Hello, and welcome to this session, in which we look at enterprise risk management, the COSO framework, the integrated COSO ERM framework to be specific. This is part three of five. We already covered the first two components; today we are covering the third component, performance. Before we start, I would like to remind you of the definition: ERM is the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. As I told you in part one of five, we are going through this definition as we cover the five components. Today we are going to learn how the organization manages risk, because performance is about managing risk. So how do we manage risk? There are going to be five steps in studying risk within the COSO framework. Now, if you are studying for your CPA exam, most CPA review courses give you mnemonics to remember the ERM components. For certain topics mnemonics are not bad, but when the mnemonics become too many, they defeat the purpose of being a mnemonic. Therefore, what I am going to do is explain the material to you in detail, because that way it is easier for you to remember it. So if you are a CPA candidate, I strongly suggest you visit my website, farhatlectures.com. I don't replace your CPA review course; whatever CPA review course you are taking, you can keep. Add me as a useful addition, an alternative explanation, a backup system. By doing so, I can help you add 10 to 15 points to your grade by helping you understand the material better. Why? Because I explain it differently. I may spend 30 minutes on performance alone, while a CPA review course may spend 30 minutes on all five components. That is the difference: I give you the information in detail.
So once you learn it, you can go to your CPA review course, review it in 30 minutes, and it will make more sense and be more efficient. This is how I can help you. Your risk is one month of subscription; your potential gain is passing the exam. If nothing else, take a look at my website to find out how well your university is doing on the CPA exam. If you are taking accounting courses in college, please take a look at my menu; I have resources and lectures for other courses. Connect with me on LinkedIn if you haven't done so, and take a look at my LinkedIn recommendations from students who used my system to pass the CPA exam. Please like this recording, share it, and connect with me on Instagram and Facebook. So, as I stated, today we are focusing on the performance section of ERM. This section has five principles: identify risk, assess risk, prioritize risk, respond to risk, and look at risk from a portfolio perspective. Most of the CPA questions about ERM, or a lot of them, come from this part, from these principles. And these principles, in my opinion, are the easiest for me to teach, because they make the most sense and students can relate to them: we can all relate to risk, what a risk is, and how to identify one. So, simply put, let's walk through them on this page real quick. First we identify: how do you identify risk? Find out what the risk is. Once we know our risks, we assess them: how severe, how important, how likely they are to happen. Once we have assessed them, we prioritize them: which risks are the most imminent? Then we respond to them. And that's basically it. At the end, we look at the company from a portfolio view of risk, which is the overall risk. That is why, in my opinion, this is the section that makes the most sense. We start with identifying risk, the first of the five principles.
So how do we identify risk? Well, remember, we have strategies and business objectives, and anything that could disrupt our operations and keep us from reaching our strategies and objectives is a risk. But how do we know that something is a risk? We really don't know for certain, but we can keep a list of things that could be potential risks. One could be changes in technology: changes in technology might make us obsolete. Think of big data, artificial intelligence, machine learning. If we don't use them and other companies do, then we are behind. That's a risk. Changes in consumer taste: people don't like what we're selling anymore. Why? Because there is a switch to healthier products and we don't sell healthy products; that's a business risk. Depleting natural resources: if we rely on natural resources, whether we use them as an input or we sell them, and they are being depleted, that's a risk for us. A changing mobile workforce, especially with COVID-19 now, is a risk, especially if our labor force is not mobile. Labor shortage: we don't have enough employees to do the work. Changes in demographics: we serve people in their 60s and above, and the average age of the population where we operate is 35. We are going to have an issue, because the product we sell is not for that demographic. Climate change could affect our business. Government regulation, changes in taxes, liquidity, our cash position: are we liquid enough? Can we borrow money easily? So those are all risks that could affect our businesses. Now, how do we identify those risks? How do we actually look for them? We have many approaches. For example, we could use big data. Notice here that big data could be a risk, and big data could also be a way to identify risk.
For example, if we operate online and have a website, we might notice a drop in visits, or a drop in visits from a particular area. Say we used to have a lot of visits from Europe, and now that traffic is dropping. We can use the data to our advantage to identify the risk. So just as big data could be a risk for us, we can also leverage it to our own advantage. We could have a risk officer or a risk committee, people who specialize in risk and in identifying risk; that's all they do. We can look at our day-to-day activities and see what's going on: when we prepare a budget, when we do business planning, when we review customer complaints. For example, there is one hotel, I forgot its name because it was a long time ago. When my wife books a hotel, she reviews the cost, obviously, and she reviews the customer reviews, and what she looks for is a hotel where the manager responds to the complaints. So think about it: we always select the hotel where the manager responds to the customers' complaints. That is what's called day-to-day activity. The manager is constantly monitoring the customer complaints and identifying the risks: not enough towels, the breakfast was cold, whatever the reason is. They are identifying the risk to the business from day-to-day operations. Simple questionnaires with key staff and employees: ask your employees, what do you think the risks to our business are? COSO has workshops; attend those to learn about risks. Interviews: talk to people. Data tracking, and looking at the industry to see what's going on. Question your assumptions under different scenarios.
Change your assumptions; this is how you can identify risk. And you should have a risk inventory, meaning a list of all the risks that could happen. So the first thing you have to do is identify risks. Risks can take many forms, and these are ways you can identify them. Are these the only ways? Absolutely not. But the key point of this whole slide is that you have to identify risk. You know what a risk is: anything that affects your business objectives. And you have to find a way to identify it. Once you identify the risks, you are going to have many of them. Then you have to assess them. What is assessing risk? You assess it at multiple levels, because not all risks are the same. You can assess it at the entity level, the division level, the operating level, or the function level, and link it to your business strategy and business objectives. Certain risks affect the company on a large scale; certain risks affect the company on a small, limited scale. Let me give you an example: an airline company. Could you name the risks that could affect an airline? Here is a list that I just thought of: an airplane crash, that's a big risk; the economy, GDP; technology, such as Zoom reducing business travel; business spending; restrooms not clean on the plane; constantly not arriving on time; customer service reputation; quality of food on intercontinental flights; website not user friendly; COVID-19; foreign currency; the cost of oil. These are all business risks that could affect an airline company, and the list is not exhaustive. Do you think all these risks pose the same level of threat? Of course not. An airplane crash could devastate the whole company; it's an entity-level risk. COVID-19 is an entity-level risk. A restroom not being clean, well, it's not good, but it's not going to put us out of business. It might affect our customer reputation. It's a risk, but not like an airplane crashing, right?
Or the headphones at your seat are not working. That's not good either. The website is not user friendly: not good, but not as severe as the cost of oil skyrocketing, or the currency in which we operate and earn our money losing value. So different risks affect your business differently, and you have to assess them. You have to assess what's called the severity of a risk, because it varies across different levels of the company. A risk with high severity in an operating unit may have low or moderate severity at the entity level. Again, a restroom not clean is not good, but it's not going to affect the whole company. Or the website is not user friendly: it may not affect the whole company, because we have other channels for selling tickets. Maybe our website is not user friendly, but we sell tickets on many other travel websites, so users don't only buy tickets from our website. So the risk is severe at the operating level, but it's not going to affect the company overall. However, COVID-19 is high severity and affects the whole company. So remember, not all risks are the same. The organization assesses the severity of the risk. So what is severity? I keep using this term. It's the impact, the likelihood, and the time to recover from the event. The impact is: if it happens, what is the result of this risk? Obviously we are talking about the negative result. The likelihood: what is the likelihood of it happening? Hopefully, for an airplane crash, the likelihood is something like 0.0001. For the cost of oil, maybe there is a 20% chance that it goes up. What is the possibility of that occurring?
You can express this qualitatively, like low, medium, high, or you can put a probability on it, 10%, or a frequency, every six months or whatever. So the likelihood is how often it is going to happen. The time horizon is also important. The time horizon used to assess a risk should be identical to that of the related strategy and business objective. So when you assess the risk, you have to know how long this risk is going to be with us, because depending on how long it lasts, I may have to adjust my strategy and business objectives. Assessing risk is important, and we are going to see why soon. You can use qualitative or quantitative methods. Qualitative methods are more efficient and less costly; examples are interviews, surveys, and benchmarking. Quantitative methods are more precise; here you are dealing with things like Monte Carlo simulation, which is basically fancy software, probabilistic and non-probabilistic models, and decision-tree modeling. The organization should reassess severity not just once; it should reassess whenever something happens, such as a reduction in sales, new competitors, employee turnover, or changes in consumer taste, because the severity of a risk can change as the business context changes. Risk assessment should also consider inherent risk, target residual risk, and actual residual risk. Inherent risk is the risk that exists without management intervening to mitigate it. Inherent risk minus the effect of what management does gives us the actual residual risk. The actual residual risk should be within, ideally less than, our target residual risk. So we should always be taking less risk than we can absorb.
So if our target is, for example, 10 units, the actual should be nine, or eight, or seven; the lower, the better. Companies also use what's called a heat map, and this is what a heat map looks like. On one axis we have the likelihood, which, remember, is the chance of the event happening, and on the other the impact: if it happens, what are the negative results? Let me explain what I mean. If the likelihood of an event is very high and the impact of that event is very high, we are in this quadrant here, and that's a problem. It means something that happens often, and when it happens, it devastates us. Now the other extreme: something that doesn't happen often, and if it does happen, the impact on the company is very low; we are in this quadrant. So notice we have different risks. We have risks where the likelihood is low and the impact is very low; we can live with those. And we have risks where the likelihood is high and the severity is high as well. For example, this one here, in yellow, if we are talking about an airline, a plane crash would be one where the likelihood is very low but the impact is very high. Why? Because it should not happen, but if it does, the impact is very high. So you can draw scenarios to find out where you want to be. The company should have this heat map to manage risk. What they want to do is move down here, toward low likelihood and low impact, as much as possible. That's the goal. So once you assess the risks, you have identified them, you say, these are my risks, I have assessed them, and these risks are more important than others.
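To make the assessment step concrete, here is an added example, not from the lecture or from COSO, that models a small risk register for the airline scenario above. It scores inherent severity from impact, likelihood, and time to recover, places each risk in a heat-map quadrant, subtracts the effect of the management response to get actual residual risk, and checks that residual against the target residual. The numeric scales, the recovery weighting, the heat-map cut-offs, and every risk entry are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed scales (the lecture gives no numeric scale):
#   impact:          1 (negligible) .. 5 (could take the entity down)
#   likelihood:      probability of the event within the strategy's time horizon
#   recovery_months: time to recover, which the lecture lists as part of severity


@dataclass(frozen=True)
class Risk:
    name: str
    level: str                    # where it is assessed: "entity", "division", "operating"
    impact: int
    likelihood: float
    recovery_months: float
    target_residual: float        # management's target residual severity, same units as the score
    response: str = "accept"      # accept | avoid | reduce | share | pursue
    response_effect: float = 0.0  # share of inherent severity the response removes (assumed)


def inherent_severity(r: Risk) -> float:
    """Severity before any management action: impact x likelihood, scaled up by
    recovery time (factor 1.0 for instant recovery, 2.0 at 24 months or more)."""
    if not 1 <= r.impact <= 5 or not 0.0 <= r.likelihood <= 1.0:
        raise ValueError(f"{r.name}: impact or likelihood out of range")
    recovery_factor = 1.0 + min(r.recovery_months, 24.0) / 24.0
    return r.impact * r.likelihood * recovery_factor


def actual_residual(r: Risk) -> float:
    """Inherent severity minus what the chosen response takes away."""
    if not 0.0 <= r.response_effect <= 1.0:
        raise ValueError(f"{r.name}: response_effect must be a fraction between 0 and 1")
    return inherent_severity(r) * (1.0 - r.response_effect)


def heat_map_quadrant(r: Risk, likelihood_cut: float = 0.2, impact_cut: int = 3) -> str:
    """Place the risk on the likelihood/impact heat map (cut-offs are assumptions)."""
    lik = "high likelihood" if r.likelihood >= likelihood_cut else "low likelihood"
    imp = "high impact" if r.impact >= impact_cut else "low impact"
    return f"{lik} / {imp}"


def within_target(r: Risk) -> bool:
    """The lecture's rule: actual residual should not exceed target residual."""
    return actual_residual(r) <= r.target_residual


def needs_more_response(register: list[Risk]) -> list[str]:
    """Names of risks whose residual is still above target, largest gap first."""
    over = [r for r in register if not within_target(r)]
    over.sort(key=lambda r: actual_residual(r) - r.target_residual, reverse=True)
    return [r.name for r in over]


# Constructed airline register, loosely following the lecture's examples.
AIRLINE_REGISTER = [
    Risk("airplane crash", "entity", 5, 0.0001, 24, 0.002, "reduce", 0.5),
    Risk("cost of oil spikes", "entity", 4, 0.20, 6, 0.5, "share", 0.6),
    Risk("pandemic shuts down travel", "entity", 5, 0.05, 18, 0.5, "accept", 0.0),
    Risk("website not user friendly", "operating", 2, 0.5, 3, 0.5, "reduce", 0.3),
    Risk("restroom not clean", "operating", 1, 0.9, 0, 1.0, "accept", 0.0),
]


def report(register: list[Risk]) -> list[dict]:
    """One row per risk with its quadrant, inherent and residual scores, and the target check."""
    return [
        {
            "risk": r.name,
            "level": r.level,
            "quadrant": heat_map_quadrant(r),
            "inherent": round(inherent_severity(r), 4),
            "residual": round(actual_residual(r), 4),
            "target": r.target_residual,
            "response": r.response,
            "within_target": within_target(r),
        }
        for r in register
    ]


if __name__ == "__main__":
    for row in report(AIRLINE_REGISTER):
        print(row)
    print("still above target:", needs_more_response(AIRLINE_REGISTER))
```

In this register the plane crash lands in the low-likelihood, high-impact corner of the heat map with a tiny score, while the website usability risk is the only one whose residual (about 0.79) still exceeds its target (0.5), so it is the one that would be carried into the prioritization and response steps for further action.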
Now that I have assessed them, I need to prioritize them and say which ones I have to deal with now and which ones I can defer for later. Why do you have to prioritize them? Because you don't have unlimited resources. If a company had unlimited resources, it would deal with all the risks at once. But since you have limited resources, a limited amount of money, you have to prioritize. So in addition to identifying and assessing, you have to prioritize them, and prioritizing is basically comparing the risk severity to our risk appetite. If we cannot really handle the risk, we have to deal with it. Again, the idea behind prioritizing is that you have limited resources. If you are studying for the CPA exam and you don't have enough time, you ask which topics you are weakest in and study those, so at least you can answer some questions on the exam. You prioritize your study time. Now, there are five factors in prioritizing risk. The first is the complexity of the risk: how difficult is it to respond to and address that risk? The second is velocity, the speed at which the risk occurs. Certain risks can spread very quickly; for example, if you are experiencing a bad reputation on social media, it might go viral. Its velocity is very high. The third is persistence: how long the risk affects the entity, including the time it takes for the entity to recover. A good example today is COVID-19: how long can airline companies deal with that risk without government help? The fourth is adaptability: how able are we to adjust? Again, think about COVID-19. Universities were able to adapt quickly; they switched to online learning. Airline companies cannot switch to online flights.
So that depends on your business context, but those are the factors you have to look at. The fifth is recovery: how quickly can we remove this risk and recover from it? These are the things that help us prioritize the risks we have to deal with. Now remember, risks with similar severities may receive different priorities. Even though two risks have the same severity, they can have different priorities. For example, at an airline, customer reputation and labor negotiations are both important. You are negotiating with your employees, but you also have a customer reputation. Well, you want to focus on the customer reputation more than on negotiating with your labor union, because if you lose your customers, you are not going to have the revenue. So although both are severe and both affect the company negatively, they can receive different priorities. And obviously you have to assign higher priority to risks that exceed your risk appetite: risks you cannot tolerate, or risks that cause performance to approach the outer limits of tolerance. Simply put, it's like we are really stressing ourselves because of this risk. That is especially true of risks that affect the entire company, like an airplane crash or COVID-19. COVID-19 is something you can do nothing about, right? But for an airplane crash, of course, you have to make sure your maintenance people are maintaining the airplanes and that you are giving them enough money. So now we have prioritized the risks, and now we have to respond to them. What are we going to do about those risks? We identified, assessed, prioritized; now it is time to respond. So how do we respond? The following are five categories of risk responses, and these topics are usually tested on the exam. For example, they will give you a scenario and ask what type of response it is. The first response is acceptance.
Why do we accept a risk? Either it is within our risk appetite, or there is nothing we can do about it. Again, if I were teaching this before 2020, I would have had a hard time coming up with a good example. COVID-19 is a risk that companies have to accept and deal with. They cannot change the COVID-19 risk; it is out of their control. Avoidance: you take action to remove the risk. For example, if you are not in compliance with a certain regulation, you comply with it. If a product is losing money, sell it; if a subsidiary is losing money, sell it, close it, discontinue it. You avoid the risk. Pursuit: you take on more risk, as long as pursuing more risk does not exceed your acceptable level of tolerance. For example, you may want to go after a bigger market share, but that is risky, because you might have to invest more in marketing. You are pursuing the risk, as long as that risk is acceptable. Reduction: remember the heat map? I told you you have to move down to where the impact is low and the likelihood of it happening is low. You try to reduce the severity of the risk from one level to another. That is reducing the risk. And you can do what's called sharing the risk, or transfer; sometimes it comes under the term transfer. The classic example is insurance. When you buy insurance, you either transfer the risk or share it, moving a portion of the risk to another party. Buying insurance, hedging, joint ventures, and outsourcing are examples of sharing. So on the CPA exam, they will give you a scenario and ask what type of risk response the company is using, and you will have to decide. Now, the following are the factors considered in selecting and implementing risk responses.
You take a look at the following additional factors. The business context: what environment are you dealing with? That's important; not all environments are the same. Cost and benefit: that's easier said than done. Why? Because when you are dealing with risk responses, it is easy to identify and quantify the cost. It is very hard to see the benefit. Extremely difficult to see the benefit of the risk response. And that's a problem in the real world. I'll give you an extreme example just to get you thinking about what cost versus benefit means. Let's assume that on September 10, 2001, someone at the FAA said, look, going forward, we're going to have a new rule for airline safety: all pilots have to lock the cockpit door from the inside, and they can never open the door for anyone from the time the flight takes off until it lands. And because of that, each airline would have to invest an additional $50,000 per new door. If that decision had been taken and implemented by September 10, September 11 would never have happened. So guess what? Everybody would be looking at the cost: whoa, they made us pay an additional $50,000 for every door we installed. That's the cost, but you would not see the benefit. We could have avoided September 11 because of that. So this is not just an extreme example; it is actually a very applicable example to show you that when you are dealing with risk, the cost is easy. Anybody can tell you how much it costs you, but they cannot tell you the benefit. Think about it as writing history, but a revisionist history, history in which you draw your own conclusions. That is what the benefit of responding to a risk is like. You really don't know the benefit. The benefit could be large, but since you did not see the damage, you don't see the benefit, because you avoided it.
I went on a tangent here, but remember, cost and benefit is important. Compliance: sometimes you just have to invest. Go back to my September 11 example: if you have to comply, you have no choice. Then it doesn't matter; the business context doesn't matter, the cost doesn't matter. Also, the risk response should reflect the risk severity. You don't want to go crazy on certain things and spend a lot of money when the risk is not that severe. You should respond within reason. The last principle is the portfolio view of risk. The portfolio view of risk is basically the entity-level view of risk, the whole risk of the company. It is the culmination, the total, of risk identification, assessment, prioritization, and response. How does the company handle risk? Because it can handle it in many different ways, and we are going to look at them. Using a portfolio view of risk, management determines whether the entity's residual risk profile aligns with its overall risk appetite. So it is looking at the overall picture. Why are we saying this? Because different companies deal with risk differently. There are four risk views that have different levels of risk integration. The first is called minimal integration, or the risk view. Here the company says, we only deal with risk on an event-by-event basis. Something happens, we deal with it. We don't link risk to our business objectives. We don't say, this is our business objective and these are the risks to it. The way we look at risk in our company is that once a risk happens, or once we know about a risk, we deal with it, without linking it to any business objective. That is minimal integration, a case-by-case basis. Or we could have limited integration, called the risk category view. We identify and assess risk by category, for example by operating structure.
What is your operating structure? You identify and prioritize risk by the operating structure. Or you could have partial integration. Here your risk is linked to your business objectives; now you are integrating more. For example, you look at the objective of increasing sales, which also depends on the objective of introducing a new product line. So you are looking at the new product line and sales at the same time, the risk of pursuing both, versus not looking at the risk until sales start to occur. With a new product, in the event-based view, you would deal with risks one by one as they occur rather than by business objective. Here, on the contrary, you are looking at the product line and at the increase in sales together. That is partial integration. The most complete integration is, obviously, called full integration. This is the portfolio view. Here you are looking at a composite view of risk related to the entity-wide strategy. You are not only looking at one thing; you are looking at the whole strategy. It is like a web: once you pull one string, the whole web changes. So you are looking at the business objectives and their effect on entity-wide performance. You say, okay, if I undertake this option, what is the cascading effect through the entity? You are looking at the complete view. And obviously ERM wants you to be at this level, to have a risk strategy at the entity level, not at minimal integration, limited integration, or even partial integration. ERM is full integration, because it looks at every aspect of the company and how each affects the risk from different perspectives. Qualitative and quantitative methods can be used to evaluate how changes in risk may affect the portfolio view of risk. They may include benchmarking, scenario analysis, and stress testing.
Stress testing means you create different scenarios, like scenario analysis, and you see the effect on your risk: what changes in risk might affect the portfolio view? What happens if sales go down 10 to 15%? What happens to the other products? If I am well diversified, it doesn't matter; I have other products. But what if I am not? Or you might use quantitative methods like statistical analysis. Both use numbers; although I called stress testing, scenario analysis, and benchmarking qualitative, you would be using numbers for them too. There are many ways to evaluate how changes in risk affect your whole portfolio. In the next sessions, we have two more on ERM: review and revision, which has three principles, and information, communication, and reporting, which I believe also has three. That makes 5, 9, 14, 17, 20. Yes, we have three and three. Once again, many CPA review courses give you a lot of mnemonics for ERM. I am not against mnemonics, but only to a degree. It is very important that you understand the material rather than memorize it, because you don't have to remember every word verbatim, but you do have to apply what you know in a multiple-choice setting. Anyhow, study hard, stay safe, and I will be covering the next session soon. Good luck.