
UNIVERSITY OF CENTRAL PUNJAB

FALL 2020

Course Title: performance strategy

Assignment No. 1
Submitted to: Gulam Fareed
Submitted by: Reg No
Section: B Program: BSAF
Date: 12-11-2020 Submission Date: 16-11-2020

Assignment Topic:
Define ERM and its components?

ERM:
Enterprise risk management activities are designed to ensure that management identifies,
analyzes, and responds appropriately to risks that may adversely affect realization of an
organization's business objectives. Management's response to risks will depend on the likelihood
of the event happening and the impact if it does. Based on this risk assessment, an organization
will need to choose whether to accept the risk, mitigate the risk, or transfer the risk to another
party. When performed effectively, these risk management activities will ensure that the
organization's limited resources will be prioritized to most efficiently address the issues that will
affect them the most.
ERM is a process effected by an entity's board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives. The key aim of an effective ERM
framework is to provide the organization with the necessary controls, communication and
risk-informed decision making to achieve the right balance between risk and reward.
• Provides higher effectiveness of the risk framework, resulting in fewer unexpected losses and
incidents.
• Promotes more forward-looking and strategic risk-related decision making.
• Is a concept, and not a system or ready-made methodology.
• The framework's maturity ladder is organic and unique for each organization.
ERM is an ongoing process, and not one in which each component affects only the next; it is a
multi-directional process in which almost any component can and does affect another. The type
of company, its size and structure, will determine how the components function in practice.

Components of Enterprise Risk Management:
Enterprise risk management consists of eight interrelated components. These are derived from
the way management runs an enterprise and are integrated with the management process. These
eight components cover the core areas that an enterprise risk management framework must
address for a sufficiently mature contingency plan. These components are:

Internal Environment:
It consists of the overall environment within the organisation, which sets the basis for how risk
is observed and addressed by an entity's people, including risk management philosophy (the
general attitude or approach an organization takes in dealing with risks) and risk appetite (the
level of risk that a company can undertake and successfully manage over an extended time
period), integrity and ethical values, and the environment in which they operate. In the internal
environment, work culture is a huge factor that influences a team's risk aptitude. The ability to
take calculated risks, as well as ability, really matters. It is observed that, where senior
management is very well qualified, their ability to train line managers and mid-senior staff
really makes or breaks a risk contingency plan.

Objective setting:
Objectives exist or are set before management. In terms of objective setting, the enterprise-wide
strategy and the organization's vision and mission (objectives and goals) must be dynamic for a
risk management plan that incorporates mitigation strategies. Risks could also change the
initiative employees have and the way clients perceive the organization. Objectives should be
associated with the organization's mission and need to be consistent with the organization's
capacity for undertaking risk, because risk capacity varies by company and depends on its own
culture or circumstances. When objectives are set for the organization's management of risk,
there is less room for error. The Executive Committee (EC) establishes all-embracing strategic
goals and sets financial targets. Senior management is accountable for meeting these goals and
objectives. Business unit, functional and individual employee goals and objectives are typically
aligned to those of the overall organization.

Event identification:
It is all about developing organizational awareness in terms of identifying events that could be
potential risks and those that are potential opportunities. The events are internal and external
ones that impact the achievement of an entity's objectives. These events are distinguished as risks
or opportunities, which are directed to management's strategy or objective-setting processes. To
avoid surrendering to false notions of the after-effects of risk, a risk management plan is made
that documents the type and category of risks that affect the organization's future projects.

Risk assessment:
Risks are examined to consider their likelihood and impact as a basis for determining how they
should be managed. Risks are also assessed on an inherent basis (risk to an organization in the
absence of any actions management might take to alter either the risk's probability or impact)
and a residual basis (risk that remains after management has responded to the risk). After a risk
or event is identified, assessment is prescribed as a component in its own right, and a lot of
importance is placed on it, with emphasis on both qualitative and quantitative methods of risk
assessment. Internal risks include operational ones, individual business persuaded. On the other
hand, external ones could be anything from a market slowdown or changes in the physical
environment to loss of brand identity. Risk assessment is all about sound measurement and
accurate prioritization of risk. An individual or small team is appointed with the primary
responsibility for implementing ERM.

Risk response:
In this component, management selects risk responses to avoid, accept, reduce, share or transfer
risk. The intention is to develop a set of actions to line up risks with the entity's risk
tolerances (acceptable variation, often measured using the same units as the related objectives)
and risk appetite. Risk is especially stressed in this component. Risk responses, in general,
depend upon the nature of the guidelines that the organization subscribes to as well as the
projects involved.
For example, when health and safety become a huge cause of concern, as they do in construction
projects with extreme weather conditions or exposure to harmful chemicals, set principles like
As Low As Reasonably Practicable (ALARP) are put to use.

Control activities:
Control activities are the policies and procedures that are established and implemented to help
ensure that risk responses are effectively carried out in the organization. The control component
is important in an organization which is managed by top managers and mid-senior management.
Examples of control activities include segregation of duties, physical controls, IT controls,
analysis of results versus targets and reviews by senior management/specialists.
For example, when a vendor's bad quality affects the product output and it is up to the line
manager to sell new terms to the clients, the manager's judgment, bias, perceptions and way of
communication outweigh almost every scheme of control that the organizational policy can
mandate. However, if effective training can encourage all managers to embrace a common code of
ethics, internal control becomes far more realistic.

Information and communication:
In this component, business-relevant information is identified, captured and then communicated
in a form that allows people to carry out their responsibilities. It is a basic component, the
lack of which can be an inherent risk (risk to an organization in the absence of any actions
management might take to alter either the risk's probability or impact) for the organization.
The information and communication component is in place so that business leaders and employees
are aware of risks that fall into their area of responsibility. Information and communication
are key to meeting any risk in organizations. Information on key processes applicable to their
role is provided to new hires and to employees transferring to new functions. For many areas of
risk, required training is conducted. Staff must be trained to recognize potential risks and
communicate them to their leaders. Knowledge is also exchanged within risk management functions
through regular department meetings and short-term rotations through corporate or enterprise
functions.

Monitoring:
Monitoring helps ensure that risks are effectively assessed and that appropriate risk responses
and controls are in place. ERM is monitored and modifications are made as necessary. Monitoring
reports can be periodic or regular. A combination of ongoing and specific-interval monitoring
activities is required; through this a firm can assess its risks and weaknesses in time. Examples
include identification of weaknesses in control activities by internal and external auditors,
senior management evaluations of risk responses, and reviews of operating reports. Appropriate
corrective action must then be taken, and a periodic process for reporting should be established.
