Risk Management & Internal Control
Prof. dr. Kris Hardies
2022/2023
Chapter 0: Introduction
0.1 BP Oil Spill
Cause for the oil spill: the organizational culture inside the company
Encouraged cost cutting & cutting of corners
Rewards workers for doing it faster and cheaper, not better
Management failure
Risk management will never work if the organizational culture isn’t right
0.2 Risk categories
I. Category I Risk control failures
Internal
Preventable
Known
E.g.: Siemens Bribery & Corruption scandal (breaching fiduciary duties)
II. Category II Risk control failures
New market or product
Not following or doing something that should be done
E.g.: Ford’s Edsel – “wrong car at the wrong time”,
McDonald’s Arch Deluxe – marketed specifically for adults but everyone
wanted cheap burgers
Walt Disney’s Disneyland Paris – first 10 years huge losses because of the
cultural differences (e.g. no alcohol policy)
Nokia missing the smartphone boom & Polaroid missing the digital
revolution
III. Category III Risk Control Failures
External events (all black swan events = unpredictable events)
E.g.: September 11 attacks, emergence of new technologies (the
internet), 2011 Tōhoku earthquake & tsunami
0.3 A broader framework
Governance:
Internal: principal-agent (employer-employee)
External: shareholders & stakeholders
Changing environment: Source of risk
(Fortune 500 companies keep changing over time)
1
,0.4 Risk management
Risk: The possibility that an event will occur and adversely affect
the achievement of objectives.
Risk management: reducing the likelihood or impact of circumstances that could cause
outcomes to be less than desired.
Managing the change process
Risk management is a corporate governance requirement (Belgian Code on Corporate
Governance)
How much uncertainty is the organization willing to accept in their value creation process?
(every entity exists to provide value for its stakeholders)
Uncertainty: risks as well as opportunities
Managing risks eliminating risks: risks are accepted and managed, not eliminated.
COSO ERM (Enterprise Risk Management) framework
Roles and responsibilities:
o Board of Directors
o CEO
o Chief Risk Officer (CRO) & other top
executives
o Senior management
o Staff
o Internal Audit
o External Audit
o Regulatory Entities
Corporate governance: The system by which companies are directed and controlled. Boards of
directors are responsible for the governance of their companies. The shareholders’ role in
governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate
governance structure is in place. The responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into effect, supervising the management of the
business and reporting to shareholders on their stewardship. The board’s actions are subject to laws,
regulations and the shareholders in general meeting.
2
,Chapter 1: Internal Control
1.1 Governance & culture
Governance: sets the organization’s tone, reinforcing the importance of, and establishing
oversight responsibilities for, ERM.
Culture: pertains to ethical values, desired behaviors and understanding of risk in the entity.
The control environment: the set of standards, processes and structures that provide the basis
for carrying out internal control across the entity.
The internal environment: encompasses the tone of an entity and sets the basis for how risk is
viewed and addressed by an entity’s people, including risk management philosophy and risk
appetite, integrity and ethical values and the environment in which they operate.
Integrity and ethical values: code of conduct (explains values inside the company and what is
acceptable)
Commitment to competence
Board of Directors (or Audit Committee): must have independence & competence to override
system controls
Board: Governing body of an entity, which may take the form of a board
directors or supervisory board for a corporation, board of trustees for a not-
for-profit organization, general partners for a partnership, or owner for a small
business.
Management’ philosophy & operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Tone at the top: The ethical environment within the firm created through management
practices and espoused values.
Organizational culture control environment
1.2 Questions at the end of the chapter
1. What is not a synonym for the internal environment?
o Control environment
o Governance and culture
o Tone at the top
2. A risk culture is defined by:
o All stakeholders
o Management
o The CEO
3
, Chapter 2: Strategy & Objective-setting
Every entity has a strategy for bringing its mission to fruition and to drive value.
ERM: The culture, capabilities and practices, integrated with strategy-setting and its execution,
that organizations rely on to manage risk in creating, preserving and realizing value.
Business objectives provide the link to practices within the entity to support the achievement
of the strategy.
2.1 Strategy and Risk appetite
Strategy should be consistent with risk appetite
Risk-return tradeoff (do we want less risk or more return?)
Rarely linear or one-to-one
Risk appetite: the types and amount of risk, on a broad level, an organization is willing
to accept in pursuit of value. (=its mission)
Chosen by management (endorsed/confirmed by board of directors)
May change over time (in line with risk capacity)
Risk capacity = maximum amount of risk an entity is able to absorb
Risk tolerance: Acceptable level of variation (in performance) relative to the
achievement of objectives.
Needs to be aligned with risk appetite
Achievement of objectives
The risk pyramid
2.2 Objective setting
Objectives: what an entity desires to achieve.
Strategic objectives
Related objectives (operating, reporting, compliance)
Objectives must exist before management can identify potential events affecting their
achievement!
Aligned with the entity’s mission
Aligned with the entity’s risk appetite
4
Prof. dr. Kris Hardies
2022/2023
Chapter 0: Introduction
0.1 BP Oil Spill
Cause for the oil spill: the organizational culture inside the company
Encouraged cost cutting & cutting of corners
Rewards workers for doing it faster and cheaper, not better
Management failure
Risk management will never work if the organizational culture isn’t right
0.2 Risk categories
I. Category I Risk control failures
Internal
Preventable
Known
E.g.: Siemens Bribery & Corruption scandal (breaching fiduciary duties)
II. Category II Risk control failures
New market or product
Not following or doing something that should be done
E.g.: Ford’s Edsel – “wrong car at the wrong time”,
McDonald’s Arch Deluxe – marketed specifically for adults but everyone
wanted cheap burgers
Walt Disney’s Disneyland Paris – first 10 years huge losses because of the
cultural differences (e.g. no alcohol policy)
Nokia missing the smartphone boom & Polaroid missing the digital
revolution
III. Category III Risk Control Failures
External events (all black swan events = unpredictable events)
E.g.: September 11 attacks, emergence of new technologies (the
internet), 2011 Tōhoku earthquake & tsunami
0.3 A broader framework
Governance:
Internal: principal-agent (employer-employee)
External: shareholders & stakeholders
Changing environment: Source of risk
(Fortune 500 companies keep changing over time)
1
,0.4 Risk management
Risk: The possibility that an event will occur and adversely affect
the achievement of objectives.
Risk management: reducing the likelihood or impact of circumstances that could cause
outcomes to be less than desired.
Managing the change process
Risk management is a corporate governance requirement (Belgian Code on Corporate
Governance)
How much uncertainty is the organization willing to accept in their value creation process?
(every entity exists to provide value for its stakeholders)
Uncertainty: risks as well as opportunities
Managing risks eliminating risks: risks are accepted and managed, not eliminated.
COSO ERM (Enterprise Risk Management) framework
Roles and responsibilities:
o Board of Directors
o CEO
o Chief Risk Officer (CRO) & other top
executives
o Senior management
o Staff
o Internal Audit
o External Audit
o Regulatory Entities
Corporate governance: The system by which companies are directed and controlled. Boards of
directors are responsible for the governance of their companies. The shareholders’ role in
governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate
governance structure is in place. The responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into effect, supervising the management of the
business and reporting to shareholders on their stewardship. The board’s actions are subject to laws,
regulations and the shareholders in general meeting.
2
,Chapter 1: Internal Control
1.1 Governance & culture
Governance: sets the organization’s tone, reinforcing the importance of, and establishing
oversight responsibilities for, ERM.
Culture: pertains to ethical values, desired behaviors and understanding of risk in the entity.
The control environment: the set of standards, processes and structures that provide the basis
for carrying out internal control across the entity.
The internal environment: encompasses the tone of an entity and sets the basis for how risk is
viewed and addressed by an entity’s people, including risk management philosophy and risk
appetite, integrity and ethical values and the environment in which they operate.
Integrity and ethical values: code of conduct (explains values inside the company and what is
acceptable)
Commitment to competence
Board of Directors (or Audit Committee): must have independence & competence to override
system controls
Board: Governing body of an entity, which may take the form of a board
directors or supervisory board for a corporation, board of trustees for a not-
for-profit organization, general partners for a partnership, or owner for a small
business.
Management’ philosophy & operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Tone at the top: The ethical environment within the firm created through management
practices and espoused values.
Organizational culture control environment
1.2 Questions at the end of the chapter
1. What is not a synonym for the internal environment?
o Control environment
o Governance and culture
o Tone at the top
2. A risk culture is defined by:
o All stakeholders
o Management
o The CEO
3
, Chapter 2: Strategy & Objective-setting
Every entity has a strategy for bringing its mission to fruition and to drive value.
ERM: The culture, capabilities and practices, integrated with strategy-setting and its execution,
that organizations rely on to manage risk in creating, preserving and realizing value.
Business objectives provide the link to practices within the entity to support the achievement
of the strategy.
2.1 Strategy and Risk appetite
Strategy should be consistent with risk appetite
Risk-return tradeoff (do we want less risk or more return?)
Rarely linear or one-to-one
Risk appetite: the types and amount of risk, on a broad level, an organization is willing
to accept in pursuit of value. (=its mission)
Chosen by management (endorsed/confirmed by board of directors)
May change over time (in line with risk capacity)
Risk capacity = maximum amount of risk an entity is able to absorb
Risk tolerance: Acceptable level of variation (in performance) relative to the
achievement of objectives.
Needs to be aligned with risk appetite
Achievement of objectives
The risk pyramid
2.2 Objective setting
Objectives: what an entity desires to achieve.
Strategic objectives
Related objectives (operating, reporting, compliance)
Objectives must exist before management can identify potential events affecting their
achievement!
Aligned with the entity’s mission
Aligned with the entity’s risk appetite
4
