
CMA Exam Review - Part 2 - Section D - Risk Management


8/25/22, 4:38 PM CMA Exam Review - Part 2 - Section D: Risk Management

Study Guide
Section D: Risk Management

Risk is the level of uncertainty about future events. Organization managers need to identify, assess, and respond to risks in order for the organization to achieve its
goals and objectives and its vision. Risks must be managed to an acceptable level to adequately protect organizational assets and to mitigate losses. Even though
risks are difficult to determine and quantify, management should make a best effort to identify, assess, and respond to them. This section focuses on the enterprise
risk management (ERM) model. ERM provides a comprehensive approach to risk identification, assessment, and response.

LOS
Learning Outcome Statements Overview: Risk Management

1.  Section D.1. Enterprise Risk

The candidate should be able to:

a. Identify and explain the different types of risk, including business risk, hazard risks, financial risks, operational risks, and strategic risks.
A. Business risk—The possibility that an organization either will have a lower profit than expected or will experience a loss instead of a profit.
B. Hazard risks—Relate to natural disasters, such as storms, floods, hurricanes, blizzards, earthquakes, and volcanoes.
C. Financial risks—Caused by debt/equity decisions related to financing the business. They include liquidity (short-term bill paying) and solvency (long-term
bill paying) risks, usually controlled through adequate financial and capital reserves.
D. Operational risks—Relate to the relationship of fixed and variable costs in the organization's cost structure as well as internal process failures, system
failures, personnel, legal, and compliance.
E. Strategic risks—Include regulatory risk, economic risk, and political risk.
b. Demonstrate an understanding of operational risk.
A. Operational risk from inadequate or failed internal processes can include low-quality inputs, product defects and claims, and inadequate internal
controls.
B. Operational risk from people can include human resource deficiencies and occupational safety and health accidents.
C. Operational risk from systems can include business continuity inadequacies and other information technology failures.
c. Define legal risk, compliance risk, and political risk.
A. Operational risk includes legal and compliance risks that relate to the organization's observance of laws, relevant regulations, and contractual
obligations. Political risk is the risk that political influence and decisions may impact the profitability and effectiveness of an organization.
d. Demonstrate an understanding of how volatility and time impact risk.
A. Risks are a function of volatility (variability) and time. Increased volatility, such as variability in expected returns, translates into increased risk. The
longer the time frame, the more the uncertainty and, consequently, the higher the risk. Shorter time frames imply lower risk.
e. Define the concept of capital adequacy; i.e., solvency, liquidity, reserves, sufficient capital, etc.
A. Capital adequacy measures how well a financial institution protects its depositors and protects the financial systems around the world. The measure of
capital adequacy is called the capital adequacy ratio (CAR). For a company, capital adequacy relates to how well it manages solvency, liquidity, and
reserves.
f. Explain the use of probabilities in determining exposure to risk, and calculate expected loss, given a set of probabilities.
A. Assessing risk generally involves the use of probabilities in order to assess the overall exposure to loss. The weighted average of the probability and
extent of loss is used to determine total expected loss.
For example, if there is a 40% chance that a company will suffer a $1,000,000 loss and a 60% chance that the company will suffer a $300,000 loss, the
expected loss can be estimated as $580,000 [(0.4 × $1,000,000) + (0.6 × $300,000)].
g. Define the concepts of unexpected loss and maximum possible loss (extreme or catastrophic loss).
A. In the example above, it is apparent that the actual loss cannot be $580,000, the amount of the expected loss. If there are two scenarios and one will
result in a $1,000,000 loss and the other will result in a $300,000 loss, those are the only two actual losses that can occur. The unexpected loss is the
amount of loss that exceeds the expected loss. The maximum possible loss is the $1,000,000.
h. Identify strategies for risk response (or treatment), including actions to avoid, retain, reduce (mitigate), transfer (share), and exploit (accept) risks.
A. Risks can be mitigated in these ways:
i. Risk transfer (share)—Risk can be transferred by purchasing insurance policies against the risk itself. For example, a company can purchase
property and casualty insurance and bond employees to minimize losses should a threat be carried out.
ii. Risk avoidance—Ceasing an activity that brings risk to the firm. For example, a firm can shut down (or never open) the zip line operation in an
amusement park.
iii. Exploiting risks—Involves accepting one lower risk to mitigate another higher one. An example is where a company expands into a lower-risk
industry, such as health care, while reducing its commitment in a higher-risk industry, such as automotive parts.
i. Define risk transfer (e.g., purchasing insurance, issuing debt).
A. Risk transfer (share)—Risk can be transferred by purchasing insurance policies against the risk itself. For example, a company can purchase property and
casualty insurance and bond employees to minimize losses should a threat be realized.
j. Demonstrate an understanding of the concept of residual risk, and distinguish it from inherent risk.
A. Residual risks—Those that remain after any actions management might take with regard to inherent risks.
B. Inherent risk—The risk of an activity in the absence of any risk-mitigating strategies.
k. Identify and explain the benefits of risk management.
A. Failure to adequately address risk can have substantial negative effects on a business and could potentially put the company out of business. Given the
potential ramifications of mismanaging risk, companies should implement a risk management process program that will enable them to avoid risks,
reduce the negative effects of risks, prepare to accept some risks, and/or transfer risks to another party (typically by purchasing insurance).
l. Identify and describe the key steps in the risk management process.
1. Identify the risk.
2. Analyze the risk.
3. Evaluate the risk.
4. Manage the risk.
5. Monitor and review the risk.
m. Explain how attitude toward risk might affect the management of risk.
A. Risk assessment is a function of management's attitude toward risk as well as the estimate of potential risk. For example, the more risk averse a
management team is, the more it will be willing to spend to mitigate the risk. Likewise, the greater the potential risk is perceived to be, the more time and
money management will be willing to spend to minimize or mitigate the risk.
n. Demonstrate a general understanding of the use of liability/hazard insurance to mitigate risk (detailed knowledge not required).
A. Purchasing an insurance policy is a strategy to transfer the risk of potential loss to a third party in exchange for a periodic payment.
o. Identify methods of managing operational risk.
A. Operational risk can be mitigated by having in place adequate internal controls, defined business processes, a trained workforce, and plans for disaster
recovery. A company also can shift the organization's cost structure from fixed to variable to mitigate operational risk.
p. Identify and explain financial risk management methods.
A. Financial risks may be reduced by adjusting the organization's capital structure to minimize the cost of capital. The cost of capital is a function of the
mixture of debt, preferred stock, retained earnings, and common stock issued in the organization's capital structure. The proper mix will reduce to an
acceptable level bankruptcy risk and agency costs.
q. Identify and explain qualitative risk assessment tools including risk identification, risk ranking, and risk maps.
A. Risk identification—Seeks to identify as many threats as possible without evaluating them. Much like a risk brainstorming session.
B. Risk ranking—After risks have been identified, they are ranked according to their probability of occurrence and the magnitude of loss.
C. Risk mapping—A tool to see visually the probability of occurrence and the magnitude of loss when evaluating risk.
r. Identify and explain quantitative risk assessment tools including cash flow at risk, earnings at risk, earnings distributions, and earnings per share (EPS)
distributions.
A. Cash flow at risk—A value at risk (VaR) analysis tool using the cash flow figure as the maximum loss within a given time period.
B. Earnings at risk—A VaR analysis tool using the accrual basis earnings as the maximum loss within a given time period.
C. Earnings and EPS distributions—These can be used to show the effect of risk management on reducing the volatility of earnings associated with an event.
s. Identify and explain value at risk (VaR) (calculations not required).
A. Value at risk (VaR)—The maximum loss within a given period of time and given a specified probability level (level of confidence). VaR is prospective. It
quantifies market risk while it is being taken. VaR is depicted graphically using a bell curve.
t. Define enterprise risk management (ERM), and identify and describe key objectives, components, and benefits of an ERM program.
A. Enterprise risk management (ERM)—A comprehensive analysis of all risks facing the organization, including financial, operational, and compliance risk.
B. Key objectives:
i. To create, protect, and enhance shareholder value by managing the uncertainties facing an organization. Instead of managing risk in many
individual silos, ERM takes an integrated and holistic perspective on risks facing an organization.
C. The COSO ERM framework includes five interrelated components that may assist a company in managing risk within its risk appetite and provide
reasonable assurance regarding the achievement of entity objectives.
u. Identify event identification techniques and provide examples of event identification within the context of an ERM approach.
A. Event inventories—Detailed listings of potential events that might occur or are common.
B. Internal analysis—Analysis drawing on the experiences within the company and the staff within the company to identify risks.
C. Escalation or threshold triggers—Triggers that alert management to areas of concern by comparing current transactions or events with predefined
criteria.
D. Facilitated workshops and interviews—Identify events by drawing on accumulated knowledge and experience of management, staff, and others.
E. Process flow analysis—Considers the inputs, tasks, responsibilities, and outputs that combine to form a process.
F. Leading event indicators—Identify the existence of conditions that could give rise to an event by monitoring data related to those events.
G. Loss event data methodologies—Compilation of historical data detailing specific events that may have triggered losses in the past.
v. Explain how ERM practices are integrated with corporate governance, risk analytics, portfolio management, performance management, and internal control
practices.
A. ERM involves corporate governance, risk analysis, and portfolio management. The organization must be managed properly, management must assess
risks, and it must develop a wealth-maximizing portfolio of investments. The investments (assets) include current assets (cash, trading securities,
receivables, inventories, and prepayments) and noncurrent assets (property, plant, and equipment; long-term investments; natural resources; and
intangibles).
w. Evaluate scenarios and recommend risk mitigation strategies.
A. The information outlined above details many risk mitigation strategies in order to manage risk within an organization.
x. Prepare a cost-benefit analysis and demonstrate an understanding of its uses in risk assessment and decision making.
A. The COSO Framework provides some guidance on preparing a cost-benefit analysis. A risk analysis and response cost-benefit analysis involves steps
similar to any cost-benefit analysis. The costs of the risks or potential losses are weighed against the cost of preventing the event from occurring.
Mitigating factors, and the costs associated with them, are weighed against the benefits of those programs.
y. Demonstrate an understanding of the COSO Enterprise Risk Management - Integrated Framework (2017).
A. The COSO ERM Framework includes five interrelated components. The five interrelated components assist a company in managing risk within its risk
appetite and assist in providing reasonable assurance regarding the achievement of entity objectives. The components are:
i. Governance and culture
ii. Strategy and objective-setting
iii. Performance
iv. Review and revision
v. Information, communication, and reporting

https://app.efficientlearning.com/pv5/v8/5/app/cma/part2_11th_2020.html?#lesson 2/2
