ACC 4115 Lesson 1 Material


RISK MANAGEMENT AND INTERNAL CONTROL
Jazmaine Z. Fortuna, CPA
Faculty

rce/3rdrevision/7-27-20

MODULE 1
Introduction to Risk Management

Module Learning Objective/Outcome:

At the end of the module, the learners should be able to:

LO1. Explain the concept of risk, its different types, and the significance of risk management in
organizations.

Topic: 1. Introduction to Risk Management

Intended Learning Outcomes:
ILO1. Explain the concept of risk, its different types, and the significance of risk
management in organizations.

Introduction to Risk Management

Introduction:
Other than change, there is one thing that has always been constant in our lives.
From the time we were conceived to now as we journey through adulthood, it has always
been a part of every decision that is made - big or small. Think of the many instances
you thought twice over something, the many situations you faced that demanded a decision.
It has been right at every pedestal we found ourselves in, and has always been something
we considered right before we stepped into a decision. This something is what we
call risk. In so many different settings and different circumstances, risk reveals itself very
differently each time. While it is not entirely uncontrollable, it is definitely unavoidable.

Definition and Concept of Risk


A risk is an effect of uncertainty on objectives. As risk presents itself and behaves
differently in various situations, there is no unified definition of risk concepts. Originating
from the Italian word risicare, risk means "to dare". Risk is a choice rather than fate. It
is all about the actions we dare to take which can either take us closer to something or
force us to take a step back.
While risks are something we encounter all the time or often see happening around us,
risk can mean something very different to everyone. Some of the varied definitions of risk are:
➢ "effect of uncertainty on objectives" - ISO 31000
➢ "possibility of loss or injury; someone or something that creates or suggests a
hazard; to expose to hazard or danger; to incur the risk or danger of." - Merriam-
Webster Dictionary
➢ "implies future uncertainty about deviations from expected outcomes." - The
Economic Times
➢ "a probability or threat of damage, injury, loss or any other negative occurrence
that is caused by external or internal vulnerabilities, and that may be avoided
through preemptive action" - Business Dictionary

➢ "the possibility of something bad happening; involves uncertainty about the
effects/implications of an activity with respect to something that humans value." –
Wikipedia
➢ "the chance an outcome or investment's actual gain will differ from the expected
outcome or return" - Investopedia
Every time we decide on something, and before the decision is made, risk presents itself.
Sometimes risks give clarity to decisions; most of the time they present a bigger problem.
To better understand them, take these situations, for example:
▪ A teenager knows that she will be grounded if she chooses to invite friends over
after school instead of doing her homework. But she also knows that the likelihood
of her parents finding out she did so is slight. If the teenager chooses to invite her
friends over she is taking a risk of getting in trouble with her parents.
▪ A gambler decides to take all of his winnings from the night and attempt a bet of
"double or nothing." The gambler's choice is a risk in that he could lose all that he
won in one bet.
▪ A driver is approaching a yellow light and must choose whether to brake in order
to stop in time for the light to turn red or to accelerate to make it through the light
before it turns red. If the driver accelerates, he is risking going through the light
which could result in an accident or a speeding ticket.
When people hear the word risk, most often they will each think of something different
depending on their objectives. It may be about their insurance, investments, bets, or a
potential loss. It could also be something as personal as career, health or relationships.
Whatever it is, risk can mean and weigh very differently for all. Risks can be perceived not
just negatively for their downsides or threats, but also positively for their upside opportunities.
In a situation of life and death, risk can be a silver lining or a reason to give up for some.
In a business setting, risk can potentially make way for a breakthrough or drag it to a
breakdown. Either way, risk is something that is not entirely uncontrollable. And if one
dares to take it, one should know his/her way around it.

Types of Risks
Risk is unavoidable. Depending on the setting, circumstances and objectives involved,
risk varies and so does its weight. Despite that, there are risks that appear very
commonly in a particular setting. In business or financing, for example, most of the risks
apparent in transactions within the industry have been identified, and their behavior studied
by experts in that field. Many risks can be named as they appear. In various industries,
risks are characterized by reference to the potential events or consequences such as loss,
harm or negative impact, or to what is affected by them. They are usually expressed in
terms of a combination of the consequence of an event, including any change in
circumstances, and the associated likelihood of occurrence.
In a particular business setting, it is imperative that every decision made is the right
decision. But before a decision is locked in for action, the balance between the risks and
the expected outcome or benefits is weighed. To arrive at the best decision, the variables
in that balance must be identified, especially the risks. To do that, we must know the
different types of risk and identify those that are apparent or that can occur when a
particular action is taken.

Identified risks that can affect a business or organization include the following:
Business risk - this risk arises from uncertainty in profit due to events such as
changes in customer tastes and preferences, employee strikes, increased competition,
changes in government policies, obsolescence and others. The following risks are
also identified within this type:
1) Strategic risk - the risk that a particular business strategy can fall back (e.g.
introducing a new product that is not accepted by the market)
2) Operational risk - the uncertainties and hazards in the day-to-day business
activities of a particular company (e.g. breakdowns in internal procedures, people
and systems)
3) Reputational risk - the threat or danger to the good name or standing of a
business or entity which may arise from a direct action by the organization or from
its employees.
4) Compliance risk - the risk of an organization being exposed to legal penalties
resulting from failure to comply with regulations.
5) Competitive risk - the risk that a market competitor gains advantages that will
prevent the business from achieving a goal.
6) Legal risk - the risk that new regulations will disrupt the business or that expenses
and losses are incurred due to a legal dispute.

Financial risk - this is the risk that involves financial loss to entities or that hampers
financial growth and a company's profitability. Similarly, this is also the possibility of
losing money on an investment or business venture. Some of the risks that fall under this
type are:
1) Market risk - the risk arising from changing market conditions (e.g. consumers'
choice to shop online negatively affects traditional retail businesses)
2) Credit risk - the risk that a borrower fails to repay a loan or meet contractual
obligations.
3) Liquidity risk - the risk that the business fails to meet its short-term financial
obligations.
4) Solvency risk - the risk that the business cannot meet its financial obligations as
they come due.
5) Operational risk as defined above.

Economic risk - this risk arises from uncertainty in economic outcomes, in which
macroeconomic conditions such as exchange rates, government regulation or political
stability can affect an investment or a company's prospects. In a particular country, there
are identified economic risk factors, the severity of which varies per country. Five of these
economic risk factors include unemployment or underemployment, cyber attacks, foreign
exchange risk, failure of national governance, and fiscal crises. From these factors, the
following risks are commonly identified:
1) Exchange rate risk - the risk that volatility in foreign exchange rates negatively
impacts the value of the business.
2) Country risk - the risk that the business gets affected by conditions in the
countries in which it operates, such as political events and the economy.
3) Interest rate risk - the risk that an asset or investment declines in value from
unexpected fluctuations in interest rates.
4) Inflation risk - the risk of significant losses due to the increasing cost of goods
and services.
5) Sovereign risk - the risk that the government is unable to pay its debts. This
affects businesses a lot due to the political unrest in the country.

In Accounting and Auditing, risks likewise persist, especially in an environment with very
minimal controls. There is what we call financial reporting risk, which relates to the
recording of transactions and the presentation of the financial data in an organization's
financial statements. And there is audit risk, which is the risk that the auditor may give an
unqualified opinion on materially misstated financial statements. Audit risk is best
described in the audit risk model, as it implies the responsibilities of both the management
and the auditors in proclaiming that the financial statements are free of material
misstatements. Contrary to financial reporting risk, this risk is determined and
managed by the auditor. The audit risk model is expressed as AR = IR × CR × DR,
where the three components are inherent risk, control risk and detection risk.
1) Inherent Risk (IR) is the initial susceptibility of a transaction or accounting
adjustment to be recorded in error, or for the transaction not to be recorded in the
absence of internal controls.
2) Control Risk (CR) is the risk that the client's internal control system will fail to
prevent or detect a misstatement.
3) Detection Risk (DR) is the risk that the audit procedures will fail to detect a
material misstatement.
With all these risks that a business has to look out for and anticipate in every action and
decision, it is not enough to just know they exist. Good businesses will definitely take
action to address them and take some of the weight of those risks off the balance
against the expected rewards or outcomes.

Definition and Concept of Risk Management


Things do not stop at just knowing what risks are possible or apparent. Because these
risks behave differently, it is important that every effort is made to either mitigate
or lessen them, especially in how much they affect or can potentially affect the business
when a particular action or decision is made. The efforts devoted to studying and
managing these risks are called risk management.

Risk management is a process that allows risks to be understood and managed proactively.
It is made up of coordinated activities that direct and control organizational risks. It is
more than just identifying risks, analyzing them or responding to them. Effective risk
management can very much optimize success by minimizing threats and maximizing the
opportunity outcomes. It offers both the potential to reduce the possibility of the risk
occurring as well as its potential impact. To put it simply, risk management is focused on
anticipating what might not go to plan and putting in place actions to reduce that
uncertainty and bring it to a tolerable level.
Risk management is an integral part of management and decision-making. For it to be so,
it has to be integrated into the organization's structure, operations and processes and
applied not just at the strategic level but also at the operational, programme or project levels.
The kind of risk management done by businesses depends on the risks it seeks to address
and manage. This means that for each type of risk, the considerations in risk management
can differ. For example, now with the pandemic, workers who need to report onsite to keep
working are taking risks. And with every change in the level of restrictions imposed in the
city, companies all have to consider and manage health and safety risks for their employees
and customers. The variables to be considered in this type of risk management differ from
the kind of risk management a company does for its finances. This other form of risk
management is what we know as financial risk management, which is a broad topic with a
broad range of identified risks in itself. Regardless of these differences, the overall goal
is always to minimize those risks and keep them at a tolerable level while making the most
of the best opportunity outcome available.
Various principles have been developed by bodies and organizations to guide businesses
in the conduct of risk management. These principles are to be applied as a foundation for
managing risks and considered during the establishment of an organization's risk
management framework and processes. Provided for by the International Organization for
Standardization (ISO) specifically for risk management (ISO 31000), these are the
principles that management is to uphold when conducting risk management:

▪ Integrated - risk management is integrated into the organization's processes. It
is part of the decision-making in every department. It is not to be separated from
the organization's main activities and processes; rather, it is embedded in them and
is part of management's responsibilities.
▪ Structured and Comprehensive - systematic approach to risk management
contributes to efficiency and consistency of results while also promoting
comprehension for everyone involved. Guidelines and procedures are structured
for the organization to follow to maintain productivity and efficacy.
▪ Customized - the risk management process must be customized based on the
internal and external context of the organization to properly capture the objectives.
▪ Inclusive - risk management should allow consideration of knowledge and views.
It is transparent and easy to understand which allows for stakeholders to be
included in the framework.
▪ Dynamic - risk management must be open and anticipatory to changes in context
and knowledge within the organization, including the risks, to maintain efficiency of
results.
▪ Best available information - an organization will not have all the information
needed, but action must be taken from the best available data with due
consideration of current and historical information, including its limitations.
▪ Human and cultural factors - human behavior and culture significantly influence
risk management. To inhibit the goals of the business, the organization's
capabilities and the goals of the people in it must be recognized.
▪ Continual improvement - improvement applied through experience ensures the
organization's resiliency. Properly adapting to the results allows exponential growth
of the organization.
All eight (8) principles are the foundations of managing risks. Without these principles, the
framework for risk management would not be sound. The consistent application of these
principles in risk management promotes consistent and reliable results.
The reasons for risk management are varied and complex. The structures of risk
management are tailored to do more than just identify what risks exist, because
risk management done well can tell the business the level of uncertainty and predict its
influence on the business. Some of the perceived benefits of conducting risk management
include:
▪ Increase risk awareness: This answers the questions "What could affect the
achievement of objectives? What could change? What could go wrong? What could
go right?"
▪ Increase understanding of risk-sensitivities: "What makes my risk
increase/decrease/disappear?"
▪ Is proactive...not reactive: This allows you to prepare for risks before they
happen. You identify the risks and come up with appropriate risk mitigating
strategies.
▪ Improves outcomes or achievement of objectives: it helps the organization
get the best possible outcome they can get from the risk they are able to take.
▪ Facilitates good management: actions and decisions are well thought of,
including anticipation and control of possible repercussions.
▪ Promotes accountability, responsibility and transparency: there is a
dedicated team to focus on ensuring that risks are properly managed and
controlled.
▪ May even mean survival: risks, when ignored, can be fatal, but when properly
managed, can save a business from huge losses.
▪ Minimize negative effects: allows business to shrink the potential risks to a
tolerable level.
▪ Maximum use of opportunities as they arise: helps businesses make sound
decisions for present opportunities.
With these data made available, the business can contemplate with more clarity whether
to accept the risks or reject them. But before all this, the business shall have defined for
itself the level of risk it can justifiably take, or its tolerable level. This tolerable level is
what we call a business' risk appetite. Risk appetite denotes the level or amount of risk an
organization is willing to accept or is required to bear in pursuit of its strategic objectives.
The resources of the business available for managing risks are finite, and so determining
the risk appetite is important in order for the business to be able to achieve the optimum
response to the risk taken.
The risk action or risk response initiated within the organization is its internal control. This
response may involve tolerating the risk, treating the risk appropriately as a way to
constrain it to a tolerable level, transferring the risk, or it can go down to actually
terminating an activity that is giving rise to the risk. However, internal control, no matter
how good, cannot ultimately eradicate risk events, as it is also not perfect in the first place.
Even with good internal control in place, a level of risk will still remain. This risk is called
residual risk, which should be at an acceptable level and within the risk appetite.
Risk management is indubitably a very important process. This is the best way to prepare
for events that may appear in the way of a business' growth and goals. Where risk
management is set up in the business as a disciplined and continuous process for
identifying and resolving risks, this structure can be utilized as a good support that will
empower businesses to adequately and proactively deal with potential risks; and
consequently, undertake sound decision-making.

Self-Check Activity:
Relate your understanding of the concept of risk to a scenario in your life and discuss the
risk management process you have undertaken to address it. (20 points)

Rubric:
Grading Scale: 2 Not Evident, 3 Needs Improvement, 4 Proficient, 5 Exemplary

Criterion 1: Main Elements (5 pts)
▪ 2 Not Evident - Does not include any of the main elements and requirements
▪ 3 Needs Improvement - Includes some of the main elements and requirements
▪ 4 Proficient - Includes most of the main elements and requirements and cites many
examples to illustrate each element
▪ 5 Exemplary - Includes all of the main elements and requirements and cites multiple
examples to illustrate each element

Criterion 2: Inquiry and Analysis (5 pts)
▪ 2 Not Evident - Does not provide in-depth analysis
▪ 3 Needs Improvement - Provides in-depth analysis that demonstrates complete
understanding of minimal concepts
▪ 4 Proficient - Provides in-depth analysis that demonstrates complete understanding of
some concepts
▪ 5 Exemplary - Provides in-depth analysis that demonstrates complete understanding of
multiple concepts

Criterion 3: Integration and Application (5 pts)
▪ 2 Not Evident - Does not correctly apply any of the course concepts
▪ 3 Needs Improvement - Some of the course concepts are correctly applied
▪ 4 Proficient - Some of the course concepts are correctly applied
▪ 5 Exemplary - All of the course concepts are correctly applied

Criterion 4: Critical Thinking (5 pts)
▪ 2 Not Evident - Does not draw logical conclusions
▪ 3 Needs Improvement - Draws logical conclusions, but does not defend with evidence
▪ 4 Proficient - Draws logical conclusions, but does not defend with evidence
▪ 5 Exemplary - Draws insightful conclusions that are thoroughly defended with evidence
and examples
