RISKS
— pertain to day-to-day challenges
 STRATEGIC ENTERPRISE RISK encountered during business
MANAGEMENT (SERM) operations, including internal process
inefficiencies, human errors,
This is an integrated approach that enables technological breakdowns, and supply
organizations to align their risk management chain disruptions.
processes with strategic decision-making, thereby — arise from internal processes, human
improving overall performance and resiliency. error, technology failures, or external
factors like supply chain disruptions.
IMPORTANT ASPECTS OF SERM:
2. FINANCIAL RISKS
1. Alignment with objectives — risks related to the overall financial health
Organizations can ensure that ERM and stability of the company.
efforts contribute directly to achieving long- — include factors like market volatility
term success and sustainability.

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
— -encompass factors that jeopardize a 5. Proactivity
company's financial stability, such as — Traditional risk management predominantly
market volatility, credit defaults, liquidity involves reactive approaches to address
constraints, and currency fluctuations. problems as they arise.
— Effectively managing financial risks is — ERM emphasizes proactive risk identification
crucial for maintaining robust financial and mitigation, enabling organizations to
health and resilience against economic anticipate and preemptively manage risks
uncertainties. before they escalate into critical issues,
thereby enhancing resilience and agility.
3. STRATEGIC RISKS
— assist interaction with stakeholders,
including those with responsibility and  ROLES OF STRATEGIC PLANNING IN ERM
accountability for risk management
activities. 1. Objective Setting
— arise from uncertainties surrounding A company must set objectives that support
long-term objectives and plans, the mission and goals of a company. These
stemming from changes in the market objectives must then be aligned with a
landscape, competitive pressures, company's risk appetite.
regulatory dynamics, and shifting It involves establishing the strategic and
consumer preferences. operational goals of the organization. These
— Managing strategic risks entails adaptive objectives provide context for identifying and
strategies to seize opportunities and assessing potential risks that could hinder the
mitigate threats in a rapidly evolving achievement of these goals.
business environment.
2. Event Identification
Involves identifying potential events that
 Difference Of Traditional Risk Management might impact an organization; includes
and Enterprise Risk Management identifying factors - internal and external - that
influence how potential events may affect
1. Use of Data strategy implementation and achievement of
— Traditional risk management relies objectives.
predominantly on historical data to identify Could be positive or negative; explore the
and address potential risks. opportunities as well as the risks.
— In contrast, ERM adopts a holistic approach,
leveraging advanced analytics and diverse 3. Risk Assessment
information sources to anticipate and It is essential to determine the likelihood,
mitigate a broader spectrum of risks, severity and your ability to respond to the risk.
including emerging threats. It involves the evaluation of potential risks in
terms of likelihood and potential impact. It
2. Leadership helps prioritize risks and allocate resources
— Traditional risk management often operates effectively.
within siloed departments, managing risks
independently. 4. Risk Response
— ERM necessitates top-level leadership and Risk response strategies involve the
strategic alignment across the organization, development and implementation of actions
fostering a culture of risk awareness and to mitigate or respond to identified risks. This
accountability to integrate risk management component aims to reduce or eliminate
into strategic decision-making processes exposures to risk and enhance the
effectively. organization's ability to seize opportunities.

3. Risk Appetite Ways on how a company can respond to risk
— Traditional risk management tends to adopt include the following:
a conservative risk mitigation approach o Reduce – reduce the risks to minimize
within departmental boundaries, potentially its impact.
limiting innovation and growth opportunities. o Accept – accept the impact if it’s
— ERM considers the organization's overall risk negligent or minimal.
appetite and tolerance levels, enabling a o Avoid – eliminate or forego the risk.
balanced approach to risk management that o Transfer – assign the mitigation to a
facilitates strategic growth while mitigating competent third party.
potential threats.
5. Control Activities
4. Scope These are the actions taken by a company to
— Traditional risk management focuses on create policies and procedures to ensure
addressing risks within specific departments, management carries out operations while
overlooking interconnections between risks mitigating risk.
across the organization. Determining appropriate internal controls to
— ERM takes a comprehensive view of monitor and test your approach. This series of
organizational risks, identifying and checks and balances is designed to identify
addressing interconnected risks proactively any out-of-tolerance activity or results.
to prevent escalation into significant threats.
6. Information and Communication
Information systems should be able to capture
data useful to management to better

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
understand a company's risk profile and organization's risk culture, risk appetite,
management of risk. Meanwhile, ethical values, and governance framework.
communication is the essence of any
business. 2. Objective Setting
This process will ensure that no risk is As a company determines its
overlooked. purpose, it must set objectives that support
Enterprise risk management requires a the mission and goals of a company. These
continual process of obtaining and sharing objectives must then be aligned with a
necessary information from both internal and company's risk appetite.
external sources, which flows up, down, and
across the organization. 3. Event Identification

7. Monitoring ERM guidance recommends that
This may include reviewing what is actually companies identify important areas of the
performed compared to what policy business and associated events that may
documents suggest. have dire outcomes.
We live in the age of market volatility, and the
fast-paced, changing trends put forth a 4. Risk Assessment
plethora of risks. These changing trends also One of the essential components of
change the nature of the risks you are about corporate risk management. You need to
to encounter. determine their likelihood, severity and your
ability to respond.
There are three distinct points where ERM
and the strategic planning process can support one 5. Risk Response
another to detect and manage different types of Risk response strategies involve the
strategic risk: development and implementation of actions
to mitigate or respond to identified risks.
1. Risks that inform development of the
strategic plan 6. Control Activities
Control activities are the actions
In this point, the focus is on taken by a company to create policies and
understanding the environment. These are the procedures to ensure management carries
risks from internal and external environment out operations while mitigating risk.
that help determine which goals and objectives
to choose in the first place. 7. Information and Communication
Information systems should be able
2. Risks to implementation of the strategic to capture data useful to management to
plan better understand a company's risk profile
and management of risk.
This points out the risks in building
the plan. These kinds of risk may prevent the 8. Monitoring
organization from achieving the goals and This may include reviewing what is
objectives defined in their plan. actually performed compared to what policy
documents suggest.
3. Risks generated from implementing the
strategic plan
 TOOLS & TECHNIQUES FOR STRATEGIC
These risks are encountered during ERM
the execution of the plan. These are the new
risks created by implementing the strategy 1. Key Risk Indicators
itself, or the unintended consequences of A Key Risk Indicator or a KRI is a
successfully executing the plan. measurable data that businesses use to provide an
immediate indication of potential risks to
accomplishing the objectives they have set. KRIs
Benefits of Integrating ERM into Strategic are unique to each company and are designed to
Planning: track and assess factors that are directly related to
- Businesses can enhance performance, the occurrence or development of risks. These
reduce costs, and increase profits. - assist organizations in proactively identifying,
Businesses can identify potential risks and monitoring, and managing potential risks. Once they
devise strategies to mitigate them to have discovered developing risks before they
maximize their success. escalate into major difficulties, it allows them to take
- Enables organizations to align their risk proactive action to reduce or manage these risks
management processes with strategic successfully.
decision-making, thereby improving overall
performance and resiliency. This differs from KPIs, or key performance
indicators, which are performance measurements
 COMPONENTS INVOLVED IN STRATEGIC used by organizations to assess how effectively they
PLANNING FOR ERM are reaching their objectives and goals and primarily
focus on positive outcomes, such as revenue
1. Internal Environment growth, customer happiness, and operational
The internal environment sets the efficiency. As opposed to KRIs, which are risk-
tone for how risk is viewed and addressed focused indicators designed to detect and monitor
within the organization. It includes the

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
potential risks and vulnerabilities that may impact an Usually, the risk register is divided into
organization's operations and objectives. multiple significant sections which are the following:
a) Identification - A unique identification is
Key risk indicators can be positive or given to every risk in order to make
negative, indicating both increased risk and the monitoring and reference easier during the
effectiveness of the risk mitigation measures of the risk management process.
company. Although important risk indicators can b) Description - A thorough risk description is
show negative outcomes in an organization, they given, outlining the characteristics, origin,
should not be interpreted as loss; rather, they and possible consequences of the risk
demonstrate the transparency and efficiency of the occurrence.
company's risk management performance. c) Type - The risks may be more easily
analyzed and prioritized since they are
Key risk indicators come in two types which grouped according to their nature or source,
are the lagging and leading key risk indicators. such as financial, operational, technical, or
Leading Key Risk Indicators can be used to strategic concerns.
anticipate future outcomes. This is comparable to d) Impact and Probability - The assessments
forecasting, except that a forecast of this kind simply of each risk's impact and probability are
documents the risks associated with the company included in the risk register, which aids
reaching its goal, but a Lagging Key Risk Indicator stakeholders in understanding the possibility
measures the real performance or records the actual of a risk occurring as well as the possible
and current risks of the organization. outcomes should it materialize.
e) Risk Allocation - The risks are allocated to
To determine the appropriate course of designated owners who bear the task of
action to mitigate the risks, it is essential to overseeing, controlling, and minimizing
understand the distinctions between these major risk them, guaranteeing accountability and well-
indicators. While lagging indicators support reactive defined reporting channels.
response to risks that have already occurred or by f) Status - The risk register gives stakeholders
collecting historical data that may be used as a insight into the advancement of risk
reference for possible risks, leading indicators often management initiatives by listing each risk's
need proactive response and concentrate on the current state, including whether it is open,
components that can foresee future occurrences. closed, mitigated, or ongoing.
g) Contingency Plans - The risk register may
Before a company can start building their also contain information regarding
KRIs, they need to understand their company's contingency plans, continuous monitoring
mission, vision and objectives and brainstorm on the and review procedures, and risk mitigation
important and main risks that are common in the measures, allowing stakeholders to assess
operations of the company. For the company's main the efficacy of risk responses and modify
risk indicator to be useful in strategic enterprise risk their plans as necessary.
management, it should possess the following
qualities: The difference of a risk register to a risk
Measurable: KRIs can be expressed as matrix is that a risk register is more like a
percentages, figures, etc. document while a risk matrix is a visual tool to
Relevant: Since KRIs are used to influence help map out the risks. The risk matrix measures
decision-making, they should be significant to the likelihood of the risk occurring, from rare to
the company and its objectives. almost certain, and its severity, from insignificant to
Comparable: KRIs should be comparable to severe. It’s also color-coded to show the priority of
trends over time and can be compared both each of the risks charted on the matrix. This is also
internally and to the existing industry commonly known as a risk map.
standards.
The figure below is a risk matrix. It can vary
Aside from having key risk indicators that are depending on the company but it usually contains
effective, the company should also have an efficient the probability of the risk happening compared to the
way of tracking KRIs. Companies usually use a impact of it once it occurs.
measure similar to that of a stop sign with green,
yellow and red indicators which means the following: The impact is divided into 5 different rating levels
Green KRIs fall within reasonable risk which are as follows:
thresholds. Insignificant – This won’t cause any serious
Yellow KRIs indicate elevated risk that needs injuries or illnesses.
to be monitored. Minor – This can cause injuries or illnesses,
Red KRIs indicate that the company's risk only to a mild extent.
tolerance has been exceeded and that quick Significant – This can cause injuries or
action is required. illnesses that may require medical attention
but limited treatment.
2. Risk Register and Risk Matrix Major – This can cause irreversible injuries or
illnesses that require constant medical
Organizations use risk registers, which are attention.
documents or files, to track and manage risks related Severe – This can result in fatality.
to their initiatives, operations, and projects. It acts as
an overview for tracking, evaluating, prioritizing, and The probability is divided into 5 different
recognizing risks at any point in a project's or rating levels which are the following:
organization's history. a) Rare - It is unlikely to happen and/or have
minor or negligible consequences.

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
b) Unlikely - It is possible to happen and/or to their controls, and actions. It's also often difficult to
have moderate consequences. map and interpret interdependencies and
c) Moderate - It is likely to happen and/or to commonalities, and any effort to create a risk map is
have serious consequences. entirely manual and prone to human error so using
d) Likely - It is almost sure to happen and/or to a software can help companies greatly.
have major consequences.
e) Almost certain - It is sure to happen and/or
have major consequences.

Creating a risk matrix helps the top
management and their teams to identify the risks
that could threaten the organization and rank their
possible impact and likelihood. The exercise can
clarify priorities for enterprise leaders and help them
get ahead of issues before they threaten the
organization's operations.

The risk matrix is used by assigning a
numeric value from 1 being the lowest and 5 being
the highest to the risk under the categories
probability and impact to determine the risk level of
each risk. The value of the impact multiplied to the
value of the probability is the risk level for the specific
risk. The meaning behind each risk level is
determined below:

1-4: Acceptable - no further action may be
needed and maintaining control measures is
encouraged.
5-9: Adequate - may be considered for further
analysis.
10-16: Tolerable - must be reviewed in a
timely manner to carry out improvement
strategies.
17-25: Unacceptable - must implement cease
in activities and endorse for immediate
action.

3. Scenario Analysis

Scenario Analysis is an assessment
technique that is used to identify and measure the
potential occurrence of operational risk events.
Scenario Analysis is designed to derive reasoned
assessments of the likelihood and impact of
plausible operational losses from business and risk
management experts.

It is often used to identify and measure
events with low frequency but high severity losses.
This is a tool that generates forward-looking “what-
if'' simulations for specified changes in market
factors.

There are different scenarios that can be
used in scenario analysis which are as follows:
o Base case scenario – It is the average
scenario, based on management
assumptions.
o Worst case scenario – Considers the most
serious or severe outcome that may happen
in a given situation.
o Best case scenario – It is the ideal projected
scenario and is almost always put into action
by management to achieve their objectives.

4. Risk Management Software
Companies can use risk management
software like resolver, oracle or sas to make their
risk management easier and standardized. Strategic
risk information is often held in Excel spreadsheets
making it difficult to identify, understand, and draw
relationships between causes, consequences and

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
Topic 3: KEY CONCEPT IN RISK MANAGEMENT Population or society being affected by one risk is
listed under this.
 RISK CULTURE Cost Benefit Criteria - It is not a direct risk criteria
The purpose of establishing the scope, but yet is part of the risk criteria such that it allows
context, and criteria is to customize the risk the organization to determine the cost benefit in
management process, enabling effective risk terms of risk reduction. This aims to show the
assessment and appropriate risk treatment. acceptable cost for one risk management process to
impose through cost-benefit analysis (CBA).
Scope, context and criteria involve defining Qualitative Risk Criteria - shows the conditions in
the scope of the process, and understanding the an accepted risk of an organization such as
external and internal context. protocols, mitigations, standards and other
conditions an organization shall consider.
 SCOPE Setting Risk Criteria - This criteria is objectively
Consideration in determining the scope of Risk: decided by the people of the organization. They set
Expected Outcome of the Risk Process – all the the risk on a numerical basis whether it needs
possible outcomes a risk may cause. immediate action or not. In this criteria, the
Time and Location – contains the risks which can organization is the one to select risks that are
occur timely or on a specific location only. acceptable shall have proper and strategized risk
Inclusions and Exclusions – the personal choices management.
and decisions of an organization to include or Risk assessment
exclude on the Risk Management process in - is the process of identifying what hazards exist, or
response to one risk. may appear in the workplace, how they may cause
Risk Assessment Tools and Techniques – refers harm and to take steps to minimize harm.
to the tools and techniques which the organization - tells us the likelihood and severity of a harmful
can utilize in terms of assessing the risks presented event.
within the organization. The primary objectives of risk assessment are as
Resources, Responsibilities, and Records - follows:
Organizations must know their resources, their Identification of Risks
responsibilities, and important records which will Analysis of Risks
help in assessing the risk and properly select the Prioritization of Risks
most reliable risk management process. Mitigation and Control
Intersection with other Projects, Process, and Decision-Making
Activities - In this case, each risk management Resource Allocation
scope shall always consider other external things Compliance and Regulation
despite it not having any effects on the new strategy. Continuous Improvement
Communication
CONTEXT Transparency
- is the environment in which the organization seeks Loss Prevention
to define and achieve its objectives. Strategic Planning
Risk Management is the process of identifying,
External context includes but is not limited to social, assessing, and controlling potential threats to an
cultural, environmental (including natural hazards organization. It's a proactive approach to managing
and climate change), political, legal, financial, uncertainty by anticipating and planning for future
technological, security and economic factors. events.
Risk analysis is the process of identifying and
Internal context includes strategic objectives, analyzing potential issues that could negatively
values, standards, resources available, business impact key business initiatives or projects.
processes, organizational culture, relationships with Types of Risk Analysis
internal stakeholders, capacities, etc. Risk-benefit analysis
- Typically used for decision-making in the
RISK CRITERIA healthcare and environmental sectors
The amount and type of risk an organization may or - weighs the prospective benefits and risks of a
may not take choice or course of action.
Obligations and views of stakeholders - to make rational decisions by determining whether
The nature and type of uncertainties that can affect the potential benefits of a decision outweigh the
outcomes and objectives potential risks, or vice versa.
How you will define positive and negative Business impact analysis (BIA)
consequences and likelihood of risk occurrences Needs assessment analysis
The role and influence of time in response to the risk Root cause analysis
Consistency on your choice of how the risk is to be
measured
Criteria in determining the level of risk
Combination or sequence of multiply occurring risks
Capacity to respond to the risk
TYPES OF RISK CRITERIA
Risk Matrix Criteria – a matrix for risk to determine
the frequency and effects of a risk in an organization.
Individual Risk Criteria - allows the organization to
know the consequences of the risk to an individual
such as the severity of its effect on the overall being
of an individual.
Societal Risk Criteria - holistically view the risk
including the internal and external effects of it.

-- May every evil eye in your life go blind.
 RISK MANAGEMENT REVIEWER
TOPIC 4: “MANAGING, MONITORING AND
REPORTING RISKS”
Type 1 - are uncertainties where a lot of historical
data is available, mostly work-related accidents.
Type 2 uncertainties are where little or very little
historical data is available (e.g., internal domino
effects).
Type 3 are uncertainties where no historical data is
available (i.e., loss of lives, economic devastation,
natural disasters).

Risk Appetite – refers to the level of risk

Key Aspects of Risk Appetite
1. Strategic Alignment
2. Risk Tolerance Levels
3. Decision-making framework
4. Communication and alignment
5. Monitoring and review

Relationship of Risk Culture and Risk Appetite
Risk Culture
10 most important values
1. acts as an influential values

STRATEGIES TO IMPROVE RISK CULTURE
1. Start from the top power
2. Employee Risk Awareness Training
3. Increase Risk Visibility
4. Align risk performance metrics with incentive
system
5. Evaluate and Report Progress with Quantitative
and Qualitative metrics

RISK APPETITE AND ITS IMPORTANT
RISK APPETITE – amount and type of risk that the
org is willing to take to achieve their goal

Type of RA of Org
1. Risk appetite – “risk seekers” they believe that
the higher the risk, the hgher the rewards/ greater
the success.
2. Low risk appetite – “risk comers(?)” ex: utilities
companies
3. Risk Neutral – seeking risk or avoiding it ex:
insurance companies

FACTORS AFFECTING RISK APPETITE
1. INDUSTRY –
2. COMPANY CULTURE –
3. COMPETITORS – can provide insights to
companies…
4. NATURE OF OBJECTIVES – related to no. 2.
5. FINANCIAL STRENGTH

How to write a Risk Appetite?
1. Build a diverse team
2. Start with strategy
3. Include an executive summary
4. Define metrics in easily quantifiable terms.
5. Keep it fresh.

RISK APPETITE SCALE
- A tool that helps identify the level of risks that the
business is going to assume that they may
encounter in achieving their primary targets.

-- May every evil eye in your life go blind.