Internal Audit Chap 4


CHAPTER 4

RISK MANAGEMENT
LEARNING OBJECTIVES:
• What are risk and Enterprise Risk Management (ERM)?
• Clarify the relationship between governance and ERM.
• The roles and responsibilities in ERM of individuals in the organization.
• The roles of the Internal Audit function in ERM.
• PRELUDE TO CHAPTER:
• Business is like life, which is full of uncertainties.
• In life, for your day-to-day activities, you are not sure in advance what the outcome of your action will be.
• The success of your life depends on how you deal with those uncertainties.
• Operating a business is no different.
• Organizations face uncertainties in various aspects of conducting business.
• Their success depends on how well they manage these uncertainties and turn adverse uncertainties into opportunities.

• In this aspect, Internal Audit plays an integral role in risk management by providing objective assurance to the board that business risks are being managed appropriately and that the system of internal controls is operating effectively.
• DEFINITION OF RISK
• It comes from the Italian word “rasicare”, meaning to dare: a choice under uncertain conditions.
• RISK: THREATS, DANGER, HAZARD
• Risks refer to uncertainties, fears, and worries that would hinder the achievement of plans.
• COSO DEFINITION: Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
• These are chances of a problem arising that might affect the achievement of the company’s objectives if management fails to mitigate, tone down, or lessen their impact.
• SAMPLE OF BUSINESS RISKS: possibility of bad weather; interest rate fluctuation; inventory spoilage or theft; poor collection of receivables, etc.
• HOW TO MANAGE RISKS?
• Since risks are inevitable in an organization, and in order to prevent them from exploding into big problems, management should apply strategies and design a system to identify, measure, assess, and ultimately manage them, and so provide assurance that the organization’s objectives will be achieved.
• That is now called Enterprise Risk Management (ERM).
• It is defined as the process conducted by management to understand and deal with uncertainties (risks and opportunities) that could affect the organization’s ability to achieve its objectives.

• Risks cannot be easily eliminated, but management should be able to keep them within the risk appetite of the business (the amount of risk acceptable in pursuit of business objectives).
WHAT ARE THE STEPS IN MANAGING RISKS?
• Set an objective. What are the objectives you want to accomplish?
• Identify the risks: assess how bad they could be and how likely they are to occur. What could stop you from accomplishing it?
• Apply strategies: What options, strategies, and actions do you need to implement to make sure those risks will not happen?
• Do you have the ability to execute those options, strategies, and actions? Has the company designed and executed control activities to carry out the risk management strategies?
• How will we know that we have accomplished what we wanted to accomplish? Can we monitor performance to verify that success?
• SET AN OBJECTIVE:
• To reduce inventory loss to an acceptable level of 2% of sales revenue.
• IDENTIFY THE RISKS:
• Personnel factor: fraudulent activities
• Technology factor: insufficient storage capacity, manual inventory system processing
• RISK ASSESSMENT:
• How much inventory loss is related to fraudulent activities?
• How big is the loss caused by insufficient storage capacity?
• How would a computer system help inventory management?
• Which branches have big losses?
• RISK RESPONSE:
• Having assessed the relevant risks, how are you going to respond to them?
• Responses could be RISK AVOIDANCE, RISK REDUCTION, and RISK SHARING.
• RISK AVOIDANCE means escaping or evading the activities that give rise to the risk, like shutting down branches with a high level of inventory loss.
• RISK REDUCTION means action is taken to reduce the risk impact, like putting CCTV in the branches or other inventory control mechanisms.
• RISK SHARING: reducing the risk impact by sharing a portion of the risk, like covering the loss through insurance policies, requiring bonds from employees, etc.
• CONTROL ACTIVITIES:
• This is making sure that all responses to risks are being implemented and executed by the risk owners: employees at all levels and in all functions.
• RISK OWNERS: Individuals who have day-to-day responsibility for ensuring that risk management activities effectively manage risk within the organization’s risk appetite.
• Control activities include performance reviews and physical controls.
• INFORMATION AND COMMUNICATION:
• Information about how to implement and develop risk management activities must be timely, accurate, and reliable.
• Employees must be well advised of their respective roles in the implementation of how risks will be mitigated.
• There are many different forms of communication, such as policy manuals, memoranda, e-mails, intranet, and, most important, meetings.
• MONITORING:
• Internal auditors typically form part of the monitoring activities.
• They assess the effectiveness of the related risk management activities.
• They recommend any substantial further actions that need to be taken to improve the process.
• Performance against target is evaluated, and deficiencies are noted relative to the risk tolerance.
• RISK TOLERANCE: The acceptable level of risk relative to the achievement of objectives.
ROLES OF INTERNAL AUDIT IN ERM
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating the risk management process
• Evaluating the reporting of key risks
• Reviewing management of key risks
• Providing advisory and related services on risk management, like facilitating the identification and evaluation of risks, coaching on how to respond to risks, maintaining and developing the ERM framework, developing ERM strategies, etc.
