| Sr. No. | Risk management strategy | Definition/Description |
|---|---|---|
| 1. | Tolerate/Accept the risk | There may be certain risks which are considered minor because their impact and probability of occurrence are low; such risks are accepted as a cost of doing business. These risks should be periodically reviewed to ensure their impact remains low. |
| 2. | Terminate/Eliminate the risk | Certain risks can be easily eliminated by addressing their cause. For example, if a risk is associated with a technology, it can be eliminated by replacing that technology with a better one. |
| 3. | Transfer/Share the risk | In this strategy the risk is transferred to, or shared with, trading partners, suppliers, insurers, etc. |
| 4. | Treat/Mitigate the risk | It involves implementing controls to prevent the risk from manifesting itself or to minimize its effects. |
| 5. | Turn back | In cases where the probability or impact of the risk is very low, management may decide to ignore the risk. |
Implementation of controls requires us to adopt a holistic and comprehensive approach.

· Ideally it should consider the overall business objectives, processes, organization structure, technology deployed and the risk appetite.
· The overall risk management strategy has to be adopted considering business objectives, processes, structure, technology and risk appetite.
· The overall risk management strategy should be designed and promoted by top management and implemented at all levels of enterprise operations, as required, in an integrated manner.
· Regulations require enterprises to adopt a risk management strategy which is appropriate for the enterprise.
· How controls are implemented depends on the overall risk management strategy and the risk appetite of management.
· The type of controls implemented in an enterprise’s information systems depends on this risk management strategy.
· In an IT environment, it is important to understand whether the relevant IT controls are implemented.
· The Sarbanes-Oxley Act (SOX) in the US, which focuses on the implementation and review of internal controls relating to financial audit, highlights the importance of evaluating the risks, security and controls related to financial statements.
| Benefits | Description |
|---|---|
| 1. Align risk appetite and strategy | Risk appetite is the degree of risk, on a broad-based level, that an enterprise (any type of entity) is willing to accept in pursuit of its goals. Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks. |
| 2. Link growth, risk and return | Entities accept risk as part of value creation and preservation, and they expect return commensurate with the risk. ERM provides an enhanced ability to identify and assess risks, and to establish acceptable levels of risk relative to growth and return objectives. |
| 3. Enhance risk response decisions | ERM provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and techniques for making these decisions. |
| 4. Minimize operational surprises and losses | Entities have an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses. |
| 5. Identify and manage cross-enterprise risks | Every entity faces a myriad of risks affecting different parts of the enterprise. Management needs not only to manage individual risks, but also to understand their interrelated impacts. |
| 6. Provide integrated responses to multiple risks | Business processes carry many inherent risks, and ERM enables integrated solutions for managing them. |
| 7. Seize opportunities | Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities. |
| 8. Rationalize capital | More robust information on an entity’s total risk allows management to assess overall capital needs more effectively and improve capital allocation. |
| Components | Description |
|---|---|
| 1. Internal Environment | The internal environment encompasses the tone of an organization. It sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the foundation for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people: their individual attributes, including integrity, ethical values and competence, and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything rests. |
| 2. Objective Setting | Objectives should be set before management can identify events potentially affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity’s mission/vision and are consistent with the entity’s risk appetite. |
| 3. Event Identification | Potential events that might have an impact on the entity should be identified. Event identification includes identifying internal and external factors that influence how potential events may affect strategy implementation and achievement of objectives. It includes distinguishing between potential events that represent risks, those representing opportunities and those that may be both. Opportunities are channeled back to management’s strategy or objective-setting processes. Management identifies interrelationships between potential events and may categorize events to create and reinforce a common risk language across the entity and form a basis for considering events from a portfolio perspective. |
| 4. Risk Assessment | Identified risks are analyzed to form a basis for determining how they should be managed. Risks are associated with the related objectives that may be affected. Risks are assessed on both an inherent and a residual basis, and the assessment considers both risk likelihood and impact. A range of possible results may be associated with a potential event, and management needs to consider them together. |
| 5. Risk Response | Management selects an approach or set of actions to align assessed risks with the entity’s risk tolerance and risk appetite, in the context of the strategy and objectives. Personnel identify and evaluate possible responses to risks, including avoiding, accepting, reducing and sharing risk. |
| 6. Control Activities | Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out. |
| 7. Information & Communication | Information: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk. Communication: Effective communication should also occur in a broader sense, flowing down, across and up the entity. Personnel need to receive clear communications regarding their roles and responsibilities. |
| 8. Monitoring | The entire ERM process should be monitored, and modifications made as necessary. The system can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of the ERM processes, or a combination of both. |