ERM Finals Reviewer


Guidelines:

1. Choose 9 main topics per member. Put your name in red letters beside the topic to
claim (ex: MAIN TOPIC [ALLI] )
2. For the exam guide, please refer to this link
3. Topics listed in this reviewer are already condensed based on the exam guide.
4. MAIN TOPICS are in bold and capital letters.
5. DEADLINE: May 20, Monday, 11:59 PM

———

BENEFITS OF ERM AND IMPLEMENTATION OF ERM SYSTEM [DAS]

[TOPIC 7] One of the benefits of having a formal ERM process is Accountability, that is,
clarity on who will be on top of these risks.

[TOPIC 8] COSO has stated that organizations that integrate ERM throughout the
organization can realize many benefits, including, but not limited to:

1. Increasing the range of opportunities
2. Identifying and managing risk entity-wide
3. Increasing positive outcomes and advantages while reducing negative surprises
4. Reducing performance variability
5. Improving resource deployment
6. Enhancing enterprise resilience

COSO has stated that organizations need to identify the best framework for optimizing
strategy and performance in order to integrate ERM throughout the organization to achieve
benefits, including

1. Improved Decision-Making Processes
2. Enhanced Ability to Achieve Strategic Objectives
3. Strengthened Stakeholder Trust
4. Better Preparedness for Unexpected Events

DIFFERENT TYPES AND EXAMPLES OF QUALITATIVE AND QUANTITATIVE METHODS [DAS]

[Risk Identification and Assessment: Risk Assessment Tools]

1. Qualitative Risk Assessment Methods - do not have specific numerical or financial data
associated with the risk of loss, but organizations still can identify the risk of loss associated
with these events.

Types/Examples:

a. Risk ranking - requires the organization to assign a relative ranking to prioritize
risks and assign resources to address the risks in order of importance.
b. Risk maps - allow organizations to classify events into a variety of risk levels.

2. Quantitative Risk Assessment Methods - assign specific metrics or financial
measurement to risk events. Organizations can use several methods to assess quantitative
risk.

a. Earnings distributions - show the effect of risk management on reducing the
volatility of earnings associated with an event.

b. Earnings at risk - show how a particular event will cause earnings (or cash flow)
to vary around an expected amount. (Cash flow at risk is a very similar method.)

c. Sensitivity analysis - can show how events such as a change in interest rates or
a delay in a product introduction can affect earnings or cash flow at risk.

d. A common risk measure is Value at Risk (VaR). This measure indicates potential
loss by a firm due to its trading activities.

DEFINITION AND EXAMPLES OF ARATS [FRANZ]

[LECTURE 2 (FROM SIR)]

AVOIDANCE
● Risk is avoided when the organization refuses to accept it. The exposure is not
permitted to come into existence. This step is accomplished by simply not engaging
in the action that gives rise to risk.
● High Likelihood, High Impact = Avoidance

REDUCTION
● Sometimes called risk retention.
● Conscious risk retention takes place when the risk is perceived and not transferred or
reduced. When the risk is not recognized, it is unconsciously retained—the person
retains the financial risk without realizing that he or she is doing so.
● Voluntary risk retention is when the risk is recognized, and there is an agreement
to assume the losses involved.
● Involuntary risk retention occurs when risks are unconsciously retained or cannot
be avoided, transferred, or reduced.
● High Likelihood, Low Impact = Reduction

TRANSFER
● Risk may be transferred to someone more willing to bear the risk.
● The transfer may be used to deal with both speculative and pure risk.
● Low Likelihood, High Impact = Transfer
● Examples:
○ Hedging is a method of risk transfer accomplished by buying and selling for
future delivery so that dealers and processors protect themselves against a
decline or increase in market price between the time they buy a product and
sell it.
○ Pure risks may be transferred through contracts, like a hold-harmless
agreement where one individual assumes another's possibility of loss.
○ Insurance

SHARING
● Distributing or transferring the risk among various parties.

DEFINITIONS/STATEMENTS/ELEMENTS REGARDING THE ERM PROCESS (5 STEPS) [FRANZ]

[LECTURE 2 (FROM SIR)]

Step 1: Risk Identification

Risk identification seeks to identify as many threats as possible without evaluating them.
Internal Risk Factors
• Communication methods
• Risk assessment activities
• Appropriateness of internal control activities
• Labor relations
• Training and capability of the employees
• Degree of supervision of employees
• Operational risks
• Financial risks
• Strategic risks

External Risk Factors
• Regulatory changes
• Industry competition
• Relationships with key suppliers
• Relationships with customers
• Recruiting and hiring activities
• International risk
• Hazard risks

Tools, diagnostics, and processes that may be used to support risk identification include:
• Brainstorming
• Interview
• Checklists
• Flowcharts
• Scenario analysis
• Value chain analysis
• Business process analysis
• Systems engineering
• Process mapping
• Computed cash flow at risk
• Projected earnings at risk
• Projected earnings distributions
• Projected EPS distributions

Step 2: Risk Assessment

Risk assessment is the process of analyzing the potential effects of identified risks. Risks are
analyzed, considering likelihood and impact, as a basis for determining how they should be
managed.

1. Impact. The effect the risk occurrence would have on the organization's objective if it were
to occur. For example, what loss would happen if a particular risk factor occurred and was
not detected and corrected?
2. Likelihood. The probability or chance that the risk actually will occur.

Step 3: Risk Prioritization

In the risk prioritization step, the overall set of identified risk events, their impact
assessments, and their probabilities of occurrence are "processed" to derive a
most-to-least-critical rank order of identified risks.

a) Risk Appetite
The degree of uncertainty an entity is prepared to accept in pursuit of its objectives.
b) Risk Tolerance
The degree, amount, or volume of risk impact that an organization or individual will
withstand.
c) Risk Threshold
The level of uncertainty or impact at which a stakeholder will have a specific interest.
Below the risk threshold, the stakeholder will accept the risk. Above the risk threshold, the
stakeholder will not accept the risk.
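Added worked example (not from the reviewer or its lectures): Step 2 and Step 3 in code. Each identified risk gets a likelihood and an impact rating on a 1-5 scale (the scale and the "3 or more counts as high" cut-off are this example's assumptions; the reviewer fixes neither), the score is likelihood x impact, the risks are rank-ordered most-to-least critical, and each is placed in the likelihood/impact quadrant that the ARATS notes above map to a response (High/High = Avoidance, High/Low = Reduction, Low/High = Transfer). The Low/Low cell is not mapped anywhere in the reviewer; treating it as Accept/Retain is an assumption. The risk names and ratings are constructed sample data.

```python
"""Risk assessment (Step 2) and prioritization (Step 3) over a small register.

Added example; the 1-5 scale, the HIGH cut-off and the Low/Low = Accept/Retain
mapping are assumptions, the sample risks are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

HIGH = 3  # assumption: a rating of 3 or more on the 1-5 scale counts as "high"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: ratings must be between 1 and 5")

    def score(self) -> int:
        """Likelihood x impact, the single number the rank order is built on."""
        return self.likelihood * self.impact


def suggested_response(risk: Risk) -> str:
    """Quadrant-to-ARATS mapping taken from the reviewer's AVOIDANCE/REDUCTION/
    TRANSFER notes; Low/Low -> Accept/Retain is an assumption."""
    high_likelihood = risk.likelihood >= HIGH
    high_impact = risk.impact >= HIGH
    if high_likelihood and high_impact:
        return "Avoid"
    if high_likelihood:
        return "Reduce"
    if high_impact:
        return "Transfer"
    return "Accept/Retain"


def prioritize(risks: List[Risk], tolerance: int) -> List[Tuple[str, int, str, bool]]:
    """Return (name, score, response, exceeds_tolerance) most-to-least critical.

    `tolerance` is the highest score the organization will withstand (its risk
    threshold): anything above it is flagged for treatment. Ties are broken by
    name so the order is deterministic.
    """
    ranked = sorted(risks, key=lambda r: (-r.score(), r.name))
    return [(r.name, r.score(), suggested_response(r), r.score() > tolerance)
            for r in ranked]


# Constructed sample register (security-flavoured), not data from the reviewer.
SAMPLE_RISKS = [
    Risk("Phishing-led credential theft", likelihood=4, impact=4),
    Risk("Laptop loss without disk encryption", likelihood=2, impact=5),
    Risk("Flaky build server", likelihood=5, impact=2),
    Risk("Printer outage", likelihood=2, impact=1),
]

if __name__ == "__main__":
    for name, score, response, flagged in prioritize(SAMPLE_RISKS, tolerance=9):
        print(f"{score:>2}  {response:<14} {'TREAT' if flagged else 'ok   '}  {name}")
```

The rank order is the "processed" output Step 3 describes; the tolerance flag is where the risk appetite / risk threshold definitions above enter the procedure.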

Step 4: Risk Response Formulation

Risk response involves reducing risks to an acceptable level by employing the ARATS.

Step 5: Risk Monitoring and Control

The purpose of this is to address how risk will be monitored. This includes verifying
compliance with the risk response decisions by ensuring that the organization implements
the risk response measures (and any information security requirements), determines the
ongoing effectiveness of risk response measures, and identifies any changes that would
impact the risk posture.

DEFINITION AND EXAMPLES OF RISK EXPLOITATION [DAS]

[TOPIC 5]
Definition: It refers to the strategic utilization or leveraging of risks to achieve potential gains
or advantages. Unlike traditional risk management approaches that focus solely on risk
mitigation or avoidance, risk exploitation involves identifying opportunities within certain risks
and actively capitalizing on them.

Examples of Risk Exploitation (CRREDiT):

1. Create
2. Redesign
3. Restructure
4. Expand
5. Diversify
6. Take Advantage

SITUATIONS REGARDING RISK EXPLOITATION AND RISK AVERSE [ALLI] [can't find it,
so the two are just differentiated instead]

Risk exploitation means taking actions to ensure that an opportunity will happen or have a
greater impact. For example, if you have a chance to win a new contract, you may exploit it
by offering a competitive price, delivering a high-quality proposal, and negotiating favorable
terms.

Risk averse is the tendency of people to prefer outcomes with low uncertainty to those
outcomes with high uncertainty, even if the average outcome of the latter is equal to or
higher in monetary value than the more certain outcome. For example, a risk-averse investor
might choose to put their money into a bank account with a low but guaranteed interest rate,
rather than into a stock that may have high expected returns, but also involves a chance of
losing value.

RISK RANKING [ALLI] [Google, Topic 2]

Risk ranking is a risk assessment that relies on qualitative, usually subjective, estimates of
likelihoods and consequences. It avoids the technical demands of more formal techniques
and may use quantitative information where it is available.

PROBABILITIES (WITH COMPUTATION) [ALLI] [Topic 2]

Assessing risk generally involves the use of probabilities. For example, if there is a
40% chance that a company will suffer a 1,000,000 loss and a 60% chance that the
company will suffer a 300,000 loss, the expected loss can be estimated as 580,000 [(.4 ×
1,000,000) + (.6 × 300,000)]. Determining the estimated amounts and their probabilities
involves experience, information, and judgment.
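Added worked example (not from the reviewer): the expected-loss computation above, generalized to any list of (probability, loss) scenarios, plus two of the quantitative methods from the Risk Assessment Tools section, a Value at Risk read off the same discrete distribution and a sensitivity analysis on the probability of the worst case. The reviewer's 40%/60% case is carried through; the second distribution and the VaR definition used (smallest loss not exceeded with the stated confidence) are this example's constructions.

```python
"""Expected loss, Value at Risk and a probability sensitivity over discrete scenarios.

Added example. PAGE_SCENARIOS is the reviewer's own case; CONSTRUCTED_SCENARIOS
is made up for illustration.
"""
from typing import List, Tuple

Scenario = Tuple[float, float]  # (probability, loss amount)

# The reviewer's case: 40% chance of a 1,000,000 loss, 60% chance of a 300,000 loss.
PAGE_SCENARIOS: List[Scenario] = [(0.4, 1_000_000), (0.6, 300_000)]

# Constructed distribution for one risk event: usually nothing, occasionally a
# large loss (the shape a data-loss or outage event often has).
CONSTRUCTED_SCENARIOS: List[Scenario] = [
    (0.50, 0),
    (0.30, 50_000),
    (0.15, 200_000),
    (0.05, 2_000_000),
]


def _check(scenarios: List[Scenario]) -> None:
    """Reject malformed inputs: the probabilities must form a distribution."""
    if not scenarios:
        raise ValueError("no scenarios")
    if any(p < 0 or loss < 0 for p, loss in scenarios):
        raise ValueError("probabilities and losses must be non-negative")
    total = sum(p for p, _ in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total:.6f}, not 1")


def expected_loss(scenarios: List[Scenario]) -> float:
    """Probability-weighted loss: sum(p_i * loss_i)."""
    _check(scenarios)
    return sum(p * loss for p, loss in scenarios)


def value_at_risk(scenarios: List[Scenario], confidence: float) -> float:
    """Smallest loss L with P(loss <= L) >= confidence, i.e. the loss that is not
    exceeded in `confidence` of cases (assumed definition for a discrete distribution)."""
    _check(scenarios)
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    cumulative = 0.0
    for p, loss in sorted(scenarios, key=lambda s: s[1]):
        cumulative += p
        if cumulative + 1e-12 >= confidence:
            return loss
    return max(loss for _, loss in scenarios)  # only reachable through rounding


def worst_case_sensitivity(scenarios: List[Scenario], shift: float) -> Tuple[float, float]:
    """Sensitivity analysis: move `shift` of probability mass from the least severe
    scenario to the most severe one and return (new expected loss, change)."""
    _check(scenarios)
    ordered = sorted(scenarios, key=lambda s: s[1])
    if len(ordered) < 2:
        raise ValueError("need at least two scenarios")
    if not 0.0 <= shift <= ordered[0][0]:
        raise ValueError("shift must not exceed the least severe scenario's probability")
    best_p, best_loss = ordered[0]
    worst_p, worst_loss = ordered[-1]
    shifted = [(best_p - shift, best_loss)] + ordered[1:-1] + [(worst_p + shift, worst_loss)]
    new = expected_loss(shifted)
    return new, new - expected_loss(scenarios)


if __name__ == "__main__":
    print("expected loss (reviewer's case):", expected_loss(PAGE_SCENARIOS))
    print("95% VaR (constructed case):", value_at_risk(CONSTRUCTED_SCENARIOS, 0.95))
    print("worst case +10 points:", worst_case_sensitivity(PAGE_SCENARIOS, 0.10))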

DEFINITION AND DIFFERENT TYPES OF KRIs [FRANZ]

Key Risk Indicator (KRI)

- A quantifiable measurement to monitor and manage potential risks that could impact
the organization's objectives and operations.
- This indicator is drawn from the reported performances or events and produces
results through analytical procedures such as trends, ratios, correlations, and
other appropriate analyses for the qualitative KRIs.
- Types of KRI
a. Mean time to detect (MTTD) – the average length of time it takes to discover
incidents in their environment. This helps monitor the effectiveness of an
organization's risk management process, especially in the area of detecting risks.
Example: Average time it takes for the inventory management system to detect when
stock levels have fallen below a certain threshold, indicating potential stockouts.

b. Mean time to respond/remediate (MTTR) – the amount of time it takes to
respond to and remediate an identified threat or failure. This helps monitor the
organization's ability to react and mitigate risks effectively once they have been
identified.
Example: The average duration between identifying the need to replenish inventory
and actually initiating the replenishment process.

c. Mean time between failures (MTBF) – the average time between failures of
critical components, systems, or processes within an organization. This helps
monitor the reliability and performance of assets/systems/processes in an
organization.
Example: The average time between system failures or downtime events. By utilizing
MTBF as a KRI in inventory management, organizations can identify vulnerabilities,
prioritize maintenance efforts and implement proactive measures to minimize the risk
of equipment failures, system downtime, and disruptions in inventory operations.
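Added worked example (not from the reviewer): the three KRIs above computed from a constructed set of security incident records, where each record carries when the incident actually started, when it was detected and when it was remediated. MTTD averages detected minus started, MTTR averages remediated minus detected, and MTBF averages the gap between the starts of consecutive incidents (that reading of "time between failures" is this example's assumption). A threshold check on MTTD shows how a KRI feeds the risk threshold idea from the ERM process section; the 24-hour limit and all incident data are constructed.

```python
"""MTTD, MTTR and MTBF from incident records.

Added example; incident names, timestamps and the MTTD limit are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    name: str
    started: datetime     # when the failure or compromise actually began
    detected: datetime    # when monitoring or a person noticed it
    remediated: datetime  # when it was contained or fixed

    def __post_init__(self):
        if not self.started <= self.detected <= self.remediated:
            raise ValueError(f"{self.name}: timestamps must be in start/detect/remediate order")


def _mean_hours(deltas: List[timedelta]) -> float:
    if not deltas:
        raise ValueError("no intervals to average")
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600.0


def mttd_hours(incidents: List[Incident]) -> float:
    """Mean time to detect: average of (detected - started)."""
    return _mean_hours([i.detected - i.started for i in incidents])


def mttr_hours(incidents: List[Incident]) -> float:
    """Mean time to respond/remediate: average of (remediated - detected)."""
    return _mean_hours([i.remediated - i.detected for i in incidents])


def mtbf_hours(incidents: List[Incident]) -> float:
    """Mean time between failures: average gap between consecutive incident starts
    (assumed reading of 'between failures'); needs at least two incidents."""
    starts = sorted(i.started for i in incidents)
    if len(starts) < 2:
        raise ValueError("MTBF needs at least two incidents")
    return _mean_hours([later - earlier for earlier, later in zip(starts, starts[1:])])


def kri_report(incidents: List[Incident], mttd_limit_hours: float) -> Dict[str, float]:
    """All three KRIs plus a flag for MTTD crossing the organization's threshold."""
    mttd = mttd_hours(incidents)
    return {
        "mttd_h": mttd,
        "mttr_h": mttr_hours(incidents),
        "mtbf_h": mtbf_hours(incidents),
        "mttd_breached": mttd > mttd_limit_hours,
    }


# Constructed incident log (not real events).
SAMPLE_INCIDENTS = [
    Incident("phishing account takeover",
             datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 20), datetime(2024, 3, 2, 2)),
    Incident("expired TLS certificate",
             datetime(2024, 3, 8, 0), datetime(2024, 3, 8, 1), datetime(2024, 3, 8, 3)),
    Incident("misconfigured storage bucket",
             datetime(2024, 3, 15, 9), datetime(2024, 3, 17, 9), datetime(2024, 3, 17, 12)),
]

if __name__ == "__main__":
    for key, value in kri_report(SAMPLE_INCIDENTS, mttd_limit_hours=24).items():
        print(f"{key:<14} {value}")
```

Over the constructed log the detection times are 12, 1 and 48 hours, so MTTD is about 20.3 hours: one slow detection dominates the average, which is why a practitioner tracks the trend of the KRI and not only the current value.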

DEFINITION AND DIFFERENT TYPES OF KPIs [FRANZ]

Key Performance Indicator (KPI)

- A type of performance measurement that indicates the risk.
- Evaluates the success of an organization or of a particular activity in which it engages.
- It serves as a way to periodically assess the performances of organizations, business
units, and their divisions, departments, and employees.

Two Main Focuses of Key Performance Indicators
● Customer-focused KPIs: These are generally centered on per-customer
efficiency, customer satisfaction, and customer retention.
● Process-focused KPIs: Aim to measure and monitor operational
performance across the organization.

MAIN DIFFERENCE BETWEEN KRIs and KPIs [FRANZ]

The definitions provided by different sources on KRI and KPI are constantly
overlapping and sometimes the same. But in the use of the RAT template, KPI is the
actual performance seen or realized by the immediate personnel in the specific area
or department of the organization while KRI is derived from the reports of the
performance evaluation producing a quantified result.

RISK APPETITE DEFINITION, STATEMENTS/FRAMEWORK [ALLI] [Topic 3/Group 1]

Risk Appetite Definition

● Risk appetite is the amount of risk that an organization is willing to seek or accept in
the pursuit of long-term objectives. - Institute of Risk Management (2011)
● Risk appetite is the amount and type of risk that an organization is willing to pursue or
retain. - International Organization for Standardization Guide 73 (2009)
● Risk appetite is the amount of risk that an organization is prepared to accept, tolerate,
or be exposed to at any point in time. - Orange Book (2004)
● Risk appetite is the level of risk that is acceptable to the board or management. This
may be set in relation to the organization as a whole, for different groups of risks, or
at an individual risk level. - Chartered Institute of Internal Auditors (2005)

In a nutshell, risk appetite is defined as "The degree of uncertainty an entity is prepared to
accept in pursuit of its objectives."

Another definition comes into focus: Risk appetite is the level of risk that the organization
is willing to take in its value creation activities, particularly in its investing activities. In
which, value creation refers to the process of generating additional worth or benefit for
stakeholders through various activities such as innovation, efficient operations, and strategic
decision-making.

Five Core Elements of Risk Appetite Framework

a) Stakeholder Objectives - Project stakeholders may include corporate management,
customers, employees, communities participating or affected by a project, regulatory
bodies, and many more. Their interests will determine the required payoff between the
strategic direction, resource investment and risks.

b) Corporate Risk Appetite - Chosen risk appetite and risk tolerances need to be
reviewed and approved by the senior management.

c) Business Unit And Department Risk Appetite - Risk appetite and risk tolerance
decisions made at the corporate level will determine targets and project portfolios that
will be chosen on the business unit or department level based on the project risk and
return comparison.

d) Capabilities - Certain capabilities need to be in place to ensure that the organization
is able to support its risk appetite framework. These include a set of performance
indicators, procedures for monitoring and reporting performance, documented policies
and guidelines for risk management, and clear accountabilities for implementing the
processes.

e) Risk Appetite Process - The risk appetite process itself needs to be documented and
continuously reviewed to make sure that it meets the needs of an organization. A
sample process can include four steps: setting the risk appetite, embedding it,
continuous risk mitigation, and reviewing the risk appetite.

COMMON RISK LANGUAGE [GAB]

[TOPIC 3]
Common Risk Language refers to a standardized set of terms, definitions, and
concepts used to communicate risks within an organization. Having a Common Risk
Language ensures that everyone involved in risk management processes speaks the same
language when discussing risks and their potential impacts.

Guidelines in Creating the Common Risk Language [ FICS your definition! ]

● Focused - The definition should focus solely on the nature of the risk without delving
into factors or causes that contribute to it.
● Impact - The definition should briefly describe the immediate significant effect of the
risk.
● Concise - The definition should be specific, clear, and simple. It should not exceed 30
words to ensure clarity.
● Standard Format - The definition should state the nature of the risk first, followed
by the impact. This uniformity aids in easy comprehension and comparison of
different risks.

Additional Guidelines:

● In developing a risk definition, avoid using words that are already mentioned in
the risk.
● Avoid a definition that is wordy and not clear.
● The risks below are usually perceived to be the same.
● Avoid combining two risks

DISCUSSION ABOUT RISK PRIORITIZATION [DAS]

[TOPIC 4 pg 13]

[TOPIC 8 pg 29]

DIFFERENT KINDS OF RISK [ALLI] [Additional notes to Module 1]

While risk is a general concept, it can be broken down into numerous sub-concepts that help
define and understand what the risk is. The following are a few of the most common types of
risk:

1. Business risk—The possibility that an organization either will have a lower profit
than expected or will experience a loss instead of a profit.
2. Hazard risk—The risk that the workplace environment or a natural disaster can
disrupt the operations of an organization.
3. Financial risk—The risk that an organization's cash flow will not satisfy the
shareholders' ability to recover the cash invested in the business, particularly when
the organization carries debt.
4. Operational risk—The risk of loss for an organization occurring from inadequate
systems, processes, or external events.
5. Strategic risk—The risk that a company's strategy will not be sufficient for the
organization to achieve its objectives and maximize shareholder value.
6. Legal risk—The risk that litigation (either civil or criminal) can negatively affect the
organization.
7. Compliance risk—The risk associated with the organization's ability to meet rules
and regulations set forth by governmental agencies.
8. Political risk—The risk that political influence and decisions may impact the
profitability and effectiveness of an organization.
9. Inherent risk—Broad term for all the risk a firm faces without any controls applied to
business activities or processes.
10. Residual risk—Broad term for the level of risk a firm faces after controls are applied
and assumptions about their effectiveness are made.
11. Liquidity risk—A type of financial risk that refers specifically to a firm's inability to
meet its cash flow needs without affecting the daily operations or financial condition
of the firm.

N/3 FILTERING RULE (DEFINITION, HOW DOES IT WORK) [GAB]

[TOPIC 4]

Definition:
The N/3 filtering rule is a method used to narrow down a list of risks by
selecting a subset of the most critical ones for further consideration or
prioritization.

How it works:
1. Identify the Total Number of Tier 1 Risks: Determine the total number of
risks categorized as Tier 1.
2. Apply the Rule: Divide the total number of Tier 1 risks by 3 (n/3). This
calculation provides a guideline for each participant in the Risk
Management Unit (RMU) to select a subset of the most critical risks.
3. Select Top Risks: Each RMU participant can then choose their top n/3
risks from among the identified Tier 1 risks. For example, if there are 30
Tier 1 risks, each participant can select their top 10 risks (30/3).
4. Aggregate Selections: Once all RMU participants have made their
selections, the individual choices are aggregated to identify the most
commonly selected risks, which can then be prioritized for further action
or resource allocation. The n/3 filtering rule helps streamline the decision-
making process by ensuring that each participant's perspective is
considered while focusing on the most critical risks as determined
collectively by the RMU.
5. Alignment with Risk Management Priorities: The selected risks align with
the organization's risk management priorities, focusing on those with the
greatest threat to strategic goals or significant negative impact.
6. Documentation and Communication: The selected subset and rationale
are documented and communicated to stakeholders, ensuring
transparency and accountability.
7. Review and Validation: The selected risks undergo review and validation
by stakeholders to ensure accuracy and alignment with the organization's
risk profile, addressing any concerns through collaborative discussion.
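Added worked example (not from the reviewer): steps 1 to 4 of the n/3 rule as code. The quota is the Tier 1 count divided by 3 (the reviewer's example is an exact multiple, 30/3 = 10; rounding down otherwise is this example's assumption), each RMU participant's picks are validated against the quota and the Tier 1 list, the picks are aggregated into a tally, and the risks chosen by at least half the participants form the shortlist (that cut-off is also an assumption; the reviewer only says "most commonly selected"). The nine Tier 1 risks and four participants are constructed.

```python
"""The n/3 filtering rule: quota, validation, aggregation, shortlist.

Added example; the Tier 1 list, participants and their picks are constructed,
and the rounding and the 'at least half' cut-off are assumptions.
"""
from collections import Counter
from math import ceil
from typing import Dict, List, Tuple


def picks_per_participant(n_tier1: int) -> int:
    """Step 2: n/3, rounded down (assumption) but never below one pick."""
    if n_tier1 < 1:
        raise ValueError("need at least one Tier 1 risk")
    return max(1, n_tier1 // 3)


def validate_selection(participant: str, picks: List[str], tier1: List[str], quota: int) -> None:
    """Step 3 guard: only Tier 1 risks, no duplicates, at most n/3 of them."""
    unknown = [r for r in picks if r not in tier1]
    if unknown:
        raise ValueError(f"{participant}: not Tier 1 risks: {unknown}")
    if len(set(picks)) != len(picks):
        raise ValueError(f"{participant}: duplicate picks")
    if len(picks) > quota:
        raise ValueError(f"{participant}: {len(picks)} picks exceeds the n/3 quota of {quota}")


def aggregate(selections: Dict[str, List[str]], tier1: List[str]) -> List[Tuple[str, int]]:
    """Step 4: tally every participant's picks, most-selected first.
    Ties keep the original Tier 1 order so the result is deterministic."""
    quota = picks_per_participant(len(tier1))
    tally: Counter = Counter()
    for participant, picks in selections.items():
        validate_selection(participant, picks, tier1, quota)
        tally.update(picks)
    position = {risk: i for i, risk in enumerate(tier1)}
    return sorted(tally.items(), key=lambda kv: (-kv[1], position[kv[0]]))


def shortlist(selections: Dict[str, List[str]], tier1: List[str]) -> List[str]:
    """Risks picked by at least half of the participants (assumed cut-off)."""
    needed = ceil(len(selections) / 2)
    return [risk for risk, votes in aggregate(selections, tier1) if votes >= needed]


# Constructed Tier 1 list (9 risks, so each participant picks 3).
TIER1 = [
    "ransomware",
    "insider data theft",
    "cloud misconfiguration",
    "third-party breach",
    "DDoS on customer portal",
    "unpatched systems",
    "phishing",
    "key person loss",
    "regulatory fine",
]

# Constructed picks from four RMU participants.
SELECTIONS = {
    "alice": ["ransomware", "phishing", "unpatched systems"],
    "bob": ["ransomware", "cloud misconfiguration", "third-party breach"],
    "carol": ["phishing", "ransomware", "regulatory fine"],
    "dave": ["unpatched systems", "DDoS on customer portal", "ransomware"],
}

if __name__ == "__main__":
    print("quota per participant:", picks_per_participant(len(TIER1)))
    for risk, votes in aggregate(SELECTIONS, TIER1):
        print(f"{votes}  {risk}")
    print("shortlist:", shortlist(SELECTIONS, TIER1))
```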

METHODS OF RISK ANALYSIS (BOW TIE, SENSITIVITY, RISK REGISTER, ETC) [FRANZ]

1. Bow Tie Evaluation
- a method that visually represents potential risks and their
consequences, similar to a bow tie shape. It identifies the causes or
threats (left side of the bow tie), consequences or impacts (right side
of the bow tie), and preventive and mitigative barriers (middle of the
bow tie) to manage risks effectively.

- The event’s causes are listed on the left, while the consequences are
on the right. This method treats each cause and consequence
separately, helping to mitigate the probability of the risk occurring and
limit its impact.

- The bowtie analysis is a tool used to evaluate the risk of specific events,
detailing both the causes and the consequences while focusing on
preventive and mitigative controls.

- Example: a kitchen fire, with the left side outlining the sources of risk
leading to the event, and the right side detailing the consequences
and impacts. The center of the bowtie represents the event itself, with
preventive controls on the left aimed at stopping the event from
occurring and response controls on the right designed to mitigate the
impact should the event occur.

- Performing a Bow Tie Analysis

Step 1: Defining the Risk Event - Bowtie analysis begins with
identification of a risk event, sometimes referred to as a “top
event.” The risk event gives everyone in a workshop a
clear starting point and context for the assessment. Once
you’ve identified the risk event you want to analyze, place it in
the center of the bowtie diagram.

Step 2: Charting Risk Causes and Impacts - Once you’ve
identified the risk event, you can begin to chart potential causes
and impacts of that risk event. On the left side of the diagram, all
the potential causes of a risk event are listed. On the right side, all
the potential impacts of the event are listed.

Step 3: Assigning Risk Controls - Once you’ve identified all
potential risk causes and impacts, you can then begin
developing and assigning the appropriate risk controls to
eliminate or reduce them.

Step 4: Identify and Control Escalation Factors - After you’ve
assigned risk controls, bowtie analysis allows you to further
analyze and control risks by identifying conditions that could
negatively affect control reliability. These conditions are called
escalation factors.

- Existing controls, also known as barriers, are crucial components that
help manage risks.

On the left side of the bow-tie, which represents the causes or threats
of a risk, controls are preventive measures put in place to mitigate
these threats and prevent the top event (the central risk event) from
occurring. These controls are designed to stop the causes from leading
to the risk.

On the right side of the bow-tie, which represents the potential
consequences of the top event, controls are mitigative measures
designed to reduce the impact or severity of these consequences.
These controls provide appropriate responses to consequences being
felt or create barriers to the consequences developing.

ORMI
Opportunities for Risk Management Improvement in Controls are
essentially areas where the existing risk management strategies can be
enhanced. They can be identified at various points in the Bow-Tie
Analysis (BTA):

● Preventive Controls: Are the existing preventive controls
effective? Are there gaps or weaknesses that need to be
addressed? Could new technologies or practices enhance
these controls?
● Mitigative Controls: Are the mitigative controls sufficient to limit
the consequences of the top event? Are there opportunities to
improve these controls or implement additional ones?

Consequences

In a Bow-Tie Analysis (BTA), consequences are the potential outcomes
or impacts of the top event. They are depicted on the right side of the
bow-tie diagram. Here’s how they work:

After the top event (the central risk event) occurs, there can be
multiple potential consequences. These consequences are identified
and placed on the right side of the bow-tie diagram.

2. Risk Analysis Matrix
- The risk analysis matrix is a tool used to assess and prioritize risks based
on their likelihood and impact. It typically categorizes risks into levels
such as low, medium, and high, helping organizations allocate
resources and prioritize risk management efforts accordingly.

3. Sensitivity Analysis
- Sensitivity analysis involves assessing how changes in input variables or
assumptions impact the outcomes of a decision or project. It helps
identify which factors have the most significant influence on risk and
informs decision-making by exploring various scenarios.

4. SWIFT Evaluation
- SWIFT (Structured What If Technique) evaluation is a systematic method
used to identify and assess potential risks by asking "what if" questions. It
encourages structured brainstorming sessions to explore different
scenarios and their potential consequences, helping organizations
anticipate and mitigate risks effectively.

5. Risk Register
- A risk register is a document used to record and track identified risks
throughout the risk management process. It typically includes
information such as the risk description, likelihood, severity, impact,
mitigation strategies, and responsible parties. The risk register serves as
a central repository of risk-related information for ongoing monitoring
and management.

6. Fault Tree Analysis
- FTA is a method used to analyze the causes of failures or risks by
constructing a logical diagram of events leading to undesirable
outcomes. It helps identify the root causes of risks and potential
preventive measures.
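Added worked example (not from the reviewer): a small fault tree evaluator for item 6. Basic events carry a probability, AND gates multiply, OR gates combine as 1 - prod(1 - p) (independence of the basic events is assumed), the minimal cut sets give the root-cause combinations the reviewer mentions, and a control ranking shows which single cause is most worth eliminating, which is the "potential preventive measures" side of FTA. The tree itself (a "customer data exposed" top event with two constructed cause pairs) and every probability in it are made up for illustration.

```python
"""Fault tree analysis: top-event probability, minimal cut sets, control ranking.

Added example; the tree and its probabilities are constructed and the basic
events are assumed to be independent.
"""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    p: Optional[float] = None              # basic event: probability it occurs
    gate: Optional[str] = None             # "AND" or "OR" for intermediate events
    children: List["Node"] = field(default_factory=list)


def probability(node: Node, override: Optional[Dict[str, float]] = None) -> float:
    """Evaluate the tree bottom-up. `override` replaces the probability of named
    basic events, which models a control that removes (p = 0) or weakens a cause."""
    override = override or {}
    if node.gate is None:
        p = override.get(node.name, node.p)
        if p is None or not 0.0 <= p <= 1.0:
            raise ValueError(f"basic event {node.name!r} needs a probability in [0, 1]")
        return p
    inputs = [probability(child, override) for child in node.children]
    if not inputs:
        raise ValueError(f"gate {node.name!r} has no inputs")
    if node.gate == "AND":
        return prod(inputs)
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in inputs)
    raise ValueError(f"unknown gate {node.gate!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that are enough to cause the event."""
    if node.gate is None:
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.gate == "OR":
        candidates = {s for sets in child_sets for s in sets}
    else:  # AND: every combination of one cut set per child
        candidates = {frozenset()}
        for sets in child_sets:
            candidates = {a | b for a in candidates for b in sets}
    minimal = [s for s in candidates if not any(other < s for other in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node: Node) -> List[str]:
    if node.gate is None:
        return [node.name]
    return [name for child in node.children for name in basic_events(child)]


def control_ranking(top: Node) -> List[Tuple[str, float]]:
    """Top-event probability if a control eliminated each basic event (p = 0),
    lowest residual first: the cause whose removal helps most comes first."""
    results = [(name, probability(top, {name: 0.0})) for name in dict.fromkeys(basic_events(top))]
    return sorted(results, key=lambda r: (r[1], r[0]))


# Constructed tree: data is exposed if an account is compromised (credentials
# stolen AND no MFA) OR a storage bucket leaks (made public AND nobody alerted).
TOP = Node("customer data exposed", gate="OR", children=[
    Node("account compromised", gate="AND", children=[
        Node("credential stolen via phishing", p=0.20),
        Node("MFA not enforced", p=0.50),
    ]),
    Node("storage leak", gate="AND", children=[
        Node("storage bucket made public", p=0.05),
        Node("no public-access alert", p=0.40),
    ]),
])

if __name__ == "__main__":
    print("P(top event) =", round(probability(TOP), 4))
    for cut in minimal_cut_sets(TOP):
        print("cut set:", sorted(cut))
    for name, residual in control_ranking(TOP):
        print(f"remove {name!r:<34} -> P(top) = {residual:.4f}")
```

On the constructed numbers the top event comes out at 0.118, and removing either cause in the account-compromise branch (for example by enforcing MFA) drops it to 0.02, while fixing the bucket branch only reaches 0.10: the ranking tells you which preventive barrier on the left side of a bow tie to fund first.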

DIFFERENT APPROACHES [DAS]

[TOPIC 3]

Types of Approaches

a. Interrelationship Approach

- you identify interdependencies among a group of risks.

- considers the interconnection of the different prioritized risks to identify the highly
leveraged risks, or the risks that when the organization manages, will also manage
some other risks. It involves identifying how different risks are connected or
dependent on each other.

b. Direct Approach

- the Chief Risk Officer (CRO) immediately considers the prioritized risks to be the
ones that will go to the treatment stage or where the risk owners will now develop the
risk management strategies and action plans to prevent the risks from happening.

- a simple approach where there is no need to go through the interrelationship of
risks. Accordingly, all the identified risks will undergo the risk response options also
called risk treatment. The Chief Risk Officer (CRO) immediately considers certain
risks and the risk owners will now develop risk management strategies and action
plans. It offers a simpler and more straightforward method of risk treatment,
especially when time or resources are limited.

DIVERSIFICATION (DEFINITION, DIFFERENT KINDS) [DAS]

[TOPIC 5]
Definition: Diversification is a strategic approach to exploiting risk by spreading investments
or exposures across multiple assets, sectors, or geographic regions. This practice helps
individuals or organizations mitigate the impact of adverse events in any single area, thus
reducing overall risk exposure.

Types:

1. Financial diversification - by investing in different asset classes to manage risk
and optimize returns.
2. Physical diversification - entails expanding the firm's presence across various
locations or broadening its product offerings to appeal to diverse markets and
consumer segments.
3. Customer diversification - focuses on attracting a wider customer base or
segmenting existing ones to reduce reliance on any single revenue source.
4. Employee and supplier diversification - involves building relationships with a
diverse pool of talent and suppliers to enhance operational flexibility and resilience.
5. Organizational diversification - encompasses fostering adaptability and
innovation within the firm's structure and processes to effectively navigate changing
market conditions.

[TOPIC 8]
1. Cultural Diversification - Embracing employees from different cultural
backgrounds to foster a more inclusive workplace.
2. Product Diversification - Expanding the range of products or services offered to
reduce dependency on a single product line.
3. Market Diversification - Entering new markets to protect the organization from
market-specific risks.
4. Investment Diversification - Allocating resources across different financial
instruments or projects to minimize risks.
5. Workforce Diversification - Hiring individuals with diverse skill sets, experiences,
and perspectives to enhance creativity and problem-solving.

RISK TRANSFER TECHNIQUE [DAS]

[TOPIC 5]

Transfer (ReIn-Out-CHA)

Description: A common risk management technique involves shifting the potential loss of
an adverse outcome from an individual or entity to a third party. It involves one party paying
another to take responsibility for mitigating specific losses.

Techniques:

1. Reinsure
2. Insure
3. Outsource
4. Contracts
5. Hedge
6. Alliance

RISK MANAGEMENT OPTIONS [GAB]

[TOPIC 5]
Risk Options, also known as risk response, are strategic choices available to
organizations for managing specific risks. These options include risk acceptance,
avoidance, reduction, transfer, or sharing. Chosen risk options form the basis for
developing action plans and implementing risk management strategies.

TOPICS / MNEMONICS / STANDS FOR

Risk Acceptance Options (TEARS)
● Transfer
● Exploit
● Accept/Retain
● Reduce
● Sharing

Retain/Accept (No PORes) - It involves the deliberate decision to assume and retain a
certain level of risk rather than avoid, reduce, or transfer it to another party through
insurance or other means.
● No Action - Inherent in the business but the current level of residual risk is
acceptable.
● Premium Price - In the context of risk retention, Premium Price refers to adjusting
the prices of products or services based on the level of risk involved, considering
the risk and reward concept.
● Offset - It refers to compensating for potential negative impacts of accepted risks
through alternative strategies.
● Reserve - A risk reserve is essentially a pool of funds set aside by an organization
to address potential losses or expenses associated with risks that it chooses to
accept.

Reduce (ManS) - It refers to the implementation of strategies and measures aimed at
decreasing the likelihood or impact of potential risks on individuals, organizations, or
systems. It involves identifying, assessing, and mitigating risks to protect assets,
resources, and stakeholders from adverse outcomes.
● Management/Control - It is a systematic process of identifying, assessing,
prioritizing, and mitigating risks to minimize their potential impact on individuals,
organizations, or systems.
● Spread - A strategy used in risk management to reduce exposure to potential
losses by spreading investments, resources, or activities across different assets,
sectors, or geographic regions.

Exploit (CRREDiT) - It refers to the strategic utilization or leveraging of risks to achieve
potential gains or advantages.
● Create - This process entails identifying unmet needs that traditional competitors
may overlook or opportunities in the market, conducting thorough research and
development, and designing solutions that address those needs effectively.
● Redesign - This process entails reassessing and refining various elements such as
resources, capabilities, processes, and technologies to enhance operational
efficiency, reduce costs, and improve overall performance.
● Restructure - Restructuring involves overhauling the company's processes and
serves as a strategic tool for organizations to effectively exploit risk by adapting to
changing market conditions, enhancing operational efficiency, and seizing
opportunities for growth and innovation.
● Expand - By expanding the business portfolio in this manner, organizations can
capitalize on the potential benefits of diversification while mitigating the risks
associated with over-reliance on a single market or customer base.
● Diversify - Diversification is a strategic approach to exploiting risk by spreading
investments or exposures across multiple assets, sectors, or geographic regions.
● Take Advantage - Make the risk work for the company rather than against it by
proactively identifying opportunities that arise from the risk.

Transfer (ReIn-Out-CHA)
● Reinsure & Insure - Reinsurance is an agreement between the reinsured and the
reinsurer wherein the latter agrees to accept a certain fixed share of the reinsured's
risk upon terms set out in the agreement. Insurance provides protection to
individuals against unexpected risks. When buying insurance, they pay a premium
to the insurer, who offers compensation based on the policy terms.
● Outsource - Outsourcing offers several key benefits to businesses, including cost
and time efficiency, crisis prevention planning, future risk projections, access to
expert knowledge and resources, and strengthened cybersecurity.
● Contracts - Involving parties agreeing on the terms and conditions of their
relationship and assigning responsibilities and liabilities for potential outcomes.
● Hedge - Hedging focuses on financial risks such as fluctuations in commodity
prices, exchange rates, or interest rates.
● Alliance - Establishing a business relationship with another party to pursue a
specific venture, sharing both the risks and rewards. This includes forming a joint
venture or participating in a consortium where multiple entities collaborate on a
project or endeavor.

Sharing (no mnemonic) - The practice of distributing the financial consequences of
potential losses among multiple parties. This encompasses strategies aimed at
lessening the impact of adverse events by spreading the potential burden across
several stakeholders.
● Pooling - Several parties come together to pool their resources and share risks
among themselves. This helps distribute the risk burden among all participants,
reducing individual exposure to any single risk.

RISK MONITORING [GAB]


[TOPIC 6]
Monitoring is vital because risk is not static. Within ERM, monitoring risks is a
collaborative effort involving senior management and risk owners. It's crucial to
integrate risk management discussions into key meetings like those with the Board of
Directors (BOD) and Management Committee (ManCom). Oversight by the Chief Executive
Officer (CEO), supported by the Chief Risk Officer (CRO) and the Risk Management
Executive Team (RMET), ensures continuous monitoring of both existing priority risks and
new emerging risks. This process also evaluates how well risk management strategies
are performing and ensures adherence to policies and procedures at both enterprise
and business function levels.

Thus, in essence, monitoring of the ERM process covers the following:


a. Existing priority risks - Risk monitoring aids organizations in systematically tracking
the status of risks that have been identified as significant threats to the organization's
objectives and operations and their impact over time.
b. New emerging risks - Together with changes in the business environment is the
emergence of new risks. Some risks can be considered as interrelated. By the
process of risk monitoring, the organization might be able to find new risks in relation
to the risks they have identified and they will now have a means to proactively
manage them.
c. Risk management performance - It is important to note that having risk
management strategies in place is not a guarantee that risks would be mitigated. By
monitoring risks, management can discern whether risk management measures are
implemented appropriately and whether they are achieving the desired outcome for
which they were created in the first place.
d. Specific policies and procedures both at the enterprise and business function
levels - Risk management is a process that is taken on by the organization as a
whole - it is not the sole job of the management nor the employees to perform risk
management. By monitoring risks, organizations could also gain insights as to how
risk management plans are implemented at various levels in the organization and
discern its effectiveness and alignment to organizational goals across the
organization.

RISK REPORTING (TARGET AUDIENCE, CONTENTS OF RISK REPORT) [ALLI] [Topic 6/Group 4]

Four (4) Key Audiences for Risk Reporting:


● Board of Directors and Risk Committee: The board of directors ensures the
company meets its annual objectives. The risk report should have a similar
focus, detailing how potential risks could get in the way of set goals. Boards can
then use this report to act or adapt their strategy, ideally before the risk can
impact the bottom line.
● Senior Management: It includes executives as well as the CEO, all of whom need more detail than the board. A risk report for senior management often involves reporting up; they want a list of risks and accompanying mitigation plans from their ERM staff. This helps senior management ensure that the proper management strategies are in place for the risks in the report, which can feature as many as 15 possible issues.
● Risk Owners: These are the ERM staff on the front line, including middle
managers. These individuals act on the mitigation recommendations from senior
management and the board. Reports for risk owners require a high level of detail
on each risk, including performance metrics and assessments.
● Regulators: Regulatory agencies are the primary external audience for risk
reports. ERM reporting for regulators requires a careful balance; they must help
the regulator understand the risks and assure that the organization meets
regulatory requirements without providing so much detail that it will attract further
review.

Contents of a comprehensive risk report typically include the following:


● Executive Summary: This section briefly summarizes the most critical risks
identified in the report, providing an overview for senior management.
● Risk Profile: The report elaborates on each identified risk, describing its nature,
potential impact, and likelihood of occurrence, thereby providing a detailed
understanding of the risks facing the organization.
● Risk Capacity: Details about the organization's financial resilience and its ability
to withstand potential losses without compromising its operations or viability.
● Tolerance Levels: The report would include information on the organization's
risk tolerance levels, specifying the acceptable thresholds for various types of
risks based on the organization's risk appetite and objectives.
● Key Risk Indicators: The specific metrics tracked to monitor the identified risks,
along with the corresponding threshold values that trigger risk management
actions.
● Effective Risk Management: This section would outline the organization's
strategies, policies, and procedures for managing and mitigating risks effectively,
demonstrating a proactive approach to risk management.

Additionally, incorporating visual aids such as charts, graphs, and tables can help
illustrate complex data and trends, enhancing the clarity and impact of the report.

ROLES AND RESPONSIBILITIES OF PEOPLE IN AN ORGANIZATIONAL STRUCTURE (AND THE PROCEDURES) [FRANZ] [GROUP 5]

Stakeholders and their Responsibilities

1. Board of Directors (BOD)
● Provides an oversight role to risk management activities including the periodic review and approval of the ERM Policy, ERM Framework and ERM Process through the BROC.
● Provides strategic guidance aligned with the organization's objectives and values, monitors performance, and adjusts the risk management framework as needed to address changing circumstances and emerging risks.

2. Board Risk Oversight Committee (BROC)
● Assists the Board in fulfilling its responsibility for oversight of the organization’s risk management activities.
● Sets the risk appetite of the organization.
● Evaluates the effectiveness of existing risk management practices, identifies emerging risks, and recommends appropriate strategies for mitigating identified risks.

3. Chief Executive Officer (CEO)
● The ultimate risk executive and is essentially responsible for ERM priorities, strategies and policies.
● Heads the RMET that sets the direction and leads the decision-making as they relate to:
○ Recognition of risk priorities;
○ Alignment of business objectives and risk strategies, action plans and policies; and
○ Settlement of conflicts regarding ERM strategies and action plans.
● Ensures that sufficient resources are allocated to pursuing ERM initiatives, strategies and action plans.
● Reports to the BROC on a regular basis on ERM-related matters.
● He is the ultimate “risk owner” of all the critical risks.

4. Risk Management Executive Team (RMET)
● The ERM think tank;
● Defines risk priorities; and
● Aligns risk policies and strategies with the overall company plan.
● They are the primary risk owners.

5. Chief Risk Officer (CRO)
● Is the champion of the ERM process in the organization;
● Develops and implements risk management processes, tools and methodologies;
● Analyzes, develops and executes policies and reports risks;
● Submits risk reports to the RMET and BROC; and
● Monitors the implementation of the risk management strategies and action plans.

6. Risk Management Unit (RMU)
● Composed of the different Risk Leaders and Risk Owners that support the Risk Management Executive Team (RMET) in the implementation of the ERM process.
● Suggests to the RMET the development of additional ERM Policies and other related guidelines.
● Supervises, supports, and incorporates the ERM processes across the organization in coordination with the RMET, Risk Leaders, and Risk Owners.
● Gathers and evaluates the risk reports provided by the Risk Leaders and Risk Owners and monitors the status of risk management strategies and action plans.
● Ensures tha
● Organizes the sharing of best practices across the organization.
● Supports the Chief Risk Officer (CRO) in preparing the ERM reports and materials to be presented to the RMET and the Board Risk Oversight Committee (BROC).
● Drives the continuous improvement of the organization’s current ERM Process.

7. Risk Leaders
● Leads the Risk Owners under each identified risk in the consistent execution and continuous improvement of the risk mitigation strategies in the ERM processes.
● Constantly reviews and provides updates on the behavior of the critical risk and ensures that emerging risks are identified and included.
● Guides the Risk Owners in making reports to be forwarded to the CRO and RMET.

8. Risk Owners
● Has the responsibility for and ownership of the assigned risk and interrelated risks.
● Actively participates in the risk identification process of the organization.
● Performs risk prioritization, analysis, development of strategies and action plans, and coordinates with other Risk Owners.
● Assesses and communicates the progress of the risk management strategies and action plans to the Risk Leaders and CRO.

9. All Personnel
● Maintains awareness of and consciousness about ERM, as well as how the identified risks will impact their roles and responsibilities in the organization.
● Embeds risk management as part of their everyday activities.
● Executes the formulated risk management strategies to ensure the achievement of the organization’s objectives and the successful execution of its strategies.
● Communicates to their immediate superiors any risk that they cannot manage.
● Reports emerging risks/opportunities to the Risk Leader in the course of the risk management execution.

10. Internal Audit
● Provides an independent assessment of the effectiveness of the ERM framework, processes, and the strategies formulated to treat the risks identified.
● Gives assurance to the risk management process and assurance that the risks are correctly evaluated.

BENEFITS OF COSO 2017 FRAMEWORK [GAB]


[TOPIC 8]
1. Increasing the range of opportunities: By considering all possibilities—both
positive and negative aspects of risk—management can identify new
opportunities and unique challenges associated with current opportunities.
2. Identifying and managing risk entity-wide: Every entity faces myriad risks that
can affect many parts of the organization. Sometimes a risk can originate in
one part of the entity but impact a different part. Consequently,
management identifies and manages these entity-wide risks to sustain and
improve performance.
3. Increasing positive outcomes and advantages while reducing negative
surprises: Enterprise risk management allows entities to improve their ability to
identify risks and establish appropriate responses, reducing surprises and
related costs or losses, while profiting from advantageous developments.
4. Reducing performance variability: For some, the challenge is less with
surprises and losses and more with variability in performance. Performing
ahead of schedule or beyond expectations may cause as much concern as
performing short of schedule and expectations. Enterprise risk
management allows organizations to anticipate the risks that would affect
performance and enable them to put in place the actions needed to
minimize disruption and maximize opportunity.
5. Improving resource deployment: Every risk could be considered a request for
resources. Obtaining robust information on risk allows management, in the
face of finite resources, to assess overall resource needs, prioritize resource
deployment, and enhance resource allocation.
6. Enhancing enterprise resilience: An entity's medium- and long-term viability
depends on its ability to anticipate and respond to change, not only to
survive but also to evolve and thrive. This is, in part, enabled by effective
enterprise risk management. It becomes increasingly important as the pace
of change accelerates and business complexity increases.
Other benefits:
1. Improved Decision-Making Processes
2. Enhanced Ability to Achieve Strategic Objectives
3. Strengthened Stakeholder Trust
4. Better Preparedness for Unexpected Events

OBJECTIVES OF COSO 2004 FRAMEWORK [GAB]


[TOPIC 8]
• Strategic Objectives – these are the high-level goals, aligned with and supporting the entity’s mission/vision. Strategic objectives reflect management’s choice as to how the entity will seek to create value for its stakeholders.

• Operations Objectives – these pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance.

• Reporting Objectives – these pertain to the reliability of reporting. They include internal and external reporting and may involve financial and non-financial information.

• Compliance Objectives – these pertain to adherence to relevant laws and regulations. They are dependent on external factors and tend to be similar across all entities in some cases and across an industry in others.

LIMITATIONS BETWEEN COSO 2004 AND COSO 2017 (COMPARATIVE TABLE; DISTINCTION) [GAB]
[TOPIC 8]
Comparison of COSO ERM Cube (2004) and COSO Framework (2017)

ERM as defined
COSO ERM Cube (2004): It defined enterprise risk management as a process influenced by the board of directors, managers, and all employees to identify events that have the potential to affect the institution and manage risk within the framework of risk appetite.
COSO Framework (2017): Defines enterprise risk management as the culture, capabilities, and practices integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.

Structure
COSO ERM Cube (2004): Had eight (8) components:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
COSO Framework (2017): Consists of five interrelated components:
• Governance and culture
• Strategy and objective setting
• Performance
• Review and revision
• Information, communication, and reporting

Principles
COSO ERM Cube (2004): Did not have underlying principles.
COSO Framework (2017): It has 20 principles that define each of the five interrelated components.
1. Governance and Culture
a. Exercises Board Risk Oversight
b. Establishes Operating Structures
c. Defines Desired Culture
d. Demonstrates Commitment to Core Values
e. Attracts, Develops and Retains Capable Individuals
2. Strategy and Objective-Setting
f. Analyses Business Context
g. Defines Risk Appetite
h. Evaluates Alternative Strategies
i. Formulates Business Objectives
3. Performance
j. Identifies Risk
k. Assesses Severity of Risk
l. Prioritizes Risk
m. Implements Risk Responses
n. Portfolio View of Risk
4. Review and Revision
o. Assesses Substantial Change
p. Reviews Risk and Performance
q. Pursues Improvement in ERM
5. Information, Communication, and Reporting
r. Leverages Information and Technology
s. Communicates Risk Information
t. Reports on Risk, Culture and Performance

Purpose
COSO ERM Cube (2004):
Value Preservation: the primary purpose was to help organizations preserve value by identifying and managing risks.
Risk avoidance: it emphasized risk mitigation and compliance, often adopting a defensive approach.
COSO Framework (2017):
Value creation: Recognized ERM as a facilitator for value creation, not just risk avoidance.
Forward-Looking Perspective: Encouraged organizations to consider risks during strategy-setting processes.

Scope
COSO ERM Cube (2004): Focus on Internal Control - It views ERM as an extension of internal control, including risk management within internal control processes. The framework emphasizes the significance of analyzing and managing risks in order to establish effective internal controls. The ERM Cube emphasized a structured approach to identifying, assessing, and managing risks, with a focus on integrating risk management into the organization’s strategic planning and decision-making processes.
COSO Framework (2017): Broader Scope - It recognizes that risk management extends beyond internal control and compliance. The framework considers risk management as a holistic process that encompasses all levels of the organization and involves various stakeholders. It aimed to provide a more detailed and structured approach to ERM, with a focus on enhancing the organization’s ability to anticipate and respond to risks in pursuit of its objectives. It places greater emphasis on governance, culture, and integration of risk management into decision-making.

Representation
COSO ERM Cube (2004): Used a cube representation to illustrate the relationship between components, objectives, and structure.
COSO Framework (2017): Uses a rainbow double helix diagram that intertwines the five components throughout an organization's life cycle.

Limitations
COSO ERM Cube (2004): In considering limitations of enterprise risk management, three distinct concepts must be recognized:
● First, risk relates to the future, which is inherently uncertain.
● Second, enterprise risk management – even effective enterprise risk management – operates at different levels with respect to different objectives.
● Third, enterprise risk management cannot provide absolute assurance with respect to any of the objective categories.
Limitations of the COSO ERM-Integrated Framework include the following:
1. Judgment
2. Breakdowns
3. Collusion
4. Costs versus Benefits
5. Management Override
COSO Framework (2017):
1. Complexity
2. Subjectivity in Risk Assessment
3. Resource Constraints
4. Limited Guidance on Implementation

PROCESS OF DOING DIVERSIFIED PORTFOLIO [ALLI] [Topic 8/Group 6]

Firms can construct a portfolio of different activities, products, services, and strategies to mitigate the impact of a single event on the overall risk management program.

Constructing a diversified portfolio to mitigate risk involves several key steps:

1. Assess Your Risk Tolerance: Determine your comfort level with risk and
investment goals.
2. Asset Allocation: Decide on the right mix of asset classes (e.g., stocks,
bonds, cash) based on your risk assessment.
3. Diversification Within Asset Classes: Within each asset class, choose a
variety of instruments to spread risk.
4. Regular Rebalancing: Periodically adjust your portfolio to maintain the
desired asset allocation.
5. Consider Costs: Be mindful of the costs and fees associated with different
investments.
6. Monitor and Adjust: Keep an eye on market conditions and adjust your
strategies accordingly.

By following these steps, firms can create a robust risk management program that can withstand various market conditions and help in achieving their financial objectives. Remember, diversification is not just about spreading investments, but also about choosing assets that behave differently from one another to reduce overall portfolio risk.

WHAT IS INSURANCE IN GENERAL [GAB]


[Latest module from sir]
Definition:
Insurance is defined as a contract or agreement whereby one undertakes for
a consideration to indemnify another against loss, damage or liability arising from an
unknown or contingent event.

In the concept of business enterprise, insurance helps to maintain commercial and industrial organizations. Verily, in the modern world, an enterprise could hardly function without the transference of many of its risks to insurers. Moreover, the natural result of the elimination of risk is an increase in business efficiency. Through insurance, an enterprise can obtain financial security against risks, instead of continuously creating a freezing capital to guard against various contingencies.

ELEMENTS OF INSURANCE AND ITS DEFINITIONS [GAB]
[Latest module from sir]
The concept of insurance is revolving around the following elements:
1. The insured possesses an interest of some kind susceptible of
pecuniary estimations, known as “insurable interest”;
2. The insured is subject to a risk of loss through the destruction or
impairment of that interest by the happening of a designated peril;
3. The insurer assumes that risk of loss;
4. Such assumption of risk is part of a generic scheme to distribute actual
losses among a large group or substantial number of persons bearing
the same risk; and
5. As consideration for the insurer’s promise, the insured makes a ratable
contribution called “premium,” to a general insurance fund.
DIFFERENT CONTROLS [DAS]
[TOPIC 8]
Types of Control Activities:

1. Top-level reviews - Senior management reviews actual performance versus budgets, forecasts, prior periods, and competitors. Major initiatives are tracked – such as marketing thrusts, improved production processes, and cost containment or reduction programs – to measure the extent to which targets are being reached.

2. Direct functional or activity management - Managers running functions or activities review performance reports. A manager responsible for a bank’s consumer loans reviews reports by branch, region, and loan (collateral) type. In turn, branch managers receive data on new business by loan officer and local customer segment. Branch managers also focus on compliance issues, reviewing reports required by regulators on new deposits over specified amounts.

3. Information processing - A variety of controls are performed to check accuracy, completeness, and authorization of transactions. Data entered are subject to online edit checks or matching to approved control files.

4. Physical controls - Equipment, inventories, securities, cash, and other assets are physically secured and periodically counted and compared with amounts shown on control records.

5. Performance indicators - Relating different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions, serves as a control activity.

6. Segregation of duties - Duties are divided, or segregated, among different people to reduce the risk of error or fraud. Responsibilities for authorizing transactions, recording them, and handling the related asset are divided.

DIFFERENT TYPES OF REPORTS [FRANZ] [GROUP 4]

Type - Description

Annual Report Attestation - Boards / CEOs and Secretaries who are accountable for the risks of their organizations are required to attest in the annual report that organizations have risk management processes in place and that: (a) these processes are effective in controlling risks to a satisfactory level and (b) a responsible body or audit committee verifies that view.

Top Risks / Strategic Risks - These reports contain a prioritized list of the top 10 to 20 risks based on consequence and likelihood scores. Typically, these include details about the risk, information on key controls and their effectiveness, and additional treatments needed, with time frames.

Risk Trends - Contains trends on risks such as which risks are getting worse or which treatments are reducing risk exposures, risk areas that need additional attention, target risk levels for key risks, and demonstrates trends on the potential success of treatment plans.

New and/or Emerging Risks - A report that sorts risks according to when they were identified, making it easier to highlight new risks that may still need to be fully considered and understood.

Risk with Ineffective Controls - A report that identifies significant / extreme risks with ineffective controls, allowing the Board and Executive to identify potential points of business failure that need urgent interventions or resource support.

Risk Categories / Risk Types - A risk report that groups all risks that have not been allocated to a responsible person for follow-up and response, allowing management to identify key risks that are not being effectively monitored and managed.

Risk Owner / Person Responsible - A risk report that filters risks by risk owner. It allows those responsible to view risk treatments that they need to oversee or develop.

Risk Treatments Due or Overdue - A report that sorts risks according to due dates for treatment plans / responses. It allows Risk Managers, Project Managers and others to identify critical time frames for responding to key risks as well as identify and manage potential delays and/or non-performance in responding to risk.

DIFFERENT TYPES OF ANALYSIS AND KRIs [DAS]

[TOPIC 5] Types of Risk Analysis (BuRN FaR)

1. Business Impact - planning for operational disruptions caused by external factors.
2. Risk Benefit & Cost Benefit - weighing the pros and cons (benefits and risks) of an action.
3. Needs Assessment - identifying and evaluating organizational needs and gaps.
4. Failure Mode & Effect - anticipating potential failures and mitigating their impact.
5. Root Cause - identifying and eliminating root causes to solve problems.

[TOPIC 3] Types of KRIs used across a range of industries and sectors.

1. Financial KRIs
2. Human Resource KRIs
3. Operational KRIs
4. Technological KRIs

INVOLVED PEOPLE IN ERM [ALLI] [Topic 7/Group 5]

The roles and responsibilities of the members in the structure are usually part of the overall
risk management policy and are included in the ERM Manual.

Stakeholders and their Responsibilities

1. Board of Directors (BOD)
● Provides an oversight role to risk management activities including the periodic review and approval of the ERM Policy, ERM Framework and ERM Process through the BROC.
● Provides strategic guidance aligned with the organization's objectives and values, monitors performance, and adjusts the risk management framework as needed to address changing circumstances and emerging risks.

2. Board Risk Oversight Committee (BROC)
● Assists the Board in fulfilling its responsibility for oversight of the organization’s risk management activities.
● Sets the risk appetite of the organization.
● Evaluates the effectiveness of existing risk management practices, identifies emerging risks, and recommends appropriate strategies for mitigating identified risks.

3. Chief Executive Officer (CEO)
● The ultimate risk executive and is essentially responsible for ERM priorities, strategies and policies.
● Heads the RMET that sets the direction and leads the decision-making as they relate to:
○ Recognition of risk priorities;
○ Alignment of business objectives and risk strategies, action plans and policies; and
○ Settlement of conflicts regarding ERM strategies and action plans.
● Ensures that sufficient resources are allocated to pursuing ERM initiatives, strategies and action plans.
● Reports to the BROC on a regular basis on ERM-related matters.
● He is the ultimate “risk owner” of all the critical risks.

4. Risk Management Executive Team (RMET)
● The ERM think tank;
● Defines risk priorities; and
● Aligns risk policies and strategies with the overall company plan.
● They are the primary risk owners.

5. Chief Risk Officer (CRO)
● Is the champion of the ERM process in the organization;
● Develops and implements risk management processes, tools and methodologies;
● Analyzes, develops and executes policies and reports risks;
● Submits risk reports to the RMET and BROC; and
● Monitors the implementation of the risk management strategies and action plans.

6. Risk Management Unit (RMU)
● Composed of the different Risk Leaders and Risk Owners that support the Risk Management Executive Team (RMET) in the implementation of the ERM process.
● Suggests to the RMET the development of additional ERM Policies and other related guidelines.
● Supervises, supports, and incorporates the ERM processes across the organization in coordination with the RMET, Risk Leaders, and Risk Owners.
● Gathers and evaluates the risk reports provided by the Risk Leaders and Risk Owners and monitors the status of risk management strategies and action plans.
● Ensures tha
● Organizes the sharing of best practices across the organization.
● Supports the Chief Risk Officer (CRO) in preparing the ERM reports and materials to be presented to the RMET and the Board Risk Oversight Committee (BROC).
● Drives the continuous improvement of the organization’s current ERM Process.

7. Risk Leaders
● Leads the Risk Owners under each identified risk in the consistent execution and continuous improvement of the risk mitigation strategies in the ERM processes.
● Constantly reviews and provides updates on the behavior of the critical risk and ensures that emerging risks are identified and included.
● Guides the Risk Owners in making reports to be forwarded to the CRO and RMET.

8. Risk Owners
● Has the responsibility for and ownership of the assigned risk and interrelated risks.
● Actively participates in the risk identification process of the organization.
● Performs risk prioritization, analysis, development of strategies and action plans, and coordinates with other Risk Owners.
● Assesses and communicates the progress of the risk management strategies and action plans to the Risk Leaders and CRO.

9. All Personnel
● Maintains awareness of and consciousness about ERM, as well as how the identified risks will impact their roles and responsibilities in the organization.
● Embeds risk management as part of their everyday activities.
● Executes the formulated risk management strategies to ensure the achievement of the organization’s objectives and the successful execution of its strategies.
● Communicates to their immediate superiors any risk that they cannot manage.
● Reports emerging risks/opportunities to the Risk Leader in the course of the risk management execution.

10. Internal Audit
● Provides an independent assessment of the effectiveness of the ERM framework, processes, and the strategies formulated to treat the risks identified.
● Gives assurance to the risk management process and assurance that the risks are correctly evaluated.

DISTINCTION OF ERM REFRESH (?) AND ERM RESET [FRANZ] [GROUP 4]

ERM Refresh refers to updating or revising existing risk management processes, strategies, or frameworks to ensure they remain effective and relevant to current circumstances. This may involve adjusting risk assessments, updating policies and procedures, or enhancing risk monitoring mechanisms.
● Typically involves updating existing risk management strategies, methodologies, and
frameworks to adapt to changing internal and external factors. It may involve
revisiting risk appetite, identifying new risks, reassessing existing risks, and refining
risk mitigation strategies.
● In simple terms, ERM Refresh means updating how we deal with risks when things
change inside or outside a company. This could include looking again at how much
risk we’re okay with, finding new risks, thinking about risks we already know about,
and making our plans for dealing with them better.

Example: A small restaurant that’s been doing well, but then a new competitor opens up next
door. To adapt to this change, the restaurant owner might refresh their risk management
approach by reassessing their risk appetite (how much competition they’re willing to handle),
identifying the new risk posed by the competitor, reassessing existing risks like food safety or
staffing issues, and refining their risk mitigation strategies, such as offering new menu items
or improving customer service. This helps the restaurant stay competitive and successful
despite the new challenge.

BENEFITS OF ERM REFRESH

● Keep Up with Changes: Change is constant. The world is always changing, so the
risks a company faces change too. Refreshing ERM helps make sure the company is
ready for new challenges.
● Learn from Mistakes: Looking back at what went wrong in the past helps the
company do better in the future. Refreshing ERM lets the company learn from its
mistakes and improve how it handles risks.
● Follow the Rules: Laws and rules about risk management can change, so the
company needs to update its ERM to stay on the right side of the law. The
organization must keep up with the government laws and regulations in force to
ensure its compliance and avoid penalties and further threats.

ERM Reset suggests a more comprehensive overhaul or reevaluation of the entire ERM
program. It may involve starting from scratch or fundamentally redefining the approach to
managing risks within the organization. This could be prompted by significant changes in the
business environment, regulatory requirements, or internal factors that necessitate a
complete reset of the risk management framework.
● This goes a step further and involves a comprehensive overhaul of the entire risk
management framework. It also includes redefining risk tolerance levels,
restructuring risk governance, and sometimes even implementing new technology or
processes to enhance risk management capabilities.

TRIGGER EVENTS THAT NECESSITATE AN ERM RESET:

1. Changes in Business Environment: External factors such as economic shifts,
market disruptions, or geopolitical events can necessitate an ERM reset.
Organizations must reassess risks considering these changes to adapt their
strategies and operations accordingly.
2. Alignment with Strategic Objectives: ERM aims to align risk management
practices with the organization's strategic goals. When strategic objectives evolve or
change, ERM may need to be reset to ensure risks are managed in line with the new
direction of the business.
3. Mergers and Acquisitions: Merger and acquisition activities introduce new risks
and complexities to an organization's risk profile. ERM reset is essential to integrate
risk management processes and address the unique risks associated with the
consolidation of business entities.
4. Regulatory Requirements: Updates in regulations or compliance standards can
impact the risk landscape for organizations. ERM reset ensures that risk
management practices remain aligned with the latest regulatory requirements,
reducing the risk of non-compliance and associated penalties.

Particulars: ERM Refresh vs. ERM Reset

Purpose
  ERM Refresh: update and enhance existing risk management processes and strategies.
  ERM Reset: comprehensive reassessment and restructuring of the entire ERM program.

Scope
  ERM Refresh: focuses on refining specific aspects of the ERM program, such as risk assessments, policies, or procedures.
  ERM Reset: involves a fundamental re-evaluation of the organization's approach to risk management, potentially from the ground up.

Objective
  ERM Refresh: ensure that the organization's risk management practices remain effective and aligned with current business needs and evolving risks.
  ERM Reset: address significant deficiencies, adapt to substantial changes in the business environment, or respond to major internal or external factors that require a fresh perspective on risk management.

Activities
  ERM Refresh:
  - involves reviewing and updating risk registers
  - reassessing risk appetite and tolerance levels
  - improving risk monitoring and reporting mechanisms
  - incorporating lessons learned from past
  ERM Reset:
  - include redefining risk management objectives and strategies
  - redesigning risk governance structures
  - reevaluating risk appetite and tolerance levels
  - implementing new tools or methodologies

Outcome
  ERM Refresh: enhanced effectiveness and relevance of the ERM program without completely overhauling the existing framework.
  ERM Reset: revitalized and more robust ERM framework that better aligns with the organization's current risk profile and strategic objectives.

Frequency
  ERM Refresh: annually or semi-annually
  ERM Reset: every three years

DIFFERENT METHODS UNDER RISK ANALYSIS [ALLI] [Topic 5/Group 3]

Methods of risk analysis

1. Bow Tie Evaluation
- Bow tie evaluation is a method that visually represents potential risks and their
consequences, similar to a bow tie shape. It identifies the causes or threats
(left side of the bow tie), consequences or impacts (right side of the bow tie),
and preventive and mitigative barriers (middle of the bow tie) to manage
risks effectively.

2. Risk Analysis Matrix
- The risk analysis matrix is a tool used to assess and prioritize risks based on their
likelihood and impact. It typically categorizes risks into levels such as low,
medium, and high, helping organizations allocate resources and prioritize risk
management efforts accordingly.

3. Sensitivity Analysis
- Sensitivity analysis involves assessing how changes in input variables or
assumptions impact the outcomes of a decision or project. It helps identify
which factors have the most significant influence on risk and informs
decision-making by exploring various scenarios.

4. SWIFT Evaluation
- SWIFT (Structured What If Technique) evaluation is a systematic method used
to identify and assess potential risks by asking "what if" questions. It
encourages structured brainstorming sessions to explore different scenarios
and their potential consequences, helping organizations anticipate and
mitigate risks effectively.

5. Risk Register
- A risk register is a document used to record and track identified risks
throughout the risk management process. It typically includes information
such as the risk description, likelihood, severity, impact, mitigation strategies,
and responsible parties. The risk register serves as a central repository of
risk-related information for ongoing monitoring and management.

6. Fault Tree Analysis (FTA)
- FTA is a method used to analyze the causes of failures or risks by constructing
a logical diagram of events leading to undesirable outcomes. It helps identify
the root causes of risks and potential preventive measures.
