Section D
Risk Management
D-1
Miles CMA Review - Class Notes to Wiley CMAexcel Learning System Part 2, Section D
Risk management is a required component of decision making and pricing. The objective of risk
management is to reduce risk to an acceptable level. The management accountant is often involved in
the assessment and management of risk. In particular, management accountants help identify threats
to the organization and their probabilities, controls against the threats and their effectiveness, and the
losses incurred by not preventing or detecting threats prior to their occurrence.
In a business context, risk is defined as the level of exposure to a chance of loss. For example, if a
company determines that a particular risk could result in a loss of up to $50,000, then the company
would be willing to spend up to $50,000 to mitigate the risk. The amount of the loss calculated by
the company represents the maximum possible loss (extreme or catastrophic loss). This loss is
often referred to as the value at risk (VaR).
VaR includes:
- Cash flow at risk
- Earnings at risk
- Earnings per share (EPS) distributions (mean and variance)
Value at Risk (VaR) is the maximum loss within a given period of time and given a specified
probability level (level of confidence). Unlike retrospective risk metrics that measure historical
volatility, VaR is prospective. It quantifies market risk while it is being taken. VaR is
characterized by:
- Application - Can be applied to any portfolio that can reasonably be marked to market
performance on a regular basis; is not applicable to real estate or other non-liquid assets
- Timeframe/Horizon - Evaluates a portfolio’s performance over a specific period of time such
as a trading day, week or a month
- Base Currency - Measures risk in currency; any currency can be used
- VaR Measurement - The VaR measure summarizes a portfolio’s market risk with a single number
VaR can be calculated using any of the following methods [Note: Value at Risk calculations are
not required on the CMA exam]:
- Historical Method - Re-organizes actual historical returns for a time period by putting them
in order from worst to best. A histogram plot correlates frequency of returns with losses. The
resulting level of confidence provides a percentage that a worst-case scenario for a daily
loss will not exceed
- Variance-Covariance Method - Assumes that stock returns are normally distributed. The
expected (or average) return and a standard deviation are estimated and a normal
distribution curve is plotted. The normal curve shows where the worst percentages lie on the
curve. The percentages looked at are a function of the desired confidence and the standard
deviation
- Monte Carlo Simulation - Refers to any method that randomly generates trials; involves
developing a model for future returns and running multiple hypothetical trials through the
model
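The three VaR methods above, worked through in Python as an added example (this code is not from the Miles/Wiley notes). The daily returns sample, the $1,000,000 portfolio value and the 95% one-day confidence level are constructed assumptions; the Monte Carlo step assumes a normal model fitted to the sample.

```python
"""Value at Risk (VaR) by the historical, variance-covariance and Monte Carlo
methods. Added example, not from the notes; the returns sample below is
constructed, not market data. VaR is reported as a positive loss amount
in the base currency."""
import random
import statistics


def historical_var(returns, confidence, value):
    """Historical method: order actual returns worst-to-best and read off the
    return at the (1 - confidence) point. With n returns and confidence c, the
    worst m = round((1 - c) * n) observations form the tail; the loss at the
    boundary is the VaR (round() avoids floating-point truncation, e.g. 0.1*10)."""
    ordered = sorted(returns)                        # worst ... best
    m = round((1 - confidence) * len(ordered))
    return -ordered[m] * value


def parametric_var(returns, confidence, value):
    """Variance-covariance method: assume normally distributed returns, estimate
    mean and standard deviation, take the loss at the normal quantile for the
    chosen confidence level (z is about 1.645 at 95%)."""
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    z = statistics.NormalDist().inv_cdf(confidence)
    return (z * sigma - mu) * value


def monte_carlo_var(returns, confidence, value, trials=20_000, seed=1):
    """Monte Carlo method: build a model of future returns (assumption: normal
    with the sample mean and standard deviation), run many random trials, then
    read the VaR off the simulated outcomes exactly as the historical method does."""
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    rng = random.Random(seed)                        # fixed seed: reproducible
    simulated = [rng.gauss(mu, sigma) for _ in range(trials)]
    return historical_var(simulated, confidence, value)


def loss_histogram(returns, value, buckets=8):
    """The histogram the historical method is built on: losses (positive = loss)
    in currency, grouped into equal-width buckets; returns (bucket_floor, count)."""
    losses = [-r * value for r in returns]
    lo, hi = min(losses), max(losses)
    width = (hi - lo) / buckets or 1.0               # guard: all losses equal
    counts = [0] * buckets
    for loss in losses:
        idx = min(int((loss - lo) / width), buckets - 1)
        counts[idx] += 1
    return [(lo + i * width, counts[i]) for i in range(buckets)]


def constructed_daily_returns(days=250, seed=42):
    """Constructed sample: one trading year of daily returns with a small
    positive drift and 1.5% daily volatility (not real market data)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0004, 0.015) for _ in range(days)]


if __name__ == "__main__":
    value = 1_000_000.0          # assumed portfolio value, base currency
    confidence = 0.95            # 95% confidence, one-day horizon
    rets = constructed_daily_returns()
    print(f"Historical  1-day 95% VaR: {historical_var(rets, confidence, value):,.0f}")
    print(f"Parametric  1-day 95% VaR: {parametric_var(rets, confidence, value):,.0f}")
    print(f"Monte Carlo 1-day 95% VaR: {monte_carlo_var(rets, confidence, value):,.0f}")
    for floor, count in loss_histogram(rets, value):
        print(f"loss >= {floor:>10,.0f}: {'#' * count}")
```

Because the Monte Carlo model here is the same normal the parametric method assumes, the two figures agree closely; the historical figure differs because it uses only the 250 observed returns.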
Overview of ERM
COSO published the “Enterprise Risk Management - Integrated Framework” in 2004. In Sep 2017,
the framework was updated and is now titled “Enterprise Risk Management - Integrating with
Strategy and Performance”. The 2017 Framework:
- Defines ERM as: “The culture, capabilities, and practices, integrated with strategy-setting and
its performance, that organizations rely on to manage risk in creating, preserving, and realizing
value”
- Provides a framework for boards and management in entities of all sizes, and builds on the
current level of risk management that exists in the normal course of business
- Highlights the importance of considering risk in both the strategy-setting process and in driving
performance
- Demonstrates how integrating ERM practices throughout an entity helps to accelerate
growth and enhance performance
- Also contains principles that can be applied - from strategic decision-making to performance
Management’s Guide to ERM - Management holds overall responsibility for managing risk to the
entity, but it is important for management to go further: to enhance the conversation with the
board and stakeholders about using ERM to gain a competitive advantage. That starts by deploying
ERM capabilities as part of selecting and refining a strategy
- Through this process, management will gain a better understanding of how the explicit
consideration of risk may impact the choice of strategy
- ERM enriches management dialogue by adding perspective to the strengths and
weaknesses of a strategy as conditions change, and to how well a strategy fits with the
organization’s mission and vision
- ERM allows management to feel more confident that they’ve examined alternative
strategies and considered the input of those in their organization who will implement the
strategy selected
- Once strategy is set, ERM provides an effective way for management to fulfill its role, knowing
that the organization is attuned to risks that can impact strategy and is managing them well
- Applying ERM helps to create trust and instill confidence in stakeholders in the current
environment, which demands greater scrutiny than ever before about how organizations are
actively addressing and managing their risks
Questions for management - Can all of management - not just the chief risk officer - articulate
how risk is considered in the selection of strategy or business decisions? Can they clearly
articulate the entity’s risk appetite and how it might influence a specific decision?
The resulting conversation may shed light on what the mindset for risk taking is really like in
the organization
Board’s Guide to ERM - Every board has an oversight role, helping to support the creation of value
in an entity and prevent its decline. Traditionally, ERM has played a strong supporting role at the
board level. Now, boards are increasingly expected to provide oversight of ERM
The ERM framework supplies important considerations for boards in defining and addressing their
risk oversight responsibilities. These considerations include:
- Culture & Governance
- Risk Management leading to Performance
- Information, communications & reporting
- Monitoring (i.e., Review & Revision)
- Enterprise Strategy & Objective-setting
The board’s risk oversight role may include, but is not limited to:
- Reviewing, challenging, and concurring with management on:
  (a) Proposed strategy and risk appetite
  (b) Alignment of strategy and business objectives with the entity’s stated mission, vision,
  and core values
  (c) Significant business decisions including M&A, capital allocations, funding, and dividend-
  related decisions
  (d) Response to significant fluctuations in entity performance or the portfolio view of risk
  (e) Responses to instances of deviation from core values
- Approving management incentives and remuneration
- Participating in investor & stakeholder relations
Over the longer term, ERM can also enhance enterprise resilience (i.e., the ability to anticipate
and respond to change):
- Helps organizations identify factors that represent not just risk, but change, and how that
change could impact performance and necessitate a shift in strategy
- Provides the right framework for boards to assess risk and embrace a mindset of resilience
- By seeing change more clearly, an organization can fashion its own plan; e.g., should it
defensively pull back or invest in a new business?
Benefits of ERM - All organizations need to set strategy and periodically adjust it, always staying
aware of both ever-changing opportunities for creating value and the challenges that will occur in
pursuit of that value. To do that, they need the best possible framework for optimizing strategy and
performance. That’s where ERM comes into play.
Organizations that integrate ERM throughout the entity can realize many benefits (some of which are
listed below), which highlight the fact that risk should not be viewed solely as a potential constraint
or challenge to setting and carrying out a strategy. Rather, the change that underlies risk and the
organizational responses to risk give rise to strategic opportunities and key differentiating
capabilities. Benefits of ERM include, but are not limited to:
- Increasing the range of opportunities - By considering all possibilities (both positive and
negative aspects of risk), management can identify new opportunities and unique challenges
associated with current opportunities
- Identifying and managing risk entity-wide - Every entity faces myriad risks that can affect many
parts of the organization. Sometimes a risk can originate in one part of the entity but impact a
different part. Consequently, management identifies and manages these entity-wide risks to
sustain and improve performance
- Increasing positive outcomes and advantage while reducing negative surprises - ERM allows
entities to improve their ability to identify risks and establish appropriate responses, reducing
surprises and related costs or losses, while profiting from advantageous developments
- Reducing performance variability - For some, the challenge is less with surprises and losses and
more with variability in performance. Performing ahead of schedule or beyond expectations
may cause as much concern as performing short of schedule and expectations. ERM allows
organizations to anticipate the risks that would affect performance and enables them to put in
place the actions needed to minimize disruption and maximize opportunity
- Improving resource deployment - Every risk could be considered a request for resources.
Obtaining robust information on risk allows management, in the face of finite resources, to
assess overall resource needs, prioritize resource deployment and enhance resource allocation
- Enhancing enterprise resilience - An entity’s medium- and long-term viability depends on its
ability to anticipate and respond to change, not only to survive but also to evolve and thrive.
This is, in part, enabled by effective ERM. It becomes increasingly important as the pace of
change accelerates and business complexity increases
Under COSO’s ERM updated 2017 Framework, ERM consists of 5 components {CRIME}:
- C - Culture & Governance ("C" is the foundation for CRIME)
- R - Risk & Performance
- I - Information, Communication & Reporting
- M - Monitoring (i.e., Review & Revision)
- E - Enterprise Strategy & Objective-setting
The 5 inter-related components in the updated Framework are supported by a set of 20 principles.
These principles cover everything from governance to monitoring. They’re manageable in size, and
they describe practices that can be applied in different ways for different organizations regardless of
size, type, or sector. Adhering to these principles can provide management and the board with a
reasonable expectation that the organization understands and strives to manage the risks associated
with its strategy and business objectives. The 20 principles are:
Culture & Governance:
- Exercises Board Risk Oversight
- Establishes Operating Structures
- Defines Desired Culture
- Demonstrates Commitment to Core Values
- Attracts, Develops, and Retains Capable Individuals
Risk & Performance:
- Identifies Risk
- Assesses Severity of Risk
- Prioritizes Risks
- Implements Risk Responses
- Develops Portfolio View
Information, Communication & Reporting:
- Leverages Information and Technology
- Communicates Risk Information
- Reports on Risk, Culture, and Performance
Monitoring (i.e., Review & Revision):
- Assesses Substantial Change
- Reviews Risk and Performance
- Pursues Improvement in ERM
Enterprise Strategy & Objective-setting:
- Analyzes Business Context
- Defines Risk Appetite
- Evaluates Alternative Strategies
- Formulates Business Objectives
CRIME
Culture & Governance
- Together form the basis for all other ERM components
- Governance sets the organization’s tone, reinforcing the importance of, and establishing
oversight responsibilities for, ERM
- Culture is reflected in decision-making and pertains to ethical values, desired behaviors, and
understanding of risk in the entity
Principles (as per the updated 2017 framework):
Exercises Board Risk Oversight - The board of directors provides oversight of the strategy
and carries out governance responsibilities to support management in achieving strategy
and business objectives
Establishes Operating Structures - The organization establishes operating structures in the
pursuit of strategy and business objectives. Operating structure is typically aligned with:
Legal structure - influences how an entity operates, and
Management structure - sets out the reporting lines, roles & responsibilities for ongoing
management & operation of the business
Defines Desired Culture - The organization defines the desired behaviors that characterize
the entity’s desired culture
Organization’s culture reflects its core values, behaviors, and decisions; and influences
how the organization applies the ERM framework: how it identifies risk, what types of
risk it accepts, and how it manages risk
Many factors shape entity culture
(a) Internal factors - like level of judgment & autonomy provided to personnel, how
entity employees interact with each other and their managers, the standards and
rules, the physical layout of the workplace, reward system in place
(b) External factors - like regulatory requirements, expectations of customers, investors
All these factors influence where the entity positions itself on the culture spectrum,
which ranges from risk averse (e.g., a nuclear power plant) to risk aggressive (e.g., a
private equity fund)
(a) The closer an entity is to the risk aggressive end of the spectrum, the greater is its
propensity for and acceptance of the differing types and greater amount of risk to
achieve strategy and business objectives
Changes within the organization and external influences may cause an entity’s culture to
shift (e.g., change in leadership, M&As, growth from start-up to mature organization)
Demonstrates Commitment to Core Values - The organization demonstrates a commitment
to the entity’s core values; also, embraces a risk-aware culture, enforces accountability, and
keeps communication open (and free from retribution)
E.g., Deviations to Core Values - For a pharmaceutical company, if R&D did not disclose
all potential side effects of a new drug to management (i.e., violates the core values),
and management launches the drug, it could lead to severe adverse effects to the entity
Attracts, Develops, and Retains Capable Individuals - The organization is committed to
building human capital in alignment with the strategy and business objectives
E.g., Aligning business objectives (e.g., quantity targets, quality, customer satisfaction)
with incentives & rewards may lead to greater employee accountability
CRIME
Risk & Performance
Need to identify & assess risks that may impact the achievement of strategy and business
objectives. Risks are prioritized by severity in the context of risk appetite. The organization then
selects risk responses and takes a portfolio view of the amount of risk it has assumed. The
results of this process are reported to key risk stakeholders
Principles (as per the updated 2017 framework):
Identifies Risk - The organization identifies risk that impacts the performance of strategy
and business objectives
E.g., Using a Risk Inventory: the chart below illustrates how risks that impact
different levels of the entity form part of the risk inventory
(Chart: a 4 x 4 grid with Likelihood Rating (1 to 4) on the vertical axis and Impact
Rating (1 to 4) on the horizontal axis. Risk 1 and Risk 4 are plotted at a higher
likelihood than Risk 2 and Risk 3; Risk 1 and Risk 2 are plotted at a higher impact
than Risk 3 and Risk 4.)
Prioritizes Risks - The organization prioritizes risks as a basis for selecting responses to risks
Priorities are determined by applying agreed-upon criteria including:
(a) Adaptability - Capacity of an entity to adapt and respond to risks
(b) Complexity - Scope and nature of a risk to the entity’s success (e.g., risks of product
obsolescence to entity’s objective of being market leader in customer satisfaction)
(c) Velocity - Speed at which a risk impacts an entity (e.g., risk of disruptions due to
strikes by port & customs officers affecting the objective relating to efficient supply
chain management)
(d) Persistence - How long a risk impacts an entity (e.g., the persistence of adverse
media coverage and impact on sales objectives following the identification of
potential brake failures and subsequent global car recalls)
(e) Recovery - Capacity of an entity to return to tolerance (e.g., continuing to function
after a severe flood or other natural disaster). Recovery excludes the time taken to
return to tolerance, which is considered part of persistence, not recovery
Prioritization takes into account the severity of the risk compared to risk appetite.
Greater priority may be given to those risks likely to approach or exceed risk appetite.
E.g., A utility company’s mission is to be the most reliable electricity provider in its
region. A recent increase in frequency & persistence of power outages indicates that the
entity is approaching its risk appetite and is less likely to achieve its business objectives
of providing reliable service. This situation triggers a heightened priority for the risk
Implements Risk Responses - The organization identifies and selects risk responses. Responses
may be:
Accept - No action is taken to change the severity of the risk
(a) Esp. if the risk is already within risk appetite
(b) If risk is outside the entity’s risk appetite that management seeks to accept,
generally approval is required from the board or other oversight bodies
Avoid - Action is taken to remove the risk
(a) E.g., Cease a product line, decline to expand to a new market, sell a division
(b) Suggests that the organization was not able to identify a response that would reduce
the risk to an acceptable level of severity
Pursue - Action is taken that accepts increased risk to achieve improved performance
(a) E.g., Adopt more aggressive growth strategies, expand operations, develop new
products and services
(b) When choosing to pursue risk, management understands the nature & extent of any
changes required to achieve desired performance while not exceeding the
boundaries of acceptable tolerance
Reduce - Action is taken to reduce the severity of the risk
(a) Involves any of myriad everyday business decisions that reduce risk to an amount
of severity aligned with the target residual risk profile and risk appetite
Share / Transfer - Action is taken to reduce the severity of the risk by transferring or
otherwise sharing a portion of the risk
(a) E.g., Outsourcing, insurance, hedging
(b) As with the “reduce” response, sharing risk lowers residual risk in alignment with
risk appetite
Develops Portfolio View - The organization develops and evaluates a portfolio view of risk.
E.g., Portico Co. develops the following portfolio view:
CRIME
Monitoring (i.e., Review & Revision)
By reviewing entity performance, an organization can consider how well the ERM components
are functioning over time and in light of substantial changes, and what revisions are needed
Principles (as per the updated 2017 framework):
Assesses Substantial Change - The organization identifies and assesses changes that may
substantially affect strategy and business objectives.
E.g., Changes in:
(a) Internal Environment - rapid growth, innovation, substantial changes in leadership &
personnel
(b) External Environment - changing regulatory environment, changing economic
environment
Reviews Risk and Performance - The organization reviews entity performance and
considers risk
By reviewing performance, organizations seek answers to questions such as:
(a) Has the entity performed as expected and achieved its target?
(b) What risks are occurring that may be affecting performance?
(c) Was the entity taking enough risk to attain its target?
(d) Was the estimate of the amount of risk accurate?
If an organization determines that performance does not fall within its acceptable
variation, or that the target performance results in a different risk profile than what was
expected, it may need to:
(a) Review business objectives
(b) Review strategy
(c) Review culture
(d) Revise target performance
(e) Reassess severity of risk results
(f) Review how risks are prioritized
(g) Revise risk responses
(h) Revise risk appetite
Considering Entity Capabilities - Part of reviewing performance is considering the
organization’s capabilities and their effect on performance
(a) The organization must answer questions like:
(i) If performance targets are not being met, is it because of insufficient
capabilities?
(ii) If targets are being exceeded, is it because corrective action is required?
(b) Corrective action may include reallocating resources, revising business objectives, or
exploring alternative strategies
Pursues Improvement in ERM - The organization pursues improvement of ERM
Management should pursue improvement throughout the entity (functions, operating
units, divisions) to improve the efficiency and usefulness of ERM at all levels
Assessing ERM
An organization should have a means to reliably provide the entity’s stakeholders with a
reasonable expectation that it is able to manage risk to an acceptable amount. It does this by
assessing the ERM practices that are in place. Such assessment is voluntary, unless required
otherwise by legislation or regulation
ERM framework provides criteria for conducting an assessment and determining whether the ERM
culture, capabilities, and practices collectively manage the risk of not achieving the entity’s strategy
and supporting business objectives
During an assessment, the organization considers whether:
The components and principles relating to ERM are present and functioning
The components relating to ERM are operating together in an integrated manner
The controls necessary to put into effect relevant principles are present and functioning
In these three considerations, being "present" means the components, principles, and controls
exist in the design and implementation of ERM to achieve strategy and business objectives.
Being "functioning" means they continue to operate to achieve strategy and business
objectives. And "operating together" refers to the interdependencies of components and how
they function cohesively.
Organizations may place different emphasis on specific principles and apply them differently,
depending on the benefits an organization seeks to attain through ERM. When these
components, principles, and supporting controls are present and functioning, the organization
can reasonably expect that ERM is helping the entity create, preserve, and realize value.
During an assessment, management may also review the suitability of those capabilities and
practices, keeping in mind the entity’s complexity and the benefits the organization seeks to attain
through ERM
There is no doubt that organizations will continue to face a future full of volatility, complexity, and
ambiguity. ERM will be an important part of how an organization manages and prospers through
these times. Regardless of the type and size of an entity, strategies need to stay true to their
mission. And all entities need to exhibit traits that drive an effective response to change, including
agile decision-making, the ability to respond in a cohesive manner, and the adaptive capacity to
pivot and reposition while maintaining high levels of trust among stakeholders.
As we look into the future, there are several trends that will have an effect on ERM. Just four of
these are:
Dealing with the proliferation of data - As more and more data becomes available and the
speed at which new data can be analyzed increases, ERM will need to adapt. The data will come
from both inside and outside the entity, and it will be structured in new ways. Advanced
analytics and data visualization tools will evolve and be very helpful in understanding risk and
its impact—both positive and negative
Leveraging artificial intelligence and automation - Many people feel that we have entered the
era of automated processes and artificial intelligence. Regardless of individual beliefs, it is
important for ERM practices to consider the impact of these and future technologies, and
leverage their capabilities. Previously unrecognizable relationships, trends and patterns can be
uncovered, providing a rich source of information critical to managing risk
Managing the cost of risk management - A frequent concern expressed by many business
executives is the cost of risk management, compliance processes, and control activities in
comparison to the value gained. As ERM practices evolve, it will become important that
activities spanning risk, compliance, control, and even governance be efficiently coordinated to
provide maximum benefit to the organization. This may represent one of the best opportunities
for ERM to redefine its importance to the organization
Building stronger organizations - As organizations become better at integrating ERM with
strategy and performance, an opportunity to strengthen resilience will present itself. By
knowing the risks that will have the greatest impact on the entity, organizations can use ERM to
help put in place capabilities that allow them to act early. This will open up new opportunities.
In summary, ERM will need to change and adapt to the future to consistently provide the benefits
outlined in the Framework. With the right focus, the benefits derived from ERM will far outweigh
the investments and provide organizations with confidence in their ability to handle the future