Governance Questions and Answers
Regardless of what aspect of corporate governance is accepted, the corporate governance structure
should be based on the following premises. Briefly explain each.
a. The primary purpose of corporate governance is to create and enhance sustainable and enduring
shareholder value while protecting the interests of other stakeholders.
- The primary objective of corporate governance is to ensure that companies are run in a responsible
and sustainable manner, with the best interests of all stakeholders - including shareholders,
employees, customers, and the community - taken into consideration. This is achieved through the
establishment of clear lines of accountability and communication between different levels of
management, as well as the creation of effective performance metrics and monitoring mechanisms.
b. The Board of directors, as representatives of investors, has direct authority and responsibility to
govern business affairs of the company and is ultimately accountable to investors for the
company’s strategic performance, achievement of goals, and prevention of surprises.
- The Board of Directors has direct authority and responsibility to govern the business affairs of the
company. Direct authority of the Board of Directors is crucial for maintaining effective collaboration,
transparency, and accountability, or in simpler terms, for the betterment of the company.
c. The board of directors delegates the authority of managing the company to the top management
team (senior executives, CEO, CFO) and holds senior executives accountable for their decisions,
actions, and performance without micromanaging business affairs and decisions.
- Inside the corporate structure, the board of directors, which also includes the general manager or
CEO, has well-defined duties and responsibilities. Basically, the board of directors is in charge of
selecting the CEO or general manager of the company and examining the general direction and
strategy of the company. The CEO or general manager is responsible for hiring all other employees
and managing the organization's daily operations. When these guidelines have been violated, issues
typically arise. Conflict starts to develop when the directors get involved in the day-to-day
management of the organization. However, management is not responsible for the company's
overarching strategic choices.
d. The CEO is directly responsible for managing the company and is ultimately accountable to the
board for the assigned managerial functions and decisions.
- It is true that the CEO is responsible for managing the company and is accountable to the board
for the assignment of managerial functions and decisions. This is to ensure that there is effective
management of the company and conformity with policies agreed upon by the Board.
e. Corporate governance participants’ roles (e.g. oversight, managerial, compliance, internal audit,
advisory, external audit, monitoring) should be viewed as “value added”.
- Corporate governance is designed to support efficient, innovative, and responsible management that
can ensure the long-term success of the business. Corporate governance is the framework for
managing and directing businesses. The governance of companies is the responsibility of the boards
of directors.
f. Corporate governance should promote and facilitate shareholder democracy through majority
voting and shareholders’ access to proxy materials for the nomination and election of directors.
- In accordance with existing laws, all shareholders must be given the opportunity to nominate
candidates for the Board of Directors. The Board is expected to have a thorough discussion of the
nomination process procedures. The company is encouraged to fully and promptly disclose all
information regarding the candidates' experience and background so that shareholders can study and
conduct their own background checks on the candidates' qualification and credibility.
Shareholders are also encouraged to participate when sufficient information is provided prior to voting
on major corporate changes. Poll voting, rather than a show of hands, is highly encouraged. Proxy
voting, including electronic distribution of proxy materials, is also a good practice.
g. Directors’ and officers' accountability should be achieved through a proper evaluation system
that rewards good and ethical performance while punishing poor performance and misconduct.
- Operant conditioning, a method of learning through rewards and punishments, was created by B.F.
Skinner. According to this theory, there is a connection between a certain activity and a
consequence—a reward or a punishment—which results in learning. A more productive and efficient
workplace can be achieved by setting up a system that encourages moral behavior and penalizes
dishonest behavior.
h. The board of directors should have a proper executive succession plan and appropriate strategies
to deal with potential crisis management.
- The board of directors creates a succession plan to foresee and be prepared for a sudden and
substantial unfavorable event. The ability to recruit top talent for the team is one of the many reasons
boards pursue adequate board succession planning. It ensures a diversified team composition,
resulting in more inclusive thinking. It preserves the balance of power on the board. Additionally,
various strategies are also planned to shield the organization against other crises.
6. What types of managerial failures prevent management from acting in the best interest of the
shareholders?
- Failure of managerial competence resulting from unintentional mistakes or negligence in discharging
fiduciary duties.
- Failures of managerial integrity caused by willful or opportunistic behaviors (fraudulent activities,
fabrications, embezzlement, illegitimate earnings management) that have detrimental effects on the value
of the firm’s assets.
8. Corporate governance reforms are intended to reduce many potential conflicts of interest among
corporate governance participants, including directors, management, auditors, financial analysts,
corporate counsels, and investors. What conflicts of interest are possible among these groups?
● Pecuniary or Non-pecuniary - A pecuniary interest is one where a board member directly benefits
financially from it. A non-pecuniary interest does not result in a financial benefit for the board member
personally.
● Real/Actual or Perceived/Potential - When a person's objectivity or capacity to carry out his or her
duties to the company are jeopardized by financial or other incentives, there is an actual or real conflict
of interest. When a board member, their family, or friends have financial ties to another person or
organization, there may be perceived or actual conflicts of interest. As a result, the board member's
actions may appear to be biased against the company due to those ties or financial interests.
9. Are internal or external corporate governance mechanisms more influential to the effectiveness of
corporate governance? Defend your answer.
Both the internal and external corporate governance mechanisms are crucial for the effectiveness of
corporate governance. It is crucial to have a balance between the two mechanisms so that each
complements what the other is lacking. So, choosing only one may be ineffective
because it may create a conflict in the corporation, since the two mechanisms focus on different fields.
10. Why are investors in favor of separation of the positions of CEO and chairperson?
The shift away from combining the two roles stems from a philosophy of accountability and corporate
responsibility. By separating them, a company can clearly distinguish management authority from board
authority and empower the chairman and CEO to pursue their respective duties without concern that interests
in one position might negatively influence the other. The separation also enables each person to devote 100%
of their time to their respective roles.
11. What are the advantages of having a CEO who was formerly a CFO?
A CEO who was formerly a CFO can bring valuable financial expertise to a company. They may be skilled
in managing financial resources, developing financial strategies, and making financial decisions. Additionally,
their operational knowledge and results-oriented focus can benefit the company's overall strategic goals.
12. What are the requirements and criteria for being designated as an audit committee financial expert?
- To be designated as an audit committee financial expert, a person should meet the following
requirements and criteria:
1. Education and experience: The person should have a strong educational background in finance,
accounting, economics, or business administration, and relevant professional experience in
financial accounting, auditing, or financial analysis.
2. Knowledge of accounting and auditing principles: The person should have a thorough
understanding of generally accepted accounting principles (GAAP) and auditing standards. They
should have experience in applying these principles in a variety of business contexts.
3. Understanding of financial statements: The person should be able to read and interpret financial
statements, including balance sheets, income statements, and cash flow statements.
4. Familiarity with internal controls: The person should be knowledgeable about internal control
systems and the role they play in financial reporting and disclosure.
5. Experience with complex financial transactions: The person should have experience with complex
financial transactions, such as mergers and acquisitions, debt financing, and equity offerings.
6. Communication skills: The person should be able to communicate complex financial information
effectively to non-financial stakeholders, such as board members, management, and investors.
14. Why is it important for the members of the board of directors to have business knowledge and
financial expertise?
- The members of the board of directors are responsible for supervising the management and direction of
a company, making significant judgments that influence the business's overall success. Having said that,
it is crucial that board members possess business knowledge and financial expertise to make efficient
decisions that will drive the organization forward. Additionally, financial expertise enables them to
comprehend the financial health of the company, thereby optimizing the allocation of resources efficiently.
Bottom line, business knowledge and financial expertise are important for members of the BOD to manage
risks and ensure ethical corporate governance. Without these skills, they may encounter challenges in
fulfilling their obligations, resulting in adverse outcomes for the organization.
b. Ensuring the organization establishes a thorough risk management process and effective internal
controls.
- The audit committee is also responsible for overseeing the organization's risk management process
and internal controls. The committee should ensure that the organization has established an effective
system of internal controls that can identify and manage risks, including financial, operational, and
compliance risks. The committee should also review the organization's risk assessment process and
ensure that it is thorough and comprehensive.
c. Reviewing the organization's policies, particularly in areas such as ethics, conflict of interest and
fraud.
- The audit committee should review the organization's policies, particularly in areas such as ethics,
conflict of interest, and fraud. The committee should ensure that the organization has established
appropriate policies and procedures to prevent and detect fraudulent activities, and that employees
are trained to understand and comply with these policies. The committee should also ensure that the
organization has established a system for reporting suspected or actual fraud, and that this system
is communicated effectively to employees and other stakeholders. Additionally, the committee should
review the organization's code of conduct and ensure that it is comprehensive and aligned with the
organization's values and culture.
e. Selecting and implementing a direct reporting relationship with the public accounting firm that
serves as the organization’s external auditor.
- The audit committee is responsible for selecting the public accounting firm that will serve as the
organization's external auditor, and for overseeing their work. The committee should ensure that the
external auditor is independent, competent, and has the necessary expertise to audit the
organization's financial statements. The committee should also establish a direct reporting
relationship with the external auditor, and ensure that they communicate effectively with the auditor
throughout the audit process.
f. Establishing communication with the organization’s internal auditor and reviewing all audit
findings.
- The audit committee should establish a relationship with the organization's internal auditor and
ensure that they have the necessary resources to perform their duties effectively. The committee
should review all audit findings and ensure that appropriate action is taken to address any
deficiencies identified. The committee should also ensure that the internal auditor has access to all
relevant information and has the necessary independence to perform their duties objectively.
16. Organizational Governance is a system by which an organization makes and implements decisions
in pursuit of its objectives. Expound.
- An organization must develop specific policies in various areas of operation that will bring consistency to
procedures by explicitly outlining the business approach. Corporate governance is a set of processes,
conventions, rules, regulations, and instructions that determine how a corporation is directed,
administered, or regulated, and is thus essential to the organization’s existence. Good corporate
governance systems attract investment from worldwide investors, resulting in better financial sector
efficiencies. Corporate governance structures must be credible, well understood across borders, and
adhere to internationally accepted norms in order to realize the full benefits of the global capital market
and attract long-term investments.
19. What are the functions and responsibilities of internal auditors? How do they differ from external
auditors?
- An internal auditor (IA) is a certified expert entrusted with delivering independent and objective
assessments of a company's financial and operational business activities. These professionals are of the
utmost significance in an organization as they are responsible for (1) measuring and evaluating the
effectiveness of an organization's operations; (2) ensuring that all laws, rules, and regulations governing
the organization's operations are followed; and (3) identifying risks and suggesting remedial measures,
thereby acting as a catalyst for change and action. While an internal audit focuses on the significant risks
facing the business and how the firm is effectively managing those risks, an external audit focuses on
finance and the key risks related to the business's financial operations. External auditors will analyze all
internal controls put in place to manage financial risk to determine their effectiveness.
22. Risk Reduction is an action that reduces the severity of the loss or the likelihood of the loss from
occurring. What are the ways to implement the reduction of severity?
There are several ways to implement the reduction of severity of a potential loss. As Group 5
reported last time, some of the most common methods include:
1. Avoidance Method - an approach that declines to accept a risk; not best for financial institutions
(deprivation of profits and opportunities); an option to be taken when the extent of the risk is known.
2. Elimination Method - elimination is the process of removing the hazard from the workplace. It is the
most effective way to control a risk because the hazard is no longer present. It is the preferred way to
control a hazard and should be used whenever possible.
3. Outsourcing Method - hiring a professional business process outsourcing company to assess, monitor
and manage various risks companies face.
23. Differentiate strategic risk versus operational risk.
- Strategic risk relates to the overall strategy and direction of the organization and involves external factors
that may impact the organization's long-term existence, while operational risk involves internal factors
that may impact the organization's ability to provide goods or services in the day-to-day operations.
Strategic risk is associated with senior management and board decisions, while operational risk is
associated with middle management and employees who oversee processes and systems.
27. What is risk tolerance? Is this the same as risk appetite? Why, or why not?
Risk tolerance and risk appetite are related but different concepts. Risk appetite is the amount of risk an
organization is willing to accept to achieve its objectives, while risk tolerance is the acceptable deviation from
that appetite. Risk appetite is a strategic philosophy, while risk tolerance is a tactical concept. Risk appetite
is expressed in aggregate, while risk tolerance is per individual risk. So, risk appetite and risk tolerance are
related and complementary concepts in risk management, but they are not the same.
28. Internal fraud is done by internal parties or people in the organization. What situation or scenario
allows internal fraud to happen?
- Lack of appropriate controls: It is simpler for an employee to conduct fraud without being caught if
there aren't enough internal controls in place at a company, such as checks and balances.
- Weak ethical culture: Employees may feel more at ease engaging in fraudulent activities if a business
does not have a strong ethical culture that promotes the value of honesty and integrity.
- Financial strain: Workers who are struggling financially may be more likely to commit fraud, including
stealing from the business or falsifying financial documents.
- Lack of consequences: If a company has a history of not disciplining staff members who commit fraud,
it could foster a culture where staff members believe they can get away with it without being held
accountable.
29. Modern organizations and global organizations have employed the position item known as CRO, or
Chief Risk Officer. What are the functions of the CRO? How is this function different from those of the
Controller or Chief Financial Officer?
A senior executive who is in charge of discovering, evaluating, and managing risks within an organization
is known as the Chief Risk Officer (CRO). As modern, international businesses face more hazards that could
affect their operations, reputation, and financial performance, the function of the CRO has grown in
significance. Responsibilities of a CRO include:
1. Developing and implementing risk management strategies: The CRO is responsible for
developing and implementing risk management strategies that align with the organization's overall
goals and objectives.
2. Risk identification and evaluation: The CRO is in charge of recognizing and evaluating all of the
risks that the organization confronts, including the reputational, operational, legal, and regulatory risks.
3. Monitoring risk exposure: The CRO is in charge of keeping track of how exposed the company is to
risks and seeing any possible problems that require attention.
4. Implementing risk controls: The CRO is in charge of carrying out risk controls that lessen risks'
effects and stop them from happening in the first place.
5. Reporting on risk: The CRO is in charge of informing senior management, the board of directors,
and other stakeholders of the organization's risk profile.
The functions of the CRO are different from those of the Controller or Chief Financial Officer (CFO) in
several ways. While the CFO is primarily responsible for managing the financial operations of the organization,
the CRO is responsible for managing all types of risks. Additionally, while the Controller is responsible for
overseeing the accounting and financial reporting functions of the organization, the CRO is responsible for
identifying and assessing risks across all areas of the organization. The CRO also works closely with other
executives, including the CFO and Controller, to ensure that risks are managed effectively and that the
organization's overall goals and objectives are achieved.
30. Note the following: “What risks is the company in business to accept and what risks will it not accept
– e.g., is the organization prepared to accept minor losses of physical inventory from pilferage but
not willing to accept large losses of physical inventory from spoilage, obsolescence, or natural
disasters?” - This scenario determines the _____________________.
The risk appetite of the organization is established by this scenario. The level and type of risk that a
company is willing to take on in order to achieve its strategic goals is referred to as risk appetite. It is the
amount of risk that a company is willing to accept, and it depends on a number of things, including the
company's culture, values, and business plan. The scenario's example illustrates how an organization's risk
appetite can vary based on the nature and seriousness of the risk involved. An organization can build proper
risk management methods and set rules for decision-making by defining its risk appetite. This will help to
control risks to acceptable levels.
31. What is risk culture? How influential is risk culture in the overall organizational governance?
Risk culture refers to the shared values, beliefs, attitudes, and behaviors related to risk management
within an organization. It is the way that an organization’s employees perceive and approach risk, and how
they make decisions regarding risk management. An organization’s risk culture can have a significant impact
on its overall performance and success. It helps to promote a risk-aware culture and encourages employees
to be proactive in identifying, assessing, and managing risks. It also helps to ensure that risks are identified
and addressed at all levels of the organization, from frontline employees to senior management, which can
result in better decision-making, improved operational efficiency, and reduced losses from risks that are not
properly managed.
32. Give three (3) examples of ERM frameworks and describe each framework?
1.) COSO ERM Framework
The COSO ERM Framework is one of the most widely used ERM Frameworks. It was developed by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) and provides a
comprehensive framework for managing risks across an organization. The framework consists of eight
components, including internal environment, objective setting, risk assessment, risk response, control
activities, information and communication, monitoring, and reporting.
33. What is enterprise risk management? How is it different from generic risk management?
Enterprise risk management (ERM) is a process that enables organizations to identify, assess, and
manage risks in a comprehensive and integrated manner. ERM provides a framework for managing risks
across an entire organization, taking into account the relationships between different risks and their potential
impact on the organization’s objectives. On the other hand, generic risk management refers to the process
of identifying, assessing, and managing risks within a specific area or function of an organization. So, the
difference between enterprise risk management and generic risk management is that enterprise risk
management takes a comprehensive and integrated approach to managing risks across an organization,
while generic risk management focuses on managing risks within a specific area or function of the
organization. ERM takes a broader view of risks, considering how they are interrelated and how they may
impact the organization as a whole, and is closely aligned with the organization’s strategy and objectives.
34. Enumerate the objectives of the ERM – and briefly describe each objective.
(1) Identify and assess risks: ERM aims to identify and evaluate potential risks that could affect an
organization's ability to achieve its goals and objectives.
(2) Measure and prioritize risks: After identifying risks, ERM seeks to measure and prioritize them based on
their potential impact on the organization's operations and objectives.
(3) Develop risk management strategies: ERM aims to develop and implement effective risk management
strategies to mitigate or avoid identified risks.
(4) Monitor and report on risks: ERM continuously monitors identified risks and provides regular reporting to
senior management and other stakeholders to ensure that the organization remains aware of and prepared
for potential risks.
(5) Improve overall risk management effectiveness: Ultimately, the objective of ERM is to improve overall risk
management effectiveness within an organization by integrating risk management into its overall strategy
and operations.
35. Two of the key elements in ERM are: (i) internal environment and (ii) risk assessment. Describe each.
(i) Internal environment refers to the culture, values, and operating style of an organization, which shapes its
risk management practices.
(ii) Risk assessment is the process of identifying and evaluating potential risks that could affect an
organization's ability to achieve its objectives.
38. What is the relationship between internal control and corporate governance?
Corporate governance is the system of rules, practices, and processes that direct and control a company.
Internal control is part of corporate governance and manages risks and ensures compliance with laws and
regulations. The relationship between internal control and corporate governance is critical as effective internal
control is necessary for good corporate governance, enabling a company to conduct its core business in an
orderly manner and comply with laws and regulations. Therefore, internal control and corporate governance
are interrelated and work together to ensure the success and sustainability of a company.
39. Rationalize the following means which are considered basic internal control functions:
a. Active and Informed Board
Plays an active role in providing oversight and guidance to the organization. Primarily composed
of individuals with diverse skills and expertise who are committed to the organization's mission and have
a deep understanding of its operations, risks, and opportunities. They help ensure that the organization
has effective governance practices in place, and can make informed decisions that are in the best interest
of the organization and its stakeholders.
b. Strong Audit Committee comprised of Outside Directors
Primarily responsible for overseeing the organization's financial reporting and external audit
processes. A strong audit committee composed of outside directors can bring an objective and impartial
perspective to the organization's financial reporting and internal control systems. They provide an
additional level of scrutiny to ensure that the organization's financial statements are accurate and comply
with applicable accounting standards.
c. Segregation of Duties
Segregation of duties is a fundamental internal control function that involves separating tasks
among different individuals to minimize the risk of fraud or error. By dividing responsibilities, an
organization can ensure that no single individual has complete control over a particular process or asset.
This helps prevent unauthorized transactions, errors, and fraud.
d. Rotation of Personnel
Rotating personnel is another internal control function that can help prevent fraud and error. By
rotating employees among different tasks and departments, an organization can ensure that no individual
becomes too comfortable with a particular process or asset. This can help prevent fraud by making it
more difficult for an employee to conceal their actions, and can help identify errors or weaknesses in the
organization's processes.
e. Accurate Accounting Information System
An accurate accounting information system is critical for ensuring that an organization's financial
reporting is accurate and reliable. It should be designed to capture all financial transactions, process
them accurately, and provide timely and accurate financial information to decision-makers. The system
should have appropriate internal controls in place to prevent errors, fraud, and unauthorized transactions.
An accurate accounting information system can also help an organization comply with applicable
accounting standards and regulations.
40. Would succession planning be categorized under strategic planning or operational planning? Why?
- Strategic planning involves setting long-term goals and objectives, while operational planning deals with
short-term tasks and activities. Thus, succession planning, which is a long process that ensures that a
company has appropriate leadership to achieve its long-term objectives, falls under the category of
strategic planning. Unlike operational planning, which concentrates on short-term undertakings,
succession planning demands a strategic mindset to identify the talents, knowledge, and experience
required for future leadership roles and to create a plan to prepare current employees for those positions.
In fact, succession planning is considered to be one of the most important strategic planning efforts a
business must undertake.
41. How do you differentiate recovery planning from crisis management planning?
Recovery planning and crisis management planning are related but distinct concepts. Disaster recovery
planning is done before a disaster strikes, and it involves procedures and steps to recover from a disaster.
On the other hand, crisis management is the process of responding to, planning for, and mitigating emergency
events. It has a planning process and distinct teams that are responsible for managing the crisis. While
disaster recovery planning focuses on restoring operations after a disaster, crisis management planning
focuses on managing the crisis as it unfolds and minimizing its impact on the organization.
42. What consists of (what are the components of) financial planning?
There are five essential components of a financial plan:
- Insurance Planning: This involves purchasing the necessary insurance policies to cover any financial
losses caused by various risks such as life, medical emergencies, disability, and tangible assets.
- Investment Planning: This involves investing savings generated over time in various types of investment
categories such as stocks, bonds, cash, etc., to meet financial goals.
- Retirement Planning: This involves carefully evaluating the lifestyle required at the time of retirement
and planning accordingly to maintain the current standard of living even in the absence of regular income.
- Tax Planning: This involves using allowable strategies to reduce tax liabilities as part of the overall
financial strategy.
- Estate Planning: This involves planning for the legal and financial aftermath of death to bequeath the
wealth to legal heirs and provide for one's family over the long term.
43. How do you differentiate financial planning from forecasting? Forecasting vs. projections?
- Financial planning, forecasting, and projections are interrelated financial concepts, but they are employed
differently in financial management to aid decision-making. Financial planning is a comprehensive
approach to designing a financial strategy that addresses a company's long-term and short-term needs.
In contrast, forecasting entails using historical data and other pertinent information to estimate future
financial performance. The goal of forecasting is to foresee forthcoming trends and outcomes to make
informed decisions regarding resource allocation and strategic planning. Projections are comparable to
forecasting, but they are frequently utilized in a more particular context. These are specific predictions of
future financial performance based on certain assumptions and are commonly used to evaluate the
potential impact of various scenarios.
44. The current condition of pandemic crisis has direct effects on governance practices, particularly on
decision-making process. Hypothetically, when the company or organization exercises good
governance practices, its vulnerability to crisis events such as the pandemic crisis, is generally
manageable. Comment.
Personally, I agree that good governance practices can help organizations better manage crisis events
such as the pandemic. When an organization has an effective decision-making process established, crisis
events such as the pandemic are generally manageable as the company would be better equipped and ready
to respond to these unexpected events and adapt to changing circumstances. A good decision-making
process involves knowing the crisis and its implications to the organization as well as figuring out effective
and efficient ways to either minimize its overall effects or to turn the crisis into an opportunity. Good
governance practices, such as transparency, accountability, and stakeholder engagement, can help
organizations make informed and responsible decisions during a crisis. For example, effective risk
management can help organizations identify and mitigate potential threats and be able to evaluate the effects
they can have on the organization.