TO STUDY ENTERPRISE RISK MANAGEMENT
A COMPETITIVE EDGE FOR THE COMPANY
AND
HOW IT ADDS VALUE TO ITS
SHAREHOLDERS
This term paper is submitted in partial completion of MBA

SUBMITTED TO:

SUBMITTED BY:

Faculty Guide: Mr. C.T. Sunil

Student: Ms. Anu Damodaran

Assistant Prof - Finance & Accounts

Registration No: AUD0260

Amity University, Dubai, U.A.E.

Program: MBA - General (Semester 2)
Year: 2012 to 2014

Page 1 of 48
CERTIFICATE FROM FACULTY GUIDE
This is to certify that Ms. Anu Damodaran, Reg. No. AUD0260, a 1st Year MBA –
General, 2nd semester student of Amity University, Dubai, UAE, has carried out her term
paper - “To study ERM - A competitive edge for the company and how it adds value to
its shareholders” from 01-Apr-2013 to 12-May-2013.

She has completed the term paper successfully. She has done this term paper work
independently and submitted the same on 19-May-2013.

Mr. C.T. Sunil, Faculty Guide,
Assistant Professor of Finance & Accounts,
Amity University, Dubai, UAE

ACKNOWLEDGEMENT

I, Ms. Anu Damodaran, sincerely thank and acknowledge the valuable inputs and guidance
extended to me by Mr. C.T. Sunil, Assistant Professor of Finance and Accounts at Amity
University, Dubai, U.A.E. toward successful completion of this term paper “To study ERM
- A competitive edge for the company and how it adds value to its shareholders”.

I extend my sincere thanks to Mr. Chandrashekar Salla & Mr. Jitendar Kumar for the
guidance toward completion of this term paper.

Thanking you,

Yours sincerely,

Ms. Anu Damodaran
Reg. No. AUD0260,
1st Year MBA – General, 2nd Semester
Amity University, Dubai, U.A.E.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
OBJECTIVE
CHAPTER 1 – INTRODUCTION
1.1 – BACKGROUND
1.2 – RELATED INFORMATION
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT
1.4 – RELEVANCE OF ERM
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE
1.6 – WHAT IF THERE IS NO ERM
CHAPTER 2 – REVIEW OF LITERATURE
2.1 – DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT
2.2 – INDUSTRY SPECIFIC EXAMPLES
2.3 – HEALTH CARE ORGANIZATION
2.4 – AEROSPACE SUPPLIER
2.5 – INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)
CHAPTER 3 – EXPLORATION COMMENT ON ERM
3.1 – RISK MAPPING
3.2 – THE CAPABILITY MATURITY MODEL
3.3 – RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM
3.4 – ADVANTAGES
3.5 – SUITABILITY
3.6 – LIMITATIONS
CONCLUSION
REFERENCES

TABLE OF TABLES

Table 1 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT
Table 2 – TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES
Table 3 – EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT
Table 4 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION
Table 5 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION
Table 6 – LIST OF RISKS SEPARATED BY CATEGORY
Table 7 – A RISK MODEL
Table 8 – SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK
Table 9 – PRIORITIZATIONS OF FUNCTIONALITY

TABLE OF FIGURES

Fig.1 – THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK
Fig.2 – CONSOLIDATED RISK PROFILE
Fig.3 – A RISK DRIVERS MAP
Fig.4 – A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION
Fig.5 – KEY QUESTIONS A BUSINESS CASE MUST ADDRESS

EXECUTIVE SUMMARY

Enterprise Risk Management (ERM) is a strategy organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront.

ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

ERM has given rise to a question: who should head the risk management process, internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a per-project basis.

ERM also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and to allocate resources appropriately.

To extract risk data, many organizations use business intelligence software. Many packages feature "traffic-light" systems that show a red light if a risk exceeds acceptable levels. The chief risk officer can then "drill down" to see the reasons and make more informed decisions.

Overall responsibility for enterprise risk is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

ERM can help CPAs (Certified Public Accountants) determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.

By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database that the chief risk officer or executive risk committee can monitor. This makes it easier to identify exception risks extending beyond the company's tolerance or threshold levels.

OBJECTIVE

1. To understand what Enterprise Risk Management is, why it is important for any business and how it can be measured.
2. To find out whether, by measuring and managing risks consistently and systematically, a company can strengthen its ability to carry out its strategic plan.
3. To understand the methods and tools used by firms to manage enterprise risk.
4. To study the processes and challenges in implementing Enterprise Risk Management, and to identify how much risk can be retained and how much should be laid off.

CHAPTER 1 – INTRODUCTION

Enterprise Risk Management (ERM) is a data-intensive process that measures all of a company's risks. It is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem to be greater than ever.
Examples:
1. Globalization has increased exposure to international events.
2. There is a need for greater efficiency, innovation and differentiation.
3. The cost of strategic error is rising in the global marketplace.
4. Customer wants must be understood and responded to in a demanding era of increasingly focused niche markets.
5. Outsourcing raises questions about the retention and transfer of risk.
6. The unthinkable can happen.
7. Because of highly publicized public fiascos and the demands placed on certifying officers, financial reporting is now a significant risk area, as companies focus on the sustainability of their disclosure process and internal control structure.
At most institutions today, the responsibility for enterprise risk management ultimately falls to the chief executive officer, since many of the senior people who manage risk on a day-to-day basis already report to him or her, including the CFO and the chief lending or credit officer. But institutions need to consider appointing a chief risk officer and forming a management-level risk committee.
The risk management function should be as independent as possible. However, true independence would require parallel structures, in which one team of individuals is responsible for a business unit such as small business banking or an activity such as regulatory compliance, while a separate team is focused solely on managing risk. To be successful, the business units must view the risk management function as a partner and a facilitator rather than as the function in charge of saying no. There is a danger, if ERM looks interchangeable with internal audit, that the business units will view it as either an impediment or redundant; but one size does not fit all.

1.1 – BACKGROUND
Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Risk management itself has been practiced for thousands of years. One can imagine an early risk manager keeping a fire burning at night to keep wild animals away. Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance, by shifting it to an insurer.
Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management. They enumerated the following steps for the risk management process:
1. Identifying loss exposures
2. Measuring loss exposures
3. Evaluating the different methods for handling risk: risk assumption, risk transfer and risk reduction
4. Selecting a method
5. Monitoring results
Initially, the risk management process focused on what have been termed "pure risks". Pure risks are those in which there is either a loss or no loss. A typical example of a pure risk is that your house may burn down or be hit by an earthquake; if neither occurs, you are in the no-loss position.
Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the way pure risks had been managed for decades.
Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was that risk managers had built a wall around their specialty, pure risk, within which they operated. This refusal to expand into other areas of risk simply delayed the integration of those areas into risk management by a number of decades.

1.2 – RELATED INFORMATION
The US Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
COSO divides the ERM process into eight components:
(1) Internal environment
(2) Objective setting
(3) Event identification
(4) Risk assessment
(5) Risk response
(6) Control activities
(7) Information and communication
(8) Monitoring

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations established in the United States: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). It is dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting.

1.2.1 - ENTERPRISE RISK MANAGEMENT — INTEGRATED FRAMEWORK
In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by management to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management, and the Sarbanes-Oxley Act was enacted as a result. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify, and the independent auditor to attest to, the effectiveness of those systems. In 2004 COSO published Enterprise Risk Management - Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.
The framework sets out four categories of business objectives:
1. Strategic: high-level goals, aligned with and supporting the entity's mission
2. Operations: effective and efficient use of its resources
3. Reporting: reliability of reporting
4. Compliance: compliance with applicable laws and regulations

Fig.1 – The COSO Enterprise Risk Management Framework

1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT
The scope of ERM is much broader than protecting physical and financial assets. With an
ERM approach, the scope of risk management is enterprise wide and the application of risk
management is targeted to enhancing as well as protecting the unique combination of
tangible and intangible assets comprising the organization’s business model.

1.4 – RELEVANCE OF ERM
1. Reduce unacceptable performance variability
2. Align and integrate varying views of risk management
3. Build confidence of investment community and stakeholders
4. Enhance corporate governance
5. Successfully respond to a changing business environment
6. Align strategy and corporate culture

1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE
1. Optimize Risk Management Cost
2. Improve Business Performance
3. Establish Competitive Advantage

1.6 – WHAT IF THERE IS NO ERM
ERM doesn’t guarantee the success of a business. It provides better information to managers
and a more robust process for them to deploy, but does not necessarily transform a poor
manager into a good manager. All organizations face business risk, regardless of size.
Organizations ignore risk at their own peril. No organization can afford to stand pat with its
existing risk management capabilities; therefore, every organization should evaluate how it
can improve its risk management.

CHAPTER 2 – REVIEW OF LITERATURE

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).
After Enron, WorldCom, Tyco and other large businesses failed, the United States Congress passed the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley addressed risks related to financial reporting. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies disclose developments and risks of the business, and section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009).
The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in Item 1A of their Form 10-K. The SEC and the Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).
The types of risks that companies face:
1. External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly and often enough to be generally predictable.
2. Manufactured risk results from the technologies or business practices that an organization chooses to adopt.
3. Technological risk is caused or created by technologies; examples include trains wrecking, bridges falling and planes crashing (Giddens, 1999).
4. Business practice risk is caused or created by actions the company takes, which could include investing, purchasing, sales or financing customer purchases.

2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND
RISK APPETITE AND EVENT
Risk is defined as “the possibility that an event will occur and adversely affect the
achievement of objectives.”
Risk assessment is a systematic process for identifying and evaluating events (i.e. possible
risks and opportunities) that could affect the achievement of objectives, positively or
negatively. Such events can be identified in the external environment (e.g., economic trends,
regulatory landscape, and competition) and within an organization’s internal environment
(e.g., people, process, and infrastructure).
Risk assessments can be mandated by regulatory demands for example, anti-money
laundering, Basel III, and Sarbanes-Oxley compliance all require formalized risk
assessment, and focus on such processes as monitoring of client accounts, operational risk
management, and internal control over financial reporting. Risk assessments can also be
driven by an organization’s own goals, such as business development, talent retention, and
operational efficiency.
Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective, and should be weighed using the same unit of measure applied to the related objective.
Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value.

An event and a risk are related concepts. Events can have either a negative or a positive impact. An event with a negative impact represents a risk, whereas an event with a positive impact represents an opportunity.

2.1.1 - THE PROCESS
The ERM process begins with risk identification. This creative, wide-open process tends to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted. Each risk should be assessed to separate minor risks from more serious ones, and should be assigned a score.
For example, a number from one to ten can be assigned on each of two dimensions: probability and severity. The lowest score means a risk almost never happens or is of trivial consequence; a score of ten means that a particular risk almost always happens or carries potentially catastrophic consequences. The two scores are then multiplied together to generate a final risk score that communicates the magnitude of the impact posed by a risk and the urgency required. The scores, along with a detailed description and evaluation, are recorded in the risk register, which creates a record on which to base future action and strategy.
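As an added example (not part of the original paper), the following Python sketch implements the scoring scheme just described together with the "traffic-light" and "drill-down" reporting mentioned in the executive summary: each risk carries 1..10 probability and severity scores, their product is the risk score, scores above tolerance and appetite thresholds light up amber or red, and a per-unit view lets the chief risk officer see where a red light comes from. The thresholds, unit names, owners and sample risks are constructed assumptions.

```python
"""Risk register with probability x severity scoring and traffic-light escalation.
Added illustration; the 1..10 scales follow the text above, while the tolerance
and appetite thresholds, unit grouping and sample risks are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 11)  # 1 = almost never / trivial, 10 = almost always / catastrophic


@dataclass(frozen=True)
class Risk:
    risk_id: str
    unit: str            # owning business unit, the key used for drill-down
    description: str
    probability: int     # 1..10
    severity: int        # 1..10
    owner: str = "unassigned"

    def __post_init__(self):
        for name, value in (("probability", self.probability), ("severity", self.severity)):
            if value not in SCALE:
                raise ValueError(f"{name} must be between 1 and 10, got {value}")

    @property
    def score(self) -> int:
        """Probability x severity, 1..100, as described in the text."""
        return self.probability * self.severity


def rag_status(score: int, tolerance: int = 25, appetite: int = 50) -> str:
    """Traffic light: GREEN within tolerance, AMBER between tolerance and appetite,
    RED above appetite. The threshold values are assumptions for this example."""
    if score > appetite:
        return "RED"
    if score > tolerance:
        return "AMBER"
    return "GREEN"


def exceptions(register, tolerance: int = 25, appetite: int = 50):
    """Risks beyond the appetite (the 'red lights'), highest score first."""
    red = [r for r in register if rag_status(r.score, tolerance, appetite) == "RED"]
    return sorted(red, key=lambda r: r.score, reverse=True)


def drill_down(register):
    """Per-unit view a CRO would open from a red light: worst score, number of
    risks, and risks that still have no owner."""
    units = defaultdict(lambda: {"max_score": 0, "count": 0, "unowned": []})
    for r in register:
        u = units[r.unit]
        u["count"] += 1
        u["max_score"] = max(u["max_score"], r.score)
        if r.owner == "unassigned":
            u["unowned"].append(r.risk_id)
    return dict(units)


# Constructed sample register; not real data.
REGISTER = [
    Risk("R1", "treasury", "FX exposure on unhedged receivables", 6, 7, "cfo"),
    Risk("R2", "it", "Privileged accounts without MFA", 8, 9),
    Risk("R3", "operations", "Single-source supplier for key component", 4, 8, "coo"),
    Risk("R4", "it", "Backup restore procedure never tested", 5, 4, "cio"),
    Risk("R5", "compliance", "Late regulatory filing", 2, 3, "gc"),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: r.score, reverse=True):
        print(f"{r.risk_id:3} {r.unit:11} {r.score:3} {rag_status(r.score):5} {r.description}")
    print("exceptions:", [r.risk_id for r in exceptions(REGISTER)])
    print("drill-down:", drill_down(REGISTER))
```

Two points the register enforces that a spreadsheet usually does not: a score outside the agreed scale is rejected at entry rather than silently skewing the product, and a risk that crosses the appetite line is reported even when nobody has yet been assigned to own it.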
Participation of stakeholders is critical to the success of an ERM program, and good communication is important to maintaining interest in the program. Unless an initiative has the support of top management and the CEO, it will be very difficult to get a program off the ground. It may also be difficult for separate units to communicate effectively with one another. Accordingly, a company that wishes to implement ERM should consider defining a common risk language or glossary and a risk ranking system that prioritizes risk both within and across departments. To address implementation issues related to responsibility, a company may establish a risk committee or chief risk officer to coordinate activities across functional areas and assign ownership for particular risks and responses.
2.1.2 - RISK ASSESSMENT CAN BE CONDUCTED AT VARIOUS LEVELS OF
THE ORGANIZATION
Frequently performed risk assessments include:
Strategic risk assessment - Evaluation of risks relating to the organization's mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.
Operational risk assessment - Evaluation of the risk of loss (including risks to financial
performance and condition) resulting from inadequate or failed internal processes, people,
and systems, or from external events.
Compliance risk assessment - Evaluation of risk factors relative to the organization’s
compliance obligations, considering laws and regulations, policies and procedures, ethics
and business conduct standards, and contracts, as well as strategic voluntary standards and
best practices to which the organization has committed
Internal audit risk assessment - Evaluation of risks related to the value drivers of the
organization, covering strategic, financial, operational, and compliance objectives. The
assessment considers the impact of risks to shareholder value as a basis to define the audit
plan and monitor key risks.
Financial statement risk assessment - Evaluation of risks related to a material misstatement
of the organization’s financial statements through input from various parties such as the
controller, internal audit, and operations.
Fraud risk assessment - Evaluation of potential instances of fraud. This is typically
performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk
assessment, and involves subject matter experts from key business functions where fraud
could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.
Market risk assessment - Evaluation of market movements that could affect the
organization’s performance or risk exposure, considering interest rate risk, currency risk,
option risk, and commodity risk. This is typically performed by market risk specialists.

Credit risk assessment - Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.
Customer risk assessment - Evaluation of the risk profile of customers that could potentially
impact the organization’s reputation and financial position. This assessment weighs the
customer’s intent, creditworthiness, affiliations, and other relevant factors.
Supply chain risk assessment - Evaluation of the risks associated with identifying the inputs
and logistics needed to support the creation of products and services, including selection and
management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing
quality assurance reviews to assess any changes that could impact the achievement of the
organization’s business objectives).
Product risk assessment - Evaluation of the risk factors associated with an organization’s
product, from design and development through manufacturing, distribution, use, and
disposal. This assessment aims to understand not only the revenue or cost impact, but also
the impact on the brand, interrelationships with other products, dependency on third parties,
and other relevant factors.
Security risk assessment - Evaluation of potential breaches in an organization’s physical
assets and information protection and security. This considers infrastructure, applications,
operations, and people, and is typically performed by an organization’s information security
function.
Information technology risk assessment - Evaluation of potential for technology system
failures and the organization’s return on information technology investments. This
assessment would consider such factors as processing capacity, access control, data
protection, and cybercrime.
Project risk assessment - Evaluation of the risk factors associated with the delivery or
implementation of a project, considering stakeholders, dependencies, timelines, cost, and
other key considerations.

Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon its priorities and objectives.
For risk assessments to yield meaningful results, certain key principles must be observed:
1. Begin and end with specific business objectives that are anchored in key value drivers.
2. Establish clear governance over the risk assessment process.
3. Define risk rating scales in relation to the objectives in scope.
4. Capture leading indicators to enhance the ability to anticipate possible risks and opportunities before they materialize.
5. Have management form a portfolio view of risks to support decision making.
6. Interpret the results of the risk assessment process to set a foundation for establishing an effective enterprise risk management (ERM) program.
7. Determine risk tolerance.
8. Define risk appetite clearly and reflect it in risk tolerances and risk limits, to help ensure that organizational objectives can be achieved.

2.1.3 - COMMON CHALLENGES TO EFFECTIVE RISK ASSESSMENT

1. Risk assessment is viewed as an episodic initiative providing limited value.
   - The owner of a risk assessment must clearly communicate its purpose, process and expected benefits.
   - The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
   - The assessment must be a repeatable process that integrates into regular business practices, adapts to change and delivers more than one-time value.
2. The amount of information and data gathered is difficult to interpret and use.
   - Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge.
   - Tools, templates and guidance are necessary to ensure consistency in data capture, assessment and reporting.
3. Results of the risk assessment are not acted upon.
   - Lack of an effective risk assessment process and defined risk tolerance could result in an organization over-controlling a risk, which could place an excessive cost burden on the organization and/or stifle its ability to seize opportunities.
4. Risk assessments become stale, providing the same results every time.
   - Without refreshing their data capture, process and reporting from time to time, risk assessments may lose relevance.
   - Breakdowns may occur without triggering key risk indicators to management.
5. Risk assessment is added onto day-to-day responsibilities without being integrated into business processes.
6. Too many different risk assessments are performed across the organization.
7. Risk assessment will not prevent the next big failure.
   - Risk assessments need to invoke the right subject matter experts and consider not only past experience but also forward-looking analysis.

2.1.4 – FORMS OF RISK ASSESSMENTS
Qualitative assessments are the most basic form of risk assessment, categorizing potential risks on nominal or ordinal scales. External validation should be obtained to guard against potential management biases.
Rigorous quantitative techniques, ranging from benchmarking to probabilistic and non-probabilistic modeling, can be used for assessing risk as more data becomes available through tracking of internal events (e.g., transaction errors, customer complaints, litigation) and external events (e.g., loss events recorded by peer organizations and made available through subscription to services such as the ORX or Fitch First databases).
Such data enables greater analysis of potential risk exposures, development of relevant indicators that can be tracked regularly, and more rapid and efficient responses to risk situations. Risk categories, loss-event data and key risk indicators are often refined through iterative efforts to support issue and trend analysis.
Analysis is often enriched by various modeling techniques using assumptions regarding distributions. Probabilistic models (e.g., "at-risk" models, assessment of loss events, back testing) measure both the likelihood and impact of events, whereas non-probabilistic models (e.g., sensitivity analysis, scenario analysis, stress testing) measure only the impact and require separate measurement of likelihood using other techniques. Non-probabilistic models are relied upon when available data is limited. Both types of models are based on assumptions regarding how potential risks will play out.
The more mature risk assessment processes yield quantitative results that can be used to allocate capital based on risk, as required by regulation in certain industries (e.g., Basel II or III for the financial services industry). For organizations in industries not subject to such requirements, the best approach should be determined based on a cost/benefit analysis of the process for enabling timely and relevant discussion of risks, monitoring predictive indicators, escalating information on increased risk exposures and making risk-informed decisions in an integrated manner.
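The contrast between probabilistic and non-probabilistic models can be made concrete. The following Python example is added here and is not from the paper: a small Monte Carlo loss model (Poisson event frequency, lognormal severity) that yields both an expected loss and a 99th-percentile loss, beside a scenario stress test that only reports the impact of assumed shocks and says nothing about how likely they are. The frequency and severity parameters, the exposure book, the baseline earnings figure and the scenarios are all constructed assumptions, not calibrated data.

```python
"""Probabilistic versus non-probabilistic risk models, as an added illustration of
the distinction drawn above. Event-frequency and severity parameters, the exposure
book and the stress scenarios are constructed assumptions, not calibrated data."""
import math
import random
import statistics


def simulate_annual_losses(freq_per_year, sev_median, sev_sigma, years, seed=7):
    """Probabilistic (Monte Carlo) loss model. The number of loss events in a year
    is Poisson(freq_per_year); each event's size is lognormal with the given median
    and log-sigma. One aggregate loss per simulated year is returned, so likelihood
    and impact are captured in the same distribution."""
    rng = random.Random(seed)
    mu = math.log(sev_median)
    annual = []
    for _ in range(years):
        # Poisson draw by Knuth's multiplication method (adequate for small rates)
        events, product, limit = 0, 1.0, math.exp(-freq_per_year)
        while True:
            product *= rng.random()
            if product < limit:
                break
            events += 1
        annual.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(events)))
    return annual


def loss_at_percentile(losses, pct):
    """Empirical percentile (nearest rank); pct=99 gives a 99% 'loss at risk'."""
    ordered = sorted(losses)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses):
    """What the probabilistic model can report: expected loss, a tail figure, and
    how often a year passes with no loss at all."""
    return {
        "expected_loss": statistics.mean(losses),
        "loss_at_risk_99": loss_at_percentile(losses, 99),
        "years_with_no_loss": sum(1 for x in losses if x == 0),
    }


def stress_test(baseline_earnings, exposures, scenarios):
    """Non-probabilistic model: apply each scenario's shocks (fractional change in
    value per exposure) and report the resulting earnings. No probability is
    attached to any scenario; likelihood has to be judged separately."""
    results = {}
    for name, shocks in scenarios.items():
        impact = sum(exposures[k] * shocks.get(k, 0.0) for k in exposures)
        results[name] = round(baseline_earnings + impact, 2)
    return results


# Constructed exposure book (currency units) and scenario shocks; assumptions only.
BASELINE_EARNINGS = 3_000_000
EXPOSURES = {"fx_eur": 10_000_000, "rate_sensitive": 5_000_000, "commodity": 2_000_000}
SCENARIOS = {
    "eur_down_10pct": {"fx_eur": -0.10},
    "rates_up_200bp": {"rate_sensitive": -0.02},
    "combined_severe": {"fx_eur": -0.20, "rate_sensitive": -0.03, "commodity": -0.25},
}

if __name__ == "__main__":
    losses = simulate_annual_losses(freq_per_year=2.0, sev_median=50_000, sev_sigma=1.0, years=10_000)
    print("probabilistic:", summarize(losses))
    print("non-probabilistic:", stress_test(BASELINE_EARNINGS, EXPOSURES, SCENARIOS))
```

The Monte Carlo output changes with the frequency and severity assumptions and with the sample size, which is exactly the dependence on distributional assumptions the text warns about; the stress-test output is a fixed arithmetic consequence of the chosen shocks and carries no statement about how often the "combined_severe" case would actually occur.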

2.1.5 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT

Focus
  RM:  Finance, hazard, internal controls
  BRM: Business, internal controls
  ERM: Business, internal controls, taking an entity-level portfolio view of risk
Objective
  RM:  Protect enterprise value
  BRM: Protect enterprise value
  ERM: Protect and enhance enterprise value
Scope
  RM:  Treasury, insurance and operations
  BRM: Business managers
  ERM: Across the enterprise, at every level and unit
Emphasis
  RM:  Finance and operations
  BRM: Management
  ERM: Strategy-setting
Application
  RM:  Selected risk areas, units and processes
  BRM: Selected risk areas, units and processes
  ERM: Enterprise-wide, to all sources of value
Vision
  RM:  "Current state" capabilities
  BRM: "Current state" capabilities
  ERM: "Future state"

Table 1

2.1.5. A - TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES

Traditional risk management              Enterprise risk management
Risk as individual hazards               Risk in the context of business strategy
Risk identification and assessment       Risk portfolio development
Focus on discrete risks                  Focus on critical risks
Risk mitigation                          Risk optimization
Risk limits                              Risk strategy
Risks with no owners                     Defined risk responsibilities
Haphazard risk quantification            Monitoring and measuring of risks
"Risk is not my responsibility"          "Risk is everyone's responsibility"

Table 2

2.1.6 - APPLICATION OF ERM ACROSS INDUSTRIES
The nature of the industry will drive the value of the risks and the risk management practices
the organization adopts to manage those risks. For example, a bank will focus on managing
market and credit risk to a greater extent than other institutions because the assumption of
those risks is the essence of its business model. A pharmaceutical company will focus on
managing its research and development pipeline because that is the lifeline to its future
revenue streams. Regardless of the industry the components of the framework as defined by
COSO still apply.

2.1.7 – RISK MANAGEMENT REPORT
These reports serve the purpose of providing information for decision making to executive management:
1. A summary of the enterprise's risks, broken down by operating unit, geographic location and product group.
2. A summary of existing gaps in the capabilities for managing the priority risks.
3. A summary of the top and worst performing investments, with the reasons why.
4. From an "environment scan" process or early warning system, a report of emerging issues or risks that warrant immediate attention.
5. Value-at-risk reports to assess the sensitivity of existing portfolio positions to market rate changes beyond specified limits, and to consider the exposure of earnings or cash flow to severe losses.
6. A summary of scenario analyses evaluating the impact of changes in other key variables beyond management's control (e.g. inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and business plans.
7. Operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e. limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities), "close calls" and "near misses".
8. Specific studies or targeted analyses to evaluate questions about specific events or anticipated concerns that could "stop the show".
9. A summary of significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization's regulators.
10. A summary of the status of improvement initiatives.
Good governance facilitates implementation of ERM because ERM is built on transparency.
Conversely, an effectively functioning ERM infrastructure would provide greater confidence
to the board and to executive management that risks and opportunities are being
systematically identified, rigorously analyzed and effectively managed on an enterprise wide
basis.

2.1.8 - INTERNAL AUDIT
The Institute of Internal Auditors (IIA) regards internal auditing as an independent, objective
assurance and consulting function while objective reporting is the primary value of an
auditor from outside the company. Accordingly, the IIA identifies suitable activities for the
internal auditor in the ERM process. This is accomplished by advising upon the accuracy of
the company's risk evaluation, evaluating the ERM processes and the method employed for
reporting those risks, and reviewing the management of risk. The IIA considers activities
such as facilitating, coaching, coordinating, educating, integrating, evaluating and
developing an ERM framework as appropriate activities for internal auditors. However, the
IIA considers setting risk appetite, imposing the ERM process, decision-making or
implementation of risk response as roles an internal auditor should not undertake.

2.1.9 – EFFECTIVE WAYS FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT

Interviews: Individual stakeholder interviews to identify potential events and prioritize the
associated risks.
Online surveys: Consisting of either a checklist of events or risks or an open-ended request.
Paper surveys: Hard-copy survey consisting of either a checklist of events or risks or an
open-ended request.
Document review: Review of existing public documents, regulatory reviews, audit reports, special
purpose studies and other materials.
Facilitated workshops: An in-person or online workshop attended by key stakeholders.
Targeted reviews: Special studies to evaluate questions about specific events or anticipated
concerns, or targeted analyses.

Table 3
Any combination of these options is appropriate.

2.2 – INDUSTRY SPECIFIC EXAMPLES
2.2.1 – COMPONENTS OF A HIGHER EDUCATION SPECIFIC ERM FRAMEWORK
Internal environment – the organization's code of conduct, management's leadership,
communication and decision-making style. Training should begin at the level of academic deans,
department heads, business managers and administrators.
Objective setting – suppose the institution wants to build a new science and technology block.
The proposal should consider the return on investment and its risk in qualitative and
quantitative terms.
Event identification – requires the institution to identify activities and events that may
affect its ability to achieve its objectives.
Risk assessment and risk response – distinguish low probability/high impact events from high
probability/high impact situations, and respond to each accordingly.
Control and monitoring activities – adherence to the policies and procedures that reduce risk,
and follow-up activity which ensures that the policies and procedures have been carried out as
intended.
Information and communication – administrators and other members of the campus need access to
accurate information that is communicated widely.

2.2.2 - WHY IS ERM RELEVANT IN THE HIGHER EDUCATION ENVIRONMENT?
The higher education system operates in an inherently risky environment. By managing risk
strategically, institutions can reduce the chance of loss, create greater financial stability
and protect their resources so that they can support the university's mission of teaching,
research and public service.

2.2.3 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION

Risk driver: Stakeholders
Emerging educational delivery systems: Students, faculty, executive management, staff,
accrediting agencies
Inability of governance processes to support strategic objectives: Trustees, executive
management, faculty
Increasing opportunities to leverage intellectual capital: Executive management, faculty
Excess physical capacity: Trustees, executive management, donors
Quality of academic program: Students, faculty, executive management
Increasing customer expectations (e.g. financial aid, student life, access, capacity): Students,
parents

Table 4

2.2.4 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION

Risk driver: Stakeholders
New technologies: Trustees, executive management, staff (for selected issues)
Reimbursement and financial issues: Dean, faculty, regulators, trustees
Increased regulatory scrutiny and accountability: Trustees, executive management, internal
audit, public
Research and intellectual property: Executive management, research
Human resource management: HRM, unions, staff
Decentralized responsibility: Staff, faculty, auditors
Security, internet access, electronic records: Students, executive management, faculty, staff
New construction: Real estate office, executive management, donors
New business creation (international operations): Staff, faculty
Increased competition: Trustees, executive management, faculty
Student behavior and community: Alumni, parents, students, faculty, president
Contracting and related processes: Attorneys and executive management
Endowment management: Trustees, staff, alumni, other donors

Table 5

2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY

Hazard risks: domestic terrorism; catastrophic natural events; pandemic; laboratory safety;
facilities and grounds safety.
Financial risks: conflicts of interest in financial transactions and agreements; budget
impairment; ineffective service center and auxiliary management; non-compliant cost transfers;
insufficient oversight over third party vendors; improper governmental activities including
fraud, embezzlement or misuse of university resources.
Information technology risks: unauthorized modification of data; decentralization of systems
leading to data inconsistencies and fragmentation; disclosure of confidential information;
obsolescence of systems/technology; lack of common data definitions; inability to recover from
system loss; lack of comfort with third party vendor system security.
Human resource risks: personal issues or workplace violence; professional liability claims;
workers compensation claims; employee recruitment and retention.
Research risks: falsification of data or results; intellectual property infringement; unethical
or unapproved research; inadequate lab practices and processes for the promotion of
environmental health and safety; threat to safety of researchers; regulatory fines or penalties.
Contract and grant risks: non-compliance with sponsoring agency terms, conditions and agreement;
funds used but agreement terms and conditions not followed; failure to maintain equipment
inventories in accordance with grant requirements; sub-recipients not managed properly.
Student life risks: sports or public event disturbances; student mental health; safety and
security of students on and off campus.
Facilities and maintenance risks: deferred maintenance; increase in energy costs;
equipment/facility malfunction.

Table 6

2.2.6 – ERMIS
As a key support, a University can develop the ERM information system (ERMIS) to
provide management with current information in minutes in the form of key performance
indicators (KPIs). ERMIS reduces the cost of risk by improving the efficiency of
retrospective reviews and monitoring the effectiveness of controls to prevent reoccurrences.
The ERMIS includes:
1. Dashboard reporting on major risks
2. Risk assessment tools
3. Control and accountability tracking platform
4. Risk mitigation and monitoring tools
5. Survey capabilities

2.3 – HEALTH CARE ORGANIZATION
Specific objectives:
1. Quality of customer care
2. Attracting and retaining high quality physicians
3. Building sustainable levels of profit to provide access to needed capital and fund
existing activities
Statement of risk appetite:
The organization’s lowest risk appetite relates to safety and compliance objectives,
including employee health and safety, with a marginally higher risk appetite towards its
strategic, reporting and operations objective.

2.4 – AEROSPACE SUPPLIER
A high level objective is to work with customers to improve products and market share. There is
a low risk appetite for allowing the capital structure to be leveraged to the point that it
hinders the company's future flexibility or ability to make strategic acquisitions.
Operations tolerances:
1. Near zero risk tolerance for product defects
2. Low risk tolerance for sourcing products that fail to meet the company's quality standards
3. Low risk tolerance for failing to meet customer orders on time
4. High risk tolerance for potential failure in pursuing research that will enable the
company's products to better control and increase the efficiency of energy use
Reporting tolerances:
1. Low risk tolerance concerning the quality, timing and accessibility of data needed to run
the business
2. Very low risk tolerance concerning the possibility of material deficiencies in internal
control
3. Low risk tolerance related to financial reporting quality (timeliness, transparency,
adherence to generally accepted accounting principles)
Compliance tolerances:
1. Near zero risk tolerance for violations of regulatory requirements or the company's code of
ethics.

2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS
(BASEL III)
The Basel Accords are a set of rules on banking regulation, principally concerning capital.
Basel III is a series of additions to the existing accords designed to limit the likelihood and
impact of a future financial crisis. It requires banks to hold more, and higher-quality, capital
against more conservatively calculated risk weighted assets (RWAs). It also seeks to ensure
sufficient liquidity during times of stress and to reduce excess leverage.
Capital: A minimum of 7 per cent of a bank's RWAs must be core tier one capital, to act as a
buffer against losses (the 4.5 per cent minimum plus the 2.5 per cent capital conservation
buffer). This compares with the 2 per cent required under Basel II. The definition of which
instruments qualify as core tier one will narrow. There is also a counter-cyclical buffer of 0
to 2.5 per cent, to be built up when the economy is strong so that it can be drawn on in tougher
times. Additional requirements will be introduced for large banks deemed vital to the global
financial system, the global systemically important financial institutions (G-SIFIs), which
must hold an extra 1 to 2.5 per cent of core tier one capital.
Risk Weighted Assets: In addition to increasing the quality and quantity of capital, Basel III
also updates the RWA calculation for counterparty credit risk. This introduces the Credit
Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk
that the mark-to-market value of derivatives will deteriorate because of a change in
counterparty creditworthiness. The financial institution asset value correlation (FI AVC) will
be amended to increase the RWAs for banks' exposures to large and/or unregulated financial
institutions.
Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low-risk
assets (such as cash or gilts) that banks must hold to offset forecast cash outflows during a
30-day stress period. Outflows are estimated based on the nature of the customer relationship
and the type of product.
Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. It seeks to
ensure that banks hold adequate capital against all their exposures, including those off
balance sheet, without applying any risk weightings.
Timing: Basel III requirements are being introduced from 2013, but some areas are still subject
to change and full compliance is not expected until 2019. The long lead-in is designed to
prevent sudden lending freezes as banks improve their balance sheets.
These measures aim to:
1. Improve the banking sector's ability to absorb shocks arising from financial and economic
stress, whatever the source
2. Improve risk management and governance
3. Strengthen banks' transparency and disclosures

CHAPTER 3 – EXPLORATION COMMENT ON ERM

3.1 - RISK MAPPING
Risk mapping is probably the most common tool used by companies to identify and
prioritize the risks associated with their business activities. It is a directional tool.

Fig.2 – Consolidated risk profile: a risk map that plots each risk by likelihood (Remote,
Possible, Likely, on the horizontal axis) against impact (vertical axis); the cells are rated
Manageable, Major or Critical as likelihood and impact increase.
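As a worked illustration of the risk map, the following is an added example written for this edition; it is not code from the term paper or from any of the sources it cites. It scores a small, constructed risk register (risk names taken from Table 6) on the three-step likelihood scale of Fig.2 and an assumed three-step impact scale, classifies each risk as Manageable, Major or Critical with an assumed rating matrix, ranks the register, and consolidates the result by operating unit as the risk summary in section 2.1.7 requires. The impact labels, the matrix, the units and the owners are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Likelihood scale from Fig.2; the impact labels are an assumption for this example.
LIKELIHOOD = {"Remote": 1, "Possible": 2, "Likely": 3}
IMPACT = {"Low": 1, "Moderate": 2, "High": 3}

# Assumed rating matrix, indexed RATING[likelihood][impact].
RATING = {
    1: {1: "Manageable", 2: "Manageable", 3: "Major"},
    2: {1: "Manageable", 2: "Major", 3: "Critical"},
    3: {1: "Major", 2: "Critical", 3: "Critical"},
}


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str                    # operating unit that carries the risk
    likelihood: str              # key of LIKELIHOOD
    impact: str                  # key of IMPACT
    owner: Optional[str] = None  # None models a "risk with no owner" (Table 2)


def rate(risk: Risk) -> str:
    """Look the risk up in the rating matrix; an unknown label raises KeyError."""
    return RATING[LIKELIHOOD[risk.likelihood]][IMPACT[risk.impact]]


def score(risk: Risk) -> int:
    """Numeric likelihood x impact score used to order risks within a rating."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-score(r), r.name))


def consolidated_profile(risks: List[Risk]) -> Dict[str, Counter]:
    """Count of Manageable/Major/Critical risks per operating unit (report item 1 in 2.1.7)."""
    profile: Dict[str, Counter] = {}
    for r in risks:
        profile.setdefault(r.unit, Counter())[rate(r)] += 1
    return profile


def unowned(risks: List[Risk]) -> List[str]:
    """Names of risks nobody has been assigned; ERM expects this list to be empty."""
    return [r.name for r in risks if r.owner is None]


# Constructed register for the example (names from Table 6; units and owners assumed).
REGISTER = [
    Risk("Disclosure of confidential information", "Information technology", "Likely", "High", "CIO"),
    Risk("Inability to recover from system loss", "Information technology", "Possible", "High", "CIO"),
    Risk("Laboratory safety", "Research", "Possible", "Moderate", "Dean of research"),
    Risk("Pandemic", "Hazard", "Remote", "High"),
    Risk("Increase in energy costs", "Facilities", "Likely", "Low", "Facilities director"),
    Risk("Equipment/facility malfunction", "Facilities", "Possible", "Low"),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{rate(r):10} {score(r)}  {r.unit:24} {r.name}")
    print(consolidated_profile(REGISTER))
    print("Risks without owners:", unowned(REGISTER))
```

The rating matrix is deliberately asymmetric: a remote but high-impact event (the pandemic row) lands in Major rather than Manageable, which is the point the section makes about low probability/high impact events, and the empty-owner check surfaces the "risks with no owners" weakness of Table 2 directly from the register.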

A RISK MODEL

Environment risk: competitor; customer wants; technological innovation; sensitivity;
shareholder expectations; capital availability; sovereign/political; legal; regulatory;
industry; financial matters; catastrophic loss.

Process risk
  Financial
    Price: interest rate; currency; equity; commodity; financial instrument
    Liquidity: cash flow; opportunity cost; concentration
    Credit: default; concentration; settlement; collateral
  Empowerment: leadership; authority/limit; outsourcing; performance incentives; change
  readiness; communications
  Information technology: integrity; access; availability; infrastructure
  Governance: organizational culture; ethical behavior; board effectiveness; succession planning
  Reputation: image and branding; stakeholder relations
  Integrity: management fraud; employee fraud; third party fraud; illegal acts; unauthorized use
  Operations: customer satisfaction; human resources; knowledge capital; product development;
  efficiency; capacity; scalability; performance gap; cycle time; sourcing; channel
  effectiveness; partnering; compliance; business interruption; product/service failure;
  environmental; health and safety; trademark/brand erosion

Information for decision making risk
  Strategic: environment scan; business model; business portfolio; investment
  valuation/evaluation; organization structure; measurement (strategy); resource allocation;
  planning; life cycle
  Public reporting: financial reporting evaluation; internal control evaluation; executive
  certification; taxation; pension fund; regulatory reporting
  Operational: budget and planning; product/service pricing; contract commitment; measurement
  (operations); alignment; accounting information

Table 7

A RISK DRIVERS MAP

Fig.3 – Risk drivers map for human resources risk (reconstructed from the figure; the arrows
linking drivers to outcomes are not recoverable):

External factors:
1. Competition for talent increases
2. Industry demand declines due to environmental protection issues
3. Fewer entrants into higher education programs
4. Market demand for company products significantly declines
5. Increased costs due to inflexible union rules
6. Higher costs of expatriates due to transfers
7. Loss of reputation due to poor financial results

Internal factors:
1. Company decides to restructure
2. Company expectations are unrealistic
3. Performance measurement and reward system is not aligned with performance expectations
4. Executive management is not perceived as committed
5. Career or succession plan is poorly defined
6. Teamwork contradicts acceptance of individual accountability
7. Compensation levels are not competitive
8. Hiring process: hiring practices lack background checks, so people are hired with dubious or
questionable histories

Resulting exposures:
1. Top and experienced performers conclude the company is not as attractive
2. Job security declines, resulting in good people leaving
3. Cost of retaining top and experienced performers increases
4. Loss of morale
5. High turnover occurs at remote locations

A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL
ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION

Fig.4 – Baseline oversight structure (reconstructed from the figure):
Board of Directors
  CEO
    Executive committee
      Risk management executive committee (chief risk officer, COO, CFO, CIO/CLO)
    Business units (business risk): Unit A, Unit B, Unit C
    Risk units: Unit A, Unit B, Program management
    Support units: Functional support, Shared services
    Assurance units: Internal audit, Risk management compliance, Legal and regulatory
    compliance

3.2 - THE CAPABILITY MATURITY MODEL
The Capability maturity model is a tool for assisting management in thinking more clearly
about questions such as:
1. How capable do we want our risk management to be?
2. Do we vary the rigor and robustness of our risk responses and related control
activities?
3. Do we rely on a few well – qualified individuals in an ad hoc manner and regularly
put out fires?
4. Do we improve our capabilities?
3.2.1 - SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT
(maturity states: Initial, Repeatable, Defined, Managed, Optimizing)

Business policies
  Initial: Procurement not addressed as a strategic opportunity, no direction or policies
  Repeatable: Occasional strategic focus on sourcing and informal policies
  Defined: Annual procurement plans, strategic sourcing for key commodities
  Managed: Increased execution of strategic sourcing
  Optimizing: Aligned strategic plans, defined and integrated policies and responsibilities

Business processes
  Initial: Purchases not leveraged, no strategic partnerships
  Repeatable: Occasional supply leverage, few strategic partnerships
  Defined: Defined processes, strategic partnerships in place
  Managed: Effective use of formal risk management techniques
  Optimizing: Integrated and effective procurement processes and continuous benchmarking

People and organizations
  Initial: No leadership and lack of qualified staff
  Repeatable: Some procurement professionals as staff, limited training
  Defined: Accounts payable centralized, training offered and special purpose teams
  Managed: Consolidated, leveraged supply base in place, trained commodity teams
  Optimizing: Ability to adapt to changing environments and customer demands, outsourcing of
  non-core competencies

Management reports
  Initial: Critical information not available and no internal auditing
  Repeatable: Key internal procurement information available, with audits occurring
  Defined: Key suppliers tracked, standard benchmarks and internal audits
  Managed: High quality procurement information, self assessment commonplace
  Optimizing: Fully developed, automated, consistent function and planning

Methodologies
  Initial: No models, reliance on people
  Repeatable: Simple models are used inconsistently
  Defined: Well-developed models available for decision making
  Managed: Sophisticated, robust models and tools
  Optimizing: Aligned strategic methodologies that emphasize continuous improvement

Systems and data
  Initial: Disparate, inefficient purchasing and accounts payable systems
  Repeatable: Suite of fairly effective systems, procedure manual
  Defined: Organization operates with contracts
  Managed: Procurement data warehouse in place and utilized, P-cards and automation
  Optimizing: Complete suite of systems across the supply chain for analysis

Table 8

3.2.2 - RISK MEASUREMENT TECHNIQUES AT EACH STATE OF CAPABILITY
MATURITY MODEL
Initial state: Simple and straightforward methodologies
1. Self - assessment techniques
2. Facilitated assessments
3. Risk indicator analysis
4. Position reports
5. Gap analyses
Repeatable state: Basic
1. Risk rating or scoring
2. Claims exposure and cost analysis
3. Sensitivity analysis
4. Deterministic stress testing
5. Parametric value at risk
6. Uncertainty measures
Defined state: Refined methodologies
1. Surrogate performance measures
2. Historical simulation value at risk
3. Scenario analysis
Managed state: Managed quantitatively and aggregated at the corporate level
1. Monte Carlo value at risk
2. Earnings at risk
3. Integrated measurement methodologies
4. Risk – adjusted performance measurement
Optimizing state: Organization is focused on continuous improvement. Risks are aggregated
and managed as a portfolio; the quantitative means to transfer and scrutinize risk are
developed.

3.2.3 - WAYS TO AGGREGATE MULTIPLE RISK MEASURES USING A
COMBINATION OF A RIGOROUS METHODOLOGY AND THE APPLICATION
OF JUDGMENT
1. Risk pooling - positively and negatively correlated
2. Risk appetite and risk tolerances
3. Hurdle rates - Discounted cash flow
4. At risk frameworks - Value at risk, earnings at risk, gross margin at risk and cash
flow at risk
5. Risk adjusted performance measurement - Risk adjusted return on capital
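The three value-at-risk methods named for the Repeatable, Defined and Managed states (section 3.2.2) and the correlated risk pooling of item 1 above are easier to compare on numbers. The following is an added example written for this edition, not code from the term paper or any of its sources. It assumes a constructed series of twenty daily returns on a 1,000,000 position (not real data), computes parametric, historical-simulation and Monte Carlo VaR at the 95 per cent level, checks the result against an assumed management limit of the kind the section 2.1.7 reports record as a breach, and pools two units' VaR figures under an assumed correlation matrix.

```python
import math
import random
import statistics
from typing import Sequence


def historical_var(returns: Sequence[float], confidence: float, position: float) -> float:
    """Historical-simulation VaR: the loss at the `confidence` quantile of observed losses."""
    losses = sorted(-r for r in returns)          # positive number = money lost
    n = len(losses)
    # ceil(c*n) - 1 picks the quantile; the 1e-9 guards against float rounding of c*n
    index = max(0, min(n - 1, math.ceil(confidence * n - 1e-9) - 1))
    return losses[index] * position


def parametric_var(returns: Sequence[float], confidence: float, position: float) -> float:
    """Variance-covariance VaR: assumes returns are normal with the sample mean and stdev."""
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    z = statistics.NormalDist().inv_cdf(confidence)
    return (z * sigma - mu) * position


def monte_carlo_var(returns: Sequence[float], confidence: float, position: float,
                    trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo VaR: simulate returns from the fitted normal, then read off the quantile."""
    rng = random.Random(seed)                     # seeded so the result is reproducible
    mu, sigma = statistics.mean(returns), statistics.stdev(returns)
    simulated = [rng.gauss(mu, sigma) for _ in range(trials)]
    return historical_var(simulated, confidence, position)


def breaches_limit(var_amount: float, limit: float) -> bool:
    """Limit check of the kind an operational risk report records as a breach."""
    return var_amount > limit


def aggregate_var(unit_vars: Sequence[float], corr: Sequence[Sequence[float]]) -> float:
    """Pool unit VaRs as sqrt(v^T C v): correlation 1 adds them, 0 diversifies, -1 offsets."""
    total = 0.0
    for i, vi in enumerate(unit_vars):
        for j, vj in enumerate(unit_vars):
            total += vi * corr[i][j] * vj
    return math.sqrt(total)


# Constructed sample: twenty daily returns on a single position (not real data).
RETURNS = [0.004, -0.012, 0.007, -0.003, 0.010, -0.021, 0.002, -0.006, 0.013, -0.009,
           0.001, -0.015, 0.006, -0.002, 0.008, -0.030, 0.003, -0.005, 0.009, -0.004]
POSITION = 1_000_000.0
CONFIDENCE = 0.95
VAR_LIMIT = 20_000.0                              # assumed management limit


if __name__ == "__main__":
    hist = historical_var(RETURNS, CONFIDENCE, POSITION)
    print(f"historical VaR  {hist:10.0f}  breach: {breaches_limit(hist, VAR_LIMIT)}")
    print(f"parametric VaR  {parametric_var(RETURNS, CONFIDENCE, POSITION):10.0f}")
    print(f"Monte Carlo VaR {monte_carlo_var(RETURNS, CONFIDENCE, POSITION):10.0f}")
    # Two units with VaR 30,000 and 40,000 under an assumed correlation of 0.3.
    print(f"pooled VaR      {aggregate_var([30_000, 40_000], [[1, 0.3], [0.3, 1]]):10.0f}")
```

On this sample the historical figure (21,000) sits above the parametric one (about 20,350) because the single -3 per cent day fattens the observed tail more than a fitted normal does; that gap between methods is exactly what the maturity model expects a Managed-state organization to see and explain, and the correlation matrix in the pooling step is the judgement call that item 1 above says cannot be avoided.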

3.2.4 - RISK MEASUREMENT CAPABILITIES ACHIEVE
1. More robust risk reporting
2. Greater investment confidence
3. Greater integration and alignment
4. Higher valuation
The most important contribution of ERM to improving business performance is to help managers
make better choices in protecting and enhancing enterprise value.
Shareholder value is a generally accepted measure of value and is therefore a useful context
for defining enterprise value. Economic value added (EVA) is one such measure.
The basic formula for calculating EVA is:
EVA = NOPAT less (capital employed x WACC)
NOPAT = Net operating profit after tax
WACC = Weighted average cost of capital, a rate which, applied to the capital employed, gives
the capital charge that is deducted from NOPAT

3.2.5 - APPLYING AN ERM PERSPECTIVE
Identify several opportunities for enhancing risk management processes to improve business
performance using the application of EVA
1. Create new opportunities
2. Improve performance
3. Harvest existing value
4. Adjust and align cost of capital

3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST
COMPANIES WITH IMPLEMENTING ERM
1. ERA – Enterprise risk assessment tools (decision support, survey and risk registers)
2. ORM – Operational risk management tools (qualitative and quantitative)
3. IA - Integrated compliance and risk management platform solutions

3.3.1 - PRIORITIZATIONS OF FUNCTIONALITY

Feature: COSO ERM component(s) -> Solution(s)
Entity definition and objectives: Internal environment, objective setting -> ERA, ERM, ORM
Risk identification: Event identification, risk assessment -> ERA, ERM, ORM
Framework support: Various -> ERA, ERM, ORM
Risk control and monitoring: Risk assessment, risk response, control activities -> ERM, ORM
Risk workflow scheduling and notification: Risk assessment, risk response, control activities,
monitoring -> ERM, ORM
Risk and audit issue tracking: Risk response, control activities, information and
communication, monitoring -> ERM, ORM
Data collection, event tracking: Information and communication, monitoring -> ORM
Risk and control self assessment: Risk assessment, risk response -> ERA, ERM, ORM
KPI definition and tracking: Risk response, control activities, information and communication,
monitoring -> ERM, ORM
Frequency and severity estimation and other statistical analyses: Risk assessment -> ORM
Exposure calculation: Risk assessment, risk response, information and communication,
monitoring -> ORM
Scenario analyses: Risk assessment, risk response, information and communication,
monitoring -> ORM
Capital calculation: Risk response, information and communication, monitoring -> ORM
RAROC analysis: Risk response, information and communication, monitoring -> ORM
VaR model: Risk assessment, risk response, information and communication, monitoring -> ERM
Internal reporting: Internal environment, information and communication, monitoring -> ERA,
ERM, ORM
Regulatory reporting: Internal environment, information and communication, monitoring -> ORM
Risk response: Risk response -> ERM
Compliance templates: Various -> ERM
Audit planning: Risk assessment, monitoring -> IA
Project management: Monitoring -> IA

Table 9
3.3.2 - CHARACTERISTICS OF SUCCESSFUL ERM SOFTWARE VENDORS:
1. In – depth RM knowledge
2. Ability to educate prospects and customers
3. Ability to execute and support
4. Professional services
5. Global presence
6. Firm’s overall size
7. Ability to leverage existing relationships to build technology
8. Operational and financial risk expertise

3.3.3 - ERM VS. QUALITY INITIATIVES
ERM is an enterprise level process that is integral to strategy setting. Quality initiatives
provide the methodology and tools to help organizations understand, measure and continuously
improve the efficiency and quality of their processes at a detailed level.

3.4– ADVANTAGES
3.4.1 - MANAGEMENT ALTERS AN ENTITY'S RISK CHARACTERISTICS BY
REDUCING:
1. The enterprise's net exposure
2. The variability of the enterprises expected returns caused by specific sources of
uncertainty (fluctuating currency rates)
3. The likelihood of financial distress in the event of realized changes in key variables
(changes in interest rates for highly leveraged company)
4. Other uncertainties in the attainment of expected returns

3.4.2 - ERM TO ESTABLISH A SUSTAINABLE COMPETITIVE ADVANTAGE
1. Integrate risk management with business planning and strategy setting
2. Implement more rigorous risk assessment process
3. Improve management of common risks across the enterprise
4. Improve capital deployment and resource allocation
5. Align the enterprise's risk taking with its core competencies
6. Seize opportunities through rational assumption of risk

3.5 - SUITABILITY
Key questions a business case must address

Fig.5

3.6 - LIMITATIONS
3.6.1 - VALUE IN USING QUALITATIVE INFORMATION WHEN ASSESSING
RISK
Some risks do not lend themselves to quantitative measurement because the related events
occur so infrequently and, if and when they do occur, they are subject to such a wide range
of possible outcomes in terms of severity that it is difficult if not impossible, to quantify
them.

3.6.2 - COMMON MISTAKES AND PITFALLS DURING RISK ASSESSMENT
PROCESS
1. Lack of clarification and common understanding of the meaning or definition of risk
2. Not including all stakeholders
3. Not considering or giving appropriate weight to knowledgeable positions
4. Setting unclear or unrealistic objectives

3.6.3 - THE PROBLEMS ERM PRACTITIONERS MAY FACE
The main difficulty comes when identifying, collecting, cleansing and analyzing data. Often
adding to this frustration is a lack of guidance on how to create an information
infrastructure to accomplish their goals. ERM practitioners also face the challenge of dealing
with cultural, organizational and political obstacles to data transformation efforts that seem
to be almost universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins,
2008).
ERM information systems face the same hurdles as other systems that have required changes in
procedures, processes or culture; there are many lessons to be learned from past
implementations of other large systems. Above all, patience and persistence are the keys to
implementation.

3.6.4 - DEMONSTRATION OF ERM'S USEFULNESS KEY TO WINNING OVER
MANAGEMENT

1. Risk managers should expect resistance from their managers.
2. Risk managers who are preparing to implement an enterprise risk management process should
be ready to mitigate opposition from middle and lower management.
3. To counter resistance, risk managers must address it before implementing the process.
4. Risk managers should demonstrate that ERM is a tool managers can use to improve unit
performance and promote their individual worth.
5. Risk managers also need a senior manager to co-champion ERM in addition to top management
support.
6. Unit managers perceive ERM as a spotlight that illuminates losses and potential risks, which
"doesn't paint them in a positive light".

Risk managers must adopt seven principles which will obtain and retain middle- and
lower-management support:
1. Simplify the ERM process, because "people don't do what they don't understand."
2. Communicate its purpose.
3. Provide training.
4. Personalize it to help managers achieve their objectives.
5. Demonstrate how it adds value to the managers' business operation.
6. Monitor performance.
7. Tie performance to compensation.

Of course, finding an individual whose expertise spans the full spectrum of enterprise wide
risks in a financial institution from loan quality and interest-rate mismatches to fraud and
natural disasters will be a significant challenge.

CONCLUSION

I have done an exploratory self-study about Enterprise Risk Management and would like to
conclude that it is a relatively new and vast topic and needs much time and expertise to
comprehend. In this study I did not obtain actual numbers and figures of any organization in
particular, and I have also not used any advanced statistical techniques. There are different
approaches and models to obtain optimal risk management, which need much more detailed
research and practical knowledge. Hence, I have not given any specific recommendations
regarding the implementation, application and use of ERM. But nevertheless it can be
understood that ERM is not just the simple sum of all risks facing an organization.

ERM thus becomes a means of shifting focus from crisis response and compliance to evaluating
the risks in business strategies proactively, to enhance investment decision making and
maximize stakeholder value. Enterprises, regardless of size, need both to protect themselves
from the adverse effects of risk and to exploit risk. ERM solutions need to be tailored to each
organization according to the factors affecting that enterprise. Risk exists all around us; you
can choose to use it or let it destroy you. The concept of ERM remains debatable in terms of
the time, cost and effectiveness it demands of an enterprise.

REFERENCES

https://web.ebscohost.com/ehost/detail
http://pwc.com/us/grc
http://www.pwc.com/us/en/issues/enterprise-risk-management/publications/guide-to-riskassessment-risk-management-from-pwc.jhtml
http://www.ucop.edu/enterprise-risk-management/
http://www.zurich.com/internet/main/sitecollectiondocuments/insight/risk-management-in-atime-of-global-uncertainty.pdf
http://www.zurich.com/insight/global-issues/hbr-study/
http://www.forbes.com/sites/tatianaserafin/2012/07/02/risky-business-managing-risk-in-avolatile-world/
http://www.forbes.com/forbesinsights/risk_management_2012/index.html
http://business.illinois.edu/~s-darcy/Fin321/2007/Readings/erm%20(conference%20board).pdf
mib.rbs.com/Basel-III

An assessment of risk management of small and medium scale enterprises in nig...Alexander Decker
 

Mais procurados (19)

Enterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceEnterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practice
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)Sharing Practice on Enterprise Risk Management (ERM)
Sharing Practice on Enterprise Risk Management (ERM)
 
Risk management
Risk managementRisk management
Risk management
 
How to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management FrameworkHow to Build an Enterprise Risk Management Framework
How to Build an Enterprise Risk Management Framework
 
Risk Management Frameworks
Risk Management FrameworksRisk Management Frameworks
Risk Management Frameworks
 
ERM-Enterprise Risk Management
ERM-Enterprise Risk ManagementERM-Enterprise Risk Management
ERM-Enterprise Risk Management
 
How to assess risk for a company
How to assess risk for a companyHow to assess risk for a company
How to assess risk for a company
 
Overview of Enterprise Risk Management (ERM)
Overview of Enterprise Risk Management (ERM)Overview of Enterprise Risk Management (ERM)
Overview of Enterprise Risk Management (ERM)
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Enterprise risk magazine - IRM India Affiliate
Enterprise risk magazine - IRM India Affiliate Enterprise risk magazine - IRM India Affiliate
Enterprise risk magazine - IRM India Affiliate
 
Erm indian-higher-education
Erm indian-higher-educationErm indian-higher-education
Erm indian-higher-education
 
Risk and Control Self Assessment - IRM India Affiliate
Risk and Control Self  Assessment - IRM India AffiliateRisk and Control Self  Assessment - IRM India Affiliate
Risk and Control Self Assessment - IRM India Affiliate
 
Incorporating Risk Management into BCP
Incorporating Risk Management into BCPIncorporating Risk Management into BCP
Incorporating Risk Management into BCP
 
Advanced Risk Management - Elsam Management Consultants
Advanced Risk Management - Elsam Management ConsultantsAdvanced Risk Management - Elsam Management Consultants
Advanced Risk Management - Elsam Management Consultants
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & erm
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...
 
A Board Perspective on Enterprise Risk Management
A Board Perspective on Enterprise Risk ManagementA Board Perspective on Enterprise Risk Management
A Board Perspective on Enterprise Risk Management
 
An assessment of risk management of small and medium scale enterprises in nig...
An assessment of risk management of small and medium scale enterprises in nig...An assessment of risk management of small and medium scale enterprises in nig...
An assessment of risk management of small and medium scale enterprises in nig...
 

Destaque

Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Preeya Selvarajah
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportDivya Kothari
 
Economic Function of Government
Economic Function of GovernmentEconomic Function of Government
Economic Function of GovernmentTimothy Smith
 
Studiu de caz:Curente literare si culturale
Studiu de caz:Curente literare si culturale Studiu de caz:Curente literare si culturale
Studiu de caz:Curente literare si culturale Oana Merfea
 
Introduction to Olympic Marketing
Introduction to Olympic MarketingIntroduction to Olympic Marketing
Introduction to Olympic MarketingAna ADI
 
Cultures and sub cultures
Cultures and sub culturesCultures and sub cultures
Cultures and sub culturesAamir Abbasi
 
Four types of motherboards
Four types of motherboardsFour types of motherboards
Four types of motherboardssiva muthu
 
What influences natural selection
What influences natural selectionWhat influences natural selection
What influences natural selectionAlice Herman
 
D day power point (1)
D day power point (1)D day power point (1)
D day power point (1)Kevin A
 
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!CultureAlley
 
Harga alat peraga laboratorium kimia smk dak tahun 2015
Harga alat peraga laboratorium kimia smk  dak tahun 2015Harga alat peraga laboratorium kimia smk  dak tahun 2015
Harga alat peraga laboratorium kimia smk dak tahun 2015Redis Manik
 
The future of Banking @ Social Media Week 2015
The future of Banking @ Social Media Week 2015The future of Banking @ Social Media Week 2015
The future of Banking @ Social Media Week 2015Lars Markull
 
Audit Risk Analysis of the Coca-Cola Company
Audit Risk Analysis of the Coca-Cola CompanyAudit Risk Analysis of the Coca-Cola Company
Audit Risk Analysis of the Coca-Cola CompanyLincoln Md Moniruzzaman
 
Economies Of Scope And Scale
Economies Of Scope And ScaleEconomies Of Scope And Scale
Economies Of Scope And Scalegaurav
 
Borrowing in the english language
Borrowing in the english languageBorrowing in the english language
Borrowing in the english languageSveta-Svets
 
Topography of Pakistan by Haider Salman
Topography of Pakistan by Haider SalmanTopography of Pakistan by Haider Salman
Topography of Pakistan by Haider SalmanM.Haider Salman
 

Destaque (20)

Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
Schneider Electric Scada Global Support Provides Troubleshooting and Technica...
 
JPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment ReportJPMorgan Chase & Co. -Risk Assessment Report
JPMorgan Chase & Co. -Risk Assessment Report
 
Makalah p2
Makalah p2Makalah p2
Makalah p2
 
Economic Function of Government
Economic Function of GovernmentEconomic Function of Government
Economic Function of Government
 
Studiu de caz:Curente literare si culturale
Studiu de caz:Curente literare si culturale Studiu de caz:Curente literare si culturale
Studiu de caz:Curente literare si culturale
 
Introduction to Olympic Marketing
Introduction to Olympic MarketingIntroduction to Olympic Marketing
Introduction to Olympic Marketing
 
Cultures and sub cultures
Cultures and sub culturesCultures and sub cultures
Cultures and sub cultures
 
Four types of motherboards
Four types of motherboardsFour types of motherboards
Four types of motherboards
 
What influences natural selection
What influences natural selectionWhat influences natural selection
What influences natural selection
 
D day power point (1)
D day power point (1)D day power point (1)
D day power point (1)
 
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!
Basic Mandarin Chinese | Lesson 12 | Learn to talk about various Occupations!
 
Harga alat peraga laboratorium kimia smk dak tahun 2015
Harga alat peraga laboratorium kimia smk  dak tahun 2015Harga alat peraga laboratorium kimia smk  dak tahun 2015
Harga alat peraga laboratorium kimia smk dak tahun 2015
 
The future of Banking @ Social Media Week 2015
The future of Banking @ Social Media Week 2015The future of Banking @ Social Media Week 2015
The future of Banking @ Social Media Week 2015
 
Forms of Digital Art
Forms of  Digital ArtForms of  Digital Art
Forms of Digital Art
 
Audit Risk Analysis of the Coca-Cola Company
Audit Risk Analysis of the Coca-Cola CompanyAudit Risk Analysis of the Coca-Cola Company
Audit Risk Analysis of the Coca-Cola Company
 
Economies Of Scope And Scale
Economies Of Scope And ScaleEconomies Of Scope And Scale
Economies Of Scope And Scale
 
Euphemism
EuphemismEuphemism
Euphemism
 
Borrowing in the english language
Borrowing in the english languageBorrowing in the english language
Borrowing in the english language
 
Topography of Pakistan by Haider Salman
Topography of Pakistan by Haider SalmanTopography of Pakistan by Haider Salman
Topography of Pakistan by Haider Salman
 
Fourier transform
Fourier transformFourier transform
Fourier transform
 

Semelhante a Enterprise Risk Management

An approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preetiAn approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preetiRama Warrier
 
Chartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk ManagementChartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk ManagementCA. (Dr.) Rajkumar Adukia
 
Testing value creation through erm maturity
Testing value creation through erm maturityTesting value creation through erm maturity
Testing value creation through erm maturityMbuthiac Mbuthiac
 
Enterprise Risk Management White Paper
Enterprise Risk Management White PaperEnterprise Risk Management White Paper
Enterprise Risk Management White PaperShadowlit Ndou Sidija
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfRobert Serena, FSA, CFA, CPCU
 
Enterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeEnterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeCareer Communications Group
 
Executive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management WebinarExecutive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management WebinarFERMA
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk ManagementAnu Damodaran
 
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_Haluk Ferden Gursel
 
Enterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakEnterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakYashavanth Nayak
 
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docxCHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docxketurahhazelhurst
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterDion K Hamilton
 
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_final
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_finalRole of Actuaries in ERM_17th GCA_Sonjai _Rajiv_final
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_finalSonjai Kumar, SIRM
 
Operational risk: the new frontier
Operational risk: the new frontierOperational risk: the new frontier
Operational risk: the new frontierMichel Rochette
 

Semelhante a Enterprise Risk Management (20)

An approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preetiAn approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preeti
 
Chartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk ManagementChartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk Management
 
Risk Management in Business
Risk Management in BusinessRisk Management in Business
Risk Management in Business
 
Testing value creation through erm maturity
Testing value creation through erm maturityTesting value creation through erm maturity
Testing value creation through erm maturity
 
Enterprise Risk Management White Paper
Enterprise Risk Management White PaperEnterprise Risk Management White Paper
Enterprise Risk Management White Paper
 
Risk Management Essay
Risk Management EssayRisk Management Essay
Risk Management Essay
 
Implementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdfImplementing an Enterprise Risk Management program (2022 updates).pdf
Implementing an Enterprise Risk Management program (2022 updates).pdf
 
Enterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation AgeEnterprise Risk Management for the Digital Transformation Age
Enterprise Risk Management for the Digital Transformation Age
 
Executive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management WebinarExecutive Summary on Leadership in Risk Management Webinar
Executive Summary on Leadership in Risk Management Webinar
 
51_operational_risk
51_operational_risk51_operational_risk
51_operational_risk
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
Dr haluk f gursel fraud examination rises to distinction article grcj 2010 1_v3_
 
CRO Insight
CRO InsightCRO Insight
CRO Insight
 
Enterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakEnterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G Nayak
 
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docxCHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
CHAPTER 34Turning Crisis into OpportunityBuilding an ERM.docx
 
Control Risks-ERM-whitepaper
Control Risks-ERM-whitepaperControl Risks-ERM-whitepaper
Control Risks-ERM-whitepaper
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
 
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_final
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_finalRole of Actuaries in ERM_17th GCA_Sonjai _Rajiv_final
Role of Actuaries in ERM_17th GCA_Sonjai _Rajiv_final
 
Operational risk: the new frontier
Operational risk: the new frontierOperational risk: the new frontier
Operational risk: the new frontier
 
Holistic risk management
Holistic risk managementHolistic risk management
Holistic risk management
 

Mais de Anu Damodaran

Being an entrepreneur
Being an entrepreneurBeing an entrepreneur
Being an entrepreneurAnu Damodaran
 
India’s position – corruption and bribery
India’s position – corruption and briberyIndia’s position – corruption and bribery
India’s position – corruption and briberyAnu Damodaran
 
The demography vortex
The demography vortexThe demography vortex
The demography vortexAnu Damodaran
 
Is customer the "King" in India?
Is customer the "King" in India?Is customer the "King" in India?
Is customer the "King" in India?Anu Damodaran
 
A spa project evaluation
A spa project evaluationA spa project evaluation
A spa project evaluationAnu Damodaran
 
Ikea advertising strategies
Ikea advertising strategiesIkea advertising strategies
Ikea advertising strategiesAnu Damodaran
 
Impact of culture on international marketing
Impact of culture on international marketingImpact of culture on international marketing
Impact of culture on international marketingAnu Damodaran
 
A case study of leading fire and safety manufacturing company in u.a.e
A case study of leading fire and safety manufacturing company in u.a.e A case study of leading fire and safety manufacturing company in u.a.e
A case study of leading fire and safety manufacturing company in u.a.e Anu Damodaran
 
Issues in foreign investment
Issues in foreign investment Issues in foreign investment
Issues in foreign investment Anu Damodaran
 
Luxury Retail in UAE
Luxury Retail in UAELuxury Retail in UAE
Luxury Retail in UAEAnu Damodaran
 
Descriptive Analysis of Inflation and Unemployment in Indian Econonmy
Descriptive Analysis of Inflation and Unemployment in Indian EcononmyDescriptive Analysis of Inflation and Unemployment in Indian Econonmy
Descriptive Analysis of Inflation and Unemployment in Indian EcononmyAnu Damodaran
 
Information Technology for Managers - Basics
Information Technology for Managers - BasicsInformation Technology for Managers - Basics
Information Technology for Managers - BasicsAnu Damodaran
 
Learning Organizations
Learning OrganizationsLearning Organizations
Learning OrganizationsAnu Damodaran
 
Sources of Long term Finance
Sources of Long term FinanceSources of Long term Finance
Sources of Long term FinanceAnu Damodaran
 

Mais de Anu Damodaran (20)

Being an entrepreneur
Being an entrepreneurBeing an entrepreneur
Being an entrepreneur
 
India’s position – corruption and bribery
India’s position – corruption and briberyIndia’s position – corruption and bribery
India’s position – corruption and bribery
 
The demography vortex
The demography vortexThe demography vortex
The demography vortex
 
Is customer the "King" in India?
Is customer the "King" in India?Is customer the "King" in India?
Is customer the "King" in India?
 
Mango drinks
Mango drinksMango drinks
Mango drinks
 
A spa project evaluation
A spa project evaluationA spa project evaluation
A spa project evaluation
 
Arthur ‘ d little
Arthur ‘ d littleArthur ‘ d little
Arthur ‘ d little
 
Ikea advertising strategies
Ikea advertising strategiesIkea advertising strategies
Ikea advertising strategies
 
Impact of culture on international marketing
Impact of culture on international marketingImpact of culture on international marketing
Impact of culture on international marketing
 
Multiculturalism
MulticulturalismMulticulturalism
Multiculturalism
 
A case study of leading fire and safety manufacturing company in u.a.e
A case study of leading fire and safety manufacturing company in u.a.e A case study of leading fire and safety manufacturing company in u.a.e
A case study of leading fire and safety manufacturing company in u.a.e
 
Sales management
Sales managementSales management
Sales management
 
Issues in foreign investment
Issues in foreign investment Issues in foreign investment
Issues in foreign investment
 
Luxury Retail in UAE
Luxury Retail in UAELuxury Retail in UAE
Luxury Retail in UAE
 
Descriptive Analysis of Inflation and Unemployment in Indian Econonmy
Descriptive Analysis of Inflation and Unemployment in Indian EcononmyDescriptive Analysis of Inflation and Unemployment in Indian Econonmy
Descriptive Analysis of Inflation and Unemployment in Indian Econonmy
 
CSR
CSRCSR
CSR
 
Information Technology for Managers - Basics
Information Technology for Managers - BasicsInformation Technology for Managers - Basics
Information Technology for Managers - Basics
 
Ratio analysis
Ratio analysisRatio analysis
Ratio analysis
 
Learning Organizations
Learning OrganizationsLearning Organizations
Learning Organizations
 
Sources of Long term Finance
Sources of Long term FinanceSources of Long term Finance
Sources of Long term Finance
 

Último

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 

Último (20)

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Buy gmail accounts.pdf Buy Old Gmail Accounts

Enterprise Risk Management

TABLE OF CONTENTS

TOPIC – PAGE NO

EXECUTIVE SUMMARY – 7
OBJECTIVE – 8
CHAPTER 1 – INTRODUCTION – 9
1.1 – BACKGROUND – 10
1.2 – RELATED INFORMATION – 11
1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT – 13
1.4 – RELEVANCE OF ERM – 13
1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE – 14
1.6 – WHAT IF THERE IS NO ERM – 14
CHAPTER 2 – REVIEW OF LITERATURE – 15
2.1 – DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT – 16
2.2 – INDUSTRY SPECIFIC EXAMPLES – 26
2.3 – HEALTH CARE ORGANIZATION – 30
2.4 – AEROSPACE SUPPLIER – 31
2.5 – INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III) – 32
CHAPTER 3 – EXPLORATION COMMENT ON ERM – 33
3.1 – RISK MAPPING – 33
3.2 – THE CAPABILITY MATURITY MODEL – 37
3.3 – RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM – 40
3.4 – ADVANTAGES – 42
3.5 – SUITABILITY – 44
3.6 – LIMITATIONS – 45
CONCLUSION – 47
REFERENCES – 48

TABLE OF TABLES

TABLE NAME – PAGE NO

Table 1 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT – 23
Table 2 – TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES – 23
Table 3 – EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT – 26
Table 4 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION – 27
Table 5 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION – 28
Table 6 – LIST OF RISKS SEPARATED BY CATEGORY – 29
Table 7 – A RISK MODEL – 34
Table 8 – SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK – 37
Table 9 – PRIORITIZATIONS OF FUNCTIONALITY – 41

TABLE OF FIGURES

FIGURE NAME – PAGE NO

Fig.1 – THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK – 13
Fig.2 – CONSOLIDATED RISK PROFILE – 33
Fig.3 – A RISK DRIVERS MAP – 35
Fig.4 – A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION – 36
Fig.5 – KEY QUESTIONS A BUSINESS CASE MUST ADDRESS – 44
EXECUTIVE SUMMARY

• Enterprise Risk Management (ERM) is a strategy organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront.

• ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

• ERM has given rise to a question: who should head the risk management process, internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

• Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a per-project basis.

• ERM also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.

• To extract risk data, many organizations use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer then can "drill down" to see the reasons and make more informed decisions.

• Overall responsibility for enterprise risk is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

• ERM can help CPAs (Certified Public Accountants) determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.

• By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database the chief risk officer or executive risk committee can monitor. This will make it easier to identify exception risks extending beyond the company's tolerance or threshold levels.

OBJECTIVE

To understand what Enterprise Risk Management is, why it is important for any business and how it can be measured.

To know whether, by measuring and managing risks consistently and systematically, a company can strengthen its ability to carry out its strategic plan.

To understand the methods and tools used by firms to manage enterprise risk.

To study the processes and challenges in implementing Enterprise Risk Management and to identify how much risk can be retained and how much should be laid off.
CHAPTER 1 – INTRODUCTION

Enterprise Risk Management (ERM) is a data intensive process that measures all of a company's risks. It is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization.

Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem to be greater than ever. Examples:

1. Globalization has increased exposure to international events
2. The need for increased and escalated efficiency, innovation and differentiation
3. The cost of strategic error is rising in the global marketplace
4. Understanding and responding to customer wants in this demanding era of increasingly focused niche markets
5. Outsourcing raises questions about clarifying the retention and transfer of risk
6. The unthinkable can happen
7. Due to highly publicized public fiascos and high demands on certifying officers, financial reporting is now a significant risk area as companies focus on the sustainability of their disclosure process and internal control structure

At most institutions today, the responsibility for enterprise risk management ultimately falls to the chief executive officer, since many of the senior people in the company who manage risk on a day-to-day basis already report to him or her, including the CFO and chief lending or credit officer. But institutions need to consider appointing a chief risk officer and forming a management-level risk committee. The risk management function should be as independent as possible. However, true independence would require the use of parallel structures where one team of individuals would be responsible for a business unit like small business banking or an activity like regulatory compliance, while a separate team of individuals would be focused solely on managing risk. "To be successful, the business units must view the risk management function as a partner and a facilitator, rather than being in charge of saying no. There is a danger, if ERM looks interchangeable with internal audit, that the business units will view it as either an impediment or redundant, but one size does not fit all."

1.1 – BACKGROUND

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Risk management itself has been practiced for thousands of years. One can imagine a risk manager burning a fire at night to keep wild animals away. Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance, by shifting it to an insurer.

Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management. They enumerated the following steps for the risk management process:

• Identifying loss exposures
• Measuring loss exposures
• Evaluating the different methods for handling risk:
  – Risk assumption
  – Risk transfer
  – Risk reduction
• Selecting a method
• Monitoring results

Initially, the risk management process focused on what has been termed "pure risks". Pure risks are those in which there is either a loss or no loss. A typical example of a pure risk is that your house may burn down or be hit by an earthquake. If neither of these occurs, then you are in the no-loss position.

Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades. Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was that risk managers had built a wall around their specialty, called pure risk, within which they operated. Thus, the expansion of risk management into other areas of risk was simply delayed by a number of decades.

1.2 – RELATED INFORMATION

The US Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines Enterprise Risk Management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

COSO divides the ERM process into eight components:

1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). Established in the United States, it is dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

1.2.1 - ENTERPRISE RISK MANAGEMENT — INTEGRATED FRAMEWORK

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management. High-profile business scandals and failures (e.g. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) led to calls for enhanced corporate governance and risk management. As a result, the Sarbanes-Oxley Act was enacted. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems.

In 2004 COSO published Enterprise Risk Management - Integrated Framework. COSO believes this framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.

Four categories of business objectives:

• Strategic: high-level goals, aligned with and supporting its mission
• Operations: effective and efficient use of its resources
• Reporting: reliability of reporting
• Compliance: compliance with applicable laws and regulations

[Fig.1 – The COSO Enterprise Risk Management Framework (figure not reproduced in the transcript)]

1.3 – SCOPE OF ENTERPRISE RISK MANAGEMENT

The scope of ERM is much broader than protecting physical and financial assets. With an ERM approach, the scope of risk management is enterprise wide, and the application of risk management is targeted at enhancing as well as protecting the unique combination of tangible and intangible assets comprising the organization's business model.

1.4 – RELEVANCE OF ERM

1. Reduce unacceptable performance variability
2. Align and integrate varying views of risk management
3. Build confidence of the investment community and stakeholders
4. Enhance corporate governance
5. Successfully respond to a changing business environment
6. Align strategy and corporate culture

1.5 – VALUE PROPOSITION FOR IMPLEMENTING ERM: PROTECT AND ENHANCE ENTERPRISE VALUE

1. Optimize risk management cost
2. Improve business performance
3. Establish competitive advantage

1.6 – WHAT IF THERE IS NO ERM

ERM doesn't guarantee the success of a business. It provides better information to managers and a more robust process for them to deploy, but does not necessarily transform a poor manager into a good manager. All organizations face business risk, regardless of size. Organizations ignore risk at their own peril. No organization can afford to stand pat with its existing risk management capabilities; therefore, every organization should evaluate how it can improve its risk management.
CHAPTER 2 – REVIEW OF LITERATURE

Although many companies have used ERM over the last decade, the economic downturn of 2008 showed that some companies had not done well when it came to managing their risks (Korolov, 2009; McDonald, 2009). In some of these situations it is entirely possible that corporate executives were not taking newly developed models of risk analysis as seriously as they should have (Lenckus, 2009). However, the attention paid to risk analysis and the ERM concept is changing as more and more companies attempt to recover from the downturn and better plan for the future (Hofmann, 2009). There is also a growing advocacy base for using ERM to help manage companies through all phases of business cycles (Van der Stede, 2009).

After Enron, WorldCom, Tyco, and other large businesses failed, the United States Congress passed the 2002 Sarbanes-Oxley Act. Sarbanes-Oxley addressed risks related to financial reporting issues. Sections 302 and 404 of the act have spurred considerable interest in ERM. Section 302 mandates disclosure controls and procedures so that companies could disclose developments and risks of the business, and section 404 requires an assessment of the effectiveness of internal control over financial reporting (Barton, Shenkir & Walker, 2009). The United States Securities and Exchange Commission (SEC) has also implemented requirements for publicly traded companies to disclose risk factors in section 1A of their 10-Ks. The SEC and the Public Company Accounting Oversight Board (PCAOB) also developed Section 404 guidance that supports top-down risk assessment and holds boards of directors more accountable for oversight of company operations (Stein, 2005; Barton, Shenkir & Walker, 2009).

The types of risks that companies face:

1. External risk is the risk of events that may strike organizations or individuals unexpectedly (from the outside) but that happen regularly enough and often enough to be generally predictable.
2. Manufactured risk is a result of the use of technologies or even business practices that an organization chooses to adopt.
3. A technological risk is caused or created by technologies; examples include trains wrecking, bridges falling, and planes crashing (Giddens, 1999).
4. Business practice risk is caused or created by actions which the company takes, which could include investing, purchasing, sales, or financing customer purchases.

2.1 - DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT

Risk is defined as "the possibility that an event will occur and adversely affect the achievement of objectives."

Risk assessment is a systematic process for identifying and evaluating events (i.e. possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, and competition) and within an organization's internal environment (e.g., people, process, and infrastructure). Risk assessments can be mandated by regulatory demands; for example, anti-money laundering, Basel III, and Sarbanes-Oxley compliance all require formalized risk assessment, and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Risk assessments can also be driven by an organization's own goals, such as business development, talent retention, and operational efficiency.

Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective, and should be weighed using the same unit of measure applied to the related objective.

Risk appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value.
An event and a risk are related concepts. Events can have either a negative or a positive impact. An event with a negative impact represents a risk, whereas an event with a positive impact represents an opportunity.

2.1.1 - THE PROCESS

The ERM process begins with risk identification. This creative, wide-open process may have a tendency to produce a large and unwieldy list. To keep things organized, a computerized risk register is often recommended. Once a list has been created and organized, the cause and effect of each item should be considered and the appropriate experts consulted.

Each risk should be assessed to separate minor risks from more serious risks and should be assigned a score. For example, a number from one to ten can be determined for each of the two dimensions: probability and severity. A zero score may mean a risk almost never happens or is of trivial consequence. On the other hand, a score of ten may mean that a particular risk almost always happens or carries potentially catastrophic consequences. These scores can then be multiplied together to generate a final risk score that can be used to communicate the magnitude of impact posed by a risk and the urgency required. The scores, along with a detailed description and evaluation, can be placed in a risk register. That risk register creates a record on which to base future action and strategy.

Participation of stakeholders is critical to the success of an ERM program, and good communication is important to maintaining interest in the program. Unless an initiative has the support of top management and the CEO, it would be very difficult to get a program off the ground. It may be difficult for separate units to effectively communicate with one another. Accordingly, a company that wishes to implement ERM may consider defining a common risk language or glossary and implementing a risk ranking system to prioritize risk both within and across departments.

To address implementation issues related to responsibility, a company may establish a risk committee or chief risk officer to coordinate the activities across functional areas and assign ownership for particular risks and responses.
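The scoring and register steps described above, as an added Python example that is not part of the term paper: each risk is scored as probability × severity on the one-to-ten scales, exceptions above a tolerance threshold are flagged with the "traffic-light" bands mentioned in the executive summary, risks with no owner are listed, and the register is rolled up by operating unit as the risk management report in 2.1.7 calls for. The band thresholds, the tolerance value and the sample risks are assumptions constructed for this example.

```python
# Added illustration of the risk register and scoring process (not code from
# the term paper). Thresholds and the sample risks below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    unit: str                    # operating unit, used for the portfolio view
    probability: int             # 1 = almost never happens, 10 = almost always
    severity: int                # 1 = trivial consequence, 10 = catastrophic
    owner: Optional[str] = None  # None means nobody has been assigned this risk

    def __post_init__(self) -> None:
        # Reject scores outside the one-to-ten scale so the register stays comparable.
        for name in ("probability", "severity"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.risk_id}: {name} must be an integer from 1 to 10")

    @property
    def score(self) -> int:
        # Probability and severity are multiplied into one score (1..100).
        return self.probability * self.severity


# Assumed traffic-light bands: up to 25 green, up to 60 amber, above that red.
GREEN_MAX = 25
AMBER_MAX = 60


def traffic_light(score: int) -> str:
    """Map a risk score onto the red/amber/green bands."""
    if score <= GREEN_MAX:
        return "green"
    if score <= AMBER_MAX:
        return "amber"
    return "red"


def exceptions(register, tolerance: int):
    """Risks whose score exceeds the tolerance threshold, highest score first."""
    return sorted((r for r in register if r.score > tolerance),
                  key=lambda r: r.score, reverse=True)


def unowned(register):
    """Risks with no owner: the gap that assigning risk ownership is meant to close."""
    return [r for r in register if r.owner is None]


def portfolio_view(register):
    """Per operating unit: number of risks, highest score, and count of red risks."""
    view = defaultdict(lambda: {"count": 0, "max_score": 0, "red": 0})
    for r in register:
        entry = view[r.unit]
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], r.score)
        if traffic_light(r.score) == "red":
            entry["red"] += 1
    return dict(view)


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("R1", "Key supplier fails to deliver", "Operations", 8, 9, "COO"),
    Risk("R2", "Interest rate moves beyond hedged range", "Treasury", 4, 5, "CFO"),
    Risk("R3", "Customer data breach", "IT", 3, 9, None),
    Risk("R4", "Misstatement in quarterly financial report", "Finance", 2, 8, "Controller"),
    Risk("R5", "Loss of accreditation", "Compliance", 1, 10, None),
]

if __name__ == "__main__":
    # Exception report: only risks beyond the (assumed) tolerance of 20 are shown.
    for r in exceptions(SAMPLE_REGISTER, tolerance=20):
        print(f"{r.risk_id} {r.score:3d} {traffic_light(r.score):5s} {r.description}")
    print("Unowned:", [r.risk_id for r in unowned(SAMPLE_REGISTER)])
    print(portfolio_view(SAMPLE_REGISTER))
```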
2.1.2 - RISK ASSESSMENT CAN BE CONDUCTED AT VARIOUS LEVELS OF THE ORGANIZATION

Frequently performed risk assessments include:

Strategic risk assessment – Evaluation of risks relating to the organization's mission and strategic objectives, typically performed by senior management teams in strategic planning meetings, with varying degrees of formality.

Operational risk assessment – Evaluation of the risk of loss (including risks to financial performance and condition) resulting from inadequate or failed internal processes, people, and systems, or from external events.

Compliance risk assessment – Evaluation of risk factors relative to the organization's compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed.

Internal audit risk assessment – Evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to shareholder value as a basis to define the audit plan and monitor key risks.

Financial statement risk assessment – Evaluation of risks related to a material misstatement of the organization's financial statements through input from various parties such as the controller, internal audit, and operations.

Fraud risk assessment – Evaluation of potential instances of fraud. This is typically performed as part of Sarbanes-Oxley compliance or during a broader organization-wide risk assessment, and involves subject matter experts from key business functions where fraud could occur (e.g., procurement, accounting, and sales) as well as forensic specialists.

Market risk assessment – Evaluation of market movements that could affect the organization's performance or risk exposure, considering interest rate risk, currency risk, option risk, and commodity risk. This is typically performed by market risk specialists.

Credit risk assessment – Evaluation of the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms.

Customer risk assessment – Evaluation of the risk profile of customers that could potentially impact the organization's reputation and financial position. This assessment weighs the customer's intent, creditworthiness, affiliations, and other relevant factors.

Supply chain risk assessment – Evaluation of the risks associated with identifying the inputs and logistics needed to support the creation of products and services, including selection and management of suppliers (e.g., up-front due diligence to qualify the supplier, and ongoing quality assurance reviews to assess any changes that could impact the achievement of the organization's business objectives).

Product risk assessment – Evaluation of the risk factors associated with an organization's product, from design and development through manufacturing, distribution, use, and disposal. This assessment aims to understand not only the revenue or cost impact, but also the impact on the brand, interrelationships with other products, dependency on third parties, and other relevant factors.

Security risk assessment – Evaluation of potential breaches in an organization's physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization's information security function.

Information technology risk assessment – Evaluation of the potential for technology system failures and the organization's return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cybercrime.

Project risk assessment – Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations.
Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends upon priorities and objectives. For risk assessments to yield meaningful results, certain key principles must be considered. They are:

1. Begin and end with specific business objectives that are anchored in key value drivers.
2. Governance over the risk assessment process must be clearly established.
3. Risk rating scales are defined in relation to the organization's objectives in scope.
4. Capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize.
5. Management forms a portfolio view of risks to support decision making.
6. Management interprets the results of the risk assessment process to set a foundation for establishing an effective enterprise risk management (ERM) program.
7. Determine risk tolerance.
8. Risk appetite must be clearly defined and reflected in risk tolerances and risk limits to help ensure that organizational objectives can be achieved.

2.1.3 - COMMON CHALLENGES TO EFFECTIVE RISK ASSESSMENT

• Risk assessment is viewed as an episodic initiative providing limited value.
  – The owner of a risk assessment must clearly communicate its purpose, process, and expected benefits.
  – The right parties must be engaged to ensure relevant input, informed assessment, and meaningful and actionable results.
  – The assessment must be a repeatable process that integrates into regular business practices, adapts to change, and delivers more than one-time value.

• The amount of information and data gathered is difficult to interpret and use.
  – Failure to effectively organize and manage the volume and quality of assessment data makes interpreting that data a challenge.
  – Tools, templates, and guidance are necessary to ensure consistency in data capture, assessment, and reporting.

• Results of the risk assessment are not acted upon.
  – Lack of an effective risk assessment process and defined risk tolerance could result in an organization over-controlling a risk, which could place an excessive cost burden on the organization and/or stifle its ability to seize opportunities.

• Risk assessments become stale, providing the same results every time.
  – Without refreshing their data capture, process, and reporting from time to time, risk assessments may lose relevance.
  – Breakdowns may occur without triggering key risk indicators to management.

• Risk assessment is added onto day-to-day responsibilities without being integrated into business processes.

• Too many different risk assessments are performed across the organization.

• Risk assessment will not prevent the next big failure.
  – Risk assessments need to invoke the right subject matter experts and consider not only past experience but also forward-looking analysis.

2.1.4 – FORMS OF RISK ASSESSMENTS

Qualitative assessments are the most basic form of risk assessment, categorizing potential risks based on either nominal or ordinal scales. External validation should be obtained to guard against potential management biases.

Rigorous quantitative techniques, ranging from benchmarking to probabilistic and non-probabilistic modeling, can be used for assessing risk as more data becomes available through tracking of internal events (e.g., transaction errors, customer complaints, litigation) and external events (e.g., loss events recorded by peer organizations and made available through subscription to services such as the ORX or Fitch First databases). Such data enables greater analysis of potential risk exposures, development of relevant indicators that can be tracked regularly, and more rapid and efficient responses to risk situations. Risk categories, loss-event data, and key risk indicators are often refined through iterative efforts to support issue and trend analysis.

Analysis is often enriched by various modeling techniques using assumptions regarding distributions. Probabilistic models (e.g., "at-risk" models, assessment of loss events, back testing) measure both the likelihood and impact of events, whereas non-probabilistic models (e.g., sensitivity analysis, scenario analysis, stress testing) measure only the impact and require separate measurement of likelihood using other techniques. Non-probabilistic models are relied upon when available data is limited. Both types of models are based on assumptions regarding how potential risks will play out.

The more mature risk assessment processes yield quantitative results that can be used to allocate capital based on risk, as required by regulation in certain industries (e.g., Basel II or III for the financial services industry). For organizations in industries not subject to such requirements, the best approach should be determined based on a cost/benefit analysis of the process for enabling timely and relevant discussion of risks, monitoring predictive indicators, escalating information on increased risk exposures, and making risk-informed decisions in an integrated manner.
2.1.5 – DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT

Table 1

             | RM                                       | BRM                                      | ERM
Focus        | Finance, hazard, internal controls       | Business, internal controls              | Business, internal controls, taking an entity-level portfolio view of risk
Objective    | Protect enterprise value                 | Protect enterprise value                 | Protect and enhance enterprise value
Scope        | Treasury, insurance and operations       | Business managers                        | Across the enterprise, at every level and unit
Emphasis     | Finance and operations                   | Management                               | Strategy-setting
Application  | Selected risk areas, units and processes | Selected risk areas, units and processes | Enterprise wide, to all sources of value
Vision       | "Current state"                          | Capabilities                             | "Future state"

2.1.5. A - TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES

Table 2

Traditional RM                       | ERM
Risk as individual hazards           | Risk in the context of business strategy
Risk identification and assessment   | Risk portfolio development
Focus on discrete risks              | Focus on critical risks
Risk mitigation                      | Risk optimization
Risk limits                          | Risk strategy
Risks with no owners                 | Defined risk responsibilities
Haphazard risk quantification        | Monitoring and measuring of risks
"Risk is not my responsibility"      | "Risk is everyone's responsibility"
  • 24. 2.1.6 - APPLICATION OF ERM ACROSS INDUSTRIES The nature of the industry will drive the value of the risks and the risk management practices the organization adopts to manage those risks. For example, a bank will focus on managing market and credit risk to a greater extent than other institutions because the assumption of those risks is the essence of its business model. A pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. Regardless of the industry the components of the framework as defined by COSO still apply. 2.1.7 – RISK MANAGEMENT REPORT These reports serve the purpose of providing information for decision making to executive management. 1. A summary of the enterprise’s risks, broken down by operating unit, geographic location, product group. 2. A summary of existing gaps in the capabilities for managing the priority risks. 3. A summary of the top and worst performing investments and reasons why? 4. From an “environment scan” process or early warning system, a report of emerging issues or risks that warrant immediate attention. 5. Value at risk reports to assess the sensitivity of existing portfolio positions to market rate changes beyond specified limits and consider the exposure of earnings or cash flow to severe losses. 6. Summary of scenario analyses evaluating the impact of changes in other key variables beyond management’s control (e.g. inflation, weather, competitor acts and supplier performance levels) on earnings, cash flow, capital and the business plans. 7. Operational risk reports summarizing exceptions that have occurred versus policies or established limits (i.e. limit breaches), including any significant breakdowns, errors, accidents, incidents, losses (as well as lost opportunities) or “close calls” and “near misses” Page 24 of 48
8. Specific studies or targeted analyses to evaluate questions about specific events or anticipated concerns that could "stop the show".
9. Summary of significant findings of business process audits performed by internal audit or reviews conducted by other independent parties such as the organization's regulators.
10. Summary of the status of the improvement initiatives.

Good governance facilitates implementation of ERM because ERM is built on transparency. Conversely, an effectively functioning ERM infrastructure would provide greater confidence to the board and to executive management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprise-wide basis.

2.1.8 - INTERNAL AUDIT

The Institute of Internal Auditors (IIA) regards internal auditing as an independent, objective assurance and consulting function, while objective reporting is the primary value of an auditor from outside the company. Accordingly, the IIA identifies suitable activities for the internal auditor in the ERM process. This is accomplished by advising upon the accuracy of the company's risk evaluation, evaluating the ERM processes and the method employed for reporting those risks, and reviewing the management of risk. The IIA considers activities such as facilitating, coaching, coordinating, educating, integrating, evaluating and developing an ERM framework as appropriate activities for internal auditors. However, the IIA considers setting risk appetite, imposing the ERM process, decision-making or implementation of risk responses as roles an internal auditor should not undertake.
2.1.9 – EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT

Method | Description
  Interviews | Individual stakeholder interviews to identify potential events and prioritize associated risks
  Online surveys | Consisting of either a checklist of events or risks or an open-ended request
  Paper surveys | Hard copy survey consisting of either a checklist of events or risks or an open-ended request
  Document review | Review of existing public documents, regulatory reviews, audit reports, special purpose studies and other materials
  Facilitated workshops | An in-person or online workshop attended by key stakeholders
  Targeted reviews | Special studies to evaluate questions about specific events or anticipated concerns, or targeted analyses
Table 3

Any combination of these options is appropriate.

2.2 – INDUSTRY SPECIFIC EXAMPLES

2.2.1 – COMPONENTS FRAMEWORK OF A HIGHER EDUCATION SPECIFIC ERM

Internal environment – the organization's code of conduct, management's leadership, communication and decision making style. Training should begin at the level of academic deans, department heads, business managers and administrators.
Objective setting – suppose the institution wants to build a new science and technology block. The proposal should consider the return on investment risk in qualitative and quantitative terms.
Event identification – requires the institution to identify activities that may impact its ability to achieve objectives.
Risk assessment and risk response – low probability/high impact events or high probability/high impact situations.
Control and monitoring activities – adherence to policies and procedures that reduce risk, and follow-up activity which ensures that the policies and procedures have been carried out as intended.
Information and communication – administrators and other members of the campus need to have access to accurate information that is communicated widely.

2.2.2 - WHY IS ERM RELEVANT IN THE HIGHER EDUCATION ENVIRONMENT?

The higher education system operates in an inherently risky environment. By strategically managing risk, institutions can reduce the chance of loss, create greater financial stability and protect their resources so that they can support the university's mission of supporting teaching, research and public service.

2.2.3 – STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION

Risk driver | Stakeholders
  Emerging educational delivery systems | Students, faculty, executive management, staff, accrediting agencies
  Inability of governance processes to support strategic objectives | Trustees, executive management, faculty
  Increasing opportunities to leverage intellectual capital | Executive management, faculty
  Excess physical capacity | Trustees, executive management, donors
  Quality of academic program | Students, faculty, executive management
  Increasing customer expectations (e.g. financial aid, student life, access, capacity) | Students, parents
Table 4
2.2.4 – OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION

Risk driver | Stakeholders
  New technologies | Trustees, executive management, staff (for selected issues)
  Reimbursement and financial issues | Dean, faculty, regulators, trustees
  Increased regulatory scrutiny and accountability | Trustees, executive management, internal audit, public
  Research and intellectual property | Executive management, research
  Human resource management | HRM, unions, staff
  Decentralized responsibility | Staff, faculty, auditors
  Security, internet access, electronic records | Students, executive management, faculty, staff
  New construction | Real estate office, executive management, donors
  New business creation (international operations) | Staff, faculty
  Increased competition | Trustees, executive management, faculty
  Student behavior and community | Alumni, parents, students, faculty, president
  Contracting and related processes | Attorneys and executive management
  Endowment management | Trustees, staff, alumni, other donors
Table 5
2.2.5 - LIST OF RISKS SEPARATED BY CATEGORY

Hazard risks
  Domestic terrorism; catastrophic natural events; pandemic; laboratory safety; facilities and grounds safety
Financial risks
  Conflicts of interest in financial transactions and agreements; budget impairment; ineffective service center and auxiliary management; non-compliant cost transfers; insufficient oversight over third party vendors; improper governmental activities including fraud, embezzlement or misuse of university resources
Information technology risks
  Unauthorized modification of data; decentralization of systems leading to data inconsistencies and fragmentation; disclosure of confidential information; obsolescence of systems/technology; lack of common data definitions; inability to recover from system loss; lack of comfort with third party vendor system security
Human resource risks
  Personal issues or workplace violence; professional liability claims; workers compensation claims; employee recruitment and retention
Research risks
  Falsification of data or results; intellectual property infringement; unethical or unapproved research; inadequate lab practices and processes for the promotion of environmental health and safety; threat to safety of researchers; regulatory fines or penalties
Contract and grant risks
  Non-compliance with sponsoring agency terms, conditions and agreement; funds used but agreement terms and conditions not followed; failure to maintain equipment inventories in accordance with grant requirements; sub-recipients not managed properly
Student life risks
  Sports or public event disturbances; student mental health; safety and security of students on and off campus
Facilities and maintenance risks
  Deferred maintenance; increase in energy costs; equipment/facility malfunction
Table 6
2.2.6 – ERMIS

As a key support, a university can develop an ERM information system (ERMIS) to provide management with current information in minutes, in the form of key performance indicators (KPIs). ERMIS reduces the cost of risk by improving the efficiency of retrospective reviews and by monitoring the effectiveness of controls to prevent recurrences. The ERMIS includes:
1. Dashboard reporting on major risks
2. Risk assessment tools
3. Control and accountability tracking platform
4. Risk mitigation and monitoring tools
5. Survey capabilities

2.3 – HEALTH CARE ORGANIZATION

Specific objectives:
1. Quality of customer care
2. Attracting and retaining high quality physicians
3. Building sustainable levels of profit to provide access to needed capital and fund existing activities

Statement of risk appetite: The organization's lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting and operations objectives.
2.4 – AEROSPACE SUPPLIER

A high level objective is to work with customers to improve products and market share. There is a low risk appetite for allowing the capital structure to be leveraged to the point that it hinders the company's future flexibility or ability to make strategic acquisitions.

Operations tolerances:
1. Near zero risk tolerance for product defects
2. Low risk tolerance for sourcing products that fail to meet the company's quality standards
3. Low risk tolerance for meeting customer orders on time
4. High risk tolerance for potential failure in pursuing research that will enable the company's products to better control and increase the efficiency of energy use

Reporting tolerances:
1. Low risk tolerance concerning the quality, timing and accessibility of data needed to run the business
2. Very low risk tolerance concerning the possibility of material deficiencies in internal control
3. Low risk tolerance related to financial reporting quality (timeliness, transparency, generally accepted accounting principles)

Compliance tolerances:
1. Near zero risk tolerance for violations of regulatory requirements or the company's code of ethics
2.5 - INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)

The Basel Accords are a set of rules on banking regulation with regard to capital. Basel III is a series of additions to the existing accords designed to limit the likelihood and impact of a future financial crisis. It requires banks to hold more higher-quality capital against more conservatively calculated risk weighted assets (RWAs). It also looks to ensure sufficient liquidity during times of stress and to reduce excess leverage.

Capital: A minimum of 7 per cent of a bank's RWAs must be core tier one capital, to act as a buffer against losses. This compares with the 2 per cent required under Basel II. The definition of which liabilities can be classified as core tier one will narrow. There is a counter-cyclical buffer of 0 to 2.5 per cent, which is to be built up when the economy is strong so that it can be called upon in tougher times. Additional requirements will also be introduced for large banks deemed vital to the global financial system, the Global Systemically Important Financial Institutions (G-SIFIs), which are to hold an extra 1 to 2.5 per cent of core tier one capital.

Risk weighted assets: In addition to increasing the quality and quantity of capital, Basel III also updates the risk weighted asset (RWA) calculation for counterparty credit risk. This will see the introduction of the Credit Valuation Adjustment (CVA) capital charge, which increases the capital held against the risk that the mark-to-market value of derivatives will deteriorate due to a change in counterparty creditworthiness. The Financial Institution Asset Value Correlation (FI AVC) will be amended to increase the RWAs for banks' exposures to large and/or unregulated financial institutions.

Liquidity: The Liquidity Coverage Ratio (LCR) defines the amount of unencumbered, low risk assets (such as cash or gilts) that banks must hold to offset forecast cash outflows during a 30-day crisis. Outflows are estimated based on the nature of the customer relationship and the type of product.

Leverage: A new leverage ratio of 3 per cent is due to become mandatory in 2018. This seeks to ensure banks apply adequate capital to all their exposures, including those off balance sheet, and without applying any risk weightings.

Timing: Basel III requirements are being introduced from 2013, but some areas are still subject to change and total compliance is not expected until 2019. The long lead-in is designed to prevent sudden lending freezes as banks improve their balance sheets.

These measures aim to:
1. Improve the banking sector's ability to absorb shocks arising from financial and economic stress, whatever the source
2. Improve risk management and governance
3. Strengthen banks' transparency and disclosures
CHAPTER 3 – EXPLORATION COMMENT ON ERM

3.1 - RISK MAPPING

Risk mapping is probably the most common tool used by companies to identify and prioritize the risks associated with their business activities. It is a directional tool.

Fig. 2 – Consolidated risk profile (figure not reproduced): a risk map with likelihood (remote, possible, likely) on one axis and impact on the other, with each cell rated manageable, major or critical.
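To show how the map in Fig. 2 turns a risk register into a priority order, here is an added example (it is not code from the paper). The likelihood bands and cell ratings are the figure's; the impact band names, the numeric thresholds, the rating grid and the sample register are assumptions made for this example.

```python
"""Risk map: rate and prioritize a risk register by likelihood and impact.

Added example, not code from the term paper. The likelihood bands (remote,
possible, likely) and cell ratings (manageable, major, critical) are taken
from the figure; the impact band names, the numeric thresholds, the rating
grid and the sample register below are assumptions made for this example.
"""
from collections import Counter

LIKELIHOOD_BANDS = ("remote", "possible", "likely")
IMPACT_BANDS = ("minor", "moderate", "severe")   # assumed impact labels

# Assumed rating grid: RATING[impact][likelihood] -> cell rating from the figure.
RATING = {
    "severe":   {"remote": "major",      "possible": "critical",   "likely": "critical"},
    "moderate": {"remote": "manageable", "possible": "major",      "likely": "critical"},
    "minor":    {"remote": "manageable", "possible": "manageable", "likely": "major"},
}
PRIORITY = {"critical": 3, "major": 2, "manageable": 1}


def likelihood_band(annual_probability):
    """Map an estimated annual probability to one of the figure's likelihood
    bands. The 10 % and 50 % cut-offs are assumptions."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if annual_probability < 0.10:
        return "remote"
    if annual_probability < 0.50:
        return "possible"
    return "likely"


def impact_band(loss, materiality):
    """Map a worst-case loss to an impact band relative to a materiality
    threshold: below materiality is minor, below 5x is moderate, else severe
    (assumed cut-offs)."""
    if loss < materiality:
        return "minor"
    if loss < 5 * materiality:
        return "moderate"
    return "severe"


def assess(register, materiality):
    """Rate every risk and return the register sorted highest priority first.
    Ties within a rating are broken by expected annual loss (probability x loss)."""
    assessed = []
    for risk in register:
        lb = likelihood_band(risk["probability"])
        ib = impact_band(risk["loss"], materiality)
        assessed.append({
            "name": risk["name"],
            "likelihood": lb,
            "impact": ib,
            "rating": RATING[ib][lb],
            "expected_loss": risk["probability"] * risk["loss"],
        })
    assessed.sort(key=lambda r: (PRIORITY[r["rating"]], r["expected_loss"]),
                  reverse=True)
    return assessed


def consolidated_profile(assessed):
    """Count how many risks land in each (likelihood, impact) cell; this is the
    consolidated risk profile the map displays."""
    return Counter((r["likelihood"], r["impact"]) for r in assessed)


# Constructed register: the names are sample risks from Table 6 of the paper,
# the probabilities and loss figures are invented for this example.
SAMPLE_REGISTER = [
    {"name": "Pandemic", "probability": 0.05, "loss": 10_000_000},
    {"name": "Disclosure of confidential information", "probability": 0.20, "loss": 3_000_000},
    {"name": "Inability to recover from system loss", "probability": 0.60, "loss": 2_000_000},
    {"name": "Deferred maintenance", "probability": 0.70, "loss": 500_000},
    {"name": "Budget impairment", "probability": 0.30, "loss": 200_000},
]

if __name__ == "__main__":
    ranked = assess(SAMPLE_REGISTER, materiality=1_000_000)
    for r in ranked:
        print(f'{r["rating"]:<10} {r["likelihood"]:<9} {r["impact"]:<9} {r["name"]}')
    print(consolidated_profile(ranked))
```

With the constructed figures, the one risk that is both likely and of moderate impact comes out critical and heads the list; the pandemic, despite the largest single loss, rates only major because it is remote. That is the directional point of the map: it ranks, it does not measure.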
A RISK MODEL

Environment risk
  Competitor; customer wants; technological innovation; sensitivity; shareholder expectations; capital availability; sovereign/political; legal; regulatory; industry; financial matters; catastrophic loss

Process risk
  Financial
    Price: interest rate, currency, equity, commodity, financial instrument
    Liquidity: cash flow, opportunity cost, concentration
    Credit: default, concentration, settlement, collateral
  Empowerment: leadership, authority/limit, outsourcing, performance incentives, change readiness, communications
  Information technology: integrity, access, availability, infrastructure
  Governance: organizational culture, ethical behavior, board effectiveness, succession planning
  Reputation: image and branding, stakeholder relations
  Integrity: management fraud, employee fraud, third party fraud, illegal acts, unauthorized use
  Operations: customer satisfaction, human resources, knowledge capital, product development, efficiency, capacity, scalability, performance gap, cycle time, sourcing, channel effectiveness, partnering, compliance, business interruption, product/service failure, environmental, health and safety, trademark/brand erosion

Information for decision making risk
  Strategic: environment scan, business model, business portfolio, investment valuation/evaluation, organization structure, measurement (strategy), resource allocation, planning, life cycle
  Public reporting: financial reporting evaluation, internal control evaluation, executive certification, taxation, pension fund, regulatory reporting
  Operational: budget and planning, product/service pricing, contract commitment, measurement (operations), alignment, accounting information
Table 7
A RISK DRIVERS MAP

Fig. 3 – A risk drivers map for HUMAN RESOURCES RISK (figure not reproduced). The map links the central risk to external and internal drivers, recovered from the figure as follows.

External factors: competition for talent increases; industry demand declines due to environmental protection and age issues; fewer entrants into higher education programs; market demand for company products significantly declines; cost of retaining top and experienced performers increases; higher costs of expatriates due to transfers; increased costs due to inflexible union rules.

Internal factors: company decides to restructure; company expectations are unrealistic; top and experienced performers conclude the company is not as attractive; job security declines, resulting in good people leaving; loss of morale; performance measurement and reward system is not aligned with performance expectations; executive management is not perceived as committed; high turnover occurs at remote locations; career or succession plan is poorly defined; loss of reputation due to poor financial results; teamwork contradicts acceptance of individual accountability; compensation levels are not competitive.

Hiring process: hiring practices lack background checks; people are hired with dubious or questionable histories.
A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION

Fig. 4 – Baseline oversight structure (organization chart not reproduced). Board of Directors, then CEO, then the executive committee and the risk management executive committee. Below them: business units (Unit A, Unit B, Unit C under the COO); risk units (CFO, CIO/CLO, chief risk officer, program management); support units (functional support, shared services); and assurance units (internal audit, risk management compliance, legal and regulatory compliance).
3.2 - THE CAPABILITY MATURITY MODEL

The capability maturity model is a tool for assisting management in thinking more clearly about questions such as:
1. How capable do we want our risk management to be?
2. Do we vary the rigor and robustness of our risk responses and related control activities?
3. Do we rely on a few well-qualified individuals in an ad hoc manner and regularly put out fires?
4. Do we improve our capabilities?

3.2.1 - SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT

The matrix rates procurement at each of the five maturity states (Initial, Repeatable, Defined, Managed, Optimizing) along six dimensions: business policies, business processes, people and organizations, management reports, methodologies, and systems and data.

Initial
  Business policies: Procurement not addressed as a strategic opportunity, no direction or policies
  Business processes: Purchases not leveraged, no strategic partnerships
  People and organizations: No leadership and lack of qualified staff
  Management reports: Critical information not available and no internal auditing
  Methodologies: No models, reliance on people
  Systems and data: Disparate, inefficient purchasing and accounts payable systems
Repeatable
  Business policies: Occasional strategic focus on sourcing and informal policies
  Business processes: Occasional supply leverage, few strategic partnerships
  People and organizations: Some procurement professionals on staff, limited training
  Management reports: Key internal procurement information available, with audits occurring
  Methodologies: Simple models are used inconsistently
  Systems and data: Suite of fairly effective systems, procedure manual
Defined
  Business policies: Annual procurement plans, strategic sourcing for key commodities
  Business processes: Defined processes, strategic partnerships in place
  People and organizations: Accounts payable centralized, training offered and special purpose teams
  Management reports: Key suppliers tracked, standard benchmarks and internal audits
  Methodologies: Well-developed models available for decision making
  Systems and data: Organization operates with contracts
Managed
  Business policies: Increased execution of strategic sourcing
  Business processes: Effective use of formal risk management techniques
  People and organizations: Consolidated leveraged supply base in place, trained commodity teams
  Management reports: High quality procurement information, self assessment commonplace
  Methodologies: Sophisticated robust models and tools
  Systems and data: Procurement data warehouse in place and utilized, P-cards and automation
Optimizing
  Business policies: Aligned strategic plans, defined and integrated policies and responsibilities
  Business processes: Integrated and effective procurement processes and continuous benchmarking
  People and organizations: Ability to adapt to changing environments and customer demands, outsourcing of non-core competencies
  Management reports: Fully developed, automated, consistent function and planning
  Methodologies: Aligned strategic methodologies that emphasize continuous improvement
  Systems and data: Complete suite of systems across the supply chain for analysis
Table 8
3.2.2 - RISK MEASUREMENT TECHNIQUES AT EACH STATE OF THE CAPABILITY MATURITY MODEL

Initial state: simple and straightforward methodologies
1. Self-assessment techniques
2. Facilitated assessments
3. Risk indicator analysis
4. Position reports
5. Gap analyses

Repeatable state: basic
1. Risk rating or scoring
2. Claims exposure and cost analysis
3. Sensitivity analysis
4. Deterministic stress testing
5. Parametric value at risk
6. Uncertainty measures

Defined state: refined methodologies
1. Surrogate performance measures
2. Historical simulation value at risk
3. Scenario analysis

Managed state: managed quantitatively and aggregated at the corporate level
1. Monte Carlo value at risk
2. Earnings at risk
3. Integrated measurement methodologies
4. Risk-adjusted performance measurement

Optimizing state: the organization is focused on continuous improvement. Risks are aggregated and managed as a portfolio; the quantitative means to transfer and scrutinize risk are developed.
3.2.3 - WAYS TO AGGREGATE MULTIPLE RISK MEASURES USING A COMBINATION OF A RIGOROUS METHODOLOGY AND THE APPLICATION OF JUDGMENT

1. Risk pooling - positively and negatively correlated
2. Risk appetite and risk tolerances
3. Hurdle rates - discounted cash flow
4. At-risk frameworks - value at risk, earnings at risk, gross margin at risk and cash flow at risk
5. Risk-adjusted performance measurement - risk-adjusted return on capital

3.2.4 - RISK MEASUREMENT CAPABILITIES ACHIEVE

1. More robust risk reporting
2. Greater investment confidence
3. Greater integration and alignment
4. Higher valuation

The most important contribution of ERM to improving business performance is to help managers make better choices in protecting and enhancing enterprise value. Shareholder value is a generally accepted measure of value and is therefore an example of a useful context for defining enterprise value. Economic value added (EVA) is such a measure. The basic formula for calculating EVA is:

EVA = NOPAT less WACoC
NOPAT = Net operating profit after tax
WACoC = Weighted average cost of capital
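The three value-at-risk techniques named in 3.2.2 (parametric at the repeatable state, historical simulation at the defined state, Monte Carlo at the managed state) and the correlated risk pooling of 3.2.3 can be shown on one small data set. The following is an added example, not code from the paper; the daily profit-and-loss series and the correlation inputs are invented for it, and only the Python standard library is used.

```python
"""Value at risk (VaR) at three maturity states, plus correlated aggregation.

Added example, not code from the term paper. DAILY_PNL and the correlation
inputs are invented for this example.
"""
import math
import random
from statistics import NormalDist, mean, pstdev

# Constructed daily profit-and-loss series for one portfolio (negative = loss).
DAILY_PNL = [120, -80, 45, -200, 60, 15, -30, 95, -150, 10,
             75, -40, 20, -95, 55, 30, -300, 85, -10, 65]


def parametric_var(pnl, confidence=0.95):
    """Repeatable state: assume P&L is normally distributed, VaR = z*sigma - mu.
    Returned as a positive loss amount at the given one-day confidence level."""
    mu, sigma = mean(pnl), pstdev(pnl)
    z = NormalDist().inv_cdf(confidence)
    return z * sigma - mu


def historical_var(pnl, confidence=0.95):
    """Defined state: no distribution is assumed; the loss quantile is read off
    the sorted history. With 20 observations at 95 % this is the second-worst
    loss, i.e. one observation in the sample exceeds the VaR."""
    losses = sorted(-x for x in pnl)             # losses as positive numbers, ascending
    idx = math.ceil(confidence * len(losses)) - 1
    idx = min(len(losses) - 1, max(0, idx))      # keep the index inside the list
    return losses[idx]


def monte_carlo_var(pnl, confidence=0.95, trials=20_000, seed=1):
    """Managed state: fit a distribution to the history, simulate many trading
    days and take the empirical quantile of the simulated losses. A fixed seed
    keeps the figure reproducible between runs."""
    mu, sigma = mean(pnl), pstdev(pnl)
    rng = random.Random(seed)
    simulated = [rng.gauss(mu, sigma) for _ in range(trials)]
    return historical_var(simulated, confidence)


def aggregate_var(var_by_unit, correlation):
    """Risk pooling across units (3.2.3):
        VaR_total^2 = sum over i, j of rho_ij * VaR_i * VaR_j
    rho = 1 everywhere reproduces the plain sum (no diversification credit);
    lower or negative correlation between units reduces the enterprise figure."""
    names = list(var_by_unit)
    total = 0.0
    for a in names:
        for b in names:
            total += correlation[a][b] * var_by_unit[a] * var_by_unit[b]
    return math.sqrt(max(total, 0.0))


if __name__ == "__main__":
    print("parametric 95% VaR  :", round(parametric_var(DAILY_PNL), 1))
    print("historical 95% VaR  :", historical_var(DAILY_PNL))
    print("Monte Carlo 95% VaR :", round(monte_carlo_var(DAILY_PNL), 1))
    # Two units whose VaRs are pooled with an assumed correlation of 0.3.
    corr = {"treasury": {"treasury": 1.0, "ops": 0.3},
            "ops": {"treasury": 0.3, "ops": 1.0}}
    pooled = aggregate_var({"treasury": 150.0, "ops": 100.0}, corr)
    print("pooled VaR (rho=0.3):", round(pooled, 1))
```

On this series the parametric and Monte Carlo figures agree closely, because the simulation is drawn from the same fitted normal distribution, while the historical figure is higher, because the sample has a fat left tail (two losses of 200 and 300 against a standard deviation near 105). That gap between the model and the observed history is exactly what the move from the repeatable to the defined state is meant to surface.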
3.2.5 - APPLYING AN ERM PERSPECTIVE

Identify several opportunities for enhancing risk management processes to improve business performance using the application of EVA:
1. Create new opportunities
2. Improve performance
3. Harvest existing value
4. Adjust and align the cost of capital

3.3 - RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM

1. ERA – Enterprise risk assessment tools (decision support, surveys and risk registers)
2. ORM – Operational risk management tools (qualitative and quantitative)
3. IA – Integrated compliance and risk management platform solutions
3.3.1 - PRIORITIZATION OF FUNCTIONALITY

Feature | COSO ERM component | Solution
  Entity definition and objectives | Internal environment, objective setting | ERA, ERM, ORM
  Risk identification | Event identification, risk assessment | ERA, ERM, ORM
  Framework support | Various | ERA, ERM, ORM
  Risk control and monitoring | Risk assessment, risk response, control activities | ERM, ORM
  Risk workflow scheduling and notification | Risk assessment, risk response, control activities, monitoring | ERM, ORM
  Risk and audit issue tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM
  Data collection, event tracking | Information and communication, monitoring | ORM
  Risk and control self assessment | Risk assessment, risk response | ERA, ERM, ORM
  KPI definition and tracking | Risk response, control activities, information and communication, monitoring | ERM, ORM
  Frequency and severity estimation and other statistical analyses | Risk assessment | ORM
  Exposure calculation | Risk assessment, risk response, information and communication, monitoring | ORM
  Scenario analyses | Risk assessment, risk response, information and communication, monitoring | ORM
  Capital calculation | Risk response, information and communication, monitoring | ORM
  RAROC analysis | Risk response, information and communication, monitoring | ORM
  VaR model | Risk assessment, risk response, information and communication, monitoring | ERM
  Internal reporting | Internal environment, information and communication, monitoring | ERA, ERM, ORM
  Regulatory reporting | Internal environment, information and communication, monitoring | ORM
  Risk response | Risk response | ERM
  Compliance templates | Various | ERM
  Audit planning | Risk assessment, monitoring | IA
  Project management | Monitoring | IA
Table 9
3.3.2 - CHARACTERISTICS OF SUCCESSFUL ERM SOFTWARE VENDORS

1. In-depth RM knowledge
2. Ability to educate prospects and customers
3. Ability to execute and support
4. Professional services
5. Global presence
6. Firm's overall size
7. Ability to leverage existing relationships to build technology
8. Operational and financial risk expertise

3.3.3 - ERM VS. QUALITY INITIATIVES

ERM is an enterprise level process that is integral to strategy setting. Quality initiatives provide the methodology and tools to help organizations understand, measure and continuously improve the efficiency and quality of their processes at a detailed level.

3.4 – ADVANTAGES

3.4.1 - MANAGEMENT ALTERS AN ENTITY'S RISK CHARACTERISTICS BY REDUCING:

1. The enterprise's net exposure
2. The variability of the enterprise's expected returns caused by specific sources of uncertainty (e.g. fluctuating currency rates)
3. The likelihood of financial distress in the event of realized changes in key variables (e.g. changes in interest rates for a highly leveraged company)
4. Other uncertainties in the attainment of expected returns
3.4.2 - ERM TO ESTABLISH A SUSTAINABLE COMPETITIVE ADVANTAGE

1. Integrate risk management with business planning and strategy setting
2. Implement a more rigorous risk assessment process
3. Improve management of common risks across the enterprise
4. Improve capital deployment and resource allocation
5. Configure the enterprise's risk taking with its core competencies
6. Seize opportunities through rational assumption of risk
3.5 - SUITABILITY

Fig. 5 – Key questions a business case must address (figure not reproduced).
3.6 - LIMITATIONS

3.6.1 - VALUE IN USING QUALITATIVE INFORMATION WHEN ASSESSING RISK

Some risks do not lend themselves to quantitative measurement because the related events occur so infrequently and, if and when they do occur, they are subject to such a wide range of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify them.

3.6.2 - COMMON MISTAKES AND PITFALLS DURING THE RISK ASSESSMENT PROCESS

1. Lack of clarification and common understanding of the meaning or definition of risk
2. Not including all stakeholders
3. Not considering or giving appropriate weight to knowledgeable positions
4. Setting unclear or unrealistic objectives

3.6.3 - THE PROBLEMS ERM PRACTITIONERS MAY FACE

The difficulty comes when identifying, collecting, cleansing and analyzing data. Often adding to this frustration is a lack of guidance on how to create an information infrastructure to accomplish their goals. ERM practitioners also face the challenge of dealing with cultural, organizational and political obstacles to data transformation efforts that seem to be almost universal in organizations of all types (Fraser, Schoening-Thiessen & Simkins, 2008). ERM information systems face the same hurdles as other systems that have required changes in procedures, processes or culture; there are many lessons to be learned from past implementations of other large systems. Above all, patience and persistence are the keys to the process of implementation.
3.6.4 - DEMONSTRATION OF ERM'S USEFULNESS KEY TO WINNING OVER MANAGEMENT

1. Risk managers should expect resistance from their managers.
2. Risk managers who are preparing to implement an enterprise risk management process should be ready to mitigate opposition from middle and lower management.
3. To counter resistance, risk managers must address it before implementing the process.
4. Risk managers should demonstrate that ERM is a tool managers can use to improve unit performance and promote their individual worth.
5. Risk managers also need a senior manager to co-champion ERM, in addition to top management support.
6. Unit managers perceive ERM as a spotlight that illuminates losses and potential risks, which "doesn't paint them in a positive light".

Risk managers must adopt seven principles which will obtain and retain middle- and lower-management support:
1. Simplify the ERM process, because "people don't do what they don't understand."
2. Communicate its purpose.
3. Provide training.
4. Personalize it to help managers achieve their objectives.
5. Demonstrate how it adds value to the managers' business operation.
6. Monitor performance.
7. Tie performance to compensation.

Of course, finding an individual whose expertise spans the full spectrum of enterprise-wide risks in a financial institution, from loan quality and interest-rate mismatches to fraud and natural disasters, will be a significant challenge.
CONCLUSION

I have done an exploratory self-study about Enterprise Risk Management and would like to conclude that it is a relatively new and vast topic and needs much time and expertise to comprehend. In this study I did not obtain actual numbers and figures of any organization in particular, and I have also not used any advanced statistical techniques. There are different approaches and models to obtain optimal risk management which need much detailed research and practical knowledge. Hence, I have not given any specific recommendations regarding the implementation, application and use of ERM. But nevertheless it can be understood that ERM is not just the simple sum of all risks facing an organization. ERM basically becomes a means of shifting focus from crisis response management and compliance to evaluating risks in business strategies proactively, to enhance investment decision making and maximize stakeholder value. Enterprises (regardless of size) need to protect themselves from the adverse effects of risk and need to exploit risk. ERM solutions need to be tailored for each organization according to the factors affecting that enterprise. Risk exists all around us; you can choose to use it or let it destroy you. The concept of ERM is debatable in terms of time, cost and effectiveness for an enterprise.