CITY COLLEGE OF SAN FERNANDO The levels of risk faced by business firms have increased

ACCOUNTING INFORMATION SYSTEM because of the fast-growing sophistication of organization,

globalization, modern technology and impact of corporate
GBERMIC – scandals. In addition therefore to compliance with legal
MODULE 11 requirements, top management should consider adequate
KC GUTIERREZ, knowledge of risk management.
CPA
Learning Objectives

Course Code – Title: After studying the chapter, you should be able to...
1. Define risk management
GBRMIC-Governance, Business Ethics, Risk Management and Internal 2. Explain briefly the basic principles of risk management
Control 3. Describe the elements of risk management
4. Define the relevant risk terminologies
Course Description: 5. Describe the potential treatments or approaches in managing
risks
Governance, Business Ethics, Risk Management and Internal Control 6. Explain the areas of risk management
Accounting aims to equip accountancy students the basic knowledge, 7. Describe the steps in the risk management process
skills and perspective that are necessary in facing the challenge in the 8. Familiarize yourself with the SEC requirements in dealing
continuously changing business environment whether it be in the public with enterprise wide risk management
practice sector, accounting practice, internal audit or accounting
information system management. Content/Discussion

Module No – Title : MO11 – Risk Management CHAPTER 11: RISK MANAGEMENT

Time Frame : 1 week – 3 hrs

Introduction Risk Management Defined

Effective corporate governance cannot be attained without the Risk management is the process of measuring or assessing risk and developing
organization mastering the art of risk management. And risk strategies to manage it. Risk management is a systematic approach in
identifying, analyzing and controlling areas or events with a potential for
management is recognized as one of the most important
causing unwanted change. It is the act or practice of controlling risk. It
competencies needed by the board of directors of modern includes risk planning, assessing risk areas, developing risk handling options,
organization, large as well as small and medium-sized business monitoring risks to determine how risks have changed and documenting
firms. overall risk management program.
As defined in the International Organization of Standardization (ISO 31000), Risk identification can start with the analysis of the source of problem
Risk Management is the identification, assessment, and prioritization of risks or with the analysis of the problem itself. Common risk identification
followed by coordinated and economical application of resources to minimize, methods are:
monitor and control the probability and/or impact of unfortunate events and to a. Objective-based risk
maximize the realization of opportunities. b. Scenario-based risk
c. Taxonomy-based risk
BASIC PRINCIPLES OF RISK MANAGEMENT d. Common-risk checking
e. Risk charting
The International Organization of Standardization (ISO) identifies the basic
principles of risk management. 3. Risk Assessment.
Once risks have been identified, their potential severity of impact and
Risk management should: the probability of occurrence must be assessed. The assessment
1. Create value – resources spent to mitigate risk should be less than the process is critical to make the best educated decisions in prioritizing
consequence of inaction, i.e., the benefits should exceed the costs. the implementation of the risk management plan.
2. Address uncertainty and assumption
3. Be an integral part of the organizational processes and decision- ELEMENTS OF RISK MANAGEMENT
making
4. Be dynamic, iterative, transparent, tailorable and responsive to change For the most part, the performance of assessment methods should
5. Create capability of continual improvement and enhancement consist of the following elements:
considering the best available information and human factors 1. Identification, characterization, and assessment of threats
6. Be systematic, structured and continually or periodically reassessed 2. Assessment of the vulnerability of critical assets to specific threats
3. Determination of the risk (the expected likelihood and
PROCESS OF RISK MANAGEMENT consequences of specific types of attacks on specific assets)
1. Establishing the Context. 4. Identification of ways to reduce those risks
This will involve: 5. Prioritization of risk reduction measures based on a strategy
a. Identification of risk in a selected domain of interest
b. Planning the remainder of the process RELEVANT RISK TERMINOLOGIES
c. Mapping out the following:
i. The social scope of risk management 1. Risks Associated with Investments
ii. The identity and objectives of stakeholders
iii. The basis upon which risks will be evaluated, constraints BUSINESS RISK
d. Defining a framework for the activity and an agenda for It refers to the uncertainty about the rate of return caused by the nature
identification of the business. The most frequently discussed causes of business risk
e. Developing an analysis of risks involved in the process are uncertainty about the firm’s sales and operating expenses. Clearly,
f. Mitigation or solution of risks using available technological, the firm’s sales are not guaranteed and will fluctuate as the economy
human and organizational resources fluctuates or the nature of the industry changes. A firm’s income is
also related to its operating expenses. If all operating expenses are
2. Identification of potential risks. variable, then sales volatility will be passed directly to operating
income. Most firms, however, have some fixed operating expenses
(depreciation, rent, salaries). These fixed expenses cause the operating often more difficult to recognize that the purchasing power of the
income to be more volatile than sales. Business risk is related to sales return you have earned on an investment has declined (risen) as a
volatility as well as to the operating leverage of the firm caused by result of inflation (deflation).
fixed operating expenses.
2. Risk Associated with Manufacturing, Trading, and Service
DEFAULT RISK concerns
It is related to the probability that some or all of the initial investment
will not be returned. The degree of default risk is closely related to the A. MARKET RISK
financial condition of the company issuing the security and the Product Risk
security’s rank in claims on assets in the event of default or  Complexity
bankruptcy. For example, if a bankruptcy occurs, creditors, including  Obsolescence
bondholders have a claim on assets prior to the claim of ordinary  Research and Development
equity shareholders.  Packaging
 Delivery of Warranties
FINANCIAL RISK Competitor Risk
The introduction of financial leverage causes the firm’s lenders and its  Pricing Strategy
stockholders to view their income streams as having additional
 Market Share
uncertainty. As a result of financial leverage, both investment groups
 Market Strategy
would increase the risk premiums that they require for investing in the
firm.
B. OPERATIONS RISK
INTEREST RATE RISK  Process Stoppage
Because money has time value, fluctuations in interest rates will cause  Health and Safety
the value of an investment to fluctuate also.  After Sales Service Failure
 Environmental
LIQUIDITY RISK  Technological Obsolescence
It is associated with the uncertainty created by the inability to sell the  Integrity
investment quickly for cash. An investor assumes that the investment o Management Fraud
can be sold at the expected price when future consumption is planned. o Employee Fraud
o Illegal Acts
MANAGEMENT RISK
Decisions made by a firm’s management and board of directors C. FINANCIAL RISK
materially affect the risk faced by investors. Areas affected by these  Interest Rates Volatility
decisions range from product innovation and production methods  Foreign Currency
(business risk) and financing (financial risk) to acquisitions.  Liquidity
 Derivative
PURCHASING POWER RISK
 Viability
It is perhaps, more difficult to recognize than the other types of risk. It
is easy to observe the decline in the price of a stock or bond, but it is
 D. BUSINESS RISK  Operation Risk
 Regulatory Change o Systems (Information Processing, Technology)
 Reputation o Customer Satisfaction
 Political o Human Resources
 Regulatory and Legal o Fraud and Illegal Acts
 Shareholder Relations o Bankruptcy
 Credit Rating  Regulatory Risk
 Capital Availability o Capital Adequacy
 Business Interruptions o Compliance
o Taxation
3. Risk Associated with Financial Institutions o Changing laws and policies
 Environment Risk
A. FINANCIAL RISK o Politics
 Liquidity Risk o Natural disasters
 Market Risk o War
o Currency o Terrorism
o Equity
 Integrity Risk
o Commodity o Reputation
 Credit Risk  Leadership Risk
o Counterparty o Turnover
o Trading o Succession
o Commercial (Loans, Guarantees)
 Market Liquidity POTENTIAL RISK TREATMENTS
o Currency Rates ISO 31000 also suggests that once risks have been identified and assessed,
o Interest Rates techniques to manage the risks should be applied. These techniques can fall
o Bond and Equity Prices into one or more of these four categories:
 Hedged Positions Risk 1. Avoidance
 Portfolio Exposure Risk 2. Reduction
 Derivative Risk 3. Sharing
 Accounting Information Risk 4. Retention
o Completeness
o Accuracy a. Risk Avoidance
This includes performing an activity that could carry risk. An example
 Financial Reporting Risk
would be not buying a property or business in order not to take on the
o Adequacy
legal liability that comes with it. Avoiding risks, however, also means
o Completeness
losing out on the potential gain that accepting (retaining) the risk may
B. NON-FINANCIAL RISK
 have allowed. Not entering a business to avoid the risk of loss also 7. Assess management’s efforts to monitor overall company risk
avoids the possibility of earning profits. management performance and to improve continuously the firm’s
capabilities.
b. Risk Reduction 8. See to it that best practices as well as mistakes are shared by all.
Risk reduction or optimization involves reducing the severity of the This involves regular communication of results and feedbacks to
loss or the likelihood of the loss from occurring. Optimizing risks all concerned.
means finding a balance between the negative risk and the benefit of 9. Assess regularly the level of sophistication of the firm’s risk
the operation or activity; and between risk reduction and effort applied. management system.
10. Hire experts when needed.
c. Risk Sharing
It means sharing with another party the burden of loss or the benefit of
gain, from a risk, and the measures to reduce a risk.
- - - end - - -
d. Risk Retention
It involves accepting the loss or benefit of gain from a risk when it
occurs. Self-insurance falls in this category. All risks that are not
avoided are transferred or retained by default.

AREAS OF RISK MANAGEMENT

1. Enterprise risk management
2. Risk management activities as applied to project management
3. Risk management for megaprojects
4. Risk management techniques in petroleum and natural gas

STEPS IN THE RISK MANAGEMENT PROCESS

1. Set up a separate risk management committee chaired by a board
member.
2. Ensure that a formal comprehensive risk management system is in
place.
3. Assess whether the formal system processes the necessary
elements. Course Code – Title:
4. Evaluate the effectiveness of the various steps in the assessment of
the comprehensive risks faced by the business firm. GBRMIC-Governance, Business Ethics, Risk Management and Internal
5. Assess if the management has developed and implemented the Control
suitable risk management strategies and evaluate their
effectiveness. Course Description:
6. Evaluate if management has designed and implemented risk
management capabilities.
Governance, Business Ethics, Risk Management and Internal Control
Accounting aims to equip accountancy students the basic knowledge, PRINCIPLES AND TECHNIQUES
skills and perspective that are necessary in facing the challenge in the
continuously changing business environment whether it be in the public Understand the Nature of Risk
practice sector, accounting practice, internal audit or accounting
The willingness and readiness to take personal and financial risks is a defining
information system management. characteristic of the entrepreneurial decision maker. In late 90’s a study
commissioned by an internationally known accounting firm found that while in
continental Europe strategies focus on avoiding and hedging risk. Anglo-
Module No – Title : MO12 – Practical Guidelines in Reducing and American companies view risk as an opportunity and accept risk management
Managing Business Risks as necessary to achieving their goals. In 2017, this relative attitude to risk
Time Frame : 1 week – 3 hrs among European and US companies remains broadly the same, the result of
long-standing cultural experiences and history as well as recent events.
Introduction Successful businessmen and decision-makers make sure that the risks resulting
from their decisions are measured, understood and as far as possible
Practical Guidelines in Reducing and Managing Enterprise-wide eliminated. They also go beyond the direct financial perspective and actively
Business Risks inherent in business activity is best achieved by applying the manage risk as it affects the whole organization.
principles and techniques appropriate for the situation.
Accepting the risks exist is a starting point for the other actions needed, but the
Learning Objectives most important is to create the right climate for risk management. People need
to understand why control systems are needed; this requires communication
and leadership, skills so that standards and expectations are set and clearly
After studying the chapter, you should be able to... understood.
1. Know the basic approach in reducing enterprise-wide
risks Identify and Prioritize Risks
2. Understand the nature of risk
3. Identifying an prioritizing risks Identification of significant risks both within and outside the organization is
4. Considering the acceptable level of risk crucial and allows to make informed decisions. This makes it easier to avoid
5. Understanding why risks become reality unnecessary surprises. Examples of significant risks might be the loss of a
6. Applying a simple risk management process major customer, the failure of a key supplier or the appearance of a significant
competitor.

Consider the human factor into account. People behave differently and
Content/Discussion
inconsistently when making decisions involving risk. They may be exuberant
or different, overconfident, or overly concerned. They may simply overlook
the issue of risk.
CHAPTER 12: Practical Guidelines in Reducing and Managing
Business Risks
Risk surrounds and continues to be with us. A former British primer minister  Technology. New hardware, software or system configurations can
once said: “To be alive at all involves some risk.” When identifying risks, it trigger risks, as can new demands on existing information systems and
helps to define the categories into which they fall. This allows for a more technology. In early 2010, Metro Manila Development Authority
structured analysis and reduces the Chair introduced a congestion change for traffic using the center of the
chances of a risk being overlooked. city; the greatest threat to the scheme’s success (and his tenure as
Some of the most common areas of chair) was posed by the use of new technology. It worked and the
risk affecting business are shown in scheme was widely seen as a success.
Table 12.1.
 Organizational change. Risks are triggered by, for example, new
management structures or reporting lines, new strategies and
commercial agreements (including merges, agency or distribution
Table 12.1 Typical Areas of agreements).
Organizational Risk
 Processes. New products, markets and acquisitions all cause change
and can trigger risks. The disastrous launch of “New Coke” by Coca-
Consider the Acceptable Level of Cola was an even bigger risk than anyone at the company had realized;
Risk it outraged Americans who felt angry that an iconic US product was
being changed. That Coca-Cola eventually turned the situation to its
As earlier mentioned, the usual first step is to determine the nature and extent advantage shows that risk can be managed and controlled, but such
of the risks the business will accept. This involves assessing the likelihood of success is rare.
risks becoming reality and the effect they would have if they did. Only when
this is understood can measures be taken to minimize the incidence and impact
 People. Hiring new employees, losing key people, poor succession
of such risks.
planning or weak people management can all create dislocation, but
There is also an opportunity cost associated with risk: avoiding a risk may the main danger is behavior: everything from laziness to fraud,
mean avoiding a potentially big opportunity. People can be too cautious and exhaustion and simple human error can trigger this risk.
risk averse even though they are often at their best when facing the pressure of
risk deciding to take a more audacious approach. Sometimes the greatest risk is  External factors. Changes to regulation and political, economic or
to do nothing. social developments can all affect strategic decisions by bringing to
the surface risks that may have lain hidden. The economic disruption
Understand Why Risks Become Reality caused by the sudden spread of the SARS epidemic from China to the
rest of Asia in 2003 highlights this risk.
Once risks are identified they can be ranked according to their potential impact
and the likelihood of them occurring. This helps to highlight not only where
things might go wrong and what their impact would be, but also how, why and APPLY A SIMPLE RISK MANAGEMENT PROCESS
where these catalysts might be triggered. The five most significant types of risk
catalyst are as follows: The stages of managing the enterprise-wide risk inherent in decisions are
simple.
 control over the risk or to mitigate its potential impact. Risks falling
 First, assess and analyze the risks resulting from a decision by into the top-right quadrant require urgent action, but those in the
systematically identifying and quantifying them. bottom-right quadrant (total/significant control, major/critical impact)
 Second, consider how best to avoid or mitigate them. should not be ignored because complacency, mistakes and a lack of
 Third, in parallel with the second stage, take action to manage control can turn the risk into a reality.
control and monitor the risks.

A. Risk Assessment and Analysis

It is more difficult to assess the risks inherent in a business decision

than to identify them. Risks that lead to frequent losses, such as an
increasing incidence of employee-related problems or difficulties with
suppliers, can often be solved using past experience. Unusual or Table 12.1 Assessing and Mapping Risk
infrequent losses are harder to quantify. Risks with little likelihood of
occurring in the next five years are not important to a company
focused on meeting shareholders’ shorter-term expectations. Thus, it is
sensible to quantify the potential consequences of identified risks and
then define courses of action to remove or mitigate them.

Each category of risk can be mapped in terms of both likely frequency

and potential impact, with the potential consequences being ranked on
a scale ranging from inconvenient to catastrophic (see Figure 12.1)

B. Risk Management and Control

Risk should be actively managed and given a high priority across the
whole organization. Risk management procedures and techniques
should be well documented, clearly communicated, regularly reviewed
and monitored. To successfully manage risks, you have to know what
they are, what factors affect them and their potential impact.

If you plot the ability to control a risk against its potential, as shown in
Figure 12.1, you can decide on actions either to exercise greater
Once the inherent risks in a decision are understood, the priority is to exercise
control. All employees must be aware that unnecessary risk-taking is
unacceptable. They should understand what the risks are, where they lie and
their role in controlling them. To achieve this, share information, prepare and
communicate clear guidelines, and establish control procedures and risk
measurement systems.
 - - - end - - -

References:

Corporate Governance, Business Ethics, Risk Management

and Internal Control
2019-2020 Edition by Ma. Elenita Balatbat Cabrera, Gilbert
Anthony B. Cabrera