TOP Risk - Enterprise Risk Management Handbook (Complete)

This document provides an introduction to enterprise risk management (ERM). It discusses how risks have increased for organizations with globalization and become more complex. While ERM was initially seen as a response to regulation, it is now viewed as important for decision making. The document defines key risk management terms and concepts. It explains that risks should be viewed not just as threats but also opportunities. It also discusses how events can cause risks or opportunities for organizations and affect their objectives. Overall the document aims to give the reader a foundation for understanding ERM.


| ENTERPRISE RISK MANAGEMENT HANDBOOK |

Enterprise Risk Management Handbook


(Complete)

Produced by

FOREWORD
"Risk comes from not knowing what you're doing." (Warren Buffett)
Risk has become an ever-present part of our everyday life. Its ascent to become the buzzword of the decade is nothing short of meteoric, thanks in large part to the furore over the accounting scandals of Enron and WorldCom in 2002, and the subsequent enactment of the Sarbanes-Oxley Act. The spotlight is cast on the enigmatic word, risk. What is risk? In an instant, the world appears much riskier than it once seemed. Risk suddenly appears everywhere. Literature on risk multiplies exponentially. But why has risk become such a popular topic?
Two main reasons have contributed to the popularity of risk: more risks, and ever more complicated risks. With globalisation comes exposure. 20 years ago, companies welcomed globalisation as they faced the prospect of greater profit, but not many prepared themselves for the increased risks that came with it. Companies are not just faced with more risks; the consequences of these risks are also increasingly severe. An example: although Hurricane Andrew in 1993 was recorded as weaker than Hurricane Camille in 1969, Andrew caused USD 26.5 bn in damage, almost 19 times as much as Camille, and 5 times as much damage inflation-adjusted. This shows just how much greater the stakes have become.
As the business landscape broadens and changes over time, more complicated risks also present themselves. Currency risk was not common to companies 20 years ago; now every company has an active currency risk management policy. The failure to plan ahead has left many companies vulnerable to all sorts of risks they may not even have heard of. The increasing complexity and consequences of these risks carry an important message for all companies: manage your risks, or die.
Enterprise Risk Management - trend or fad?
Enterprise Risk Management (ERM) is playing an increasingly important role in helping organisations worldwide manage their risks properly. Through a systematic and methodical way of managing risks, organisations are better prepared to face harsh and unpredictable business conditions.
Yet it was at risk of becoming a fad. ERM's popularity declined in the years following the Sarbanes-Oxley Act, with it often being treated as a management policy or pet project, and not carried out properly. Worse, it is commonly viewed by management as a cost centre, a dispensable or even useless programme that does not add value to the organisation. This can be seen in the amount of leverage and the increasingly aggressive strategies taken by investment banks prior to the financial meltdown in 2008.
Thankfully, the crisis has seen the return of ERM and some common sense. Organisations are again placing greater weight on risk management, and they view ERM as a value-creating process and an integral part of decision-making and business activities.

Enterprise Risk Management & You


At this point, you may be inclined to ask, "So what does ERM have to do with me?" The answer is simply: everything. Whether you are going to be an entrepreneur, a banker, an accountant or an engineer, a sound knowledge of ERM equips you with the tools to help your future organisation combat and mitigate risks. As an active participant in your respective CCAs, understanding ERM can also help you better understand the risks that affect your CCA, and implement measures to manage these risks.
This handbook is a primer that introduces you to ERM and to how the ERM process is carried out. We borrow heavily from widely used ERM frameworks such as the COSO ERM Framework and ISO 31000. We hope this handbook will provide you with a different perspective on risk, and an insight into the ingredients for creating a successful ERM programme. Enjoy reading!

1. DEFINITIONS
1.1 RISK VERSUS UNCERTAINTY

We all know that the world is full of uncertainty. Trends such as globalization, regulation and rapid technological development are constantly changing and reshaping the business landscape. These developments lead to unpredictability and the need for organisations to manage it.
What is uncertainty? Hubbard (2007) defines uncertainty as the existence of more than one possibility. However, uncertainty is not risk. Knight (1921) differentiates the two terms as follows: risk is a measurable uncertainty. We adopt this differentiation in this handbook. Given that uncertainty can be difficult, even impossible, to measure, organisations can only consider measurable uncertainties. Such uncertainties present themselves as risks or opportunities, or both.
Hence, the management of risks becomes one of an organisation's primary tasks in order to achieve its goals and accumulate maximum value for its stakeholders. This is affected not only by the nature of the uncertainty, but also by the objectives and values of the organisation. Some questions to ask, then: How much uncertainty is the organisation willing to accept as it seeks to maximise stakeholder value? How does an organisation manage uncertainty?
1.2 VALUE

Value is created, preserved and eroded by the organisation's operations. The development and execution of these operations are guided by decisions made by the management. We can summarise every organisation's objective as capturing the maximum value possible for its shareholders. The difference, however, is the definition of value for each organisation.
The maximisation of shareholder value is far from straightforward. Firstly, the organisation has to deal with many different stakeholders with different motives. For example, regulators are interested in ensuring the organisation abides by the rules, suppliers want the organisation to make payments on time, customers want quality at a reasonable price, and the public wants a socially responsible organisation. Many risks exist in the transactions between the organisation and its stakeholders. These risks include the credit risk of its customers, currency risk as it transacts in foreign currencies, and financial reporting and compliance risk in fulfilling regulatory requirements; the list goes on and on. It is no mean feat for the company to satisfy its self-interested stakeholders and seek to maximise shareholder value at the same time.
Management of the organisation's risks is of utmost importance both in reducing the negative impact of risks and in adding value. This benefit of risk management is sometimes neglected by companies. However, proper risk management can indicate that the organisation provides better quality to its customers. An example of adding value can be seen in the implementation of Six Sigma, a strategy designed to improve manufacturing efficiency. In doing so, the organisation reduces defects and wastage, improving process efficiency. Six Sigma is but one strategy that manages the risk in one aspect of an organisation's operations. In order to manage, as far as possible, all risks that affect the organisation, a comprehensive Enterprise Risk Management system is required to help management allocate its resources to optimise the balance between value creation and risks.
1.3 TRADITIONAL DEFINITIONS OF RISK

In current literature, risk is inconsistently defined. Risk takes on a different meaning in each field. For example, in information technology, risk is the probable frequency and probable magnitude of future loss, whereas in risk management, risk means simply the probability of something happening. Such inconsistencies tend to lead to the misunderstanding and misuse of the term risk. For example, risk is sometimes ascribed a negative connotation, and viewed in terms of threats, losses and damage. In the Middle Ages, risk (risicum) was commonly used in sea trade and the ensuing legal problems of loss and damage. Yet risk need not be viewed purely as a threat. It can also be an opportunity.
1.4 RISK AND OPPORTUNITY

While a general definition of risk may not be possible, we should focus on what is important in each field when defining risk. A good example can be found in finance. Risk, measured by volatility, should not focus only on the probability of worse-than-expected returns, but also on the probability of better-than-expected returns. If option traders focus purely on downside risk, they miss out on opportunities created by risks on the upside, meaning the probability of better-than-expected returns. Similarly, in managing risks, organisations should not restrict their view of risks to mere threats, but should also move swiftly to capitalise on any opportunities that arise. This ensures that the organisation considers the broad risk universe that affects it. However, to reduce confusion over terms, in this handbook we differentiate risks and opportunities by the type of impact (negative or positive) on the organisation.
1.5 EVENTS AS A CAUSE OF RISK AND OPPORTUNITIES

The management of risks has to start somewhere. Organisations study events as causes of risk and opportunity. An event is an observable occurrence from an internal or external source that affects the achievement of objectives. An event's impact can be negative. Such events are considered risks, as they erode an organisation's value or prevent value creation. Examples of events with negative impact include fire and machinery breakdown. According to the COSO Framework, risk is defined as:
"The possibility that an event will occur and adversely affect the achievement of objectives."
Events with a positive impact are events that support value creation or preservation. For example, a new government subsidy or a tax reduction is likely to have a positive impact on organisations. These events are opportunities, which are defined as:
"The possibility that an event will occur and positively affect the achievement of objectives."
In reality, an event can sometimes have both positive and negative impact, and can thus be both a risk and an opportunity. For example, a sudden increase in demand can be an opportunity: the company can increase production and sales. If the resulting demand exceeds production capability, however, the company may lose market share to its competitors. In this case, the event becomes a risk.
The impact of an event also depends on the objectives set by the organisation. Different objectives will lead to different values that the organisation attaches to the occurrence of an event. For instance, government intervention can be an opportunity for a charity group. The charity group may be able to gain an official standing, which improves public trust and donations. This helps the charity group achieve its charitable objectives. However, government intervention in a private company may mean more supervision and regulation, decreasing the efficiency with which the company can create wealth for stakeholders.
While the study of events constitutes a basic and important part of risk identification in Enterprise Risk Management, one question to ask is: can all risks be identified through events? What determines which events are worth studying, and which are not? Are we missing out on events that indirectly cause risk to the company?

2. INTRODUCING ENTERPRISE RISK MANAGEMENT
2.1 DEFINITIONS OF ERM

There are currently several definitions of ERM proposed by different frameworks. The Casualty Actuarial Society, in its 2003 publication "An Overview of Enterprise Risk Management", defined Enterprise Risk Management as
"the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders."
Alternatively, according to the COSO ERM Framework, Enterprise Risk Management is defined as
"a process, effected by an organisation's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the organisation, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of organisation objectives."
This definition encompasses several key elements of a successful ERM.
2.2 5 ELEMENTS OF A SUCCESSFUL ERM

A PROCESS
ERM consists of continuous and iterative actions taken to adjust the organisation's risk management system in the face of the changing risk landscape. ERM is not a knee-jerk response to a particular event. Neither is ERM an add-on to daily activities, such as the addition of a quality control step to a production line. ERM is most effective only if it is part of the essence of the organisation.
ERM is built into the organisation's model and directly affects objective and strategy setting. Building in ERM this way also saves costs by focusing on existing processes and integrating risk management into the basic processes, instead of adding new ones. This is especially important in the present competitive markets.
EFFECTED BY PEOPLE
ERM is effected by the board of directors, management and other staff. They set the goals and strategy for the organisation, and are responsible for designing, implementing and executing the ERM mechanisms to accomplish them.
On the other hand, ERM also affects the people in the organisation. It enables them to have a clear understanding of the risks that the organisation faces. It establishes the linkage between people's activities and the organisation's goals, and guides them towards doing things the right way. It is important to recognise that different people have different backgrounds and knowledge. These cause people to respond differently to risk. ERM helps people identify, assess and respond to risks from the organisation's perspective.
APPLIED IN SETTING STRATEGY
Management should consider risk relative to different strategy alternatives. Different strategies are associated with different levels of risk. ERM helps the management identify risks for different strategy alternatives and assemble risk profiles. In this way, ERM techniques also help management evaluate and select the optimal strategy.
APPLIED ACROSS THE ENTERPRISE
ERM should be implemented across the entire organisation. ERM takes place at all levels of the organisation, from strategy setting to production and operations to customer communication. The organisation needs to take a portfolio view of risk. This means considering the impact of risks on the organisation as a whole, and not just on individual departments. Risks should be assessed as interacting, interdependent risks that may lead to different consequences for an individual department and for the company as a whole. Thus, for a holistic view of the company's risks, it is recommended that the manager at each business unit, function or process level assesses the relevant risks at the department level, and that senior management then considers risks at all levels to generate an overall risk assessment for the organisation.
RISK APPETITE
Risk appetite is the amount of risk the organisation is willing to accept as it strives to maximise returns. Risk appetite affects the organisation's culture and operational philosophy. An organisation with a high risk appetite is willing to allocate resources to high-risk areas, whereas one with a low risk appetite would prefer to invest only in low-risk areas, for example.
Risk appetite greatly affects the organisation's strategy setting and resource allocation. ERM is instrumental in assisting management to set the optimal strategy in alignment with its risk appetite. Resources are allocated according to the organisation's risk appetite and desired return, as well as the infrastructure required to monitor and respond to risks.
Risk tolerance is the acceptable variability relative to the achievement of a specific objective. In setting risk tolerance, the management should consider the relative importance of the objective. Operating within risk tolerances means that the organisation is within its risk appetite, and this indicates that the organisation is well placed to achieve its objective.

2.3 BENEFITS OF ENTERPRISE RISK MANAGEMENT

ERM is more than just a risk management activity; it is a value creation activity that is vital to the proper functioning of an entire organisation in achieving its strategic objectives. The effects of implementing ERM can be felt in all aspects of the organisation. Let us take a look at 5 benefits that implementing a good ERM process can bring to you and your student club!
ALIGNMENT OF RISK AND STRATEGY
You wish to propel your club to be the largest club with the strongest following and influence in your university. But how much risk are you willing to take? Consider the risk appetite of the organisation by assessing your club's strategic alternatives and developing mechanisms to control the risks. The focus is on ensuring the club has a solid structure and a sound strategy for achieving its objectives, and ERM provides a systematic and methodical process to do just that.
IMPROVEMENT FROM RISK-BASED DECISIONS
ERM provides alternatives in the case where a risk is detected: risk avoidance, acceptance, reduction and sharing. This gives you flexibility in making decisions according to the club's risk appetite and objectives.
REDUCTION IN SURPRISES
You can improve your ability to recognise possible events and to initiate counteractive measures, as well as reduce the surprises involved with them.
IDENTIFICATION AND MANAGEMENT OF MULTIPLE RISKS
This is especially pertinent to large student clubs. Sometimes, clubs may face risks that concern several divisions. A club-wide approach to risk management allows effective responses that take account of how these risks depend on each other, as well as general measures that address multiple risks at once.
IDENTIFICATION OF OPPORTUNITIES
ERM considers all possible events, including opportunities, hence allowing you to recognise and proactively capitalise on these opportunities.
2.4 COMMON MISCONCEPTIONS OF ERM

In the development of ERM over the past decade, it has not always been practised correctly. In fact, there are a number of misconceptions about ERM which hinder its successful execution. In this section, we attempt to dispel 5 common misconceptions about ERM. Do not make the same mistakes!
THE BIGGEST RISK AN ORGANISATION FACES IS FINANCIAL RISK.
In fact, the biggest risk that an organisation faces is strategic risk, in other words, the failure of organisational strategy. Organisations tend to view financial risks such as fraud most seriously, but strategic failures and the inability to assess and mitigate risks in strategy have had the greatest impact by way of share price declines.

Figure 1: Strategic failures are the biggest risks
Source: Corporate Executive Board Research

ERM IS A ONE-OFF PROJECT.
Such a view will lead to a waste of resources, as the organisation will not be able to see the returns on its investment in its ERM programme. To realise the benefits of ERM, an organisation should follow through on its ERM programme for a number of years, and reinforce the effects of ERM with supporting factors such as a consistent organisational culture and a risk philosophy that is in line with the organisational strategy.
MY COMPANY IS SAFE BECAUSE WE REVIEW RISKS ON AN ANNUAL BASIS.
Reviewing risks and the implemented control system annually provides only a static view of the risks. How can this allow the organisation to compete in a dynamic and unpredictable business environment? 88% of senior executives in a 2009 Corporate Executive Board survey tagged agility as "important" or "extremely important" to the overall business success at their companies. Thus, for effective risk management, a company has to actively manage risks and make timely changes to its risk management priorities. In other words, organisational risk agility is paramount.

THE ORGANISATION IS WELL-PROTECTED IF IT HAS A STRONG QUANTITATIVE MODEL TO MEASURE RISK.
Contrary to what many may think, quantitative risk models are not the definitive cure for enterprise risks. Current quantitative models, such as the widely used Value-at-Risk (VaR) model, oversimplify risks and have also been shown to have fallen short in the recent financial crisis of 2008. Further, such models are not totally objective, but require the user's subjective judgement and assumptions, and are liable to backfire if the user exercises the wrong judgement or the model is used blindly.

Figure 2: Companies' satisfaction with VaR model performance
Source: www.bfinance.co.uk

RISKS MUST BE QUANTIFIED.
Quantitative risk assessment is not the only available mode of assessment. Risks can also be assessed qualitatively. It is not always worthwhile to quantify each and every risk. In fact, most of the risks that are quantifiable are easily manageable, and the hard-to-quantify risks tend to be those that may affect the organisation most severely. It is, however, important that in both quantitative and qualitative risk assessments, proper judgement is exercised and justified.

3. THE ERM FRAMEWORK
3.1 CATEGORISING OBJECTIVES

We have discussed the role of ERM in the organisation. ERM plays an important part in enabling the organisation to achieve its objectives and mission. In order to do so, the COSO Framework divides the objectives of the organisation into four categories:

Strategic: relating to high-level goals, aligned with and supporting the organisation's mission.
Operations: relating to the effective and efficient use of the organisation's resources.
Reporting: relating to the reliability of the organisation's reporting.
Compliance: relating to the organisation's compliance with applicable laws and regulations.

By categorising objectives, the management is in a better position to implement ERM mechanisms that focus on and accomplish these objectives. Note that while an organisation's objectives may be specific to it, some are also widely shared. Thus, these categories tend to overlap as well.
Risks are then analysed separately according to the objectives that they affect:

Strategic: damage to reputation; competition; customer wants; demographic and social/cultural trends; technological innovations/patents; capital investment; shareholder requirements; regulatory and political trends.
Operations: production capacity; efficiency; supply chain management; customer relationship management; change management; leadership; IT.
Reporting: valuation; credit risk; tax reporting; budget reporting; incomplete financial reporting.
Compliance: regulation violation; ethical practices.

Figure 3: Sources of risk categorised by type of objective
Source: Passenheim (2009)
3.2 COMPONENTS OF ERM

ERM comprises 8 distinct but interrelated components. Each component is vital to the success of the ERM system. All of these components should be aligned with the objectives of the organisation. Implementation of the ERM system should take place at every level of the organisation, including the subsidiary, business unit, divisional and organisational levels.
INTERNAL ENVIRONMENT
The internal environment strongly influences how the people and the organisation perceive risk and ERM. The internal environment consists of the organisational culture, the way senior management views risk and ERM, and the individual characteristics of the personnel: their integrity, competence and ethical values. Organisations should strive to create an internal environment that reflects their risk appetite. This will better enable risks to be managed to the organisation's accepted level.
OBJECTIVE SETTING
ERM ensures that the organisation has a systematic process to set objectives which are aligned with the organisation's mission and its risk appetite. Setting objectives, in turn, helps the management identify risk-causing events using ERM techniques.

Figure 4: 8 Components of COSO ERM Framework
Source: COSO ERM Framework (2004)
EVENT IDENTIFICATION
Potential events that can affect the organisation's objectives are identified. These events can come from internal or external sources, and may represent risk or opportunity, or both. Risks and opportunities should be distinguished so that management can take appropriate action to mitigate the risk or capitalise on the opportunity.
The COSO Framework identifies events as the main triggers of risk. However, having such a narrow view of risk may obscure the organisation's view of the entire universe of risks, and leave it susceptible to risks which are not caused by a single triggering event, or those caused by events that have no precedent.
RISK ASSESSMENT
The identified risks are assessed to determine how the organisation should respond to them. This assessment should take into consideration the affected objectives, the impact and the likelihood of the risk occurring.
RISK RESPONSE
Potential responses to the risk are identified. These include acceptance, sharing, reduction and avoidance. Risk responses should be aligned with the organisation's risk appetite and tolerance.
CONTROL ACTIVITIES
Control activities constitute the policies and procedures instituted and implemented to execute the risk response in a timely and proper manner.
INFORMATION AND COMMUNICATION
Relevant information is captured and communicated in a form and timeframe that enable personnel to carry out their duties effectively. This includes clear communication to personnel of their roles and responsibilities. Information does not simply flow top-down or bottom-up, but also across the organisation at all levels. Unrestrained flow of information is pivotal for the organisation to identify, assess and respond to risks on a timely basis.
MONITORING
The ERM system is monitored to ensure fast reaction to changing risks and dynamic risk management. Monitoring can take the form of ongoing management activities or separate evaluations, or a combination of the two.

4. THE ENTERPRISE RISK MANAGEMENT PROCESS
We will skip the first two components of the ERM Framework, and delve straight into the identification, assessment and control of risks. In this section, we will cover
1) Identification of potential sources of loss/gain;
2) Measurement of the consequences of the loss/gain occurring; and
3) Implementation of controls to minimise actual losses or their financial consequences,
which together make up the core of the ERM system in organisations: the ERM process.
4.1 PARTICIPANTS OF THE ERM PROCESS

Generally the risk identification sessions should include as many of the following participants as possible:
1. Risk management team
2. Subject matter experts from across all divisions and units of the company
3. Customer and end-user
4. Other project managers and stakeholders
5. External experts
6. Project teams

The risk management team should always be involved because they are dealing with risk every
day and therefore need fresh information at any instant. External stakeholders and experts could
provide objective and unbiased information for the risk identification step and are therefore an
essential part of the process.
4.2 OVERVIEW OF PROCESS

Risk identification has to be done on a continuous basis. If it is treated like a one-time event, then the whole company runs the risk of overlooking newly emerging problems.
The process starts in the initiation phase, where the first risks are identified. In the planning stage the team determines risks and mitigation measures and documents them. In the following stages of resource allocation, scheduling and budgeting, the associated reserve planning is also documented. After the initial phase of risk identification, all risks have to be managed until each risk is closed or terminated. New risks will occur as the company moves on and matures and the external and internal environment of the company changes. In the case of an increased probability of a risk, or if the risk materialises, the risk management team should respond immediately to mitigate it. The managers have to rethink their strategies and possibly readjust their risk management priorities and controls to manage the risk in accordance with the organisation's risk appetite. The re-planning actions could mean a change to the baseline of budget, schedule and resource planning.
A company should clearly define in the early stages how it will deal with risks, and then document and execute that approach appropriately during the planning cycle.

Figure 5: ERM Process
Source: Passenheim (2009)

4.3 RISK IDENTIFICATION

Risk identification is the fundamental step because it builds the foundation for all subsequent
steps. The risk identification step is very similar to a transformation process, where the initial inputs
together with the tools and techniques in the middle step produce an output at the end.

Figure 6: Risk Identification Process
Source: Passenheim (2009)

4.3.1 INPUT
With the first input for risk identification, external and internal factors of the project
environment have to be considered.
External factors could be described as the attributes of the environment whereas internal
factors are attributes of the organisation itself. Typical examples of each factor are shown in the
table below.

External Factors
Economic conditions
Social, legal or regulatory trends
Political climate
Competition - international or domestic
Fluctuation in demand
Criminal or terrorist activities

Internal Factors
Organisational culture
Staff capabilities/numbers
Capacity
Systems and technology
Procedures and processes
Communication effectiveness
Leadership effectiveness
Risk Appetite

Figure 7: Examples of external and internal factors that can affect an organisation
Source: Passenheim (2009)

Information from prior ERM projects is usually a record of experience, developments, hints,
failures and risks that is now useful in identifying new risks. The closing documentation of recent
projects (lessons learnt) is a first step towards gathering structured information in project management.
The risk identification step requires that every relevant stakeholder has a complete understanding
of the purpose of ERM. This ensures that tasks are screened from different perspectives and that
risks which would otherwise be overlooked are identified.
4.3.2 TOOLS & TECHNIQUES
We can utilise a range of tools and techniques to organise and analyse the inputs to risk
identification. Document reviews are carried out to analyse information from business plans or
other market indicators. The analysis will determine the feasibility of the business plan in terms of
budget, scope and schedule.

Elements of a Business Plan

Summary | Business concept; Current situation; Key success factors; Financial situation/needs
Vision | Vision statement; Milestones
Competitive analysis | Industry overview; Nature of competition; Changes in the industry; Primary competitors; Competitive products/services; Opportunities; Threats and risks
Strategy | Key competitive capabilities; Key competitive weaknesses; Implementing strategy
Market analysis | The overall market; Changes in the market; Market segments; Target market and customers; Customer needs; Customer buying decisions
Products/Services | Products/service description; Positioning of products/services; Competitive evaluation of products/services; Future products/services
Marketing and sales | Marketing strategy; Sales tactics; Advertising; Promotions/incentives; Publicity; Trade shows
Operations | Key personnel; Organisational structure; Human resources plan; Product/service delivery; Customer service/support; Facilities
Creating the financials of the business plan | Assumptions and comments; Starting balance sheet; Profit and loss projection; Cash flow projection; Balance sheet projection; Ratios and analysis

Figure 8: Elements of a Business Plan


Source: Passenheim (2009)

Information-gathering methods can be utilised to identify risks related to the project. The
major methods include:
1) Brainstorming | A general information-gathering and creativity technique that helps to
identify risks and possible solutions for them. Usually, this is carried out through facilitated
workshops, whereby cross-functional or multi-level individuals are brought together to
brainstorm about possible outcomes and sources of risk. They contribute different
perspectives and bring together different aspects of the organisation's strategic, business
unit and process objectives. Ideas are generated under the leadership of a facilitator. The
goal of brainstorming is to obtain a comprehensive list of risks.
2) Interviews | Information can also be obtained through one-to-one or two-to-one interviews
with managers and employees. This provides a candid perspective from ground-level and
middle-level personnel, and is a rich source of information due to their local knowledge.
3) Internal Control Questionnaire | This questionnaire focuses on events that have resulted in,
or could give rise to, risks that are not addressed by the current control system. Questions
can be open-ended or closed, and can be directed not just to employees, but also to other
stakeholders such as customers, suppliers or other external parties.
4) Risk breakdown structure | This displays an organised description of any known risks,
arranged by a number of categories and their characteristics in vertical branches. Usually it
will show all of the risks and their possible causes.
5) Structured analysis methods | Important structured methods of analysis to identify external
and internal factors include PESTLE analysis of the business environment, Porter's Five Forces
analysis of the industry forces, and SWOT analysis, which summarises the internal environment
and the external environment. A KPMG paper in 1997 also proposed the use of the Entity-Level
Business Model (ELBM). This is now one of the most widely used tools for understanding the
organisation, the business landscape and the fit between the organisation's strategies and
the environmental forces. The ELBM allows a fundamental analysis of the potential risks that
can afflict the organisation through its relationships with its stakeholders.
6) Business Process Analysis | At the process level, it is also important to survey for risks in
detail through a process flow analysis. The following is a sample template created by KPMG.

Figure 9: Business Process Analysis Template


Source: COSO ERM Framework (2004)

These tools and techniques help management to gather relevant information and in the
analysis and identification of risks and opportunities for the company to achieve its aim for the
project, its scope, cost and budget. The information will then be stated on the risk report/register,
which is the main output of the risk identification step.
4.3.3 OUTPUT
The Risk Register includes all identified risks and their description, risk categories, root
causes, the probability of occurrence, the individual impact of each risk, the objectives affected and
possible responses. The whole risk identification process has four main entries on the risk register.
1. Lists of identified risks | Identified risks with their root causes and risk assumptions are
listed.
2. List of potential responses | Potential responses identified here will serve as inputs to the
risk response planning process.
3. Root causes of risk | Root causes of risk are fundamental conditions that cause the
identified risk.

4. Updated risk categories | The process of identifying risks can lead to new risk categories
being added.
To ensure the completeness of the risk register, the above tools and techniques mentioned
are pivotal in providing detailed knowledge of the organisation and its business model, the market in
which it operates, the environment in which it operates, as well as the development of a clear
understanding of the strategic and operational objectives of the organisation, including its Critical
Success Factors and the threats and opportunities related to the achievement of these objectives.
Risks and opportunities should be clearly distinguished and separately documented.
Risk identification should be done in a methodical way. This has to be done to ensure that all
important activities and possible consequences related to those activities are identified. It is also
possible to outsource the whole risk management process, but an in-house approach is usually more
effective when some conditions are fulfilled. The communication channels should also be well
defined and consistent, and processes and tools should be well coordinated.
4.4 RISK ASSESSMENT

The basis of risk assessment is the previously explained risk identification. Risk assessment
covers a complete and continuous evaluation, which should be realised quantitatively as far as
possible, and if not, qualitatively for all identified risks. The goal is to detect possible interrelations
and enable the management to identify an order of importance, also called prioritizing.
Furthermore, the consequences for the company itself and its organisational goals can be identified.
4.4.1 INHERENT AND RESIDUAL RISKS
Inherent risk is the risk to an entity in the absence of current controls. Residual risk is the risk
that remains after management's response to the risk. Risk assessment is applied first to inherent
risks. Once risk responses have been developed, management then considers residual risk. If the
residual risk is still outside the organisation's risk appetite, management should devise further
controls to reduce the risk, and reassess the residual risk that remains after them.

4.4.2 RISK ASSESSMENT TECHNIQUES


Risk assessment can be carried out using qualitative and quantitative techniques.
Qualitative techniques are used for risks that cannot be quantified adequately, when
insufficient credible data for a quantitative assessment is available, or when quantitative
assessment is not cost-effective. Techniques similar to those used in risk identification, such as
workshops and interviews, can be adopted. The qualitative techniques need not be uniform across
the organisation; different business units may use different qualitative techniques.
Quantitative techniques are usually preferred, as they tend to bring more precision, and are
used in sophisticated and complex activities to supplement qualitative techniques. Quantitative
techniques usually require a higher level of rigour, and are hugely dependent on the quality of the
input data and the underlying assumptions of the models.

Examples of quantitative techniques include:


1) Benchmarking compares measures and results between organisations using common
metrics, and identifies improvement opportunities. Types of benchmarking include internal
(between divisions), competitive/industry (between similar competitors), and best-in-class
(across industry). Some organisations benchmark to assess the likelihood and impact of
potential risks across the industry.
2) Probabilistic models associate the impact of risks with the likelihood of occurrence based on
underlying assumptions. Historical or simulated data is analysed. Examples include Value-at-Risk,
Cash-flow-at-Risk, credit loss distributions, etc. These models can be used to assess both
average outcomes and extreme impacts.
3) Non-probabilistic models use subjective assumptions to predict the impact of a risk without
quantifying an associated likelihood. Examples include stress tests and scenario analysis.
Perhaps the most commonly used technique for assessing risk is scenario analysis. It is used
to assess the impact of normal, or routine, changes in potential events. This consists of the
probability of the event and the impact this would have on the company.

4.4.3 METHODS OF REPRESENTING RISK


DESIGN OF SCALE RANGE
To perform a risk evaluation properly, the impact and likelihood scales with which the risks are
evaluated should first be defined. For instance, a range between 1 and 5 can be used to signify the
size of the impact or likelihood, with 1 referring to insignificant impact / extremely unlikely and 5
referring to catastrophic impact / extremely likely, for impact and likelihood respectively.
If a more detailed evaluation is wanted, the range could be extended to between 1 and 20. If a more
exact evaluation is required, there could be a more exact classification of what, for example, a very
low impact means. This could be described by letters, and, for probability or affected costs,
percentages could be stated for the different evaluation levels.

Figure 10: Evaluation of Risks (Impact scale)


Source: Passenheim (2009)

The evaluation form can be filled in by management or with the help of an expert. Techniques
used are versatile and range from exact point estimations to workshops. Besides the most probable
case, the worst and best cases are also estimated.
RISK MATRIX
To make risk assessment more demonstrative, the organisation can use a risk matrix to
show the relative importance of several risks. The matrix indicates two aspects of each risk
considered: the impact it would have and the probability of its occurrence. An often-used matrix
has 5 x 5 fields, each with a different combination of probability and impact (see Figure 11).
As each combination has a different meaning for the project, the matrix is divided into
light grey, white and dark grey zones. Light grey stands for minor risks, white for moderate risks
and dark grey for major risks. The dark grey zone sits on the right, where the impact is high; the
light grey zone sits on the left, where the impact is lower; the white zone lies in between. The dark
grey zone also reaches into the low-probability rows on the right-hand side, because a risk whose
impact is very high remains critical even though its probability is low.

Figure 11: Risk matrix


Source: Passenheim (2009)

With the help of this matrix, management can act to prioritize the risks so that they know
which risks should be addressed particularly and at first. Prioritization also helps to adopt the given
means reasonably, which is very important, as all resources in management such as material,
financials, human resources and time are highly limited.
FAILURE MODE AND EFFECTS ANALYSIS
The FMEA (Failure Mode and Effects Analysis) model is a procedure used in product
development and operations management. While similar to the matrix, it extends impact and
probability by a third dimension, detection, meaning how hard it is to notice that the risk is actually
occurring. The equation enlarged with detection is:
Impact X Probability X Detection = Risk Value
To make the equation work, each dimension has to be evaluated on a five-point scale.
Detection describes the ability of the project team to detect that the risk is materialising. On the
1 to 5 scale, 1 would mean easy to detect and 5 that detection would probably only take place
when it is too late to react.
The product of the three values has a range between 1 and 125. A value of 1 shows that the risk
has a low probability, an impact of level 1 and would be easy to detect. At the other extreme, 125
would show that the team has to handle a high-impact risk with high probability which is
nearly impossible to detect.
This would require management to think about whether or not to start the project at all if the
risk could not be mitigated or transferred. All in all, the range between 1 and 125 can be used to
define the hazardous nature of a risk.
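The following is an added worked example, not part of the handbook or of Passenheim's text, showing how a small risk register is scored on the 5 x 5 matrix and by the FMEA product. The zone boundaries (dark grey for impact x probability of 12 or more, and for any catastrophic-impact cell regardless of probability; light grey for 4 or less; white in between) and the five sample risks are assumptions made for the illustration, since the handbook gives the zones only as a figure.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = insignificant / extremely unlikely, 5 = catastrophic / extremely likely


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1..5 on the impact scale
    probability: int  # 1..5 on the likelihood scale
    detection: int    # 1 = easy to detect, 5 = detected only when it is too late to react


def check_scale(value, label):
    """Reject scores outside the agreed five-point scale instead of silently computing with them."""
    if not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")


def matrix_zone(impact, probability):
    """Classify one cell of the 5 x 5 matrix into the zones described in the text.

    Assumed boundaries (the handbook shows them only as a figure): dark grey for
    impact x probability >= 12 and for every catastrophic-impact cell, whatever its
    probability; light grey for impact x probability <= 4; white in between.
    """
    check_scale(impact, "impact")
    check_scale(probability, "probability")
    score = impact * probability
    if impact == 5 or score >= 12:
        return "dark grey"   # major risk: address first
    if score <= 4:
        return "light grey"  # minor risk
    return "white"           # moderate risk


def fmea_value(risk):
    """Impact X Probability X Detection, in the range 1..125."""
    check_scale(risk.impact, "impact")
    check_scale(risk.probability, "probability")
    check_scale(risk.detection, "detection")
    return risk.impact * risk.probability * risk.detection


def prioritise(register):
    """Return (name, matrix zone, FMEA risk value) rows, highest risk value first."""
    rows = [(r.name, matrix_zone(r.impact, r.probability), fmea_value(r)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register with illustrative scores (not data from the handbook).
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", impact=5, probability=2, detection=2),
    Risk("Misconfigured cloud storage bucket", impact=4, probability=3, detection=4),
    Risk("Key supplier insolvency", impact=3, probability=2, detection=1),
    Risk("Phishing-led credential theft", impact=3, probability=4, detection=3),
    Risk("Office printer outage", impact=1, probability=4, detection=1),
]

if __name__ == "__main__":
    for name, zone, value in prioritise(SAMPLE_REGISTER):
        print(f"{value:4d}  {zone:10s}  {name}")
```

On this register the ransomware risk tops the plain matrix (catastrophic impact puts it in the dark grey zone), but the FMEA product ranks the hard-to-detect storage misconfiguration above it, 48 against 20. The detection dimension is what changes the order, which is the point of extending the matrix in the first place.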
PROGRAM EVALUATION AND REVIEW TECHNIQUE
The Program Evaluation and Review Technique (PERT) is used for projects with high
uncertainty and little experience. PERT is utilised to compute the probability of meeting different
project durations. It is useful as it provides the expected project completion time and the probability
of the completion before a specified date. In addition, it helps in ascertaining which activities have
slack time and those that can lend resources to critical activities. Disadvantages are that the
estimates can be somewhat subjective and also depend upon the experience of the project
members.
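As an added example, not taken from the handbook, the PERT computation described above is carried through on a small constructed activity network: the three-point estimate per activity, a forward and backward pass to find slack and the critical path, and the probability of completing before a given date. The formulas used, expected = (o + 4m + p) / 6 and variance = ((p - o) / 6) squared with a normal approximation summed over the critical path, are the standard PERT assumptions and are not stated in the handbook itself; the activity estimates are constructed.

```python
from statistics import NormalDist

# Constructed activity network (days): name -> (optimistic, most likely, pessimistic, predecessors)
ACTIVITIES = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (2, 3, 4, ["B", "C"]),
}


def pert_expected(o, m, p):
    """Standard PERT weighted mean of the three estimates."""
    return (o + 4 * m + p) / 6


def pert_variance(o, m, p):
    """Standard PERT variance: ((p - o) / 6) squared."""
    return ((p - o) / 6) ** 2


def topological_order(activities):
    """Order activities so that every predecessor comes first; reject cyclic networks."""
    order, done, visiting = [], set(), set()

    def visit(name):
        if name in done:
            return
        if name in visiting:
            raise ValueError(f"cycle through activity {name}")
        visiting.add(name)
        for pred in activities[name][3]:
            visit(pred)
        visiting.discard(name)
        done.add(name)
        order.append(name)

    for name in activities:
        visit(name)
    return order


def schedule(activities):
    """Forward and backward pass on expected durations.

    Returns name -> (early start, early finish, late start, late finish, slack).
    """
    order = topological_order(activities)
    duration = {n: pert_expected(*activities[n][:3]) for n in order}
    es, ef = {}, {}
    for n in order:
        es[n] = max((ef[p] for p in activities[n][3]), default=0.0)
        ef[n] = es[n] + duration[n]
    project_end = max(ef.values())
    successors = {n: [s for s in order if n in activities[s][3]] for n in order}
    ls, lf = {}, {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in successors[n]), default=project_end)
        ls[n] = lf[n] - duration[n]
    return {n: (es[n], ef[n], ls[n], lf[n], ls[n] - es[n]) for n in order}


def critical_path(activities):
    """Activities with zero slack, in network order (assumes a single critical path)."""
    return [n for n, row in schedule(activities).items() if abs(row[4]) < 1e-9]


def completion_probability(activities, deadline):
    """P(project finishes by deadline), normal approximation over the critical path."""
    crit = critical_path(activities)
    expected = sum(pert_expected(*activities[n][:3]) for n in crit)
    variance = sum(pert_variance(*activities[n][:3]) for n in crit)
    if variance == 0:
        return 1.0 if deadline >= expected else 0.0
    return NormalDist(expected, variance ** 0.5).cdf(deadline)


if __name__ == "__main__":
    for name, (es, ef, ls, lf, slack) in schedule(ACTIVITIES).items():
        print(f"{name}: ES={es:.1f} EF={ef:.1f} LS={ls:.1f} LF={lf:.1f} slack={slack:.1f}")
    print("critical path:", " -> ".join(critical_path(ACTIVITIES)))
    for deadline in (13, 15):
        print(f"P(finish by day {deadline}) = {completion_probability(ACTIVITIES, deadline):.2f}")
```

On this network the critical path is A, B, D with an expected duration of 13 days; activity C carries 4 days of slack, so its resources could be lent to B, and the probability of finishing by day 15 comes out at roughly 0.86. The whole result rests on the three subjective estimates per activity, which is exactly the weakness the text notes.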
4.5 RISK RESPONSE

After all data for risk control have been collected, a risk might still occur. As a result, management
has to decide how to react to it. The five main ways in which one can choose to respond to a risk are
summarised in the table below.
Risk Response | Description of Response
Reduce | To reduce the impact and the probability of occurrence. The probability of the occurrence of the risk can be reduced, or the impact of the risk, once it has occurred, can be minimised.
Avoid | A more drastic approach; it requires the change of the entire business plan to avoid a particular risk. One should consider carefully whether such a risk is so important that changes to the plan are warranted.
Transfer | The risk is moved but not eliminated or dampened. One common approach to risk transfer is outsourcing the particular project(s): the contractor then has to carry the risk. Risk transfer is costly, as the contractor may include a risk premium in his pricing.
Share | Different parties share the risk of the same business plan, thereby allocating the risk between them and reducing individual risk.
Accept | The company accepts the obligation to pay for part or all of the losses due to the risk. The company will pay retained losses using either internal or external funds.

Figure 12: Risk response & descriptions


Source: Passenheim (2009)

4.5.1 CONTINGENCY PLANNING


A contingency plan provides a safety net if one of the known risks becomes reality. With the
help of that plan the action that should be followed is already made clear before the risk appears.
This helps one to stay calm and find a step-by-step solution that can even reduce or weaken the
impact of the event. The contingency plan should say what, when and where actions are to be taken.
With the help of the contingency plan, the manager who has responsibility for dealing with such
problems does not have to hastily invent a solution that in all likelihood would be a low quality
solution.
It is much easier if one can look into the contingency plan where the steps to be taken are
described after having been well thought out during the project-planning phase. The availability of a
contingency plan can significantly increase the chances for project success.
There are some conditions one must consider. First of all, proper documentation of the steps
to be taken is absolutely necessary. Within that documentation cost estimations and the probable
source should be named. Furthermore, the teams involved should agree upon the plan and the
allocation of tasks should be made clear. All these steps should be followed to ensure all team
members know what they are to do and are committed to the work, especially in the case of an
emergency.
One simple way to follow all these instructions is to record the information within a
risk response matrix. There is a further possibility one has to take into account during risk
contingency planning: risk may remain even after a risk response has been made in accordance with
the contingency plan. This remaining (residual) risk should itself be assessed against the risk
appetite rather than assumed to be gone.
4.5.2 OPPORTUNITIES IN RISK RESPONSE
In addition, organisations should not be so engrossed in reducing risks that they overlook
opportunities arising from events with positive impact. Hence, risk response considerations
should also include fitting new opportunities into the organisation's strategy. Such opportunities
may surface when conventional risk reduction measures yield little effect. An example is the creative
response by an automobile insurance company to the high number of accidents at certain road
intersections: it decided to fund enhancements to the traffic signal lights, reducing accident claims
and improving margins.

4.6 RISK CONTROL

The final step in the ERM process is the implementation of the risk control activities designed
to carry out the risk responses. Included in this step are the execution of the risk response strategy,
monitoring and triggering events, initiating contingency plans, and remaining alert to new risks.
Control activities are the policies, procedures, techniques, and mechanisms that help ensure
that management's response to reduce risks identified during the risk assessment process is carried
out. They are actions taken to minimize risk. The need for a control activity is established in the risk
assessment process. When the assessment identifies a significant risk to the achievement of an
agency's objective, a corresponding control activity or activities is determined and implemented.
4.6.1 CONSIDERATIONS IN IMPLEMENTING CONTROLS
Control activities occur at all levels and functions of the agency. Management should establish
control activities that are effective and efficient. The control activities should carry out the risk
response in a timely and proper manner. When designing and implementing control activities,
management should aim to get the maximum benefit at the lowest possible cost. Consideration
should be given to the following:
1. The cost of the control activity should not exceed the cost that would be incurred by the
agency if the undesirable event occurred.
2. Management should build control activities into business processes and systems as the
processes and systems are being designed. Adding control activities after the development of
a process or system is generally more costly.
3. The allocation of resources among control activities should be based on the likelihood and
impact of the risk.
4. For any given risk, there may be multiple appropriate control activities that can be put into
place, either individually or in combination with other control activities.
5. Excessive use of controls could impede productivity.
4.6.2 TYPES OF CONTROL ACTIVITIES
Control activities can be preventive, detective, or corrective in nature.
1. Preventive controls are designed to pre-empt the occurrence of risks. Examples include credit
checks, segregation of duties, dual check signatory and access controls such as passwords.
2. Detective controls are designed to search for and identify risk events that have already occurred.
Examples include audit trails and their review, exception reports, reconciliations and physical
inventory counts. Passwords are sometimes listed here, but they stop unauthorised access rather
than detect it, so they belong with the preventive controls.
3. Corrective controls are designed to mitigate risks after they have occurred, and to prevent
their recurrence. Quality control and budget variance reports are examples of corrective
controls.
In terms of information system controls, control activities can be classified as general or
application controls.
1. General controls are controls which apply to many if not all application processes, and enable
their continued smooth operation. Examples include Information Technology management,
Information Technology infrastructure, security management and software acquisition and
maintenance.
2. Application controls are controls which consist of computerised steps in applications to
control the processing. Examples include passwords, balancing control activities, data
reasonableness tests and logic tests.
Internal control activities can be incorporated into the following:
1. Policies
2. Procedures
3. Sequences or combinations of procedures
4. Assignments of duties, responsibilities, and authorities
5. Physical arrangements or processes
6. Combinations of the above

4.6.3 COMMON CONTROL ACTIVITIES


Some of the commonly used control activities include:
Authorization | Control activities in this category are designed to provide reasonable assurance that
all transactions are within the limits set by policy or that exceptions to policy have been granted by
the appropriate officials.
Top-level review | Senior management reviews actual performance versus budgets, forecasts, prior
periods, and competitors. Major initiatives are tracked such as marketing campaigns, improved
production processes, and cost containment programs to measure the extent to which targets are
being reached. Implementation of plans is monitored for new product development, joint ventures,
or financing.
Direct functional or activity management | Managers review the performance reports for their unit.
For example, a manager responsible for a bank's consumer loans reviews reports by branch, region
and loan (collateral) type, checking summarisations and identifying trends, and relating results to
economic statistics and targets. In turn, branch managers receive data on new business by loan
officer and local customer segment. Branch managers also focus on compliance issues, reviewing
reports required by regulators on new deposits over specified amounts. Reconciliations are made of
daily cash flows, with net positions reported centrally for overnight transfer and investment.
Information processing | A variety of controls are performed to check accuracy, completeness, and
authorization of transactions. Data entered are subject to on-line edit checks or matching to
approved control files. A customers order, for example, is accepted only after reference to an
approved customer file and credit limit. Numerical sequences of transactions are accounted for, with
exceptions followed up and reported to supervisors. Development of new systems and changes to
existing ones are controlled, as is access to data, files, and programs.
Performance planning and evaluation | Control activities in this category establish key performance
indicators for the agency that may be used to identify unexpected results or unusual trends in data
which could indicate situations that require further investigation and/or corrective actions.

Evaluations may be done at multiple levels within the agency, as appropriate: the agency as a whole;
major initiatives; specific functions; or specific activities. Performance reviews may focus on
compliance, financial or operational issues. For example, financial reviews should be made of actual
performance versus budgets, forecasts and performance in prior periods.
Reconciliation | Control activities in this category are designed to provide reasonable assurance of
the accuracy of financial records through the periodic comparison of source documents to data
recorded in accounting information systems.
Physical security over assets | Control activities in this category are designed to provide reasonable
assurance that assets are safeguarded and protected from loss or damage due to accident, natural
disaster, negligence or intentional acts of fraud, theft or abuse.
Segregation of duties | Control activities in this category reduce the risk of error and fraud by
requiring that more than one person is involved in completing a particular fiscal process.
Education, training and coaching | Control activities in this category reduce the risk of error and
inefficiency in operations by ensuring that personnel have the proper education and training to
perform their duties effectively. Education and training programs should be periodically reviewed
and updated to conform to any changes in the agency environment or fiscal processing procedures.
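The information processing controls described above (on-line edit checks, matching against an approved customer file and its credit limit, accounting for numerical sequences, and following up exceptions) are application controls that live in the order-processing code itself. The following is an added example of such controls, not code from the handbook or from any of the sources it cites; the approved customer file, the credit limits and the order records are constructed for the illustration, and the exception and gap lists the batch routine returns stand in for the exception reports passed to supervisors.

```python
from decimal import Decimal

# Constructed approved customer control file: id -> (name, credit limit, current open balance).
APPROVED_CUSTOMERS = {
    "C001": ("Alpha Ltd", Decimal("10000"), Decimal("2500")),
    "C002": ("Beta GmbH", Decimal("5000"), Decimal("4800")),
}

# Constructed order feed. The feed promises an unbroken sequence number per order.
ORDERS = [
    {"seq": 1001, "customer": "C001", "lines": [("widget", 10, "50.00")], "total": "500.00"},
    {"seq": 1002, "customer": "C002", "lines": [("gadget", 1, "300.00")], "total": "300.00"},  # breaks credit limit
    {"seq": 1004, "customer": "C001", "lines": [("widget", 2, "50.00")], "total": "100.00"},   # 1003 is missing
    {"seq": 1005, "customer": "C999", "lines": [("widget", 1, "50.00")], "total": "50.00"},    # not on approved file
    {"seq": 1006, "customer": "C001", "lines": [("widget", 3, "50.00")], "total": "160.00"},   # lines do not balance
]


def edit_checks(order):
    """On-line edit checks on one record: format, reasonableness and logic tests, then a
    balancing test of the stated total against the lines. Returns the list of error
    messages; an empty list means the record passed."""
    errors = []
    seq = order.get("seq")
    if not isinstance(seq, int) or seq <= 0:
        errors.append("invalid sequence number")
    lines = order.get("lines", [])
    if not lines:
        errors.append("order has no lines")
    for name, qty, price in lines:
        if not isinstance(qty, int) or not 0 < qty <= 10_000:   # reasonableness test
            errors.append(f"unreasonable quantity for {name}")
        if Decimal(price) <= 0:                                   # logic test
            errors.append(f"non-positive price for {name}")
    if errors:
        return errors
    computed = sum(Decimal(price) * qty for _, qty, price in lines)
    if computed != Decimal(order.get("total", "0")):              # balancing control
        errors.append(f"stated total {order.get('total')} does not balance to lines {computed}")
    return errors


def sequence_gaps(seqs):
    """Account for the numerical sequence: numbers missing between the lowest and highest seen."""
    present = set(seqs)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def process_feed(orders, customers):
    """Run the controls over a batch.

    Returns (accepted sequence numbers, exceptions as (seq, reason), sequence gaps).
    The exceptions and gaps are what would be followed up and reported to supervisors.
    """
    accepted, exceptions = [], []
    exposure = {cid: balance for cid, (_, _, balance) in customers.items()}
    for order in orders:
        errors = edit_checks(order)
        if errors:
            exceptions.append((order.get("seq"), "; ".join(errors)))
            continue
        cid = order["customer"]
        if cid not in customers:                                  # match to approved control file
            exceptions.append((order["seq"], f"customer {cid} not on approved customer file"))
            continue
        total = Decimal(order["total"])
        _, limit, _ = customers[cid]
        if exposure[cid] + total > limit:                         # authorisation against credit limit
            exceptions.append((order["seq"], f"customer {cid} would exceed credit limit {limit}"))
            continue
        exposure[cid] += total                                    # accepted orders consume the limit
        accepted.append(order["seq"])
    gaps = sequence_gaps(o["seq"] for o in orders if isinstance(o.get("seq"), int))
    return accepted, exceptions, gaps


if __name__ == "__main__":
    accepted, exceptions, gaps = process_feed(ORDERS, APPROVED_CUSTOMERS)
    print("accepted:", accepted)
    for seq, reason in exceptions:
        print(f"exception {seq}: {reason}")
    print("sequence gaps:", gaps)
```

Two design points are worth noting. The credit check uses a running exposure that accepted orders consume, so two orders that each fit the limit on their own cannot together exceed it within one batch; and the sequence gap check runs over the whole batch rather than per record, because a missing number is only visible once its neighbours have been seen, which is why it is reported for follow-up rather than used to reject anything.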

4.6.4 LIMITATIONS OF CONTROLS


Control activities, no matter how well designed and executed, can provide only reasonable
assurance regarding achievement of objectives. The likelihood of achievement is affected by
limitations inherent in all control systems. These limitations include the following:
Judgment | The effectiveness of controls will be limited by the fact that decisions must be made
with human judgment in the time available, based on information at hand and under the pressures
to conduct business.
Breakdowns | Even if control activities are well designed, they can break down. Personnel may
misunderstand instructions or simply make mistakes. Errors may also stem from new technology and
the complexity of computerized information systems.
Management override | Even in an effectively controlled agency, high-level personnel may be able
to override prescribed policies or procedures for personal gain or advantage. This should not be
confused with management intervention, which represents management actions to depart from
prescribed policies or procedures for legitimate purposes.
Collusion | Collusion between two or more individuals can result in control failures. Individuals
acting collectively often can alter financial data or other management information in a manner that
cannot be identified by the control system.
Costs versus benefit | In determining whether a particular control activity should be established, the
cost of establishing the control must be considered along with the risk of failure and the potential
impact. Excessive control is costly and counterproductive. Too little control presents undue risk.
Agencies should make a conscious effort to strike an appropriate balance.
Resource limitations | Every agency must prioritize control activities because resources are not
available to put every control activity into practice.

5. MONITORING, COMMUNICATION & AUDIT
To complete the review of ERM, we discuss the importance of monitoring, communication and the
role of the Internal Auditor in ensuring the proper implementation of the risk management system.
5.1 MONITORING

5.1.1 IMPORTANCE OF MONITORING


The purpose of monitoring all risks is to increase the value of every single activity within the
organisation. The potential benefits and threats of all factors connected with these activities have to
be ordered and documented. If all employees are aware of the importance of the risk management
process, the probability of success will be increased while at the same time failure will become
unlikely.
In addition, the risks faced by an organisation evolve over time. Entity objectives may change,
the likelihood and impact of risks may worsen, and the effectiveness of controls may reduce. These
changes could be caused by changes in organisational structure, strategy and personnel. In order to
ensure that ERM is functioning effectively, the management needs to consistently monitor and
review the risks it faces and the ERM system it has instituted.
5.1.2 TYPES OF MONITORING MECHANISMS
There are two mechanisms to monitor ERM: Ongoing Monitoring and Separate Evaluation.
Through ongoing monitoring, people can continually assess the effectiveness of the components of
ERM and promptly detect changes which affect that effectiveness. They can also provide timely
feedback which can help management modify the controls to increase their effectiveness.
On the other hand, Separate Evaluation is for management to review the ERM system from
time to time, such that it can bring in fresh perspectives and assess the effectiveness of the ERM
components taking into account the changes in the internal and external environment.
ONGOING MONITORING
Ongoing monitoring is generally done by managers, who make decisions based on the
information they receive from daily activities. They focus on relationships, inconsistency or other
possible information which indicates a change in efficiency. This information can usually be obtained
from regular management activities, such as variance analysis, comparison of reports from different
sources, and communication with other internal and external parties. On the other hand, activities
carried out according to policies in business processes, such as quality control, are more likely to be
described as internal controls.

In order for Ongoing Monitoring to be effective, management has the duty to put in place
mechanisms conducive to the continual assessment of risk. For example, risk assessment and
updating should be part of every status meeting and progress report system. In addition,
management and all employees should always be aware that unpredictable risks might occur. The
management should also create an environment in which all employees feel free to raise concerns
and admit mistakes. This should be the standard aimed for in every business, because hiding risks
and/or denying problems can inhibit the future success of the organisation. Everyone should be
encouraged to identify problems and new risks and therefore the project manager must have a
positive attitude toward risk.
In a very complex and huge organisational environment, the risk identification and assessment
step has to be repeated on a regular time basis. External stakeholders and experts could be brought
into the discussion so that they can review the actual risk profiles and offer a different assessment of
the current ERM system.
Another useful key success factor is the assignment of responsibility for every identified risk.
This step can be very complicated in the case of multiple organisations being involved. Without
responsibility being assigned for each identified risk, nobody really feels responsible or takes
responsibility for dealing with that occurred risk. The responsibility is then passed from one to
another, leading to its non-fulfilment. Therefore it is very important that responsibility for each
identified risk is assigned by mutual agreement between all relevant stakeholders so that everyone
knows who is dealing with each risk.
SEPARATE EVALUATION
Ongoing monitoring can be effective, but Separate Evaluations at regular time periods
provides a good alternative through fresh and direct assessments to ERM effectiveness. Separate
evaluation also tests the efficiency and effectiveness of ongoing monitoring. What determines how
we carry out Separate Evaluations?
Elements | Determinants
Scope and frequency? | Frequency depends on the risk profile and risk priorities of the organisation. The more significant the risk, the higher the frequency. The scope is usually small. Assessing the entire ERM system only occurs when there are major changes, such as a change in strategy, acquisitions or dispositions, major economic or political changes, etc.
Who evaluates? | Usually through self-assessment: the person in charge of a certain function or unit will assess the ERM effectiveness of their activity. However, this requires a great deal of information and experience to ensure accuracy.
Evaluation process? | Evaluation techniques can vary with different evaluators, but certain basic principles should be followed. The evaluator should understand the organisation's operations and how each component of ERM functions, i.e. the ERM process design. The evaluator should also analyse the ERM system design and test results and compare them against the standards established by management.
Methodology | Various methodologies can be used, including checklist, questionnaire and flowchart techniques. The organisation can benchmark its ERM system against those of other organisations with a reputation for having particularly good ERM. It is important to keep in mind, though, that differences will always exist due to differences in the objectives of each organisation, and management should not read too much into trivial differences.
Documentation | An appropriate level of documentation makes evaluation more effective and efficient. It is difficult to say, however, what the appropriate level of documentation is, as it varies with the organisation's size, structure and other factors. In any case, if management wants to impress on external parties the effectiveness of its ERM system, proper documentation would greatly support its statement.
Sources of information | Sources include:
1) Ongoing Monitoring activities, which provide important insight from people directly involved in the activities
2) Communication with external parties, whose feedback can indicate deficiencies in certain processes
3) Reports from external sources, which could suggest improvements to, or point out loopholes in, the current ERM processes being adopted
4) Previous evaluations, which could provide a comparison for the effectiveness of the ERM activities, or reveal new risks that have surfaced
To whom to report? | Findings of ERM deficiencies or opportunities should be communicated to the individual responsible for the activity involved, and also to at least one level of management above that person.
Reporting directives | Reporting protocols should be well defined. Usually, deficiencies in ERM activities would be reported in increasing levels of detail as one moves down the organisational structure. Certain directives may be set such that only deficiencies above a specified threshold of importance would be reported.

Figure 13: Elements of a Separate Evaluation


Source: Passenheim (2009)

PROS AND CONS OF THE TWO MONITORING MECHANISMS
Ongoing Monitoring is carried out on a real-time basis and allows the organisation to react
dynamically to changes. In addition, it is ingrained in the organisation's operations and working
culture. Thus, Ongoing Monitoring is usually regarded as more effective than Separate Evaluation.
However, Ongoing Monitoring is also more costly to carry out than Separate Evaluation, and it is
not sufficient on its own. A balanced ERM system should implement the Ongoing Monitoring
mechanism as well as conduct Separate Evaluations at regular intervals.

5.2 COMMUNICATION & INFORMATION SYSTEMS
Having discussed at length the importance and mechanisms of monitoring, you would have
realised that successful monitoring depends heavily on one factor: information.
Information is required at all levels of the organisation, and it is the basis upon which decisions are
made. This can include financial information, which is used in budgeting, pricing and assessing vendor
performance; operating information, which is used in assessing process efficiency, production and
inventory valuations; as well as information required for compliance and financial reporting.
Effective communication is the key to ensuring that the right information is relayed to the relevant
decision makers.
5.2.1 INFORMATION QUALITY
Relevant information needs to be captured and presented to decision makers in a timely
manner, such that they are able to carry out their responsibilities effectively. We discuss two key
characteristics of information quality that ensure the smooth and efficient functioning of ERM:
depth and timeliness.
Depth | Depth of information refers to the level of detail. The amount of detail required at different
management levels tends to differ: senior management maintains a broad but general
understanding of the issues affecting the entire organisation, while ground-level employees and
managers need a greater level of detail in order to manage the risks effectively. In
developing information infrastructure, it is important to avoid information overload and to provide the
right amount of detail to the right people at the right time.
Timeliness | The level of data timeliness should be consistent with the firm's required speed of
response to risks. As most information infrastructures are now real-time, the main consideration
then is the accessibility and timely provision of information that is usable and actionable.
5.2.2 INTEGRATED INFORMATION SYSTEMS
The design of the information system architecture is an important aspect of an organisation's
strategy, and also serves to drive its business strategy. Information systems are usually fully
integrated with operations. Many organisations adopt Enterprise Resource Planning (ERP) systems, which
enable the organisation to maintain a real-time, shared database, hence enabling easy access to
information and changing the way organisations operate, from groups of individual functional or
departmental silos to seamless entities.
New innovations in information systems provide for better ERM processes. Managers can
access historical data to track actual performance against targets, forecast performance and identify
trends. Real-time information also provides managers with a better picture of the current risk profile
and whether the organisation is presently within its risk tolerances.
However, as information technology continues to evolve, the organisation also becomes
susceptible to additional, previously unknown risks, as has been the case in the past with the rise of
cyber crime and information security breaches. Hence, these risks have to be accounted for as well in the
organisation's ERM system.

5.2.3 COMMUNICATION
Information systems provide a mode for communication. However, communication is taking
place constantly through many different channels. In this section, we explore other avenues of
communication in an organisation.
INTERNAL COMMUNICATION
Communication within the company should not merely be top-down, or bottom-up, but
across all levels of the organisation. The management has the duty to provide clear and specific
communication that addresses behavioural expectations and responsibilities to the personnel. It is
important to convey the right organisational culture and risk management philosophy to the
employees, to ensure everyone speaks a common risk language, and understands his/her role in
ensuring ERM is carried out effectively.
Front-end personnel also have the responsibility to communicate problems that they come
across to their managers, to allow for timely resolution. They will need channels through which to
communicate their findings, and the right culture to encourage them to do so. Managers should also
contribute to a positive risk culture by being receptive to feedback from their employees and by
encouraging personnel to challenge the norms.
With regard to sensitive information such as illegal acts, separate communication channels
may be set up to encourage personnel to report them under the cover of anonymity. Management
should make it clear that personnel should not be subject to reprisal in the case of whistle-blowing.
Most importantly, the management should establish regular communication with the board,
updating them on the performance, risk and effectiveness of the ERM system, as well as other
relevant issues. This helps the board carry out its oversight responsibility effectively. Of course,
communication should also be two-way. The board should also provide feedback, advice and
direction for the management.
EXTERNAL COMMUNICATION
There also needs to be appropriate communication between the organisation and its external
stakeholders, including customers, suppliers, regulators, shareholders, members of the public,
etc. Open communication channels with external stakeholders allow them to provide useful
feedback that enables the company to stay on top of changes in the external environment.
Open communication about the organisation's risk appetite and risk tolerances is also
advantageous, as it helps the management consider how the risk appetite and risk tolerances are
aligned with those of the external partners, and enables them to decide the amount of risk to take.

5.3 INTERNAL AUDIT
Audits are usually an important part of risk response control. Audits can be defined as
systematic and independent analyses. The areas of auditing include the reliability of reporting, the
effectiveness and efficiency of operations, and compliance with laws and regulations. Through audits
one can check whether quality-related work, and the results gained through such work, conform to the
standards and to the planned requirements.
An audit checks whether the work is done economically and rationally. The main aim of an audit is to
discover weaknesses and risks inside an organisation or project. A big advantage of audits is the
ability to check quality-related issues and workflow thoroughly. On the other hand, a
disadvantage is the amount of preparation required: the time demanded for preparing the paperwork
and training employees. In addition, audits only provide a short snapshot of the situation.
5.3.1 THE INTERNAL AUDITOR
The internal auditor (IA) has the important responsibility of evaluating the effectiveness of
ERM. The IA carries out monitoring and evaluation activities on the process workflow, and hence
should be objective with regard to the activity that they audit.
There are major challenges to the role of the auditor. One challenge is that the objectives of
the auditor may appear to be polar opposites to those of the other employees. Employees tend to
distance themselves from the IA as they feel their work is under scrutiny. Some employees may
also consider the audit a critique of the work they did and may develop a grudge against the IA.
Hence it could be difficult for IAs to form positive working relationships with other employees,
and to obtain the information they need to carry out their audit work effectively.
Another challenge is the organisational culture and structure, which may inhibit the
effectiveness of the IA. Some organisations' cultures may be less receptive to criticism, and the
management may not like to hear about deficiencies in the ERM system. This makes the job of the IA
difficult, and he/she may be discouraged from reporting negative findings, which would render the
audit work ineffective. Reporting lines that go directly to the CEO, the Chairman of the board, or an
independent Audit Committee are preferred. Some organisations set up reporting lines to senior
management, but that may be counter-productive, as management is less inclined to take negative
feedback constructively, and the advice of the IA may fall on deaf ears.

6. CONCLUSION AND FUTURE OUTLOOK
We have seen how ERM contributes to the organisation, how the ERM process works and what
constitutes good ERM practice. Indeed, ERM is a vital tool for companies to manage their strategy and
operations. Yet many organisations view ERM as a regulatory requirement or an unnecessary
expense. The fact that unmitigated or poorly controlled risks are likely to cost the organisation much
more than a well-designed ERM system appears well hidden from them, for some reason or
another. This could explain why the 2010 COSO ERM Survey showed that only 3.4% of 460 ERM
leaders considered their organisation's ERM process to be very mature.
However, the 2008 financial crisis has revived interest in ERM, and there is growing evidence
provided by US insurers that proper ERM does minimise the impact of risk. A strong trend has
emerged towards a more systematic and more formal approach to implementing ERM processes.
ERM is now being seen as a value-creating activity, enabling not just entity-wide portfolio
management of risks, but also helping the organisation capitalise on opportunities. With this
shift in perspective, ERM has evolved from a good-to-have to a must-have. In fact, Singapore is
closely following the trend, with KPMG reporting an almost 50% increase in ERM adoption among
the companies surveyed, from 35% in 2006 to 51% in 2010. The future for ERM remains bright
indeed.

REFERENCES
Casualty Actuarial Society, 2003. Overview of Enterprise Risk Management.
http://www.casact.org/research/erm/overview.pdf
Committee of Sponsoring Organizations of the Treadway Commission, 2004. The COSO Enterprise Risk
Management Integrated Framework.
Committee of Sponsoring Organizations of the Treadway Commission, 2004. The COSO Enterprise Risk
Management Integrated Framework: Application Techniques.
Committee of Sponsoring Organizations of the Treadway Commission, 2004. COSO's 2010 report on ERM.
http://www.coso.org/documents/COSOSurveyReportFULL-Web-R6FINALforWEBPOSTING111710.pdf
Corporate Executive Board India, 2010. Six Myths on how to assess and mitigate risk.
http://www.scribd.com/doc/26301480/Six-Risk-Management-Myths
Germond, N., 2010. Enterprise Risk Management a Must in 2011 and Beyond.
http://www.allbusiness.com/company-activities-management/company-strategy/15377913-1.html
Husdal, J., 2009. Book review: Enterprise-wide risk management.
http://www.husdal.com/2009/04/15/bookreview-enterprise-wide-risk-management/
Jaspal, S., 2010. Highlights of COSO ERM survey.
https://soniajaspal.wordpress.com/2010/12/14/highlights-ofcoso-erm-survey/
KPMG, 2010. Charting a safe and sustainable growth journey: Singapore Enterprise Risk Management Survey
2010.
Office of Financial Management, 2008. Chapter 20: Internal Control and Auditing.
http://www.ofm.wa.gov/policy/20.htm
Passenheim, O., 2009. Enterprise Risk Management.
http://ebooklink.net/g/download/8776816841/Enterprise%20Risk%20Management,%20Prof.%20Dr.%20Olaf%20Passenheim/
Towers Watson, 2009. Risk appetite: The foundation of Enterprise Risk Management.
http://www.towerswatson.com/assets/pdf/625/ERM_Risk_Appetite_12-28-09.pdf

Disclaimer
The information set forth herein has been obtained or derived from sources generally available to the public and believed
by the author(s) to be reliable, but the author(s) does not make any representation or warranty, express or implied, as to
its accuracy or completeness. The information is not intended to be used as the basis of any investment decisions by any
person or entity. This information does not constitute investment advice, nor is it an offer or a solicitation of an offer to
buy or sell any security. This report should not be considered to be a recommendation by any individual affiliated with NTU
Risk Management Society.
