Risk Management Best Practices Guide

Group Members: Ayesha Siddiqa (48)
Ayesha Rauf (16)
Laraib Fatima (40)
Rimsha Abdullah (28)
Noor Yousaf (38)
Nimra Bashir (30)
Noor Fatima (22)
Aliza Yaseen (49)
Semester: 7th evening A
Department: BBA
Subject: Risk Management
Session: 2021-2025
Submitted To: Miss Nimra Iqbal

BEST PRACTICES
Best Practices:
Best Practices in Risk Management refer to the most effective and
efficient methods for identifying, assessing, managing, and mitigating risks. These practices are
widely accepted and are based on standards, research, and practical experiences. The goal is to
enhance the risk management process and ensure that organizations can effectively navigate
uncertainties.

Key Components of Best Practices in Risk Management:

The key components of best practices in risk management are:

1. Risk Identification: Finding potential risks through stakeholder input, historical data
analysis, and tools like brainstorming.
2. Risk Assessment: Evaluating risks based on their impact and likelihood, often using
qualitative and quantitative methods.
3. Risk Mitigation: Developing strategies to reduce or eliminate risks, such as avoidance,
transfer, reduction, or acceptance.
4. Monitoring and Review: Continuously tracking risks and evaluating the
effectiveness of management strategies.
5. Communication and Reporting: Keeping stakeholders informed about risks and
management strategies.
6. Documentation: Maintaining records of risk assessments and actions taken for
accountability and future improvements.
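The six components above describe a repeatable cycle, and the simplest artefact that carries it is a risk register. The following Python script is an added illustration (it is not part of the original guide or any standard it cites): it scores each identified risk as likelihood multiplied by impact on assumed 1 to 5 scales, bands the score, chooses one of the four responses the guide names (avoidance, transfer, reduction, acceptance) against an assumed risk appetite, flags risks whose periodic review is overdue, and produces a prioritized report. The scales, band cut-offs, review intervals, appetite value and the sample register entries are all constructed assumptions for illustration; the risk types in the sample are the ones the guide itself mentions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed 1-5 ordinal scales for likelihood and impact (an illustrative choice,
# not something the guide or ISO 31000 prescribes).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed review cadence per rating band, in days (the monitoring step).
REVIEW_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 180}

# Assumed "as of" date used when the register is reported on.
AS_OF = date(2025, 1, 10)


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    owner: str
    last_reviewed: date
    controls: list = field(default_factory=list)  # documentation of actions taken


def score(risk: Risk) -> int:
    """Quantitative score: likelihood x impact on the assumed scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(s: int) -> str:
    """Qualitative band for a score; the cut-offs are assumptions."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def recommend_response(risk: Risk, appetite: int = 8) -> str:
    """Map a risk to one of the four responses named in the guide.

    'appetite' is the assumed score below which the organization accepts a risk.
    """
    likelihood, impact = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if likelihood * impact < appetite:
        return "accept"
    if likelihood >= 4 and impact >= 4:
        return "avoid"      # both likely and damaging: stop or redesign the activity
    if likelihood <= 2 and impact >= 4:
        return "transfer"   # rare but severe: insurance or contractual transfer
    return "reduce"         # otherwise add or strengthen controls


def review_overdue(risk: Risk, today: date) -> bool:
    """Monitoring: has the risk gone unreviewed longer than its band allows?"""
    interval = REVIEW_INTERVAL_DAYS[rating(score(risk))]
    return today - risk.last_reviewed > timedelta(days=interval)


def build_report(register: list, today: date, appetite: int = 8) -> list:
    """Reporting: one row per risk, highest score first, for stakeholders."""
    rows = []
    for r in register:
        s = score(r)
        rows.append({
            "id": r.risk_id,
            "score": s,
            "rating": rating(s),
            "response": recommend_response(r, appetite),
            "owner": r.owner,
            "overdue": review_overdue(r, today),
            "controls": len(r.controls),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register using the risk types the guide itself names.
SAMPLE_REGISTER = [
    Risk("R1", "Supply chain disruption at sole-source supplier", "likely", "major",
         "Procurement", date(2024, 10, 1), ["second supplier qualified"]),
    Risk("R2", "Cybersecurity breach of customer database", "possible", "severe",
         "IT Security", date(2024, 12, 15), ["MFA", "backups", "monitoring"]),
    Risk("R3", "Production equipment failure", "possible", "moderate",
         "Operations", date(2024, 11, 20), ["preventive maintenance"]),
    Risk("R4", "Employee slip-and-fall in warehouse", "unlikely", "minor",
         "HSE", date(2024, 6, 1), []),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER, AS_OF):
        print(row)
```

Running the script lists the four constructed risks with R1 (score 16, high, avoid) and R2 (score 15, high, reduce) at the top and R4 (score 4, low, accept) last; R1 and R4 are flagged as overdue for review because they exceed the assumed interval for their band. Keeping the response mapping and review cadence in named tables, rather than scattered conditions, is what lets the register be reviewed and revised as a documented policy.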
Standards of Risk Management:
The standards for risk management are:

1. ISO 31000
2. COSO

ISO 31000:
ISO 31000 is published by ISO, an independent, nongovernmental group with a current
membership of 168 national standards bodies. ISO 31000 is an international standard for risk management
that provides guidelines and principles for creating a risk management framework. It emphasizes
a structured approach to managing risk and is applicable to any organization, regardless of size
or industry. ISO has developed nearly 25,000 international standards for management systems, covering:

1. Quality management;
2. Occupational health and safety;
3. Information security and many other topics, including risk management.

The ISO 31000 standard provides principles, a framework and a common approach to
managing any type of risk faced by an organization -- for example, equipment failure,
employee or customer accidents, cybersecurity breaches and financial fraud.

Example: In the manufacturing sector, a company faces risks from supply chain disruptions.

Key components of ISO 31000: The standard has the following three primary components:

1. Principles: ISO 31000 lists eight principles as the foundation for managing risk to
create and protect business value. They provide guidance on the characteristics of
effective and efficient risk management efforts and on how to explain the purpose of
ERM and communicate its value.

2. Framework: This is designed to help organizations apply risk management
mechanisms in business functions and governance structures. It includes six
customizable components: leadership and commitment, integration, design,
implementation, evaluation, and improvement.

3. Process: The standard outlines the process that organizations should use to identify,
evaluate, prioritize and mitigate risks, with guidance on how to apply policies,
procedures and practices in a systematic way. It also includes steps for communication,
monitoring and review, and reporting.

COSO: COSO stands for the Committee of Sponsoring Organizations of the Treadway
Commission, a private sector organization that provides guidelines for businesses to evaluate their
risk management and internal controls. It was originally formed in 1985. Five organizations are
part of COSO: the American Accounting Association, the American Institute of Certified Public
Accountants, Financial Executives International, the Institute of Internal Auditors and the
Institute of Management Accountants. COSO's stated mission is to help organizations improve
their performance by offering guidance on internal controls, risk management, governance and
fraud deterrence. The group's output includes standards frameworks and research studies; it also
has published various thought papers that are available to view and download for free on
the COSO website.
Example: Habib Bank Limited (HBL), one of Pakistan's largest banks, uses the COSO
framework to manage risks. By applying the COSO framework, HBL demonstrates its
commitment to effective risk management, which helps maintain stakeholder trust and supports
the bank's long-term success.

Key Components of COSO:

The ERM framework can be used in organizations of all sizes and in all industries,
according to the document's executive summary. It's a set of 20 principles
organized into these five components of the enterprise risk management process:

1. Governance and culture: This establishes oversight responsibilities for enterprise
risk management and defines the desired organizational culture, including an
understanding of risk and the importance of managing it.
2. Strategy and objective-setting: As part of strategic planning, the organization
determines its risk appetite and aligns that with business strategy. Specific business
objectives are used as a basis to identify, evaluate and respond to risk.
3. Performance: Different kinds of risks are identified, assessed for severity and
prioritized in accordance with the risk appetite. The organization then decides how to
respond to them and creates a portfolio view of the risk it has taken on.
4. Review and revision: The organization reviews business performance and how
well the ERM process is functioning and then decides whether changes are needed to
improve the process.
5. Information, communication and reporting: Information about the risk
management process is collected and shared through ongoing communications and
reporting on risk and business performance at multiple levels across the organization.

Each component contains various principles that describe the specific actions and
practices required. However, they can be applied in different ways by different
organizations. As further guidance on that, COSO has also published a "Compendium
of Examples" supplement with case studies on implementations of the ERM framework
by individual entities.

Certificates:
The two main certificates are as follows:
1. CRMA
2. CRM
CRMA:
CRMA stands for Certified Risk Management Assurance. It is a certification for
professionals who specialize in checking if a company’s risk management and governance
processes are working properly. People with this certification help organizations ensure that
risks are being identified, managed, and controlled effectively. Think of it like having
someone who double-checks that a company’s plan to deal with risks is solid and helps
improve it if needed. The main purpose of CRMA (Certified in Risk Management
Assurance) in risk management is to help professionals understand and manage risks in an
organization. CRMA-certified individuals ensure that the company has good processes in
place to identify, assess, and reduce risks. They provide assurance that the company is
managing its risks well and is following the right procedures to protect its goals and assets.
Essentially, CRMA helps companies stay safe from potential problems by improving how
they manage risks.

Example:

Imagine a retail company like Target plans to open new stores in different cities.
This is exciting but risky because they might choose bad locations, spend too much money,
or fail to attract enough customers. A CRMA-certified professional would step in to help; they
would:

1. Check for Risks: Look at how the company chooses store locations and make sure they
consider things like customer demand and competition in the area.

2. Review Spending Controls: Ensure the company has systems to track construction costs
and avoid going over budget.

3. Give Confidence: Report to the company’s leaders, confirming that risks are being handled
well or highlighting areas that need fixing.

This kind of work helps the company avoid mistakes, save money, and
successfully open new stores.

Key Components of CRMA:

The key components of CRMA are as follows.

1. Establish Scope and Objectives:

• Define the purpose of the assurance review.
• Assess the design and implementation of the risk management framework.
• Evaluate the effectiveness of risk controls in mitigating identified risks.
• Confirm compliance with relevant standards (e.g., ISO 31000, COSO ERM).

2. Understand the Risk Management Framework:

• Review the organization’s risk management policies, procedures, and
governance structures.
• Evaluate how the framework integrates into the organization’s strategy and
decision-making processes.
• Identify key risk indicators (KRIs) and risk appetite statements to ensure
alignment with business objectives.

3. Assess Risk Identification and Evaluation Process:

• Examine the process for identifying risks:
  • Is it comprehensive, and does it include input from all relevant stakeholders?
  • Are emerging risks and trends considered?
• Evaluate the methods used for assessing risks:
  • Are both qualitative and quantitative approaches used effectively?
  • Are risks evaluated consistently for likelihood and impact?

4. Review Risk Mitigation Strategies:

• Assess the design and implementation of controls:
  • Are they aligned with identified risks and adequate for the level of risk
exposure?
  • Are they cost-effective and proportionate to the risk level?
• Verify control effectiveness through testing:
  • Use walkthroughs, control testing, or audits to validate their operation.
  • Assess whether control gaps are identified and addressed promptly.

CRM: A Certified Risk Manager (CRM) is a professional designation that demonstrates
expertise in identifying, analyzing, controlling, and managing risks within an organization. The
CRM designation is awarded by organizations like The National Alliance for Insurance Education
& Research after completing rigorous training and examinations. Overall, a Certified Risk
Manager plays a vital role in safeguarding a company’s assets, ensuring regulatory compliance,
and supporting long-term organizational success. The main purpose of a Certified Risk Manager
(CRM) in a company is to proactively identify, assess, and manage risks to protect the
organization's assets, ensure business continuity, and support strategic objectives. This involves
implementing effective risk management practices to minimize potential losses, enhance decision-
making, and create a resilient and compliant operating environment.

Example:

Risk Managers at tech companies like Google, Microsoft, or Apple play a vital
role in managing cybersecurity risks, intellectual property protection, and regulatory
compliance, especially as these companies deal with global data privacy laws and
technological disruptions.

Key Components of CRM:

The key components of CRM are as follows.

1) Risk assessment and analysis
2) Risk control techniques
3) Risk financing and transfer

Conclusion:

❖ ISO 31000:

• International standard for Risk Management.
• Provides principles and guidelines for effective risk management.
• Focuses on integrating risk management into organizational processes.

❖ COSO (Committee of Sponsoring Organizations):

• Framework for Enterprise Risk Management (ERM).
• Provides guidelines for identifying, assessing, and managing risks.
• Emphasizes a holistic approach to risk management.

❖ CRMA (Certified Risk Management Assurance):

• Certification for professionals who audit and assure risk management processes.
• Demonstrates expertise in risk management assurance and internal audit.

❖ CRM (Certified Risk Manager):

• Certification for professionals who manage and mitigate risks.
• Demonstrates expertise in risk management principles, practices, and techniques.
