Enterprise Risk Management (ERM) is a strategic methodology that identifies, assesses, and prepares for potential risks across an organization. It involves a top-down approach that emphasizes communication and coordination among business units, with components including internal environment, objective setting, event identification, risk assessment, response, control activities, information communication, and monitoring. Companies like Jollibee, BDO, SM Prime, and Del Monte implement ERM to enhance decision-making, safeguard operations, and align risk management with their strategic objectives.
ERM- DONNA
Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization.
• It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization's operations and objectives and/or lead to losses.
• Enterprise risk management (ERM) is a firm-wide strategy to identify and prepare for hazards with a company's finances, operations, and objectives.

Understanding Enterprise Risk Management (ERM)
• Enterprise risk management takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment.
• It also often involves making the risk plan of action available to all stakeholders as part of an annual report. Industries as varied as aviation, construction, public health, international development, energy, finance, and insurance all have shifted to utilize ERM.
• ERM, therefore, can work to minimize firm-wide risk as well as identify unique firm-wide opportunities. Communicating and coordinating between different business units is key for ERM to be successful, since the risk decision coming from top management may seem at odds with local assessments on the ground. Firms that utilize ERM will typically have a dedicated enterprise risk management team that oversees the workings of the firm.

Components of Enterprise Risk Management (IOERRCIM)

I. Internal Environment
Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. This includes activities like a risk management policy and the setting of risk appetite and risk tolerance levels.

II. Objective Setting
• As a company determines its purpose, it must set objectives that support the mission and goals of a company. These objectives must then be aligned with a company's risk appetite.
• For example, an ambitious company that has set far-reaching strategic plans must be aware there may be internal risks or external risks associated with these lofty goals. In response, a company can align the measures to be taken with what it wants to accomplish, such as hiring additional regulatory staff for expansion areas it is currently unfamiliar with.

III. Event Identification
• Positive events may have a great impact on a company. On the other hand, negative events may have detrimental outcomes on a company's ability to continue to operate. ERM guidance recommends that companies identify important areas of the business and associated events that may have dire outcomes. These high-risk events may pose risks to operations (i.e. natural disasters that force offices to temporarily close) or strategic (i.e. government regulation outlaws the company's primary product line).

IV. Risk Assessment
In addition to being aware of what may happen, the ERM framework details the step of assessing risk by understanding the likelihood and financial impact of risks. This includes not only the direct risk (i.e. a natural disaster renders an office unusable) but residual risks (i.e. employees may not feel safe returning to the office). Though difficult, the ERM framework encourages companies to consider quantifying risks by assessing the percent chance of occurrence as well as the dollar impact.

V. Risk Response
• A company can respond to risk in the following four ways:
1. The company can avoid risk. This results in the company leaving the activity that causes the risk as the company would rather forgo the benefits of the activity than incur the risk.
An example of risk avoidance is a company shutting down a product line and discontinuing selling a specific good.
2. The company can reduce risk. This results in the company staying engaged in the activity but putting forth effort in minimizing the likelihood or magnitude of the risk.
• An example of risk reduction is a company keeping the product line above open but investing more in quality control or consumer education on how to properly use the product.
3. The company can share risk. This results in the company moving forward as-is with the current risk profile of the activity. However, the company leverages an independent third party to share in the potential loss in exchange for a fee.
An example of risk sharing is purchasing an insurance policy.
4. The company can accept risk. This results in the company analyzing the potential outcomes and determining whether it is financially worth pursuing mitigating practices.
An example of risk acceptance is the company keeping open the product line with no changes to operations and risk sharing.

VI. Control Activities
Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk. Control activities, often referred to as internal controls, are broken into two different types of processes:
1. Preventative control activities are in place to stop an activity from happening. These controls aim to mitigate risk by disallowing certain events from happening.
An example of a preventative control is a keypad or physical lock preventing all employees from entering into a sensitive area.
2. Detective control activities are in place to recognize when a risky action has taken place. Although the event is allowed to happen (or was not supposed to happen but still did), detective controls may alert management to ensure appropriate follow-up steps occur.
• An example of a detective control is an alarm for the room.

VII. Information and Communication
Information systems should be able to capture data useful to management to better understand a company's risk profile and management of risk.
By communicating with employees, there is more likely to be greater buy-in for processes and protection over company assets.

VIII. Monitoring
• A company can turn to an internal committee or an external auditor to review its policies and practices. This may include reviewing what is actually performed compared to what policy documents suggest.
This may also entail getting feedback, analyzing company data, and informing management of unprotected risks.

Application of ERM at Jollibee (SIIU)
Jollibee applies ERM through a comprehensive approach that promotes strategic thinking and analysis, while integrating and maintaining the highest ethical standards in the company's core values and beliefs. The company's risk management provides superior capabilities to identify, assess, and manage risks, enabling the organization and its employees at all levels to better understand and manage risks.

Strategic Thinking and Analysis: This means that Jollibee doesn't just react to risks as they occur. Instead, they proactively identify potential risks and analyze their potential impact on the company. This involves considering various scenarios and developing strategic plans to mitigate these risks. For example, they might conduct a risk assessment to identify potential threats to their supply chain and then develop a contingency plan to ensure they can continue to operate if one of their suppliers is unable to deliver.

Integration of Ethical Standards: Jollibee integrates ethical standards into their risk management practices. This means they consider not just the financial implications of risks, but also the ethical ones. For example, they would not choose a supplier solely based on cost if that supplier has a history of unethical labor practices. By integrating ethical standards into their ERM, Jollibee ensures that their risk management practices align with their core values and beliefs.

Identification, Assessment, and Management of Risks: Jollibee has capabilities to identify, assess, and manage risks. This involves identifying potential risks, assessing their potential impact and the likelihood of them occurring, and then developing strategies to manage these risks. For example, they might identify a risk related to fluctuating food prices, assess the potential impact this could have on their profit margins, and then develop a strategy to manage this risk, such as securing long-term contracts with suppliers at fixed prices.

Understanding and Managing Risks at All Levels: Jollibee enables its organization and employees at all levels to better understand and manage risks. This means that risk management is not just the responsibility of a single department or team, but is integrated into the entire organization. Everyone within the organization has a role to play in identifying and managing risks. This could involve training staff to identify potential risks in their day-to-day work, or it could involve incorporating risk management considerations into decision-making processes at all levels of the organization.

Application of ERM at BDO (T3RMAI)
BDO applies Enterprise Risk Management (ERM) to identify, assess, and manage risks across its operations in a structured and comprehensive manner. Here's how BDO applies ERM:

Top-Level Oversight: At the highest level, BDO's Board of Directors oversees the ERM process. The Board is responsible for establishing and maintaining a sound risk management system, ensuring that risk management practices align with the bank's strategic objectives.

Risk Governance Structure: BDO has established a robust risk governance structure that includes dedicated committees such as the Risk Management Committee. This committee is responsible for overseeing the bank's ERM program, setting risk appetite levels, and approving policies and risk tolerance limits across various risk categories.

Risk Identification and Assessment: BDO systematically identifies and assesses risks across different areas such as credit risk, liquidity risk, market risk, operational risk, compliance risk, and strategic risk. This involves evaluating the potential impact and likelihood of occurrence for each risk.

Risk Mitigation and Controls: Once risks are identified and assessed, BDO implements appropriate risk mitigation strategies and controls to manage and reduce its exposure. This may include establishing internal controls, diversifying investments, enhancing cybersecurity measures, and implementing business continuity plans.

Monitoring and Reporting: BDO continuously monitors its risk exposures and performance against established risk thresholds. Key risk indicators (KRIs) are used to track risk trends and deviations from expected levels. Regular reporting to senior management and the Board ensures transparency and accountability in risk oversight.

Adaptation and Continual Improvement: BDO adapts its risk management strategies in response to changes in the business environment, regulatory requirements, and emerging risks. This involves regularly reviewing and updating risk management practices to ensure they remain effective and aligned with the bank's objectives.

Integration with Business Processes: Risk management is integrated into BDO's business processes at all levels, from individual transactions to strategic decision-making. This ensures that risk considerations are taken into account throughout the organization's activities and decision-making processes.

Overall, BDO's application of ERM enables the bank to proactively identify, assess, and manage risks, thereby safeguarding its operations, protecting stakeholders' interests, and supporting sustainable growth and value creation.

Application of ERM at SM Prime (SPER)
SM Prime follows a Risk Management Approach, which starts from the identification and prioritization of risks, to the assessment of risk interrelationship and analysis of the sources of risks, then to the development of risk management strategies and action plans, and ultimately, to the monitoring and continuous improvement of the risk management process.

The business unit heads are responsible for managing operational risks by implementing internal controls within their respective units. On a quarterly basis, the Board Risk Oversight Committee is updated on the status of risk management and improvement plans of the Company.

Safety and Security Risk
The Customer Relations Service Department is responsible for maintaining the safety and security of all SM Malls through implementation of an access control system. Department personnel are also trained to respond to safety and security incidents. The Company ensures proper maintenance of facilities to minimize the impact of physical security risks which may affect its operations.

Property Damage and Business Disruption Risk
SM Prime has taken measures to optimize operations and to include disaster resilience in the design of its buildings to minimize vulnerability, better safeguard physical assets, and reduce recovery expense. Further, the Company promotes proactive risk reduction/risk management measures such as, but not limited to, conduct of periodic engineering equipment maintenance, system redundancies, etc.

Economic Risk
The Company strives to remain competitive in the industry by focusing on innovative developments and expanding market share while maintaining a customer-centric approach. In addressing inflation, the Company's internal engineering group performs weekly construction review meetings, ensures continuous research for new materials, technologies and methodologies, implements owner-supplied materials, maintains continuous strong partnership with suppliers, and phases project developments to manage the cash flow, etc.

Regulatory Compliance Risk
Corporate Compliance Group is responsible for monitoring compliance with mall permits and licenses, environmental and other external regulations, and internal requirements. The Company has developed a permits handbook for malls and an automated one-time and yearly government permits monitoring system. Further, the Company conducts regular employee awareness and mandatory compliance to Code of Ethics, Data Privacy Act and other external regulations through e-Learning modules.

Application of ERM at FORD (3RM)
• Ford company institutionalized the Enterprise Risk Management process, which includes Monthly Business Reviews and Monthly Business Reviews of Special Topics where the senior leadership of the Company regularly reviews the status of the business, the risk and opportunities presented to the business, and specific plans to address those risks and opportunities.
• Risk Identification - Risk that can affect the organization in any way can be identified by internal and external analysis of the company. It is not limited to only negative factors (risks) that can affect the company growth but also the positive factors (opportunities) as well. Any negative or risk factor is usually characterized by its complete description, causes and consequences, qualitative and quantitative assessment, and its mitigation plan.
• Risk Assessment - There are two types of risk assessment: one is qualitative and the other is quantitative. Both assessment tools are important for complete assessment of risks.
• Risk Treatment - For the treatment of the risk, a company must first find out the strategies for doing so by formulating a treatment plan. The purpose of such a treatment plan is to decrease the possibility of occurrence of risk and volume of its impact.
• Monitoring and Reporting - All risks and their treatments need to be continuously monitored and assessed. It is a proactive approach that helps control the risks the next time and saves time and cost. In this process not only the risk managers are involved but corporate governance also plays an important part.

Application of ERM at DEL MONTE (SOF)
Del Monte Foods applies its Enterprise Risk Management (ERM) framework across various aspects of its business operations. Here are some key ways Del Monte leverages ERM:
1. STRATEGIC PLANNING:
Del Monte integrates risk considerations into its strategic planning process, evaluating how potential risks could impact the achievement of its long-term business objectives.
2. OPERATIONAL RISK MANAGEMENT:
Del Monte uses ERM to identify and mitigate operational risks across its supply chain, manufacturing, distribution, and other key business functions. This includes risks related to food safety, product quality, supply chain disruptions, and operational efficiency.
3. FINANCIAL RISK MANAGEMENT:
ERM helps Del Monte manage financial risks such as commodity price fluctuations, currency exchange rate volatility, and credit/liquidity risks. The company uses various hedging strategies and financial controls to mitigate these financial risks.