Gov Prefinals

This document discusses risk management in business. It defines risk as events that can prevent a company from achieving its objectives. Risks can be internal, like fraud or accidents, or external, like economic downturns or natural disasters. Financial risks include credit, currency and price risks. Proper risk management is important for good governance and ensuring risks stay within acceptable levels.

CHAPTER 4: Introduction to Risk Management: "What Can Go Wrong?"

Risks are inherent in every business. No profit will be earned without taking a certain degree of risk. It can be said that "doing business" is indeed a risk-taking activity.

Nevertheless, risks must be properly managed and be kept within manageable levels. Too high levels of risks can result in operational bottlenecks, financial losses, poor corporate reputation, and, worst of all, closure of the business. Consequently, the economic and personal well-being of investors, creditors, and other stakeholders will be adversely affected.

Risk can simply be described as "things that can go wrong." In the sphere of managing risk, it is not right to say "let's just cross the bridge when we get there." On the contrary, risks should be identified before they even happen so that the company will be in a better position and time to prepare for them.

Risk can also be described as an event that can adversely affect cash flows, capital, and even the reputation of a company. An example of risk is credit risk, the possibility that customers of the company may not be able to pay on the due date. Another example is operational risk, the possibility of a disruption in the operations of the business due to machine breakdowns, natural calamities, and other causes.

Managing risks is central to good corporate governance. In a well-governed company, risk managers must properly control and manage the various risks affecting the business. On the other hand, corporate boards and risk committees must actively perform their oversight function pertaining to risks. Internal auditors must conduct evaluation of the risk management process in order to determine its effectiveness over time. All of these must be done in order to ensure that risks are kept within tolerable levels. This is the essence of risk management.

Definition and Nature of Risk

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk as "the possibility that an event will occur and adversely affect the achievement of enterprise objectives."

Based on the definition, risk is the likelihood that an event will occur. Such an event can prevent the company from achieving its business objectives. These objectives may include, for instance, achieving a specific amount of revenue or profit, manufacturing the required quantity of products, safeguarding of corporate assets, and ensuring compliance with applicable laws and regulations among others.

Table 4. Events Affecting the Achievement of Business Objectives

Business Objective | Event
1. Generating 10 million profit | Increase in production and operating costs
2. Manufacturing 20,000 units of the product | Loss of supply of raw materials needed in production
3. Producing reliable financial statements | Clerical errors in recording transactions
4. Reducing bad debts by 20% | Bankruptcy of a major customer
5. Uninterrupted computer processing of business transactions | Brownouts, computer breakdown, flood in the office, etc.

There are many events that can affect the business. These events can either be internal or external. Those events that occur within the company are called internal events and those that happen outside are external events.

The following table shows examples of internal and external events as well as their potential impacts to the company.

Table 5. Internal Events and Their Potential Impact to the Company

Event | Potential Impact
1. Internal fraud | • Financial loss • Damage to the reputation of the company
2. Machine breakdown | • Disruption in the production process • Failure to deliver finished goods to customers
3. Accident in the factory | • Physical injuries, loss of lives • Increase in medical costs
4. Violation of laws and regulations | • Fines and penalties • Potential criminal prosecution of erring corporate officers and employees

Table 6. External Events and Their Potential Impact to the Company

Event | Potential Impact
1. Economic recession | • Decline in sales revenue and operating profit • Possible closure of the business
2. Entry of more competitors in the market | • Loss of market share • Decline in sales revenue
3. Bankruptcy of a major customer | • Failure to collect receivables • Decline in cash balance
4. Pandemic (e.g., COVID-19, SARS) and natural calamities (flood, earthquakes, volcanic eruption) | • Disruption in business operations • Decline in revenue and profit • Possibility of closure of the business

Types of Risk

Because of the increasing complexity of business, there are different kinds of risk that the company may encounter. There is no single standard manner for classifying risks. At the minimum, however, risks can be categorized into two broad groups: financial risks and nonfinancial risks.

Financial Risks

Financial risk is the likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment, or cash flows, on account of the occurrence of events or transactions.

Specific risks included under the financial risk category are credit risk, liquidity risk, and market risks. Market risks can be further subdivided into interest rate risk, foreign currency risk, and price risk.

These risks are defined as follows:

1. Credit risk - the risk that a counter-party such as a customer or a borrower might fail to pay its account on the due date. For instance, there is a possibility that a borrower of a bank will be unable to pay his/her loan on the maturity date. This is sometimes referred to as default risk. Credit risk is present in all activities where there is an expectation of returns or repayment.
2. Liquidity risk - the risk that the business will be unable to meet its financial obligations as they fall due because of insufficient cash, inability to liquidate assets, or obtain adequate funding given a short period of time. This also includes the possibility that the business may not be able to convert noncash assets such as investments into cash on short notice.
3. Market risk - is the risk of volatility in the market brought about by factors of interest rate, foreign currency, and market prices.
a. Interest rate risk - is the potential decline in earnings and capital arising from changes in interest rates in the market. This risk generally occurs because an entity may have a disproportionate amount of fixed and variable interest-rate instruments on either side of the balance sheet. For instance, a company will pay a higher interest cost to the bank for its variable-rate loan when market interest rates increase. Higher interest expenses will result in lower profit.
b. Foreign currency risk - the risk that fluctuations in exchange rates could affect the profit of the business. For example, weakening of the Philippine peso will result in foreign currency loss to a Philippine importer of goods when the transaction is denominated in US dollars.
c. Price risk - the risk that changes in specific prices (stock price, price of other investments) could affect the profit or cash flow of the business. For instance, a decline in the price of shares owned by the company traded in the stock exchange will result in a decrease in the value of the stock investments.

Closely related to financial risks are business risks. A business risk is the possibility that the business may not be able to generate sufficient revenue, or an increase in production and increased operating costs might occur. For example, an increase in raw material cost will result in a decline in the gross profit margin of the company. In the same manner, when the company is unable to achieve its sales target, revenues will not be enough to cover operating costs and provide a reasonable profit margin to shareholders.

Nonfinancial Risks

Nonfinancial risks do not have an immediate direct financial impact to the business. However, their consequences may be serious and can later affect the financial well-being of the business if not properly mitigated. Many risks belong to this category. The following are some examples:

➢ Operational risk
➢ Legal or compliance risk
➢ Health and safety risk
➢ Environmental risk
➢ Strategic risk
➢ Reputation risk

1. Operational risk - the risk that business operations will be disrupted due to inadequate or failed systems, processes, people, breaches in internal controls, or other unforeseen catastrophes.
2. Legal or compliance risk - the risk that the company might fail to comply with applicable laws and regulations such as tax laws, labor laws, corporation law, anti-money laundering law, and environment laws among others. This risk also includes the possibility of not complying with contractual obligations to other entities. This type of risk may result in fines and penalties as well as possible criminal prosecution of erring company officers and employees.
3. Health and safety risk - the risk that unforeseen events could result in injuries, illnesses, or even loss of lives. Examples include injuries sustained by workers in the factory and transmission of COVID-19 virus to company staff. These examples will increase medical costs that will be incurred by the company.
4. Environmental risk - the risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities. Failure to remedy this negative contribution of the company to the environment could result in possible government sanctions, fines, and penalties.
5. Strategic risk - the risk of selecting an inappropriate corporate strategy or the failure of implementing an appropriate one. This type of risk may result in failure to achieve long-term strategic goals, loss of market share, and shrinkage in corporate value.
6. Reputation risk - the risk that reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor financial performance, and bad news about the company among others.

The two important risks that are related to the work of professional accountants are financial reporting risk and fraud risk.

Financial reporting risk is the possibility that the financial statements of the company will be incorrect due to errors, lapses, or failure to apply accounting standards such as the International Financial Reporting Standards (IFRS). Unreliable financial statements could result in erroneous financial analysis affecting the business decisions of investors and creditors.

Fraud risk, on the other hand, is the risk arising from deceptive and intentional acts that result in loss of company assets, resources, and reputation. Examples of fraud include theft of cash and inventories, bogus deliveries, ghost employees, and window dressing among others.

Definition and Nature of Risk Management

As previously discussed, many risks affect a business. If these risks are not properly managed, it will be "game over" because the business objectives of the company will not be achieved. A formal risk management process, therefore, becomes imperative in order to address and manage risks.

COSO defines enterprise risk management as:

Enterprise risk management¹ is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Risk Management as a Process

Risk management is not an isolated activity within the company. It is composed of a set of interrelated components that operate in an integrated manner in order to address the various risks affecting the company. The components of risk management will be discussed in the next chapter.

Roles in the Risk Management Process

Everyone has a role to play in the company's risk management process. The following summarizes the duties of key people pertaining to the management of risks:

1. Board of directors - conducts an oversight of the effectiveness of the company's risk management process. Risk oversight pertains to the periodic review and monitoring of the process being used by management in addressing and controlling risks. It is common for large companies to have risk oversight committees within the board of directors.
2. Management - implements specific risk mitigation and control procedures in managing the various types of risks affecting the company. Management also identifies and assesses risks prior to selecting the appropriate risk response.
3. Internal auditors - conduct examination of the risk management process for the purpose of determining its effectiveness over time. The results of their examination are communicated to either the board of directors or the risk oversight committee.
4. Other personnel - implement specific tasks and duties pertaining to the processes within their departments.

Risk Appetite

Risk appetite is the level of risk that the company can accept in pursuit of its objectives. As previously mentioned, operating a business naturally involves the taking of risks. However, these risks must be kept to within acceptable or manageable levels. This is one of the aims of the risk management process: to keep risks within the company's risk appetite.

Steps in the Risk Management Process

1. Setting of business objectives.

The risk management process starts with the setting of business objectives. In this regard, the COSO Risk Management framework categorizes business objectives into strategic, operational, reporting, and compliance.

Descriptions of the four business objectives are shown below:

a. Strategic objectives - are high-level goals aligned with and support the organization's mission and long-term vision.
b. Operational objectives - are goals that are related to the effective and efficient use of corporate resources.
c. Reporting objectives - are goals relating to the reliability and transparency of corporate reports such as financial and nonfinancial reports.
d. Compliance objectives - are goals relating to compliance and conformity with applicable laws and regulatory requirements.

Examples of business objectives in the four categories are shown below:

Table 7. The Four Categories of Objectives with Specific Examples

Category of objective | Specific example
Strategic | Increase market share of the company to 40% through business expansion.
Operational | Achieve profit after tax of P100 million
Reporting | Generate financial statements that are reliable and compliant with the International Financial Reporting Standards (IFRS)
Compliance | Compute, file, and pay taxes based on the requirements of tax laws and BIR Regulations

2. Identify the risks.

After setting the various objectives of the business, the risks or threats to the achievement of those objectives are identified. This is the process called risk identification. To reiterate, risks are events that can prevent the company from achieving its business objectives.

Risks are not that easy to spot. To be able to identify risks, risk managers must possess a comprehensive understanding of the company, the way it operates and corporate mission and vision, major transactions, products and services, suppliers and customers, and regulatory environment among others.

It is a common practice for a company to hold workshops or te where key people from different departments participate. The aim is to produce a comprehensive listing of all risks affecting the company. This list is often called a risk matrix. These are the known risks. It should be mentioned, however, that there are also "unknown" risks. These are the more dangerous kind of risks since they are yet to be identified even though they can occur anytime.

The table below shows risks that can prevent business objectives:

Table 8. Examples of business objectives and risks in achieving them

Business objective | Risk
Increase market share of the company to 40% through business expansion | • Possible entry of more competitors in the market • Change in the taste and preference of customers
Achieve profit after tax of P100 million | • Potential decline in the sales revenue of the company • Increase in production and operating costs
Generate financial statements that are compliant with the International Financial Reporting Standards (IFRS) | • Complexity in applying complex accounting requirements • Changes in the IFRS
Compute, file, and pay taxes based on the requirements of tax laws and Bureau of Internal Revenue Regulations | • Error in computing taxable income and the tax due • Intentional understatement of taxable income to reduce the tax due

3. Assess the risks.

Any risk has two dimensions: (1) the probability that something can go wrong and (2) the negative consequence or impact if that event occurs. Hence, identified risks should be assessed in terms of (1) likelihood of occurrence and (2) impact. "Likelihood" pertains to the probability that the event will occur. In other words, "likelihood" means the chance of occurrence. "Likelihood" is often classified into "high", "moderate", or "low."

On the other hand, "impact" refers to the significance or magnitude of the negative effect of the risk to the company. The "impact" of a risk is also classified into "high", "moderate", or "low." Analyzing risk in terms of "likelihood" and "impact" is known as risk assessment.

4. Respond to the assessed risks.

Management will select the appropriate risk response depending on the result of the risk assessment which can be "high", "moderate", or "low." Possible responses to assessed risks are listed as follows:

a. Accept - Tolerating or accepting the risk is permissible only if it is of minor effect to the business or if its likelihood is "remote" such that it is not worth the money or effort to do anything about it.
b. Reduce - Risks that are likely to happen or those that are expected to have a significant impact to the business cannot be simply accepted. These risks should be mitigated or reduced to tolerable levels. Reducing risks can be done through implementing controls or specific risk mitigation plans.
c. Share - In some situations, the appropriate response might be to share or transfer the risks to some other entity such as an insurance company. An insurance company manages other people's risks.
d. Avoid - Avoiding a risk may be the right response when management thinks that merely reducing it is not enough. For instance, the company may terminate one of its product lines if it assesses that operating it has become too risky.

5. Implement the risk response.

Implementing the risk response is done through deploying specific risk mitigating plans or management action plans to control the risks. The following are examples of specific action plans or controls needed to address assessed risks:

Table 9. Examples of risks and the corresponding risk mitigating action of management
6. Monitor the risk management process.

The risk management process must be continuously monitored to determine if it remains effective and efficient over time. Management and corporate boards cannot make the erroneous assumption that an effective risk management process will simply remain effective. A risk management process that is effective today may no longer be effective for the next period. This is because risks are always changing. There are even new and emerging risks such as cybercrime risk and the risk of pandemics. Therefore, there must be a periodic evaluation of the risk management process. This is usually done through an internal audit process.

Risk Management Frameworks

Strategies for managing risks can only operate well if they are based on an appropriate framework for managing risks. A framework is used as a guide in formulating a company's risk management process. COSO Enterprise Risk Management and ISO 31000-Risk Management are the two leading risk management frameworks today.

ISO 31000-Risk Management is a series of risk management standards formulated by the International Organization for Standardization. ISO 31000 provides a set of principles and guidelines for the design, implementation, and evaluation of the risk management process for companies across different industries.

The International Organization for Standardization is an independent, nongovernmental organization that develops voluntary international standards and is comprised of 165 member-countries as of 2020. It was founded in 1947.

ISO 31000 follows a structured approach toward the systematic application of management policies and procedures to the activities of communication, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.

The steps under ISO 31000 are summarized below:

➢ Identification of all risks that could prevent the company from achieving its business objectives.
➢ Analysis of risk including an understanding of its causes and effects.
➢ Determination whether identified risks are tolerable or not.
➢ Treatment of significant risks by way of mitigating procedures and thereby reducing the impact and/or the likelihood of the risks.
➢ Monitoring risk management strategy and implementation to determine gaps that should be addressed.
➢ Communication of information pertaining to the risk management process of the company.

Another global framework is COSO Enterprise Risk Management (COSO ERM). The original framework was published in 2004. The COSO organization was originally established in order to study the causes of fraudulent financial reporting during the latter part of the 1980s. It was also tasked to make recommendations on how to prevent such improper accounting practices.
Definition of Terms

Business risk - the possibility that the business may not be able to generate sufficient revenue, or an increase in production and operating costs might occur.

Compliance risk - the risk that the company might fail to comply with applicable laws, regulations, and contractual obligations to other entities.

Credit risk - the risk that a counter-party such as a customer or a borrower will fail to pay his/her account on the due date.

Enterprise Risk Management - a process effected by an entity's board of directors, management, and other personnel; applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, to manage risk to be within its risk appetite, and to provide reasonable assurance regarding the achievement of entity objectives.

Environmental risk - the risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities.

Financial reporting risk - the possibility that the financial statements of the company will be incorrect due to errors, lapses, or failure to apply accounting standards.

Financial risk - the likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment, or cash flows on account of the occurrence of events or transactions.

Foreign currency risk - the risk that fluctuations in exchange rates will affect the profit of the business.

Fraud risk - the risk arising from intentional and deceptive acts that result in loss of company assets, resources, and reputation.

Health and safety risk - the risk that unforeseen events could result in injuries, illnesses, or even loss of lives.

Impact - the significance or magnitude of the risk on its effect to the company.

International Financial Reporting Standards (IFRS) - a set of internationally accepted accounting standards intended to promote quality and transparent financial reporting.

Interest rate risk - the potential decline in earnings and capital arising from changes in interest rates in the market.

Likelihood - the probability that the event will occur.

Liquidity risk - the risk that the business would be unable to meet its financial obligations as they fall due because of insufficient cash and inability to liquidate assets or obtain adequate funding on short notice.

Operational risk - the risk that business operations will be disrupted due to inadequate or failed systems, processes, people, breaches in internal controls, or other unforeseen catastrophes.

Price risk - the risk that changes in specific prices (stock price, price of other investments) could affect the profit or cash flow of the business.

Reputational risk - the risk that reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor performance, and bad news about the company among others.

Risk - the possibility that an event will occur and adversely affect the achievement of enterprise objectives.

Risk appetite - the level of risk that the company can accept in pursuit of its objectives.

Risk assessment - the process of analyzing the identified risks in terms of "likelihood" and "impact."

Risk identification - the process of identifying risks that can prevent the business objectives of the company.

Risk response - the process of selecting the appropriate risk response or action based on the result of the risk assessment.

Strategic risk - the risk of selecting an inappropriate corporate strategy or the failure of implementing an appropriate one.
