Summary ERM
Table of contents
0. Introduction to risk management and control (p. 1)
1. Part 1: Introduction to Risk Management (p. 3)
1.1. What is risk? (p. 3)
1.2. What is control? (p. 8)
1.3. Development of Enterprise Risk Management (p. 11)
1.4. Corporate governance and regulatory context (p. 12)
1.5. Control responsibilities (p. 13)
2. Part 2: A closer look at ERM (p. 18)
2.1. Major drivers of ERM development (p. 18)
2.2. Major benefits of ERM (p. 18)
2.3. Risk management standards (p. 20)
2.4. Link between ERM and strategy development (p. 34)
3. Part 3: Risk Assessment (p. 37)
3.1. Risk attitude and risk appetite (p. 37)
3.2. Inherent risk and residual risk (p. 37)
3.3. Risk assessment: definition and description (p. 38)
3.4. Risk description and risk register (p. 38)
3.5. Risk assessment tools and techniques (p. 40)
4. Risk response (p. 45)
4.1. Risk response or risk treatment (p. 45)
4.2. Summary figure (p. 46)
5. Controls of selected risks (p. 47)
5.1. Financial risk (p. 47)
5.2. Market risk (p. 48)
5.3. Credit risk (p. 50)
5.4. Operational risk (p. 51)
5.5. Financial reporting and disclosure risk (p. 52)
5.6. Legal risk (p. 52)
5.7. IT risk (p. 53)
6. What is fraud? (p. 54)
6.1. The definition of fraud (p. 54)
6.2. Important components of fraud (p. 54)
6.3. Who commits fraud (p. 54)
6.4. Types of fraud (p. 54)
6.5. The fraud triangle (p. 57)
6.6. A closer look at fraud prevention & detection (p. 64)
0. Introduction to risk management and control
= how to handle risks (don’t put your head in the sand)
• The last 15 years we had a series of corporate scandals (Enron, WorldCom, Parmalat, L&H,
Société Générale, etc.) and the financial crisis.
• Also other risks:
o Technological: Year 2000 problem (millennium bug), cyber threats
o Disasters: weather, hurricane
o Terrorism
o Economic: the global financial crisis in 2008 demonstrated the importance of adequate
risk management.
▪ Some argue: the financial crisis demonstrates the failure of risk management
▪ We do not agree: rather it demonstrates the failure of organizations to successfully
address the risks they face, and the need for better risk management
o As a consequence, risk management has become an increasingly important business
driver and shareholders/stakeholders have become much more concerned about risk –
not only financial risk, but also operational, strategic, ... risk.
→Integrate risk management with operational management & combine goals/strategy
with risks we’re facing.
• An enterprise-wide approach to risk management enables an organization to consider the
potential impact of all types of risks on all processes, activities, stakeholders, products and
services.
= enterprise risk management/integrated risk management (integrate all risks in a single
unified framework instead of managing separate risks in separate silos)
• Implementing a comprehensive approach will result in an organization benefiting from what is
often referred to as the ‘upside of risk’. The last couple of years, there have been a lot of
evolutions with new standards, regulation, etc. New risk management standards have been
published, including the international standard, ISO 31000 ‘Risk management – Principles and
guidelines’.
→ 2 sides of a coin: don’t overdo it because not taking any risks isn’t beneficial for a
company.
• In this course we will discuss in detail different types of risks and how to manage them
(controls).
o This course explores the emerging practice of “enterprise risk management” (ERM) or
“integrated risk management”– a new managerial outlook on managing risk
o Enterprise risk management considers all the risks faced by the firm and attempts to
integrate these disparate risks into a single unified analytical framework
o Traditionally, risk has been managed in the compartments of financial risk, operating risk,
credit risk, etc. Rather than allowing risk to remain in such “silos,” ERM insists that these
must be brought together into one system of risk management.
o As we will see, the methods of ERM are very much a work in progress.
1. Part 1: Introduction to Risk Management
1.1. What is risk?
1.1.1. Definition
• Definition of risk (ISO Guide 73)
= “Risk is the effect of uncertainty on objectives”
= risk is something that makes it more difficult or impossible to achieve a certain goal set by a
company (negative connotation)
❖ Links risk to objectives (achieve a certain goal)
❖ Effect may be negative, positive or a deviation from expectations
o Therefore, risk may be considered to be related to:
▪ A loss
▪ An opportunity
▪ The presence of an uncertainty for an organization
o Every risk has its own characteristics that require particular management or analysis
o There are many definitions of risk and risk management. Risk is often defined in terms of
“harm and harmful events” (e.g. COSO).
⇔ Committee of Standards in Australia & New Zealand (basis for the new ISO standards):
concluded that we should not confine risk to harmful events, because outcomes can be
not only negative but also positive.
➔ Therefore new definition, also included in ISO now: effect on objectives: thus a SHIFT
from “the event” (something happens) to “the effect” (in particular on objectives).
o Entrepreneurship/doing business requires accepting some risks!
⇔ However, entrepreneurship should be realized within the limits of acceptable risk.
Through the media we learn that this is often not the case, with dramatic consequences for
everyone.
➔ Appropriate controls play an important role in avoiding these risks.
• An important part of analysing a risk is to determine the nature, source or type of impact of
the risk.
o Evaluation of risks in this way may be enhanced by the use of a risk classification system.
Risk classification systems are useful for analysing/evaluating risks
▪ Risk classification systems are important because they enable an organisation to
identify accumulations of similar risks.
▪ A risk classification system will also enable an organisation to identify which
strategies, tactics and operations are most vulnerable.
▪ Risk classification systems are usually based on the division of risks into those
related to financial control, operational efficiency, strategic and regulatory
activities, as well as hazard risks
o However, there is no risk classification system that is universally applicable to all types of
organizations.
➔ Select/develop an appropriate one
o ISO Guide 73: risks are divided into three categories (based on impact):
▪ Hazard (or pure) risks: mainly operational risks, day-to-day going concern risk
▪ Control (or uncertainty) risks: risks associated with projects that have a beginning
and an end, for example setting up a new system, which involves uncertainties.
▪ Opportunity (or speculative) risks: mainly financial such as call/put options
1.1.2. Hazard or pure risks
= Risk events that can only result in negative outcomes
❖ Are associated with a source of potential harm or situation with the potential to
undermine objectives in a negative way
❖ Often thought of as operational risks: backups, locks, etc. → leads to typical internal
controls
❖ Often insurable
❖ Normal efficient operations may be disrupted by loss, damage, breakdown, theft, and
other threats
• The application of risk management tools and techniques to manage hazard risks is the best
and longest-established branch of risk management
• May include:
o People:
▪ Lack of skilled people and resources
▪ Unexpected absence of key personnel
▪ Ill-health, accident or injury to people
o Premises:
▪ Inadequate or insufficient premises
▪ Damage to and contamination of premises
o Assets:
▪ Breakdown of plant or equipment
▪ Theft or loss of physical assets
o Suppliers
▪ Disruption caused by failure of supplier
▪ Delivery of defective goods or components
o Inefficient operation
▪ Transport failure or disruption
o IT
▪ Failure of IT systems
▪ Disruption by hacker or computer virus
▪ Inefficient operation of computer software
• Hazard “tolerance”
= Companies will have a “tolerance” of hazard risks
o Need to manage these risks within these levels of tolerance
o Examples:
▪ Theft
Office environment: some theft of stationery, including paper, envelopes and
pens, may be tolerated because the cost of eliminating these risks may be very
large, so it becomes cost-effective to accept that these losses occur
Jewellery shop: high security cost to eliminate the impact of theft
o Health and safety risks
Generally accepted: companies should be intolerant of these risks and should take
all appropriate actions to eliminate them.
In practice this is not possible, so manage safety risks to the lowest level that is
cost-effective and in compliance with the law
o OFTEN: trade-off between preventive and corrective measures
➔ You need to know what the tolerance is. As management you need to make sure you
stay within this tolerance. It’s the maximum loss you can accept as a company. You need
to manage those risks.
1.1.3. Control or uncertainty risks
= Risks that give rise to uncertainty about the outcome of a situation
❖ Uncertainty represents a deviation from the required or the expected outcome
❖ Extremely difficult to quantify: are associated with unknown and unexpected events
❖ Frequently associated with project management: difficult to predict and control
These risks are more sudden and unexpected. They are difficult to quantify because of the uncertainty.
Example: project management. It’s not on a going-concern basis; it’s something that happens and
disturbs. You don’t know what the outcome will be and it’s very hard to quantify this. It’s hard to make
calculations about what the financial effect is. What we usually do in practice is put percentages on it,
for example ‘% chance that situation X happens’.
• Control management
= is concerned with reducing the uncertainty and minimizing the potential consequences of
these events
o In general: companies have an aversion to control risks. If you can push the control risks
out of the window, then the chance that you will encounter them will be limited.