FAR EASTERN UNIVERSITY Institute of Accounts, Business, and Finance LEVEL AND IMPACT OF ENTERPISE RISK MANAGEMENT APPROACH

ON SELECTED COMPANIES FACING FINANCIAL CRISIS IN THE PHILIPPINES

An Accounting Research Paper Presented to the Faculty of the Institute of Accounts, Business, and Finance Far Eastern University

In Partial Fulfillment of the Requirements of the subject ACT37A53- Accounting Research with Internet

Submitted by: Ofilan, Rosemarie C. Vinluan, Charmaine Yang, Alice Jie Bautista Mayeanne Cordova Gerwin Escudo Joanna Lalar Cherryl

August 2011

TABLE OF CONTENTS Approval sheet ... i Evaluators rating ....ii Certificate of originality .. iii Dedication . iv Acknowledgment .. v Chapter I Statement of the Problem and its Background Background of the Study ................................................................................ Statement of the Problem .............................................................................. Conceptual Framework .................................................................................. Conceptual Paradigm ..................................................................................... Significance of the Study ................................................................................. Scope and Delimitation .................................................................................. Definition of Terms ............................................................... Chapter II Review of Related Literature ................................................................... Chapter III Methodology Research Design ............................................................................................. Data Collection Procedure ............................................................................. Data Gathering Instrument ............................................................................ Data Analysis Procedure ............................................................................... Chapter IV Presentation, Analysis, and Interpretation of Data ............................. Chapter V Summary Fundamental, Conclusion and Recommendation Summary of Findings .................................................................................... Conclusion .................................................................................................... Recommendation .........................................................................................

Introduction

it was the best of times, it was the worst of times By a tale of two cities In a busy world like today we never know when we will be at risk, like in business world we never know what would be those risk that could possibly affect the flow of our business and how will it happen nor what can possibly happen. The global financial crisis due to fraud is like a cancer that slowly destroys the business and this has thrown up numerous examples of inadequate risk management that resulted to financial institutions collapse. Risk has many fallacies when it talks about business. Wrong notions is that risk is too bad and should be eliminated however not all risk will bring threat, some are opportunities. Actually, Risk creates opportunity, opportunity creates value and value creates wealth who would have thought that risk is that bad. Risk is not just all about threat but also opportunities. Risk in itself is not actually bad asserts Suzzanne Labarge, chief risk officer at Royal Bank of Canada. what is bad is risk that is mismanaged, misunderstood, mispriced or unintended. More than ever, it is vital to understand the dimension of risk as well as how to best manage it to gain a competitive advantage. In a moving forward country like Philippines, Enterprise Risk Management might be one of the solution for the company to survive and stand on end. In our generation the pace of business with the help of improving technologies is accelerating, behind this is

complexity of risk, hence, company should advance its methodologies to remain competitive. Importance of managing risk is increasingly acknowledged abroad but here in the Philippines few companies utilize Enterprise Risk Management, it is totally new in our country. Instead of utilizing the resources on Risk management, they preferred to spent on more profitable activities as a result they forget the possible threats and failed to achieve the positive outcomes. We believe that this study is necessary for the companies guidance in enforcing the ERM as part of their companys life cycle. To that end, this document impart the necessity of embracing enterprise risk management in their day-to-day operations. This document will provide answers to why some company succeeded and failed in their decision making of engaging risk management.

Background of the Study : Managing holistically to applet rigorous and coordinated approach to assessing and responding to all risks that affect the achievements of an organisations strategic and financial objectives risk magazine website Everything in this world evolve when we encounter unwanted changes in our life. Risk existed way back Greek and Egyptian civilizations. Theories comes out at the Renaissance period in mid 17-th century. According to Chartered Enterprise Risk Analyst (CERA) Enterprise risk management (ERM) is the process of coordinated risk management that places a greater emphasis on cooperation among departments to manage the organizations full range of risks as a whole. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise. The discipline by which an organization identifies, assesses, controls, measures and monitors various risks and opportunities for the purpose of achieving the entitys strategic and financial objectives. Enterprise risk management defined by COSO deals with risks and opportunities affecting value creation or preservation, defined as is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ISO 31000 (Section 4.1) states that the success of risk management will depend on the effectiveness of the management framework providing the foundations and

arrangements that will embed throughout the organization at all levels. Standards from COSO ERM framework 2010.A1 The internal audit activitys plan of engagements should be based on a risk assessment, undertaken at least annually. 2120.A1 Based on the results of the risk assessment, the internal audit activity systems. 2210.A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. Never repeat the history as other people says, financial misused and misappropriating the financial statements will result to financial crisis of a certain company but enterprise risk management is to the rescue. Different scandals came out from the past events and most of them had a huge impact in our business view globally. One sample is about what had happen to the company of Enron wherein lack of business model, lack of independent internal audit function and lack of performance measurement tied to risk taking. Federated is lacking business model, lack of proper risk assessment, lack of independent internal audit function and inadequate ALM. Most of the examples are internationally known cases in business failure that resulted to some theories and principles come out. In the Philippines there are cases that is should evaluate the adequacy and effectiveness of controls

encompassing the organizations governance, operations, and information

reported but there is no corresponding action instead the mistake they had where repeated as the years passed. We believe that going through this document is not easy but we find it exciting to fully determine by our own self how does really Enterprise Risk Management will take effect financial industry in the Philippines. Whether it is large or small- medium companys they have the same aim and that is to be more competitive and to survive in the business industry and as a researcher our aim is to guide them in properly utilizing the ERM approach.

Conceptual Framework :

The following Independent variable represents the level of the enterprise risk management, this will direct the researcher of determining whether the company appropriately utilize the newly approach that will result of assessing whether this variables are present and functioning effectively in the operation of the selected company. The frameworks idea was adapted through the COSO- ERM framework and we highly suggested to the companies we surveyed to use this as there guide of analyzing the risk they may encounter. The objectives and strategies of the organization should undergo risk identification to document the possible effects of the events and conditions that might bring material threat or opportunity to the enterprise achievement of its objectives. Subsequently risk assessment should be done to prioritize the extreme events for an appropriate treatment. After risk assessing there should be a

corresponding action as to how it will affect to the organization. The managements response will vary upon determining the risk and that is whether avoiding, accepting, sharing or a reduction of risk will be done. After determining the response of the identified risk the management should control the activities of risk identified to have threat or opportunities, in a way of preventing, detecting or correcting the risk occurred depending on the companys capacity. Lastly monitoring the appropriate control for the companies benefit and a corresponding enhancement and improvement on the objectives and strategies. The dependent variable is necessary to identify and compare the different companies level and impact to the independent variables. The impact of enterprise risk management will be identify through the use of risk assessment model of COSO ERM.

Operational Framework # 2 : Determining the Impact Versus Probability of Risk Occurrence.

Statement of the problem : The study attempts to explain and determine the level of Enterprise Risk Management of the companies facing financial crisis in the Philippines . The study sought to answer the following questions : 1. What is the profile respondents of the selected companies ? a. Annual Revenue b. Years of Operation 2. Determine the level of ERM on selected companies facing financial crisis in the Philippines in terms of : a. Objectives and Strategies b. Risk identification c. Control activities d. Risk monitoring e. Risk assessment f. Risk response g. Information communication 3. Determine the impact of ERM on the selected companies in terms of : a. Environmental b. Operation c. Decision making 4. Are there significant differences in the level of Enterprise risk management approach used by the selected companies facing financial crisis when group according to profile respondents ?

Research Hypothesis : 1. The selected company differs in annual revenue and the length of business operation then the level of Enterprise Risk management approach can be determine whether ERM is effective or lacking. 2. Objectives and strategies, risk identification , controlling activities, risk monitoring, risk assessment and risk response is appropriately followed, the company will be effective in using ERM. 3. Enterprise risk management is appropriately conducted and implemented to the environmental, operation and decision making of the company will strengthen the competitive advantage and lessen the weakness affecting the growth of the business. 4. There are significant differences in the level of the ERM approach used by the selected companies facing financial crisis when grouped according to the profile respondents.

Figure 1.3: Shows the researchers hypothesis according to the relationship of the factors that identifies the overall characteristics of Enterprise Risk Management together with the impact of the specified level towards the companys operations its objectives.

Internal Control
Low High

Risk
High Low

Possiblity of Occurance
High Low

Level of Enterprise Risk Management

Low High

Impact to the Organization

High Low

Significance of the study : We strongly believe that our research work will provide necessary informations to those people who are in need of seeking the same information with regards to determining the level and impact of enterprise risk management in selected companies facing financial crisis in the Philippines . Research papers about ERM in the Philippines have only few sources therefore our paper will add up a relevant data to those who are seeking the same topic that we did. For the students who are studying Internal Auditing, the ERM as part of the curriculum will provide relevant data regarding on how to implement effectively the newly arise approach and its relevance in the business industry. As you study this document you will be enlightened of how ERM approach is important not just as a part of auditing but also as a part of the life cycle of the business. For the business industry which is currently facing a huge financial crisis, thru our research this will serves as a guide for implementing effectively the ERM approach in its specific areas not just to gain huge profit but also to attain competitive advantage over the competitors. For the company that we surveyed , they will able to determine the importance of ERM as a competitive advantage towards gaining a high profit. They will able to figure out the impact of having ERM and the disadvantage of not implementing appropriately the ERM.

Scope and Limitations : We only aim to determine the level and impact of ERM in the selected company in the Philippines. Through the use of high technology like internet we were able to surveyed the companys by sending an email attaching the letter and survey form without going beyond manila. Due to the confidentiality of the company that we surveyed the informations that we get are only limited and enough to answer relevant questions and not allowed to reveal the companys own identity. Through the help of the journal articles, thesis, internet, books and magazine we were able to extent further relevant informations regarding our topic. However the said topic has found only few sources as it refers the Philippine territory only. Researchers will conduct surveys and interviews limiting its respondents to 30. The survey form or questionnaires will be given through an email or by the survey website or personally by the researchers and only to the employees involved in the specified industry. We will gather 30 companies as our survey and interview source and only 3 companies that is deemed to have a highly significance in our study will undergo in depth research.

Operational Definitions : Enterprise Risk Management defined by COSO internal control framework deals with risks and opportunities affecting value creation or preservation, defined as is a process, effected by an entitys board of directors,management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Financial Crisis Business Risk Risk Appetite Risk tolerance -

Review of related literature The business industry in the Philippines is getting tougher and competitive despite of the fact that we are currently facing a global crisis. In order to go with flow there are many strategies developed to fully enhance the organizations procedures and finding the right one usually requires sophisticated self-analysis. Nevertheless projects still fail to meet their objectives, and businesses are deprived of the expected and needed benefits, despite the theoretical principle that risk management should contribute to project and business success (Charette 2002). Through the use of matrix we were able to identify easily the relevant topics in Enterprise Risk Management. Traditional business models and management techniques use what could be called a silo approach, keeping the management of risk separate and parallel within individual business functions, departments or subject-matter expertise. Historically, risk management in even the most successful business tended to occur in silos, the insurance risk, the technological risk, the financial risk, the operational risk, the environmental risk all managed independently in separate compartments or departments.

SYNTHESIS : Maslow implicitly recognized risk in his famous hierarchy of needs by placing food and shelter, both essential to survival and the first rung of the ladder (Hoffman, 2002). Like in the business industry strategy is vital. That is why the recent economic crisis has forced many companies to evaluate their risk management process. Enterprise risk management has gone global but still it isnt well known in the Philippines. In fact, the scope of today's enterprise risk management dialogue is global, more focused, and applicable to all organizations (Allen,2010). Previous study done by other authors is from different countries, apparently through our thorough research we rarely find a similar case like our topic here in the philippines. Since this topic is rare in the Philippines, we decided to compare the results we sum up to the results done by the previous researchers in other country. It is impossible to "create a business that doesn't take risks. According to Thomas Stewart aptly summarizes the implication of risk in business: "Risk--let's get this straight upfront--is good. The point of risk management isn't to eliminate it; that would eliminate reward. The point is to manage it--that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether. Coordination of risk management was usually nonexistent, and the identification of new risks was sluggish (Rao, Ananth,Marie, Attiea et al,2007). Enterprise risk management is fast joining the business lexicon for more and more companies as increasing regulatory, legislative or stock exchange rules demand that their senior executives and corporate boards certify their knowledge of current and future risks and the program in place for managing those risks. Already everybody feels safer says Craig Raymond an appointed chief risk officer for Hartfold Financial

Services Group.

Increasingly, regulatory and legislative requirements as well as a

boatload of rules being issued by stock exchanges globally require or strongly suggest that corporate boards and senior executives certify publicly that they are aware of all of their current and future risks (Quinn, 2005). Some companies said that they realized they have to broaden their view of what constitutes risk including operations, market, credit, regulatory, cyber and physical. In the Philippines we believe that the said case as our study is rare as it shows no result at all in any publications we tried to reach.

Research Design : This research evaluates the current status of Enterprise risk management in the business organizations in Philippines by specifically focusing on the several problems and question we have in mind. We utilize the Correlation approach to test relations between variables, the field approach to study the participants natural setting, experimental designs to establish cause and effect relationship between the variables, qualitative and quantitative approach to interpret the studies within their context. There

Identify objectives and prescribed controls

Select samples randomly

Evaluate the samples based on prescribed controls

Figure 3.1 Steps in Attribute Sampling Deviation Controls Determine the sample size

Determine the upper deviation limit

Determine respondents

Determine the parameters affecting the sample size

Evaluate sample results

are issues regarding the results of tests of the internal auditor in identifying the impact, level, performance and probability of Enterprise Risk Management in an organization. There are instances that the auditors presumption differs from the conclusion reached during the audit procedure. Thats why the internal auditor should not hold on to their hesitations. Some internal auditors need to have survey applied with specific items and tests of the participants identified as the population in the organization. Statistical results measures the sufficiency of evidence obtained and quantitatively evaluate results. Attribute sampling will enable the researchers to reach a conclusion about the population of respondents in terms of the rate of its occurrence. Figure 3.1 will show the nine steps of attribute sampling. STEP 1: Identify objectives and prescribed controls. This is the key factor in determining what is to be sampled. The main function of this is to guide researchers to not exceed the scope and limitations of the study. By that, it will instantly validate that the research was valid or adverse to the research objectives. Doing so will direct the researchers to have appropriate conclusions. STEP 2: Deviation controls. Control attributes to the interest that would benefit to the organization. This is just as important as defining the control objective and control deviation. STEP 3: Determine the respondents. Name, background and information about the respondents will fill up the main reasons of doing research in the organization. The information gathered can be validly chosen if the researchers analyze their data by tracing its history or records of performance.

STEP 4: Determine the parameters affecting the sample size. The factors affecting the sample size includes judgments about the: (1) acceptable risk of assessing the risk too low- inversely related with the sample size, (2) tolerable deviation rate- the rate that the organization is willing to accept and still conclude that the control is acceptably effective, (3) expected deviation rate- the researchers best estimate of the actual deviation rate given by the organization. STEP 5: Determine the sample size. It is simply the classification of the total number or population of the respondents. STEP 6: Select samples randomly. The rate of possibility that the researchers expectations and the actual acceptable risk have direct relation. STEP 7: Evaluate the samples based on prescribed controls. Analyze if the samples gathered and the prescribed controls of the management is positively related. To arrive with a measure that is appropriate to achieve the research objectives. STEP 8: Determine the upper deviation limit. Use sampling evaluation tables to determine the achieved upper deviation limit. STEP 9: Evaluate sample results. Involves: (1) Formulating statistical conclusionsenables the researcher to quantify and measure the sampling risk, (2) Make decisions based on the quantitative sample- formulate conclusions from the statistical data this will identify the position about the effectiveness of ERM based on sample results, (3) Consider qualitative aspects of the sample results- consider the qualitative aspects of the deviations from the prescribed controls that were left uncovered.

Research Locale: The enterprise respondents to be surveyed are more than 20 companies subdivided into 3 parts large, small and medium companies. The assume setting is around manila and other parts of the Philippine who utilize enterprise risk management through an email survey and video interview. The type of industries we wish to conduct are in the field of manufacturing industry, financial services and telecommunication industry. The study focuses on determining whether the company uses Enterprise risk management on their organization and to determine the level and impact of this to their management operations. The study wants to emphasize to the readers on what is the real concept and state of ERM approach in the Philippines.

Participants: The profile of respondents was measured through the use of statistical sampling. The survey was conducted by the internal auditing students from far eastern university of the Philippines. Responses were received from the managers, executives and employees from more than 20 selected companies in the Philippines. Assume that 18 of these companies are reusable and has a complete information. The identity of the companies wishes to be hide as it is highly confidential and that was the agreement between the surveyor and interviewer. They will be reaching the participants through the use of email and video. We will personally interview them and surveyed them to manage and gathered more relevant informations for assurance of completeness of the informations. With respect to the respondent we assure that all there confidential matters are being handle safely and also assuring that the result of this study will provide no harm and will be fairly assess by the research group. The common mistakes are the profile respondents informations are being concealed and sometimes add up information were they did not filled but we assure the reader that this document is not concealed nor misstated.

Data gathering procedures :

Application of the survey/sample tests Sample Attributes Research Objectives Prescribed Controls Deviation Control

Characteristics of the qualified respondents Name of the Respondent Uses ERM (YES/NO) Qualification (YES/NO)

Parameters affecting the sample size Name of the Acceptable Risk of Assessing the Risk Tolerable Rate Too Low Expected Population Rate

Organization

Final Sample Deviations: ___________________ Upper Deviation Limit Number Sample Deviations of Upper Deviation Limit

Sample Results:

RESEARCH INSTRUMENTS We used questionnaires to form an analysis. This will give an information on how the company operates the organization by utilizing the newly adapted Enterprise risk management approach. The data gathered was through the different publications such as books, journal articles, internet, magazine and graduate thesis. The survey form below will be put to the appendix to maximize the important data. We used statistical sampling and standard deviation for determining the results.

Survey Form Please fill up with the following information: Name of the organization: Your name: Position: Year of service in the organization: Answer the following as indicated: 1. How long have you been using Enterprise Risk Management (ERM)?
2. Which of the following describes how you attained your knowledge of Enterprise Risk Management (ERM)?

a. ____ From others in my company. b. ____ From our examination materials. c. ____ Through seminars/courses presented by: (please specify) _________________ d. ____ Through self-study of the literature. e. ____ Through on-the-job learning. f. ____ From specific readings/textbooks. (please specify) ______________________ g. ____ Other (please specify) ____________________________________________ h. ____ I have no current knowledge of ERM.
3. Which of the following best describes your level of knowledge, involvement, and interest in ERM? (Please check one.)

a. ____ I consider myself somewhat of an expert in ERM and devote a considerable portion of my time to ERM projects. b. ____ I am familiar with ERM and have been involved with some ERM projects. c. ____ I have some understanding of the ERM concept, but have never been involved with an ERM project. d. ____ I am not very familiar with ERM, but am interested to learn about it. e. ____ I have no interest in ERM.

For numbers please check all that applies

4. Which of the categories of the organization are you currently involved?

a. Identification of risks on an enterprise-wide scale: ____ Hazard risk property/casualty ____ Hazard risk other (e.g., health, safety, HR-related) ____ Financial risk ____ Operational risk ____ Strategic risk b. Analysis/quantification of hazard risk: ____ Property/casualty hazard risks ____ Other types of hazard risk (please specify) ______________________________ c. Analysis/quantification of financial risks: ____ Credit risk ____ Foreign exchange risk ____ Interest rate risk ____ Liquidity risk ____ Other (please specify) ______________________________ d. Analysis/quantification of operational risks: ____ Operations ____ Information Technology ____ Integrity ____ Information risk ____ Other (please specify) ______________________________ e. Analysis/quantification of strategic risk: ____ Competition ____ Customer wants ____ Technological innovation ____ Capital availability ____ Regulatory ____ Political ____ Other (please specify) ______________________________

f. Integrated risk analysis including the following categories: ____ Integration of various types of property/casualty hazard risks faced by an entity (e.g., property catastrophe risk with automobile liability). ____ Integration of property/casualty hazard risks with other types of hazard risk faced by an entity (e.g., workers compensation with health risk). ____ Integration of hazard risk, financial risk, operational risk, and/or strategic risk. g. Assessment or prioritization of risks faced by an entity. ____ hazard ____ financial ____ operational ____ strategic h. ____ Recommending ways to treat or exploit risks that have been identified, quantified, and assessed. i. ____ Monitoring of changes in the risk environment and performance of the risk management processes.

5. Which of the following best describes your primary role in the ERM projects that you have been involved with? (Please check one.)

a. ____ Project leader. Part of a team of practitioners with my role being: b. ____ Primary technical analyst for all risks. c. ____ Primary technical analyst for hazard risk, but a secondary role in other risks. d. ____ Integrator of all risks. e. ____ Other (please specify) ___________________________________________

Please return the survey by . Thank you for your participation.

With standard deviation of the sample An estimator for sometimes used is the standard deviation of the sample, denoted

by sN and defined as follows:

This estimator has a uniformly smaller mean squared error than the sample standard deviation (see below), and is the maximum-likelihood estimate when the population is normally distributed. But this estimator, when applied to a small or moderately sized sample, tends to be too low: it is a biased estimator. The standard deviation of the sample is the same as the population standard deviation of a discrete random variable that can assume precisely the values from the data set, where the probability for each value is proportional to its multiplicity in the data set.

Slovin Formula: n= N__ 1+N(e) Where: n = sample size N = population size E = margin of error * desired