
ACAUD 2348: Introduction To Risk Management "What Can Go Wrong?"

Uploaded by

cds.f0703

ACAUD 2348

Chapter 4
Introduction to Risk Management: “What Can Go Wrong?”
Introduction
§ CH 1 – Introduction to Corporate Governance
§ CH 2 – Corporate Governance: What is a Well-governed Organization?
§ CH 3 – Applying Ethics in Business
§ CH 4 – Introduction to Risk Management: “What Can Go Wrong?”
§ CH 5 – Assessment of Risks and Selection of Risk Strategies
§ CH 6 – Concept of Internal Control
§ CH 7 – Internal Control in Action
Learning Objectives
At the end of the chapter, the students will be able to:
§ describe risk and its characteristics;
§ identify the different types of risk;
§ articulate the need for risk management;
§ describe the steps in managing risks; and
§ identify globally-recognized risk management frameworks.
Definition of Risk
§ Risk - the possibility that an event will occur that could adversely affect the
achievement of business objectives.

§ Risk is asking yourself, “what can go wrong?”


Examples of Risk
Internal Events
External Events
Categories of Risk
§ Financial risks - the likelihood that the company might incur a financial loss, or suffer a
decline in profit, capital, investment, or cash flows, on account of the occurrence of
events or transactions.

§ Nonfinancial risks – a type of risk, other than financial risks, that can negatively affect
the company (e.g., breakdown of machines, loss of raw materials)
Credit Risk
§ Credit risk - the risk that a counterparty such as a customer or a borrower might fail to
pay its account on the due date
§ For instance, there is a possibility that a borrower of a bank will be unable to pay his or
her loan on the maturity date.
§ Sometimes referred to as default risk
§ Credit risk is present in all activities where there is an expectation of repayment.
Liquidity Risk
§ Liquidity risk - the risk that the business will be unable to meet its financial obligations
as they fall due because of insufficient cash.

§ Liquidity risk also includes the possibility that the business may not be able to:
§ Convert its noncash assets into cash on short notice.
§ Borrow funds from banks and other creditors with reasonable interest and payment terms.
Interest Rate Risk
§ Interest rate risk - the potential decline in earnings due to changes in interest rates

§ If the company has a variable-rate loan payable, an increase in the market rate of interest will
increase total interest expense, resulting in lower profit.

§ Occurs because the business may have a disproportionate amount of fixed and variable
interest rate instruments
Foreign Currency Risk
§ Foreign currency risk - the risk that fluctuations in exchange rates could affect the profit
of the business.

§ For example, a weakening of the Philippine peso will result in a foreign currency loss to
a Philippine importer of goods.

§ The Philippine importer will have to convert more Philippine pesos into dollars to pay
off the transaction.
Other Price Risk
§ Other price risk - the risk that changes in specific prices (stock price, purchase price,
index) could affect the profit or cash flow of the business.

§ For instance, a decline in the price of shares owned by the company and traded in the stock
exchange will result in a decrease in the value of the stock investments.
Business Risk
§ Business risk - the possibility that the business may not be able to generate sufficient
revenue, or the chance that operating costs will increase

§ For example, an increase in raw material cost will result in a decline in the gross profit
margin of the company.

§ When the company is unable to achieve its sales target, revenues will not be enough to
cover operating costs.
Operational Risk
§ Operational risk - the risk that business operations will be disrupted due to inadequate
or failed systems, processes, people, breaches in internal controls, or other unforeseen
catastrophes

§ The company uses internal controls (e.g., business continuity plans, preventive
maintenance) to mitigate the effect of operational risks.
Legal Risk or Compliance Risk
§ Legal or compliance risk - the risk that the company might fail to comply with applicable
laws and regulations

§ This risk also includes the possibility of not complying with contractual obligations to
other entities.

§ This type of risk may result in fines and penalties as well as possible criminal
prosecution of erring company officers and employees.
Health and Safety Risk
§ Health and safety risk - the risk that unforeseen events could result in injuries, illnesses,
or even loss of lives

§ Examples include injuries sustained by workers in the factory and transmission of the
COVID-19 virus to company staff.

§ This kind of risk increases the medical costs that will be incurred by the company.
Environmental Risk
§ Environmental risk - the risk that the company may fail to control or minimize factory
wastes, emissions, and other pollutants arising from its business activities.

§ Failure to remedy this negative contribution of the company to the environment could
result in possible government sanctions such as huge amounts of fines and penalties, or
even business closure.
Strategic Risk
§ Strategic risk - the risk of selecting an inappropriate corporate strategy or of failing to
implement an appropriate strategy

§ This type of risk may result in failure to achieve long-term strategic goals, loss of market
share, and shrinkage in corporate value.
Reputational Risk
§ Reputational risk - the risk that the reputation or image of the company will be damaged
due to reasons such as improper acts of corporate officers, poor financial performance,
bad news about the company, among others

§ This risk reduces the confidence of investors, customers, creditors, and other entities
with respect to the status of the business.

§ Reputational risk could result in the collapse of the company.


Financial Reporting Risk
§ Financial reporting risk - the possibility that the financial statements of the company
will be incorrect due to errors, lapses, or failure to apply accounting standards such as
the International Financial Reporting Standards (IFRS).

§ Unreliable financial statements could result in erroneous financial analysis affecting the
business decisions of investors and creditors.
Fraud Risk
§ Fraud risk - the risk arising from deceptive and intentional acts that result in the loss of
company assets, resources, and reputation

§ Examples of fraud include theft of cash and inventories, bogus deliveries, ghost
employees, window dressing of the financial statements, and the like.
Enterprise Risk Management, defined
§ Enterprise risk management - a process, effected by an entity’s board of directors,
management, and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.
§ from COSO ERM Framework, 2004
Role in Risk Management: BOD
§ The Board of Directors conducts an oversight of the effectiveness of the company’s risk
management process.

§ Risk oversight pertains to the periodic review and monitoring of the process being used
by management in addressing and controlling risks.

§ It is common for large companies to have separate risk oversight committees within the
board.
Role in Risk Management
§ Management implements specific risk mitigation and control procedures in managing
the various types of risks affecting the company.

§ Management also identifies and assesses risks prior to selecting the appropriate risk
response or controls.

§ Many companies have risk managers who are the ones tasked to manage risks in a
professional and technical manner.
Role in Risk Management: Internal Auditors
§ Internal auditors - conduct examination of the risk management and internal control
processes for the purpose of determining their effectiveness.

§ Audit findings (e.g., weak risk processes) as well as their recommendations for
improvements are communicated to the Board of Directors, or to the Risk Oversight
Committee.
Risk Appetite
§ Risk appetite - the level of risk that the company can accept in pursuit of its objectives

§ Operating a business naturally involves the taking of risks.

§ But risks must be kept to within acceptable or manageable levels.

§ This is one of the aims of the risk management process - to keep risks within the
company’s risk appetite.
Steps in the Risk Management Process
1. Set business objectives.
2. Identify risks to those objectives.
3. Assess the risks identified in terms of likelihood and impact.
4. Respond to the assessed risks (accept, mitigate, share, avoid, transfer).
5. Implement the risk response (specific action plans or controls).
6. Monitor.
Categories of Business Objectives
§ Strategic objectives - are high-level goals, aligned with and supporting the organization's
mission and long-term vision.

§ Operational objectives - are goals that are related to the effective and efficient use of
corporate resources.
§ Reporting objectives - are goals relating to the reliability and transparency of corporate
reports such as financial and nonfinancial reports.

§ Compliance objectives - are goals relating to compliance and conformity with applicable
laws and regulatory requirements.
Examples of Business Objectives
Examples of Risks to Business Objectives
Assessing Risks in terms of Likelihood and Impact
§ “Likelihood” - the probability that the event will occur

§ “Likelihood” is often classified into “high,” “moderate,” or “low.”

§ “Impact” - the significance of the negative effect of the risk on the company

§ The “impact” of a risk is also classified into “high,” “moderate,” or “low.”

§ Analyzing risk in terms of “likelihood” and “impact” is known as risk assessment.


Risk Responses
§ Accept - Accepting the risk is permissible only if it is of minor effect on the business or if
its likelihood is “remote.”

§ Reduce - Risks that are likely to happen or those that are expected to have a significant
impact on the business cannot be simply accepted.
§ These risks should be mitigated or reduced to tolerable levels.
§ Reducing risks can be done through implementing controls.
§ Share - In some situations, the appropriate response might be to share or transfer the
risks to some other entity such as an insurance company.
§ Example: Some risks of the company may be transferred to or shared with an insurance company.
§ Avoid - Avoiding a risk may be the right response when management thinks that merely
reducing it is not enough.
§ Examples:
§ The company may terminate one of its product lines if it assesses that operating it has become
too risky.
§ The company may totally avoid entering into dollar-denominated transactions to eliminate
foreign currency risk.
Implementing the Risk Response
Monitor Risks and the Risk Management Process
§ The risk management process must be continuously monitored to determine if it
remains effective and efficient over time.

§ Management cannot make the erroneous assumption that an effective risk management
process will remain effective over time.

§ A risk management process that is effective today may no longer be effective in the next
period. This is because risks are always changing.
Risk Management Frameworks
§ Committee of Sponsoring Organizations (COSO) Enterprise Risk Management
framework (2004)

§ ISO 31000 - Risk Management is a series of risk management standards formulated by
the International Organization for Standardization.
§ Provides a set of principles and guidelines for the design, implementation, and evaluation of the
risk management process for companies across different industries
Basic Steps – ISO 31000
1. Identification of all risks that could prevent the company from achieving its business
objectives
2. Analysis of risks including an understanding of their causes and effects
3. Determination of whether identified risks are tolerable or not
4. Treatment of significant risks by way of mitigating procedures to reduce the impact
and/or the likelihood of the risks
5. Monitoring of the risk management strategy and its implementation to determine gaps that should be
addressed
6. Communication of information pertaining to the risk management process of the company
