RISK MANAGEMENT

 As defined by International Organization of Standardization (ISO 31000), is the

identification, assessment and prioritization of risk followed by coordinated and
economical application of resources to minimize, monitor and control the
probability and/or impact of unfortunate events and to maximize the realization
of opportunities. 
 process of measuring or assessing risk and developing strategies to manage it. 

Basic Principles of Risk 

1. to create value 
2. address uncertainty and assumptions 
3. be an integral part of organizational process and decision-making. 
4. create capability of continual improvement and enhancement considering the
best available information and human factors. 
5. be dynamic, iterative, transparent, tailorable and responsive to change 
6. be systematic, structured and continually or periodically reassessed 

Risk Management Process includes the following steps: 

1. Establishing the Context which involves 
a. Identification of risk in a selected domain of interest. 
b. Planning the remainder of the process. 
c. Mapping out of the following: 
i. The social scope of risk management 
ii. The identity and objectives of stakeholders 
iii. The basis upon which risk will be evaluated, constraints. 
d. Defining a framework for the activity and an agenda for identification. 
e. Developing an analysis of risk involved in the process. 
f. Mitigation or Solution of risk using available technological, human and
organizational resources. 
2. Identification of Potential Risk – can start with the analysis of the source of the
problem or the problem itself. Common methods are: 
a) Objective-based risk 
b) Scenario-based risk 
c) Taxonomy-based risk 
d) Common-risk checking 
e) Risk charting 
3. Risk Assessment – assessing its potential severity and probability of occurrence. 

Elements of Risk Assessment 

Assessing overall risk can be difficult, therefore manpower and other
resources should be spent at its minimum while minimizing effect of risk.
The performance of Risk Assessment method should include the
following elements: 
1. identification, characterization and assessment of threats.
 2. assessment of the vulnerability of critical assets to specific
threats. 
3. determination of the risk. 
4. identification of ways to reduce those risk 
5. prioritization of risk reduction measures based on a strategy.

Risk can be associated to: 

1. Risk associated with Investment 
 Business risk -uncertainty on rate of return caused by nature of business 
 Default risk- probability that some or all initial investment will not
return. 
 Financial risk-financial leverage cause by firm’s capital structure
and financing source. o Interest risk-fluctuation in interest rate due
to fluctuation on the value of investment. o Liquidity risk –
uncertainty of selling the investment quickly for cash. 
 Management risk – risk faced by investors from the management
decision and BOD. Purchasing power risk – decline of investment
as result of inflation (deflation) 
2. Risk associated with Manufacturing, Trading and Service Concerns 
 Market Risk -product risk (obsolescence, R&D, packaging, warranties),
competitor risk (pricing, market strategy, marker share) 
 Operations risk -process stoppage, health & safety, integrity,
technological obsolescence, management fraud, employee fraud,
illegal act) 
 Financial Risk- interest volatility, derivative, viability, foreign currency 
 Business Risk – regulatory change, regulation, credit rating, business
interruption, political

3. Risk associated with Financial Institutions 

 Financial Risk -liquidity risk, market risk, credit risk, market liquidity
risk, hedge position risk, portfolio exposure risk, derivative risk,
accounting information risk, financial reporting risk. 
 Non-Financial Risk – Operational risk, regulatory risk, environment
risk, Integrity risk and leadership risk. 

Potential Risk Treatments 

Risk Management techniques fall into four categories: 

 Risk Avoidance-avoidance of activity that could carry risk which means
losing out on potential
 Risk Reduction –optimizing risk by finding balance between the
negative risk and benefit of the operation or activity; between risk
reduction and effort applied. 
 Risk Sharing – sharing with another party the burden of loss or benefit
of gain. 
 Risk Retention – accepting loss or benefit of gain when occurs.
Most Commonly encountered areas of risk 
1. Enterprise -risk management 
2. Risk management activities as applied to project management 
3. Risk management for megaprojects 
4. Risk management of information technology 
5. Risk management techniques in petroleum and natural gas 

SEC Requires ERM for Publicly-listed companies.  

1. Under SEC Governance Recommendation 2.1 “The Board should
oversee that a sound enterprise risk management framework is in place to
effectively identify, monitor, assess and manage key business risks. The risk
management framework should guide the Board in identifying
units/business lines and enterprise-level risk exposures, as well as the
effectiveness of risk management strategies. 

Risk Management policy is part and parcel of corporation’s corporate

strategy. The Board is responsible for identifying the company’s level of risk
tolerance and providing oversight over its risk management policies and
procedures.”

2. Under Principle 12 of Strengthening the Internal Control System and

Enterprise Risk Management Framework, “To ensure the integrity,
transparency and proper governance in the conduct of its affairs, the
company should have a strong an effective internal control systems and
enterprise risk management framework.” 

Board Risk Oversight Committee – responsible for the oversight of company’s ERM
system to ensure its functionality and effectiveness. Requirement for BROC as follows: 
1. Should composed of at least 3 members, majority should be
independent directors, including chairman. 
2. Chairman should not be chairman of the board or any other
committee. 
3. at least one member has a thorough knowledge and experience on risk
and risk management.

Steps in the Risk Management Process

1. Set up a separate risk management committee chaired by a board

member. 
 creation of a risk management committee as a board level will
demonstrate the firm’s commitment to adopt an integrated
companywide risk management. 

2. Ensure that a formal comprehensive risk management system is in place. 

  should provide a clear vision of the board’s desire for an effective
company-wide risk management as well as awareness of internal
and external risk. 

3. Assess whether a formal system possesses the necessary elements. 

 Key element of company-wide risk management should
possess goals and objectives 
 risk language identification 
 organizational structure 
 risk management process documentation 
 risk organizational structure should include formal charters, level
of authorization reporting lines and job description. 
 risk management process should include 
 Assessment of risk; Identification;
Determination of their source 
 Development action plans: Reduce, retain, avoid,
transfer or exploit 
 Implementation 
 Monitoring and reporting risk management performance 
 Continuous improvement risk management capabilities 

4. Evaluate the effectiveness of the various steps in the assessment of the

comprehensive risks faced by a business firm. 

 risk identification and determination of sources and measurement

represents foundation for the rest of procedures and performed
by responsible managers, finance officers, production marketing
managers and human resources managers. 
 provides risk map to the board of directors 

5. Assess if management has developed and implemented the suitable

risk management strategies and evaluate their effectiveness. 
 Risk Profile highlights all significant possible risks identified,
prioritized and measured by risk management system. 
 Strategies are developed to manage and resolve identified risks. It
includes people, process, management feedback methodologies
and systems.
 Strategies may include avoidance, transfer, reduction,
exploitation and retention of risk. 

6. Evaluate if management has designed and implemented risk management

capabilities.

 Directors must continue to monitor and assess if management has

been implementing designed risk management capabilities. 
 components (people, process, management feedback methodologies
and systems) should be complete and aligned for the risk
management to function effectively. 

7. Assess management’s efforts to monitor overall company risk

management performance and to improve continuously the firm’s
capabilities. 
 performance must be monitored on a continuing basis and must
be ready to innovate their approaches. 
 monitoring is done by all concerned parties such as senior
managers, process owners and risk owners. 
 an independent reviewer can also be appointed to validate results. 

8. See to it that best practices as well as mistakes are shared by all. This
involves regular communication of the results and feedbacks to all
concerned. 
 There’s an open communication channel to ensure that
participants are informed of risk incidents or threat.  

9. Assess regularly the level of sophistication of the firm’s risk management. 

10. Hire experts when needed.