 Hello, and welcome to the session in which we would look at the Enterprise Risk Management (ERM), the integrated framework as part of the COSO framework. This topic is quite extensive, and it's covered on the CPA exam, BEC section, the CMA exam, and the Accounting Information System course. Before I start, I would like to let you know that because it's very extensive, what I'm going to do in explaining this topic, I'm going to break it down by its five interrelated components. So I'm going to cover each interrelated component separately, and within those five interrelated components, we're going to have 20 principles. For example, in this session, we're going to be covering the governance and cultural component, which has five principles. In the next session, we would look at strategy and objective setting, which has four principles, so on and so forth. I believe the best way to learn this is not only by memorizing. If you're good at memorizing, by all means, memorize all the mnemonics that you would like to. But if you understand it, if you understand this ERM, it will be easier for you to retain the information for the exam day, and this is what I intend to do, to make sense out of this framework. So this way, it's easier for you to do well on the exam, whether you are taking the CPA or the CMA exam. Now, if you are taking the CPA or the CMA exam, I strongly suggest you visit farhatlectures.com. On farhatlectures.com, I have additional resources that are going to help you with your exam. No, I don't replace your CPA review course. I don't intend to do so. I cannot do so, but I can be a useful addition to your CPA or CMA review course by helping you add 10 to 15 points. How do I do so? I explain the information differently. Think of my explanation as an alternative. Not only explanation. I do have resources like multiple choice and true/false that are going to help you understand the material. But think of my explanation as an alternative. 
Maybe your CPA review course is not going deep enough or maybe you want an alternative explanation. I will be there for you to help you succeed. Now here's your risk. Your risk is one month of subscription. Your return is potentially passing your CPA exam. Are you willing to take that risk? If not, you can cancel and don't worry about it. Your loss is one month of subscription. But if not for anything, take a look at my website to find out how well your university is doing on the CPA exam. I do have resources for other courses. Please connect with me on LinkedIn if you haven't done so and take a look at the individuals that used my system along with their CPA review course to succeed. Like this recording, connect with me on Instagram and Facebook. So what is ERM? Let's start by defining ERM. Well, the definition simply put what's going to happen is we're going to take this definition. Okay. It's just a definition and we are going to have maybe an hour, an hour and a half of explanation about this definition. So there are a lot of rich terms in this definition that are going to be explained in bits and pieces as we go through this series of lectures about ERM. So what is ERM? It's defined as the cultural capabilities and practices and each one of them is rich definition integrated that's integrated with strategy, setting and performance that organizations rely on to manage risk in creating, preserving and realizing value. I mean, oh, that's a lot of information in this definition. Simply put, this definition is going to be broken down into five interrelated components and within those five interrelated components, we're going to have 20 principles. So I'm going to start by listing the five interrelated components, which are the first one, governance and culture, strategy and objective setting, performance, information, communication and reporting, review and revision. Now each one of them will have different principles in total of 20 principles. 
Again in this session, we're going to be focusing on only one component and that's governance and cultural. This is one out of the five principle and it happens to have one out of the five components and it happened to have also five principles and those are board oversight, operating structure, culture, core value, attract, develop and retain staff. So those are the five principles under this component, governance and culture. Now again, I'm going to take each of these components, each of these principles and discuss it separately and that's the best way to learn ERM, so don't learn them all together, take them one at a time, looking at board oversight. Hopefully we all know who the board is, the board is the group that's selected by the shareholders, by the stakeholders to run the company. Now your job is, they have an oversight job and oversight means make sure the company is running well. To make sure the company is running well, the board of directors must be independent and they must be competent, that's the first thing because they're going to be managing the company, they're going to be managing risk. So how do we determine, how do we say that the board is independent? Well they should not have any financial interest in the entity, especially direct financial interests. Why? Because their decision might be a little bit biased because they might be looking after their own interests. They should not have executive powers, they should not also run the company at the same time, they should play an oversight role, they should not have any conflict of interest. For example, they cannot be a board member with this company and a board member with another competitor, now they are advising or overseeing two different companies that are competitors, they should not have any material contractual obligation with the company. Again, once you have any interest, your decision might be biased, that's the risk. 
And they should not have any personal relationship with key shareholders or key management because also that might jeopardize their independence and their judgment. And they should not stay for a long period of time, for example, 10, 15, 20 years because you need new sets of eyes to look at the company from a different perspective. They also need to be competent, obviously if they're overseeing the company, they should have necessary skills, experience, business industry, they understand the business context that we are dealing with, understand the organizational biases. For example, what could be some biases? For example, if we have a bully CEO, they want to make sure they can identify this issue and deal with it. They should not, for example, if the company relies a lot on data to make decisions, again, they should challenge those established norms, challenge biases that the companies have, that's their job and oversight. Now, again, they're responsible for the risk oversight, simply put, they're going to set the tone of the company, how risky or not risky are we going to be, it's the company mindset, that's their job, okay? So they want to make sure they make the management accountable and responsible for their action. And how do they do so? They may create subcommittees to delegate certain aspects, if they cannot do all the work, for example, they might have a committee for risk, they want to manage risk, maybe they'll have two, three individuals that are familiar with this area of risk management and they will have them. They'll have a compensation committee, people that are going to determine how should we hire, how should we compensate, how should we reward employees? Recruiting, well, compensation and recruitment might go hand in hand sometimes, okay? So their job as oversight is to review and challenge decisions to strategy. For example, they want to determine how risky do we want to be? What's our risk appetite? 
And we'll talk about risk appetite a little bit more, little by little as we're going through ERM. And they also make big decisions. Part of their job is to make big decisions like mergers, acquisition, for example, approval of the CEO package, like the CEO compensation. Any relation, any relation or public relation, major public relation with shareholders. So that's part of their board oversight. So this is one of five principles when it comes under governance and culture. The second principle is operating structure. So how do we operate the business? How the entity is organized to operate on a day-to-day operation, okay? Certain companies are centralized, others are decentralized. So certain companies, they delegate decisions to lower management, they tell them you run the company, you run that division. Other companies, they say no, everything goes back to top management. Top management makes a decision. Also operating structure, deal with the legal structure, determine how the entity operates, the legal structure. Are we going to operate under a single entity? Or are we going to have multiple distinct entities like Johnson & Johnson? Johnson & Johnson, it's a bunch of independent companies. There's no one company called Johnson & Johnson. Johnson & Johnson is just a fictitious corporate name. And under that fictitious corporate name, we have many multiple distinct legal entities that are composed. For example, Janssen is part of it. For example, DePuy Synthes is part of Johnson & Johnson. Those are all distinct entities, okay? So also operating structure determines how management structure established the reporting line. Do we have direct reporting line? Do we directly report about management? Or do we have a middle person between the lower level and the higher level management? What factors do we consider when board of directors or when the company is building this operating structure? There are many factors that we would consider. 
For example, the strategy, depending what is our strategy in business objective and risk appetite. Okay, what is the strategy? Strategy is what is our mission? Depending on our mission, we will set up our operating structure. What is our business objective? What steps do we take to achieve those strategies? That's what business objective is. So this is one of the factors that determine how are we going to run the company. Also, other factors is the nature of our business, the size, geographical distribution. For example, are we an online company? Or are we brick and mortar? Or are we both? Well, depending on how we are, we're going to determine the operating structure of the company. Are we a large company, a medium company, a small company? Are we a local company or an international company? That's going to determine how are we going to run the company. Is it centralized or decentralized? How are we going to do it from a legal perspective? Are we going to have a parent company with subsidiaries? Are we going to have one company and everybody else underneath that company? Okay, also assignment of authority, accountability, and responsibility at all levels. How are we going to assign this? Again, that depends on our strategy and our business, on our size, on our location, so on and so forth. Again, the type of reporting lines and communication that depends on those factors as well. And also, we're going to have reporting requirements, external factors that we really don't control. For example, if we are a publicly traded company, we have to report certain things to the SEC. If we are under regulatory oversight of a government agency, then we have to report things differently. At that point, we will not have an option. For example, the banking and the insurance companies, they have to operate in a certain way because they are heavily regulated. So, you really don't have options sometime in how you operate your business. 
But when you do have the options, many factors will go into determining how you operate your business. Also, your culture. Okay, what is the culture? It's the mindset of the company. Okay, the board and management are responsible for defining the culture. Simply put, the board of directors, people who are in charge of the company, and management itself, they determine, they define the culture. What is the culture? It's basically how risky do we want to, aggressive or risky we want to take? How ethical or unethical we are? What do we value as a company? Okay, so the culture is shaped by many factors. Some internal factors, some external factors. So you could be a very aggressive company. You could be a conservative company. What could be internal factors? For example, internal factors will be how much decisions are we giving to personnel, level of judgment, how much are we giving them decision? How much leeway operating decision? That's going to determine if we are conservative or aggressive. For example, salespeople, we might want to give them a little bit more leeway. Some aggressive, for example, regulatory compliance people. We want them not to be aggressive. We want them to be conservative. Okay, for example, if you are part of Volkswagen, if you are the compliance, you want to make sure that we are complying with all the environmental laws. But if you are a salesperson with Volkswagen, you want to be aggressive because you want to sell the car. So depending on also your level, what do you stand in the company? But every company will have an overall tone, whether they are aggressive or conservative. Again, we could have standards and rules, some formal, some informal, that determine how aggressive we are. For example, health companies, if you're a health company, you're going to be very concerned if you want to outsource your data to the cloud. Why? Because of security, privacy, security, risk of privacy. 
So here you have formal restriction on you that's going to tell you, look, don't do this, but you have to be conservative because there is the risk of privacy. Okay, also how you set up the company, how you reward your employees will determine your culture. For example, a company like Wells Fargo, the way they treated their employee, the way they reward them is based on sales. Say they put a lot of pressure on them to a point where employees started to commit fraud. So whether it doesn't matter what they say they are doing in terms of mission statement or culture, the reward system was not really ethical. Why? Because they put a lot of pressure on the employees and they reward them based on sales. Therefore, employees at Wells Fargo, by the way, they were opening accounts for people that they, for people, just random people, just to meet their quota for that month. Okay, external factors that also could influence your culture, legal requirements. Again, the banking industry, although Wells Fargo did this and the government came down hard on them, certain industries, like again, banking is a good one, pharmaceutical, they're heavily regulated. Okay, they're heavily, heavily regulated. Also expectation of stakeholders, customers, investors, your image. Sometimes if you're a green company, you want to make sure you want to not only say you are green, you want to appear that you are a green company, that you care about the environment. That also will affect your culture. That also will affect how people look at you. You are known for who you are. For example, Google, they're known for their search engine, and they should be ethical. Otherwise, they don't want to share your personal information. Now, each company will have a risk culture or a risk profile, and that risk profile tells them how much risk they can tolerate. 
We're going to talk about risk much, much later on in future session about ERM, but this is basically to tell you that it starts with the corporate governance, the overall picture. How much risk you can tolerate? We have risk averse. Certain companies, they like to avoid risk. They're reluctant to take risk when you're risk averse. Conservative. Who's usually a conservative? Usually, well-established company. Usually, well-established company are conservative. Why? Because now you are at the top. You don't want to lose your position. You don't want to shake the boat. Okay, you are really risk averse. Or if the nature of your business is risky, like a nuclear power plant, you don't want to kind of install a new software system because you want to be aggressive or you want to be up to date with a nuclear power plant. What if that software did not work properly? Right? So, how risk you are depending on many factors, including the nature of the business, management itself. And how old you are as a company. If you are well-established, you're not going to take a lot of risk because you are well-established. Risk neutral. We have something called risk neutral. Let's look at the other extreme. We have risk averse and risk aggressive. Risk aggressive is kind of the opposite of risk averse. Now, you are willing to take more risk for the possibility of better return. Now, who would act that way? Well, early startup companies. Because simply put, you have nothing to lose. Not in a sense, you have nothing to lose. If you are not aggressive, you are not going to get anywhere because you don't have any position yet. So, early growth companies, and that's why they go bust startup companies. Many of them go bust. Some of them, they do well once they succeed and once they succeed, they become risk averse. Obviously, as they are willing to take more risk. 
So, your culture, the age of your company and obviously your industry, for example, in technology, you have to be risk aggressive. You have to create a new product constantly. Otherwise, you are behind the eight ball and you would lose your place. So, you have to be very aggressive. If we just take a look at Netflix. When Netflix started, I'm sure they were pretty risky. That was a risky business because they were going against Blockbuster, who was very conservative. Blockbuster was very conservative. They did not want to go into technology. They wanted to go, but they did not find the right partnership. But they were not aggressive enough to explore streaming videos on the internet. Well, guess what? Because they are conservative. They said, well, maybe it's a risky endeavor. And if we invest this money, we are going to lose it. They were looking to get into it, but they were not aggressive enough. So, what they did as a result, because they were risk averse, Netflix, who was risk aggressive, took over and kicked them out of business, basically. And risk neutral, you seek the highest return regardless of risk. And this is not common, we say when you say something risk neutral. So, we could be risk averse or risk aggressive. Also, what determines your risk averse or risk aggressive is your capital structure. Whether you are relying on debt versus equity. If you are a risky individual, you will borrow money. If you are a risky, not individual, risky company, you would rely more on debt. Why? Because debt is riskier than equity. Equity is you don't have to pay. You don't have to pay. You don't have to pay interest expense on the debt. But if you are highly leveraged, you are a risky company. So, also that tells you how risky is the company by looking at their simply capital structure. That's part of their culture. Do they rely on that? Because think about it. When you rely on equity, equity means you are, the investors are putting up their money. 
The investors are kind of financing the company. When you're financing the company, you're going to be more careful because it's your money on the line versus you're using other people's money. You might be able, you might be willing to take more risk. So, also that determine kind of capital structure can tell you a little bit more about the culture. The core values of the company, that's important. What are the core values? Basically, the essential belief for the company, what's acceptable and what's not. Okay, what do they say and what do they do? What do they say that's easy? Because all companies, they might have a mission statement and a vision statement, but what really matters is what they actually do. It's reflected in their action. Again, that's reflected. What matters is their action. They might have a mission statement or a vision. And for example, let's take a look at the core values for a company like Johnson & Johnson, J&J. Their core values are growth and innovation, investing in the future, global diversity, citizenship and sustainability, developing diversity and global supply base. Notice their core values are very extremely broad. This is the core values. Okay, this is the core values of Johnson & Johnson. Now, how do they start to kind of zoom in on it? They might have mission statement. Okay, what's their mission statement? Basically, our principle, our credo stems from the belief that consumers, employees and community are equally important. Now, this is their mission statement. So they believe that consumer, employee and community, we all kind of look at them the same way. They are part of the same world, that Johnson & Johnson world. Okay, also, we might have a vision statement. What is a vision statement? For every person to use their unique experience and background together to spark solutions that create a better, healthier world. So notice, again, very general statement. I'll see all three of them, the general statement. 
Okay, so your mission and vision is the big picture. It's a big picture. This is what you are saying you want to do. Now, obviously, you're gonna reflect this in your own action when you create a product, how you treat your employees, how you treat your customers and your stakeholders, suppliers, anyone that's involved in Johnson & Johnson. And the last principle of the first component is attract, develop and retain staff. Simply put, the board of directors select the CEO, the CFO, top management. Obviously, they have to vet them, make sure they believe in the company's mission statement. They believe in the company's values. Otherwise, why would you hire someone that doesn't believe? For example, why would Wells Fargo, not Wells Fargo, why would Johnson & Johnson hire someone that does not believe in their mission statement and their values? So the first thing the board of directors will make sure, actually the board of directors themselves, they should believe in the mission statement of the company, then they will have to hire people who believe in that mission statement. Also management now is responsible for defining what we need, who do we need to hire, what competencies do we need to achieve our business objective while achieving our mission statement as well. And then comes the role of the human resource function in assisting the management in recruiting, attracting employees, rewarding them, retaining them, so on and so forth. So simply put, what we did is we went over the governance and culture, the one component, one component, one of five components of ERM and we discussed five different principles. Again, understanding them is better than memorizing them. That's my opinion. Just I'm not going to say they make sense. They should make sense in a business context, but you want to really want to read them, reflect on them, work as many multiple choice as possible about them. 
The next thing we're going to do is we're going to look at the second component of ERM, which is strategy and objective setting. And under strategy and objective setting, we have four different principles. Again, at the end of this recording, I'm going to invite you to visit my website, farhatlectures.com, whether you are a CPA candidate, CMA candidate or an accounting student. Once again, I don't replace your CPA review course. You keep it. I can't do, I wish I could tell you, dump it and come with me. I can't do that because I don't have enough for you, enough information to stand by itself, but I can be a useful addition to you. I can be that support, the vitamin pill that's going to help you increase your score to pass the exam. Study hard, good luck, and most importantly, stay safe.