Universidad De Manila Risk Management Worksheet



Business Finance

Universidad de Manila


1. Identify a list (minimum 10) of vehicle (car) controls and what they do

   Named Control:   Airbag

   Type: (Preventative/Detective/Corrective/Compensating)

   Make them interesting and unique (e.g., brakes are boring!!)

2. For the selected firm in the class discussion (Amazon), identify the opportunity areas (3 – 5) for ERM success based on the controls cited above (1 page)

Unformatted Attachment Preview

WHAT IS THE KEY COMPONENT THAT ALLOWS A CAR TO GO (SAY) 80 MILES PER HOUR ON THE ROAD?
(Answer: the BRAKES.)

CMM – BALANCE
[Two radar charts of capability-maturity rank (0–5) per function: Risk Management (Insurance), IT Security, Physical Security, Internal Audit, External Audit, Business Continuity, Disaster Recovery, Legal and Compliance, each plotted as Actual rank (mostly 3s), Desired rank (3s and 4s) and "Nirvana" rank (5s).]

STRESS TESTING
• Has anyone ever done a stress test? How does it work? What does it do?
• Metrics: 220 – age = maximum heart rate; target 85% of that rate
• Metrics don't improve without action

STRESS TESTING – What is it (in the real world)?
• Common in financial services/institutions
• Exceptional but plausible events (where do they sit on the risk model?)
• Why do this? Complacency and risk underpricing; new frontiers with little or no history
• Components: risk identification and control; risk quantification; capital needs and liquidity* needs

STRESS TESTING – Approach: the most significant risks
• Credit
• Market (varied): market, specific risks, cash-flow mismatch, interest rate, currency/exchange, commodity
• Insurance: mortality, morbidity, claims (frequency/severity), etc.

RISK OPTIMIZATION – TYPES OF RISK AND IMPACT ON EARNINGS
• Credit risk – earnings volatility due to variation in credit losses
• Market risk – earnings volatility due to market price movements
• Operational risk – earnings volatility due to people, process, technology or one-time events
• Probability and change in value (can you say IMPACT!)

COSO – DELOITTE
[Figures: demand curve of risk against return, with a "sweet spot" marked.]
• Similar, but not exactly a match to what we have done
• "Develop Assessment Criteria" as a front end – we took it as a 'given'
• What would you incorporate into your criteria?
• Results in a common cross-functional (ERM) lens
Key elements:
• Impact – no surprise here
• Probability – again, not a surprise
• Speed of onset – identify the scale (one example)
• Vulnerability – turns the lens around to the destination/affected area; context in the form of a hurricane, earthquake, market shift, etc.
Consistent with our model: impact, probability, speed of onset. Variation: vulnerability.
I did say that everyone grew up knowing about risk.

RISK APPETITE
The ISO 31000 risk management standard refers to risk appetite as the "amount and type of risk that an organization is prepared to pursue, retain or take". In a literal sense, defining your appetite means defining how "hungry" you are for risk. Striking the right balance?

• Dollarized RTO (recovery time objective) and insurance retention (deductible)
• RTO across the BC and DR domains
• Insurance of assets but limited business coverage (due to BC)
• Physical and IT security interconnection
• Vendor and customer SLAs and internal RTOs
• Know the risk tolerance and the Maximum Foreseeable Loss (MFL)
• …

ERM PROJECT – DEFENSE AGAINST RISK
• Three lines of defense
  • First line – business units or functions that own the risk but have an upside bias (revenue, growth, gain)
  • Second line – risk and compliance functions that focus on policies, controls, monitoring, etc. (downside bias)
  • Third line – Board of Directors (independent oversight) and Internal Audit (controls and integrity)
• Not always quite this distinct or clean
  • First line may not take an active role and may defer to the second line
  • Third line (audit) may not be able to function independently

PERFORMANCE-BASED CONTINUOUS ERM – Phased history
• 1 – Financial and operational risk
  • Market and credit risk (also liquidity) – essentially bad investments or investment portfolio
  • Operational – errors, omissions, fraud, etc.
• 2 – Compliance-driven
  • Federal Reserve (and others) with banking rules
  • Regulatory compliance and risk aversion
• 3 – Creating shareholder value
  • Globalization
  • Continuous monitoring, decision support and value

ORGANIZATIONAL APPROACH TO RISK – THE SILOS
• CEO – responsible for all risk management within the entity
• Risk Management – traditionally the insurance organization, evolving
• Security – responsible for physical assets, personnel safety, etc.
• Business Continuity – responsible for ensuring a business recovery plan is in place
• Disaster Recovery – responsible for ensuring a systems recovery plan is in place
• Legal/Compliance – responsible for contractual risk, liability, etc.
• Internal Audit – responsible for controls being both in place and followed
• IT Security – responsible for information systems security
• External Audit – responsible for assessing practices (e.g., revenue recognition)

ENVISION THIS, AGAIN!
• Accomplished chef asked to cook burgers
• Architect laying out plans to build sheds
• Portrait painter asked to 'do the kitchen'
• Concert pianist playing a carnival calliope
• NASCAR driver asked to drive a car to Florida
• Football running back who is asked to block
• Basketball 'scorer' asked to pass the ball* (* vs. high scorer in the loss!)
SO, WOULD YOU CONCLUDE THAT WE DON'T NEED SPECIALISTS?

RISK MODELING – RISK TYPES
• Inherent or innate risk – the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances.
• Controlled risk – the probability of loss arising from the tendency of internal control systems to lose their effectiveness over time, and thus expose (or fail to prevent exposure of) the assets they were instituted to protect.
• Residual risk – the remainder after applying controls: residual risk = (inherent risk) − (impact of risk controls); "the quantity left over at the end of a process".

RISK MODEL – HEAT MAP
[Figure: 5 × 5 grid of (impact, probability) cells from (1,1) to (5,5), impact on the vertical axis and probability on the horizontal axis, shaded into Resolve / Monitor / Accept regions.]
• Calculation of 'area' (impact × probability)
• Scale varies: commonly 5 × 5 or 3 × 3; could be anything (10 × 10, 100 × 100)

RISK MODEL – TREATMENT BY QUADRANT
• High impact, low probability – Monitor (Transfer)
• High impact, high probability – Resolve (Avoid)
• Low impact, low probability – Accept (Retain)
• High probability, low impact – Monitor (Reduce)

RISK TERMINOLOGY
• Inherent risk, in risk management, is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk-reduction effects of controls (e.g., gross risk).
• Managed risk is the probability of loss or exposure to a danger that has been minimized to an acceptable level through careful planning and implementation of effective countermeasures.
• Residual risk is the risk of an action or an event, a method or a (technical) process that, although abreast of science, still carries these dangers even if all theoretically possible safety measures were applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls (e.g., net risk).
• Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the "amount and type of risk that an organization is prepared to pursue, retain or take". In a literal sense, defining your appetite means defining how "hungry" you are for risk.

RISK RELATIONSHIP – EXAMPLES
• Where inherent risk equals residual risk, the risk is not actively managed (accepted)
• Where inherent risk is not managed but exceeds the risk appetite, management is needed
• Where residual risk exceeds the risk appetite, management is needed
• Where the risk appetite exceeds the residual risk, the risk is over-managed
• Where the managed risk exceeds the risk appetite, management is needed
• Where the residual risk equals the risk appetite, the risk has been properly managed

HEAT MAP EXAMPLE – INHERENT RISK AND CONTROLS
• Controls bring inherent risk down to, or towards, the target
[Figure: risk-mapping grid, impact ($, min to max) against probability (min to max), cells labelled Low / Medium / High / Critical.]
• Probability and severity treated as separate dimensions (no different from impact and probability)

CONTROLS
Are there different types of internal controls? Yes, generally speaking there are two major types: preventive and detective controls. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.

Preventive controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
• Segregation of duties: duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
• Approvals, authorizations and verifications: management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor's approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
• Security of assets (preventive and detective): access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.

Detective controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
• Reviews of performance: management compares information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
• Reconciliations: an employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action when necessary.
• Physical inventories

CONTROLS – DETECTIVE
Detective controls seek to identify when preventive controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets.
Example: a production motor's alert light comes on, indicating that the oil level is low.

CONTROLS – PREVENTIVE
In general, preventive control activities are the most cost-effective of the three types of internal control activities, because they help prevent the loss of assets in the first place and are often not very expensive to implement.
Example: the production motor shuts down due to a low oil level (to protect the motor).

CONTROLS – CORRECTIVE
When detective control activities identify an error or irregularity, corrective control activities should then kick in to see what could or should be done to fix it, and hopefully put a new system in place to prevent it the next time around.
Example: a production motor's auxiliary oil tank is used to replenish the oil level when the alarm goes off.

CONTROLS – COMPENSATING
When a control cannot be implemented, or fails, a compensating control is put in place to address as much of the risk as possible.
Example: post a guard at a door where the lock is out of commission due to a power outage.

CONTROLS – OFTEN OVERLOOKED!
• Corrective – coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
• Compensating – a compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

HOW DO CONTROLS AFFECT OUR RISK MODEL?
Inherent risk of an operation shutting down due to the threat of loss of power (think WIND or SNOW!):
• Impact of 5
• Probability of 4
• Risk 'value' = 20 (5 × 4) – let's call this a major risk on our scale!
Controls applied = controlled risk (generator):
• Impact stays at 5 (impact is harder to manage; can you operate without power?)
• Probability reduces to 2
• Risk 'value' = 10 (5 × 2) – residual risk
• Controls have reduced the risk value by 50%: 20 becomes 10
• Major reliance on controls; it is important to acknowledge this

DISCUSSION: risk table and control reliance

CONTROLS: ACCESS AUTHENTICATION
Authentication factors:
• Something you know – ID, password, PIN, token code (static)
• Something you are (biometrics) – fingerprint, iris scan, facial recognition, etc.
• Something you have – token, dongle, token code (dynamic); phone number (a phone number is commonly treated as possession, but it is the weakest of these: it can be ported or SIM-swapped away from its owner)
Multi-factor:
• A combination of the factors above
• Example: password and fingerprint; ID and iris scan
• NOT fingerprint and iris; NOT ID and PIN – those are the same factor
Example: Boston University access requires a Kerberos password and ID as well as a call-back phone number.

TOTAL EXPOSURE MANAGEMENT
[Slides 50–52: figures only.]

WHAT CAN YOU DO?

COMPROMISING THE 3 LINES OF DEFENSE (Global Resiliency Summit)
Envision this short dialogue:
• "Do you have the time?"
• "…Well, yes I do." – end of dialogue!
What are your first impressions? Disingenuous? Not forthcoming? Lacking transparency? … but admittedly accurate, to the letter.

Letter vs. spirit – to clarify
• Spirit revolves around general understanding, supported with examples that set direction (e.g. – exempli gratia)
  • Umbrella of coverage on concepts, goals, direction
  • Includes the 'white space'
  • Principles or inclusion-based
• Letter revolves around specifics and doesn't rely on or require a level of general understanding (i.e. – id est)
  • Detailed, specific on yes/no, accept/reject, in/out, etc.
  • Builds silos that create the 'white space'
  • Rules or exclusion-based (kind of)

The "Embracer" and the "Avoider"
• Embracer
  • Acknowledges and focuses on the greater good
  • Follows the spirit, deploying the letter for enforcement/clarity
  • Addresses the issues as needed
  • Personally blind to loopholes
• Avoider
  • Laser-focused on local (personal, team, department) gain
  • Ignores the spirit, following (only?) the rules as stated
  • Answers the question as asked
  • Night vision in search of loopholes, angles, nuances

Operational example: creation of High Performance Work Teams (HPWT)
• Goals (… in the spirit of …)
  • Expand the leadership role of management
  • Evolve line operations into empowered teams
  • Improve flexibility in the overall business operation
  • Deploy classic team development stages: Forming, Storming, Norming, Transforming
• Organizational layers, pre-HPWT: Senior Management / Middle Management / Line Operations
• Organizational layers, post-HPWT: Senior Management / Line Operations / Line Operations
• Results (… in the letter of …)
  • Management role remained static: no expansion of leadership activity and duties; net regression of leadership effectiveness
  • Operations role expanded somewhat arbitrarily: responsibilities expanded in one direction, allocated down!; operations staff not properly equipped or trained to absorb them
  • Team stuck in neutral; barely Forming
  • Both management and operations staff struggle with the "new" relationship

How is this relevant (to us) in the risk domain?
• HPWT structure parallels the risk 3 Lines of Defense (LOD) model
• 3 LOD model use is subject to similar vulnerabilities: structure to the letter, according to the rules; deployment violating the spirit, contrary to the principles

The Three Lines of Defense model – risk management/control
• Provides a framework for control, management and assurance
• Clear roles and accountability at each of the 3 levels
• Evolved into the de facto standard of risk and risk oversight
• Stakeholders request/require insight into alignment and adherence
  • Clients, prospects, auditors, regulators, etc. support the model
  • Often used in due diligence evaluations

Composition of the 3 Lines of Defense:
• Internal Audit – risk assurance
• Risk and Compliance – risk oversight
• Operational Management – risk ownership

Manipulation of the 3 Lines of Defense:
• Internal Audit – risk assurance
• Risk and Compliance – risk oversight
• Operational Risk Interface – a "risk buffer" (layer 1A) inserted between oversight and the operation
• Operational Management – risk ownership
• Translation – discrete entities now clouded with discreet subtleties
• Slides in a mouthpiece to face the risk oversight parties
• Carves out risk as a separate entity within the operation, when the model was designed for risk to be woven into the fabric
• Satisfies the letter but violates the spirit of the 3-layer model
• Buffers risk oversight, and even risk assurance, from risk at the source by the risk owner
Closing comments:
• Effectively an internal risk consolidation, or even an internal transfer
• Builds control as an artificial layer in lieu of ongoing assurance within operations
• Clouds stakeholder insight, especially Audit
Are you seeing, or have you seen, this? Questions?

Discussion: quality control vs. quality assurance

MISTAKE-PROOFING (POKA YOKE)
• De-risk the process via 'controls'
• Catch the error as early in the process as possible ($$$) – both labor and material costs
• Evolve and improve over time
• Focus on failure points and improve overall yield
• Look around the room
• Examples: only fits one way; must weigh between X and Y; must have all critical fields filled in; small items elevated (child-proofing a house)

Methods in detail – contact methods ("Do not have to be high tech!")
• These can be as simple as blocks that do not allow parts to be seated in the wrong position prior to processing.

Methods in detail – constant number or counting method
• Used when a fixed number of operations are required within a process
• When a product has a fixed number of parts that are attached to it
• A sensor counts the number of times a part is used or a process is completed and releases the part only when the right count is reached.

Methods in detail – motion-sequence method
• The third poka yoke method uses sensors to determine if a motion or a step in a process has occurred.
• If the step has not occurred or has occurred out of sequence, the sensor signals a timer or other device to stop the machine and signal the operator.

Everyday examples
• Disk [figure]
• File cabinets: opening one drawer locks all the rest, reducing the chance of the cabinet tipping.
• Submarine: the bathyscaphe is a deep-water submarine used to explore the very lowest parts of the ocean. It is electrically powered. Once at the bottom, if the batteries or electrical system fail, the best outcome would be for the sub to return to the surface. The designers made this outcome occur by holding the ballast in place with electromagnets: when power is lost, the ballast drops off automatically and the sub starts its ascent.
• Sinks [figure]

RISK MANAGEMENT / CONTROL OPTIONS – Risk controls – discussion
What do these options mean in a pure risk context?
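The heat-map model used throughout these slides (inherent score = impact × probability, controls lowering one or both dimensions, residual compared against appetite, and the avoid / transfer / reduce / retain quadrants that the share-purchase options below map onto) as a small runnable model. This is an added example, not code from the slides: the generator figures (5 × 4 = 20 inherent, 5 × 2 = 10 residual) are taken from the lecture, while the quadrant threshold (4 or above counts as "high") and the control applied are assumptions made for illustration.

```python
"""Worked heat-map risk model from the lecture slides.

Scores are impact x probability on a 1..5 scale (the 'area' of the cell).
The generator figures (5 x 4 = 20 inherent, 5 x 2 = 10 residual) come from
the slides; the quadrant threshold (>= 4 counts as 'high') is an assumption
made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

SCALE = 5   # 5 x 5 heat map; the slides note 3 x 3 or 10 x 10 work the same way
HIGH = 4    # assumption: 4 or 5 on the 1..5 scale counts as 'high'


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1..SCALE
    probability: int  # 1..SCALE

    def __post_init__(self):
        for v in (self.impact, self.probability):
            if not 1 <= v <= SCALE:
                raise ValueError(f"{self.name}: {v} is outside 1..{SCALE}")

    def score(self) -> int:
        """The 'area' of the cell: impact x probability."""
        return self.impact * self.probability


def treatment(impact: int, probability: int) -> str:
    """Quadrant of the slides' risk model: high/high is resolved (avoided),
    high impact with low probability is transferred, high probability with
    low impact is reduced, and everything else is retained."""
    high_impact = impact >= HIGH
    high_probability = probability >= HIGH
    if high_impact and high_probability:
        return "resolve (avoid)"
    if high_impact:
        return "monitor (transfer)"
    if high_probability:
        return "monitor (reduce)"
    return "accept (retain)"


def heat_map() -> list[list[str]]:
    """Rows run from impact SCALE (top) down to 1, columns from probability
    1..SCALE, matching the slide's grid (5,1)..(5,5) down to (1,1)..(1,5)."""
    return [[treatment(i, p) for p in range(1, SCALE + 1)]
            for i in range(SCALE, 0, -1)]


def apply_control(risk: Risk, impact_reduction: int = 0,
                  probability_reduction: int = 0) -> Risk:
    """Controlled (residual) risk: a control lowers impact and/or probability.
    Neither dimension can fall below 1; a control never takes a risk to zero."""
    return Risk(risk.name,
                max(1, risk.impact - impact_reduction),
                max(1, risk.probability - probability_reduction))


def reduction_pct(inherent: Risk, residual: Risk) -> float:
    """Share of the inherent score removed by controls (the control reliance)."""
    return 100.0 * (inherent.score() - residual.score()) / inherent.score()


def relationship(inherent: Risk, residual: Risk, appetite: int) -> str:
    """The slides' risk-relationship rules, applied to the scores."""
    if residual.score() > appetite:
        return "management needed"            # residual (or unmanaged inherent) exceeds appetite
    if inherent.score() == residual.score():
        return "not actively managed (accepted)"
    if residual.score() < appetite:
        return "over-managed"                 # appetite exceeds residual
    return "properly managed"                 # residual equals appetite


if __name__ == "__main__":
    # The slides' example: loss of power (wind or snow) with a generator as the control.
    power_loss = Risk("loss of power", impact=5, probability=4)
    with_generator = apply_control(power_loss, probability_reduction=2)
    print(power_loss.score(), treatment(5, 4))        # 20 resolve (avoid)
    print(with_generator.score(), treatment(5, 2))    # 10 monitor (transfer)
    print(f"{reduction_pct(power_loss, with_generator):.0f}% reduction")  # 50% reduction
    for appetite in (8, 10, 12):
        print(appetite, relationship(power_loss, with_generator, appetite))
    for row in heat_map():
        print(" | ".join(f"{cell:18}" for cell in row))
```

Two things the run makes visible that the slide does not: the generator moves the risk from the resolve quadrant into the transfer quadrant (impact is still 5, so what remains is exactly the kind of risk insurance or a put is for), and the "over-managed" verdict for an appetite of 12 is the slides' literal rule, which in practice is a cost question about the control rather than a reason to weaken it.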
RISK CONTROLS – WHAT THE OPTIONS MEAN
• Don't buy the shares → do nothing: don't take on the risk and forgo the gain
• Buy the shares at the stated value of $5,000 and don't look back → accept the full value of the inherent risk, with no real controls to reduce or manage it
• Buy the shares and incorporate a 'stop-loss' control that prevents a loss to you of (say) more than $5/share, or $500 in total → reduce the risk as best you can to bring it in line with your risk appetite ($500)
• Buy the shares and purchase a 'put' option that transfers the risk and prevents a loss to you of (say) more than $5/share, or $500 in total → transfer the majority of the risk, accepting the level that is within your risk appetite ($500)

RISK CONTROLS – MECHANICS
• $5,000 investment (100 shares at $50/share)
• Purchase a PUT, such that the stock gets sold off when the price drops to $45/share
  • PUT costs $2/share at the $45 price and lasts 4 months (you purchase this option)
  • PUT costs $3/share at the $48 price and lasts 4 months
  • Essentially like having TERM insurance on your investment
• Scenario 1: stock climbs to $60/share; gain is price minus total cost, or $60 − ($50 + $2) = $8/share. Gain is $800 (100 × $8); it would be $1,000, but you bought $200 worth of insurance to limit the loss.
• Scenario 2: stock drops to $40/share; you dumped it at $45/share, so the loss is the limited loss plus the cost of the PUT, or ($50 − $45) + $2 = $7/share. Loss is $700 (100 × $7); it would be $1,000, but you bought $200 worth of insurance to limit the loss.
• Volatility is reduced

VALUE AT RISK (VAR)
• Historically, potential loss was defined as the worst-case scenario
• VAR (or VaR) metrics introduce the loss within a specific confidence level (probability or likelihood)
[Figure: Risk Controls – Value at Risk; loss axis from $0 through $500 and $2,500 to $5,000 against an X% confidence level.]

Class Discussion 4

Controls refer to the rules, mechanisms and procedures that an organization implements to ensure that the integrity of its financial and accounting information is maintained and preserved to promote accountability, hence preventing fraud.
This study evaluates the controls that Amazon has incorporated to facilitate effective operations. The threat of substitute commodities is very high given the new entrants into the online retail industry. Amazon has excellent customer service and a good brand name, which retains its customers. Amazon places a lot of emphasis on the satisfaction of customers by emphasizing the quality of commodities. As a result, the organization has low switching costs for customers. As a result of the growth in competition, customers are availed sufficient information when conducting research on commodities, to make choices in accordance with the available data. Amazon uses a variety of controls to ensure that the integrity of its financial and accounting information is preserved so that fraud does not occur. The bargaining power of Amazon's suppliers is low since the organization always has the upper hand. As much as the organization has a broad base of suppliers, they are required to conduct business in accordance with the rules that it has implemented. The suppliers are required to strictly follow the code of conduct of the organization by tracking supply chain standards precisely. Amazon has the capability of switching to new suppliers since it has a variety of options for all commodities. This, therefore, makes the bargaining power of suppliers medium. New entrants do not highly threaten Amazon since building such a brand is not as simple as it seems. This is because there are high costs associated with marketing and full implementation. There also exist a lot of strategic factors which call for a lot of dedication, such as that which Jeff Bezos has exhibited towards his brand. There exists a lot of rivalry in the industry in which Amazon operates. However, since the organization has managed to establish a brand, it still retains its customers and emerges as a leader in the e-commerce market.
Amazon has integrated organizational challenges, such as the ones that Porter's Five Forces highlight, to facilitate its strategic development. Besides ensuring that there is compliance with the laws and that employees are not stealing assets, internal controls are effective in the improvement of operational efficiency by ensuring that accuracy and timeliness of financial reporting are maintained.
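The share-purchase mechanics and the VaR slide in the lecture material above, as an added example that is not part of the slides or of the class-discussion paper: each of the four options (do nothing, accept, stop-loss, put) is written as a payoff function over a price path, and a historical-simulation VaR is computed over a set of constructed scenario prices. Figures from the slides are 100 shares at $50, a $45 stop or strike and a $2/share put premium; the assumptions added here are that the stop-loss fills exactly at the stop price and that the put settles at expiry at max(final price, strike). The scenario price list and the sample P&L set are constructed, not data.

```python
"""Risk-control options for the lecture's share purchase, as payoff functions,
plus a historical-simulation value at risk (VaR).

Figures from the slides: 100 shares bought at $50 ($5,000), a stop-loss or
put strike at $45, and a 4-month put costing $2/share. Assumptions made here:
the stop-loss fills exactly at the stop price (no gap or slippage), and the
put is settled at expiry at max(final price, strike).
"""
from __future__ import annotations

SHARES = 100
ENTRY = 50.0      # $/share paid
STOP = 45.0       # stop-loss trigger, $/share
STRIKE = 45.0     # put strike, $/share
PREMIUM = 2.0     # put cost, $/share


def pnl_do_nothing(path: list[float]) -> float:
    """Don't buy: no risk taken on, and the gain is forgone."""
    return 0.0


def pnl_accept(path: list[float]) -> float:
    """Buy and don't look back: full inherent risk, settled at the last price."""
    return (path[-1] - ENTRY) * SHARES


def pnl_stop_loss(path: list[float], stop: float = STOP) -> float:
    """Reduce: sell at the first price at or below the stop.
    Assumes the order fills at the stop itself; a gap through the stop would
    fill lower, which is exactly the residual risk a put removes."""
    for price in path:
        if price <= stop:
            return (stop - ENTRY) * SHARES
    return (path[-1] - ENTRY) * SHARES


def pnl_put(path: list[float], strike: float = STRIKE, premium: float = PREMIUM) -> float:
    """Transfer: the put guarantees at least `strike` per share at expiry and
    the premium is paid whether or not it is used (term insurance)."""
    return (max(path[-1], strike) - ENTRY - premium) * SHARES


def historical_var(pnls: list[float], confidence_pct: int = 95) -> float:
    """Loss not exceeded in `confidence_pct`% of the outcomes (historical
    simulation: sort the losses and take that quantile)."""
    if not pnls:
        raise ValueError("no outcomes")
    losses = sorted(-p for p in pnls)
    k = (len(losses) * confidence_pct + 99) // 100   # ceil(n * pct / 100) in integers
    return losses[k - 1]


# Constructed scenario prices (not from the slides) used to compare the options.
SCENARIO_PRICES = [30.0, 35.0, 40.0, 45.0, 48.0, 50.0, 52.0, 55.0, 60.0, 70.0]


def var_by_strategy(confidence_pct: int = 90) -> dict[str, float]:
    """VaR of each option across one-step paths from ENTRY to each scenario price."""
    strategies = {"accept": pnl_accept, "stop-loss": pnl_stop_loss, "put": pnl_put}
    return {name: historical_var([fn([ENTRY, p]) for p in SCENARIO_PRICES], confidence_pct)
            for name, fn in strategies.items()}


if __name__ == "__main__":
    up = [50.0, 55.0, 60.0]           # slides' scenario 1
    down = [50.0, 48.0, 45.0, 40.0]   # slides' scenario 2
    for name, fn in (("do nothing", pnl_do_nothing), ("accept", pnl_accept),
                     ("stop-loss", pnl_stop_loss), ("put", pnl_put)):
        print(f"{name:10} up: {fn(up):+8.0f}  down: {fn(down):+8.0f}")
    print(var_by_strategy(90))
```

On the slides' two scenarios the put gives +$800 and −$700, matching the lecture arithmetic, while the stop-loss gives +$1,000 and −$500 only because this model lets it fill at the stop; over the constructed scenario set the 90% VaR is $1,500 for accept, $500 for the stop-loss and $700 for the put, which is the "loss within a confidence level" the VaR slide describes and the $200 premium is the price of making that cap hold even when the market gaps.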

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.

Title: Risk Management

Various factors affect an organization's success in Enterprise Risk Management. In
addition, success in ERM ensures the organization has a competitive advantage in its

One of the opportunities is increased risk measurement. Amazon's controls enable
the organization to measure risk in its supply chain.

Another opportunity based on Amazon's controls is data management. Amazon's controls
manage data from suppliers to ensure the organization has the best process.

Amazon's controls also enable the company to conduct stress testing in its supply chains.


Risk Management

Student Name
Institutional Affiliation
Professor's Name

Risk Management
Car Controls
Named control: Engine malfunction light indicator
Type: Detective control
Function: It detects problems with engine sensors, ...

Awesome! Made my life easier.

