
SUMMARY (GBRC)- CHAPTER 4

Chapter 4 introduces risk management, defining risk as events that can negatively impact business objectives and emphasizing the importance of managing these risks for corporate governance. It outlines various types of risks, including financial and non-financial risks, and details the steps involved in the risk management process, such as setting objectives, identifying risks, assessing them, and responding appropriately. Additionally, it highlights globally recognized risk management frameworks like ISO 31000 and COSO ERM for effective implementation.

Uploaded by

buungisaguirre
Copyright: © All Rights Reserved

CHAPTER 4

INTRODUCTION TO RISK MANAGEMENT:


WHAT CAN GO WRONG?

LEARNING OBJECTIVES:
a. describe risk and its characteristics
b. identify the different types of risk
c. articulate the need for risk management
d. describe the steps in managing risk
e. identify globally recognized risk management frameworks

INTRODUCTION
• Risks are inherent in every business
• Risk can be described as "things that can go wrong"
• Risk can also be described as an event that can adversely affect the operating profit, cash flows, capital, and even the reputation of the company

“Managing risk is central to corporate governance”

DEFINITION AND NATURE OF RISK

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk as "the possibility that an event will occur and adversely affect the achievement of enterprise objectives."

TABLE 4. EVENTS AFFECTING THE ACHIEVEMENT OF BUSINESS OBJECTIVES

Business Objectives | Event
1. Generating 10M profit | Increase in production and operating cost
2. Manufacturing 20,000 units of the product | Loss of supply of raw materials needed in production
3. Producing reliable financial statements | Clerical errors in recording transactions
4. Reducing bad debts by 20% | Bankruptcy of major customer
5. Uninterrupted computer processing of business transactions | Brownouts, computer breakdown, flood in the office, etc.

There are many events that affect the business. These events can either be internal or external.

TABLE 5. INTERNAL EVENTS AND THEIR POTENTIAL IMPACT TO THE COMPANY

Event | Potential impact
1. Internal fraud | Financial loss; damage to the reputation of the company
2. Machine breakdown | Disruption in the production process; failure to deliver finished goods to customers
3. Accident in the factory | Physical injuries, loss of lives; increase of medical costs
4. Violation of laws and regulation | Fines and penalties; potential criminal prosecution of erring corporate officers and employees

TABLE 6. EXTERNAL EVENTS AND THEIR POTENTIAL IMPACT TO THE COMPANY

Event | Potential impact
1. Economic recession | Decline in sales revenue and operating profit; possible closure of the business
2. Entry of more competitors in the market | Loss of market share; decline in sales revenue
3. Bankruptcy of a major customer | Failure to collect receivables; decline in cash balance
4. Pandemic (e.g., COVID-19, SARS) and natural calamities (flood, earthquakes, volcanic eruption) | Disruption in business operations; decline in revenue and profit; possibility of closure of the business

TYPES OF RISK

Financial Risks
Financial risk is the likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment or cash flows, on account of the occurrence of events or transactions.

Non-Financial Risks
Non-financial risks do not have an immediate direct financial impact to the business. However, their consequences may be serious and can later affect the well-being of the business if not properly mitigated.

KINDS OF FINANCIAL RISKS

CREDIT RISK
The risk that a counter-party such as a customer or a borrower might fail to pay its account on the due date.

LIQUIDITY RISK
The risk that the business will be unable to meet financial obligations as they fall due because of insufficient cash, inability to liquidate assets or obtain adequate funding given a short period of time.

MARKET RISK
Market risk is the risk of volatility in the market brought about by factors of interest rate, foreign currency, and market prices.
a. Interest rate risk
• the potential decline in earnings and capital arising from changes in interest rates in the market.
b. Foreign currency risk
• the risk that fluctuations in exchange rates could affect the profit of the business.
c. Price risk
• the risk that changes in specific prices (stock price, price of other investments) could affect the profit or cash flow of the business.

BUSINESS RISK
A business risk is the possibility that the business may not be able to generate sufficient revenue or that an increase in production and operating costs might occur.

NON-FINANCIAL RISKS
Operational Risk
• the risk that business operations will be disrupted due to inadequate or failed systems, processes, people, breaches in internal controls, or other unforeseen catastrophes.
Legal or Compliance Risk
• the risk that the company might fail to comply with applicable laws and regulations such as tax laws, labor laws, corporation law, anti-money laundering law, and environment laws, among others.
Health and Safety Risk
• the risk that unforeseen events could result in injuries, illnesses, or even loss of lives.
Environmental Risk
• the risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities.
Strategic Risk
• the risk of selecting an inappropriate corporate strategy or the failure to implement an appropriate one.
Reputation Risk
• the risk that the reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor financial performance, and bad news about the company, among others.

• The two important risks that are related to the work of professional accountants are financial reporting risk and fraud risk.

FINANCIAL REPORTING RISK
Financial reporting risk is the possibility that the financial statements of the company will be incorrect due to errors, lapses, or failure to apply accounting standards such as the International Financial Reporting Standards (IFRS).

FRAUD RISK
Fraud risk, on the other hand, is the risk arising from deceptive and intentional acts that result in loss of company assets, resources, and reputation.

Definition and Nature of Risk Management


COSO defines enterprise risk management as:

Enterprise risk management is a process, effected by an entity's board of directors, management, and
other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.

Risk Management as a process


Risk management is not an isolated activity within the company. It is composed of a set of interrelated
components that operate in an integrated manner in order to address the various risks affecting the
company. The components of risk management will be discussed in the next chapter.

Roles in the Risk Management Process


1. Board of directors - conducts an oversight of the effectiveness of the company's risk management
process.
2. Management - implements specific risk mitigation and control procedures in managing the various
types of risks affecting the company.
3. Internal auditors - conduct examination of the risk management process for the purpose of
determining its effectiveness over time.
4. Other personnel - implement specific tasks and duties pertaining to the processes within their departments.

Risk Appetite

Risk appetite is the level of risk that the company can accept in pursuit of its objectives.

Steps in the Risk Management Process:


1. Setting of business objectives.
The risk management process starts with the setting of business objectives. In this regard, the COSO Risk Management framework categorizes business objectives into strategic, operational, reporting, and compliance. Descriptions of the four business objectives are shown below:
• Strategic objectives - are high-level goals that are aligned with and support the organization's mission and long-term vision.
• Operational objectives - are goals that are related to the effective and efficient use of corporate resources.
• Reporting objectives - are goals relating to the reliability and transparency of corporate reports such as financial and non-financial reports.
• Compliance objectives - are goals relating to compliance and conformity with applicable laws and regulatory requirements.

Table 7. The Four Categories of Objectives

Category of Objectives | Specific Example
Strategic | Increase market share of the company to 40% through business expansion
Operational | Achieve profit after tax of 100 million
Reporting | Generate financial statements that are reliable and compliant with International Financial Reporting Standards
Compliance | Compute, file, and pay taxes based on the requirement of tax laws and BIR regulations

2. Identify the Risks

• After setting the various objectives of the business, the risks or threats to the achievement of those objectives are identified. This is the process called risk identification.
• The aim is to produce a comprehensive listing of all risks affecting the company. This listing is often called a risk matrix. These are the "known risks".

Table 8. Examples of business objectives and risks in achieving them

Business Objectives | Risk
Increase market share of the company to 40% through business expansion | Possible entry of more competitors in the market; change in the taste and preference of customers
Achieve profit after tax of 100 million | Potential decline in the sales revenue of the company; increase in production and operating costs
Generate financial statements that are compliant with the International Financial Reporting Standards | Complexity in applying complex accounting requirements; changes in IFRS
Compute, file, and pay taxes based on the requirements of tax laws and Bureau of Internal Revenue Regulations | Error in computing taxable income and tax due; intentional understatement of taxable income to reduce the tax due

3. Assess the Risk


I. Any risk has two dimensions:
1. The probability that something can go wrong
2. The negative consequence or impact if that event occurs
II. Hence, identified risks should be assessed in terms of:
1. Likelihood of occurrence
2. Impact

4. Respond to the Assessed Risk


• Management will select the appropriate risk response depending on the result of the risk assessment, which can be "high", "moderate", or "low". Possible responses to assessed risks are listed as follows:

• Accept - Tolerating or accepting the risk is permissible only if it is of minor effect to the business or if its likelihood is "remote" such that it is not worth the money or effort to do anything about it.
• Reduce - Risks that are likely to happen or those that are expected to have a significant impact to the business cannot be simply accepted.
• Share - In some situations, the appropriate response might be to share or transfer the risks to some other entity such as an insurance company. An insurance company manages other people's risks.
• Avoid - Avoiding a risk may be the right response when management thinks that merely reducing it is not enough.

5. Implement the Risk Response


6. Monitor the Risk Management Process
• The risk management process must be continuously monitored to determine if it remains effective and efficient over time.
• A risk management process that is effective today may no longer be effective for the next period.
• There must be a periodic evaluation of the risk management process. This is usually done through an internal audit process.

RISK MANAGEMENT FRAMEWORKS


ISO 31000 - Risk Management is a series of risk management standards formulated by the International Organization for Standardization.
ISO 31000 provides a set of principles and guidelines for the design, implementation, and evaluation of the risk management process for companies across different industries.
ISO 31000 follows a structured approach toward the systematic application of management policies and procedures to the activities of communication, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.

THE STEPS UNDER ISO 31000 ARE SUMMARIZED BELOW:

• Identification of all risks that could prevent the company from achieving its business objectives.
• Analysis of risk including an understanding of its causes and effects.
• Determination whether identified risks are tolerable or not.
• Treatment of significant risks by way of mitigating procedures and thereby reducing the impact and/or the likelihood of the risks.
• Monitoring risk management strategy and implementation to determine gaps that should be addressed.
• Communication of information pertaining to the risk management process of the company.

Another global framework is COSO Enterprise Risk Management (COSO ERM).

• The COSO organization was originally established in order to study the causes of fraudulent financial reporting during the latter part of the 1980s. It was also tasked to make recommendations on how to prevent such improper accounting practices.
