Enterprise Risk Management

Group Project

< Apple Inc. >

Team members:

Yuyang Cai
Biying Zhuge
Zheng Yan
Hongfeng (Oliver) Guo
Jiaqi Li
Ziwei Zhu
Xiaochen Ma
Zixuan Wu

October 15, 2017

Index

Section Section Reference

A. Reporting
ERM Summary Report Main Body
B. Project Planning and Management
ERM Plan Appendix 11
ERM Policy Appendix 8
ERM Organization Chart Appendix 9
C. Risk Management Documentation
Company Background Appendix 1
Company Definition of Risk Appetite Appendix 2
Business Objective Setting Appendix 3
Risk Universe Appendix 4
Risk Assessment Criteria Appendix 5
Risk Scale Appendix 6
Prioritized Risk Action Plan Appendix 7
ERM Summary Report
Drivers & Objectives:

Keep growing technology industry and increasing competition in technology industry drivers

Apple to initiate enterprise risk management (ERM) plan. Implementation of ERM gradually

becomes a new trend in the market, and many Apple’s competitors as a result have already

started to establish their own risk management plan. It is critical for Apple to have one to keep its

leading position.

ERM help Apple to analyze the potential risks as well as impacts of identified risks. Through

implementing action plan Apple can effectively manage these potential risks by effectively

allocate available resources and reinforce risk response decisions to reduce operational surprise

and mitigate unnecessary losses. In the meantime, having ERM in place the company help Apple

develop a risk aware culture and share common objectives and standard about risk management.

ERM need to be developed and implemented within every level from top to bottom so as to be

recognized by each person in the company. Beyond that, Apple’s strategy and culture tend to

reflect on the unimaginable growth of technology industry in order that it can leverage the risks

and returns continuously.

Process Employed

We first initiated a ERM group after selecting the most competitive team members from

potential candidates. And then we implemented risk management based on COSO ERM

framework issued in 2004. According to COSO, this framework aims to help business and other

entities to enhance their risk management and internal control system. And this ERM framework
“has since been incorporated into policy, rule, and regulation, and used by thousands of

enterprises to effectively control their activities in moving toward achievement of their

established objectives.” The framework is divided into 8 steps which are internal environment,

objective setting, event identification, risk assessment, information and communication, control

activities and monitoring. We assigned 8 steps for the selected team members. After identified

and assessed 5 key risks, we took actions to respond risks as described as well as set up control

activities and monitoring to continuous growth. We took action to treat and transfer risks

depends on different impacts, likelihood and cost. For rapid technology changes and fierce

competition in industry, Apple need to increase their investment in R&D department to bring

more innovative technology and products to be more competitive. Besides, it is necessary to

protect their products under the law, to prevent products from being emulated by other

competitors. In terms of Globalization and economic condition, the fluctuation of price on

material and labor will affect Apple’s financials. Apple could diverse their foreign currency

holdings so as to remedy losses from one currency by the profit from another currency. Plus,

Apple could buy different forward contracts to cover their losses from exchange risks. Dealing

with outsourcing services, it is better to share their risks with other parties. Besides insurance,

Apple need to require more priorities on their agreement in order to prevent them from

predicating risks associated outsourcing. Considering with performance of distributors and

resellers, Apple need to take actions to share the risks when those carriers fail to sell Apple

products due to financial problems. For example, Apple could offer financial assistance as

exchange of specific returns from those carriers like actively advertise and sell to increase their

sales.
Our team also developed ERM policy and organizational charts to identify the responsibilities at

each level in Apple. To help every person recognize their position under ERM will directly

contribute to exposure risks and implemented ERM process timely.

Finally, Apple need to develop and help managements to utilize the most effective way to

communicate with either internal or external. As needed, implementing effective control

activities and monitoring system help Apple evaluate the effectiveness of ERM to continuously

mitigate the risks for achieving its objectives.

Milestones

The Milestones of our risk management process are mostly according the purpose of ERM and

related deliverables. Essentially, Our purpose tends to expose, identify, and response potential

risks prior to their happening. Thus, implementation of ERM intend to minimize the negative

impacts on achieving objectives. There are five milestones for Apple’s ERM. We first set up an

internal ERM project team by selecting capable professionals to focus on the ERM

implementation. After that we formulated ERM plan (Appendix 11) and ERM project charter

(Appendix 10) including identifying project objectives, analyzing major stakeholders,

appointing the team leaders, scheduling routine meeting and assigning team members’ functions

related to their competency. Then we completed ERM policy (Appendix 8) and ERM

organization chart (Appendix 9) to define employee’s responsibility in the risk management.

Accordingly, We started process with collecting information to understand the company

background (Appendix 1) and business environment of Apple. Next, we planned and

implemented ERM based on the COSO ERM framework. Each team member was assigned with

one of eight components in the framework to work on. In this milestone, we completed risk
appetite consideration (Appendix 2), business objectives setting (Appendix 3), event

identification (Appendix 3), risk universe identification and risk register (Appendix 4) and

prioritized risk action plan (Appendix 7). Ultimately, we finalized ERM implementation plan and

completed a final report of this project.

Key Risk Analysis

We first define Apple’s risk universe (Appendix 4) according to four categories, which are

strategic risks, operational risks, compliance risks and financial risks. In order to prioritize these

risks, we assessed them based on their impacts and likelihood. For the impacts, we categorized

risks in three levels which are low, medium and high. Each levels are differentiate in degree of

their losses on multiple aspects. Take medium impacts for example, the financial losses reach to

from $500M to $5000M with probably lawsuit and reputation damage will be medium impacts

for Apple. To sort likelihood of risks, we rate risks from low to high by percentage which are

less than 20%, 20-70% and more than 70% in accordance with their frequency and probability.

(Appendix 5). According to this risk assessment criteria, we scaled most of risks (Appendix 6)

and have prioritized six risks, which explained below.

Rapid technology changes

Apple’s ability to compete successfully depends heavily on its ability to ensure a continuing and

timely introduction of innovative new products, services and technologies to the marketplace.

Any new innovative products will impact Apple deeply and will make Apple suffer significant

loss on its financials and market share if it couldn’t keep its leading position in technological

changes. In the meantime, competitors like Samsung, Microsoft and Huawei are thriving in
making changes for technology world. Therefore, risk of rapid technology changes is high in all

its impacts, frequency and probability, which will be the most severe risks to be responded.

Fierce competition in market

The competition in the industry is fierce. Apple’s competitors like Samsung, Huawei, and

Microsoft enjoy great resources and ample experience to maintain high market share. Each of

them is able to compete with Apple. For example, they are selling products with similar features

at a lower price, this strategy helps them attract lots of price-sensitive customers. Also, Samsung

nowadays is competitive from its diversity, sales and marketing. Huawei emerged rapidly in

recent years and has a big market in China, which makes Apple lost large amount market shares.

If Apple fails to develop innovative products with attractive margins, or if it fails to expand its

market share and win potential customers, it will lose competitive edge in the market and suffer

from huge financial loss. Therefore, the impact and likelihood of fierce competition in market are

high.

Global and regional economic conditions

Uncertainty about global and regional economic conditions poses a risk to Apple. Consumers

and businesses may postpone spending in response to low-speed global and local economic,

tighter credit, higher unemployment, financial market volatility, government austerity programs,

negative financial news, declines in income or asset values and/or other factors. These

worldwide and regional economic conditions could have a material adverse effect on demand for

Apple’s products and services

Substantial inventory risk

Since Apple is also a goods-consuming company, which means they will need to forecast the

demand and production in advance. Because the Company’s markets are volatile, competitive

and subject to rapid technology and price changes, there is a risk Apple will forecast incorrectly

and order or produce excess or insufficient amounts of components or products, or not fully

utilize firm purchase commitments. The incorrect forecast will bring redundant inventories with

continuous depreciation. The ongoing depreciation will impacts financials especially cash flow

in a deep.

Key personnel leave

Much of the Apple’s future success depends on the continued availability and service of key

personnel, including its Chief Executive Officer, executive team and other highly skilled

employees. Experienced personnel in the technology industry are in high demand, and

competition for these talents is intense, especially in Silicon Valley, where most of the

Company’s key personnel are located. Increasing number of important senior employees, who

stay in important position including technicians, management even CFO left with knowledge and

information of Apple, which could cause significant intangible loss to Apple’s assets. The loss

on intangible assets will delay development and management among Apple.

Outsourcing product manufacturing and logistical services

Since substantially all of the Company’s manufacturing is performed in whole or in part by a few

outsourcing partners located primarily in Asia, so Apple doesn’t have direct control over its

product. Hence, the impact of this risk is high since it is hard for Apple to estimate the product

defect rate and the corresponding warranty expenses, but the likelihood of this risk is low as

Apple still has high buying powers over these outsourcing partners because they are more likely
to maintain a long-term relationship with Apple. As for the logistical service risk part, its

likelihood is low because most of the time it can be transferred timely, but due to the uncertainty

existing in the transportation process, like the possibility of natural or man-made disaster, it is

still possible that those components are failed to be delivered from outsourcing partners to the

final destination as expected, consequently, customers dissatisfaction rate will be raised and

Apple may lose customers.

Please see details prioritized risk action plan in Appendix 7

Conclusion:

Our team firstly developed and categorized our objectives in four parts, which are strategic

objective, operating objective, reporting objective and compliance objective. Upon our research,

we created our assessment chart to identify the most severe risks which are technology changes,

competition, distribution, outsourcing and inventory. Moving forward, the risk responses was

reinforced depends on different situations. Finally, the control activities and monitoring system

was developed associated with identified risks. Implemented our ERM will help Apple to

identify risks and mitigate the impacts in advance. The control activities could reduce the

probability of risks effectively as well as the monitoring system evaluate the effectiveness of

ERM and transfer warnings prior to risks happening. Upon that, Apple could analyze the market

with effective ERM and predict the trend in order that they can reflect changes timely and

survive from huge changes. Along with implemented ERM, Apple could be more competitive to

acquire market shares back and be prepared to adapt to the potential risks from globalization and

economic condition. With effective internal control, Apple could bring more confidence to
stakeholders. By using cost-benefit method under ERM, Apple could leverage risks and returns

to increase their revenue to push up their stock price.

Finally, our ERM tends to mitigate the impacts from risks by increasing the effectiveness and

efficiency to react the potential risks either ongoing or future. ERM also assure Apple to achieve

their objectives effectively.

Appendixes

Appendix 1

Company Background

Apple is an American multinational technology company, and sells consumer electronics,

computer software and online services. It was founded in 1976, Los Altos California where first
apple computer was born. After Apple computer, it also introduced products like ipod, iphone
and apple watch sequentially. By the year 2016, Apple has grown to be the leading technology
company in the industry and first brand value company in the world with $170B brand value. In
2016, Apple’s global revenue has reached $214.2B. Apple has also been ranked No.1 admired
company in the world. Its dominant position could not be replaced by other company in the
world.
Appendix 2

Company Definition of Risk Appetite

According to IRM (2011), the amount of risk that an organization is willing to seek or accept in
the pursuit of long-term objectives. The board of directors of a company decides their risk
appetite by considering risk capacity result from variety of factors such as capital structure,
accesses to financial and non-financial resources, reputation, human resources and corporate
governance. In this way, the risk appetite of an organization establishes a direct link between its
strategies and risk management process at all levels with a consistent view of how to respond to
risks.

The characteristics of Apple’s board define the characteristics of entrepreneurial traits, where
they have the ability to find opportunity and gather resources to take advantage of opportunities.
Apple would never have existed without the vision of the board, since the board paid more
attention on the potential in technology rather than only the money, which allowed Apple to take
more risk on promising investment.

In 2006, Apple’s stock gained 82%. Incidentally, it was also everyone’s favorite stock in 2007
(+136%), 2008 (-56%), 2009 (+132%), 2010 (+51%), and 2011 (+23%). This success greatly
increased Apple’s risk capability and risk appetite. For example, As we know, Apple designs and
creates the iPhone, iPad, Mac notebooks and desktop computers, iOS 8, OS X, iPod and iTunes,
and the new Apple Watch. A risk to having this mission completed has been the competitive
pressures of Samsung’s Galaxy line of cell phones. With enhancements and integration of the
entire iPhone platform to meet what consumers wanted and needed for their everyday use, the
company embraced the competitive risks and has consequently flourished around the world.

However, due to the special and spectacular period with Steve Jobs was over in 2011, the stock
premium decreased and the price per share shrunk a lot. Although Apple’s revenues were high,
its quarterly revenue growth has been shrinking somewhat dramatically for 2013. Also, Apple's
cost of debt increased significantly signaling to investors that the company's risk premium has
changed since its 2013 debt raise. During this period, Apple started to take risk-averse strategy.
As a result, Apple has recently been criticized for no longer innovating at the same pace it used
to, which might be due to its declining little tolerance for risk.

From internal environment perspective, high premium is also because Apple had small number
of strategies related to premium pricing, low cost, product segregated strategy, low focus on
market share, low shareholder return policy and global cheaper marketing. Even though Apple’s
internal environment has some room for criticism, it also sets the foundation for how risk is
viewed and addressed by an entity’s people, including risk philosophy and risk appetite,
integrity, ethical values, and the environment in which they operate.
Appendix 3

Business Objectives Setting

Globalization
There are two globalization objectives apple is going to achieve. First, in order to focus on its
core technology, Apple will keep outsourcing the manufacturing and logistical services to
companies around the world, which lowers the operating costs and also increases operation
efficiency. Apple will also obtain all components from limited suppliers with high quality to
maintain its uniqueness. Because most of those suppliers are located in the foreign countries,
Apple will spend more effort to maintain a sustainable relationship between business partners.
Second, Apple will keep expanding global market through opening more chain of Apple stores
globally, building more online stores in foreign countries and negotiating its third-party
distribution network to effectively reach more customers and provide them with a high-quality
sales and post-sales support experience.

Product Innovation
Without innovative hardware and supporting operation software, Apple cannot maintain a
leading position in the market. Boston Consulting Group keeps ranking Apple as the world’s
most innovative company. Considering the nature of technology industry and company’s
competitive advantages, Apple will keep increasing R&D budget even during tough times to
continue introducing new products and services, developing new product lines and improving
product transitions. Apple will also work closely with customers to understand and analyzes their
demand to bring them better product experience. Recent years Apple has experienced some
quality issues, which have negative impacts on its brand. Therefore Apple will conduct more
quality controls to make sure product quality can reinforce the product innovation.

Reporting
Apple as one of the largest public companies will maintain a good public relation through meet
the requirement to fully disclose reliable financial and non-financial information to stakeholders
inside and outside the company to help them better evaluate the company and make appropriate
decisions. Apple will also establish a strict internal reporting policy to make sure information is
reliable and is communicated effectively and timely.

Compliance
In order to successfully expand both domestic and global market, Apple will work close with law
and regulation experts to oversee areas such as intellectual property ownership and infringement,
tax, import and export requirements, anti-corruption, foreign exchange controls to make sure
operations are comply with applicable laws and regulations. Apple will also prudently select
business partners such as employees, suppliers and agents to make sure they are not violating any
laws. In addition, as we know Apple’s success partly rely on the third-party software developers.
Therefore one of objectives for Apple is to oversee the intellectual property ownership and
digital content of developers.

Event identification

Economic events
Apple’s globalization strategy makes it very sensitive to economic events happened all over the
world. Events like new trade agreement, price movement, capital availability, financial crisis,
and change of taxation policy are both potentially bring opportunities and risks for Apple.

Natural environment events

As we know components of Apple products are supplied by companies from different countries.
Recent years the world has suffered from various natural disasters like floods, fire, and
earthquake. Some of our business partners and global market are located in areas experienced
such natural disasters, which may adversely affect Apple’s operations.

Political events
Both domestic and foreign political events will affect Apple’s operations. Events like new
present selections or new regulation and law will to some extent affect the organization.
However, it is uncertain that whether these events will provide Apple with opportunities or risks.

Social events
Changing demographics, customer behaviors, income level and family structures will influence
consumer purchase decisions. Again these social events may help Apple discovered new
opportunities, but they could also negatively affect its operations.

Technological events
Apple is always the one who initiates the technology innovations. As the center of technological
events, Apple enjoys many opportunities from its R&D. It is important for Apple to better
control and anticipates the technology-changing trend to generate more benefits from the market.
Appendix 4

Risk Universe

Strategic Operational Compliance Financial

Rapid technological changes and Outsourcing product manufacturing and
R&D development
Fierce competition in market
Global and regional economic
changes
Global operations management
Customers loyalty consolidation
and development
Unfavorable results of
Revenue fluctuation
logistical services legal proceedings
Performance of distributors, carriers and other
Labor laws Stock price volatility
re-sellers
Substantial inventory risk (obsolete or exceed Regulations on media Substantial investment and
anticipated demand) device worldwide resources
Product introduction and transition
Product quality problems
Information tech system
Key personnel and labor cost
Access to third-party digital content/intellectual
property
The availability of third-party software
developers
Appendix 5

Risk Assessment Criteria

Impact:
High Financial loss of 5000 M or more;
Game-changing loss of market share;
Rating: 7-9 Demands far more than supply;
Significant prosecution and fines related to patents;
Key senior leaders & technology designers leave;
Key operational problems such as information system break down;
Global reputation damage: product quality problems, copyright violation...
Medium Financial loss of 500 M up to 5000M;
Significant or regional loss of market share;
Rating:4-6 Product turn over can’t meet the demand regionally;
Laws violation;
Experienced staff turnover;
Some operational problems such as retail stores management problems;
Local reputation damage;
Low Financial loss of less than 500 M;
Subtle decreasing market share regionally;
Rating:1-3 Supply meets demand and high turnover;
Not compliance to local laws such as labor laws;
Employee turnover and morale problems;
Small operational problems that can be fixed;

Likelihood:
Frequency Probability (chance of occurrence)
High Up to once or more in one year 0.7 - 1
Medium Once or more in 5 years 0.2 - 0.7
Low Once or more in 10 years 0 - 0.2
Appendix 6

Risk Scale
Impact Likelihood Gross Risk=Impact*Likelihood
Major risks >= 4.5
Rapid technological changes and R&D development 9 0.95 8.55
Fierce competition in market 8 0.9 7.2
Global and regional economic changes 8 0.85 6.8
Substantial inventory risk (obsolete or exceed anticipated demand) 7.5 0.8 6
Key personnel and labor cost 7.2 0.75 5.4
Outsourcing product manufacturing and logistical services 9 0.5 4.5
Minor risks < 4.5
Performance of distributors, carriers and other re-sellers inefficiency 7 0.45 3.15
Product introduction and transition slow down 7 0.3 2.1
Product quality problems 7.5 0.27 2.025
International operational problems 6.8 0.45 3.06
Information tech system break down 8 0.2 1.6
Not access to third-party digital content/intellectual property 5.5 0.4 2.2
The non-availability of third-party software developers 4.5 0.3 1.35
Unfavorable results of legal proceedings 6 0.2 1.2
Labor laws and regulations on media device worldwide violation 4.3 0.25 1.075
Revenue fluctuation 2.3 0.2 0.46
Stock price volatility 2.4 0.33 0.792
Lack of substantial investment and resources 2.6 0.15 0.39
Appendix 7
Prioritized Risk Action Plan

Risk Response
Technology change risk
The risk response to the rapid technology change risk is to treat it. The risk brought by rapid
technology change is that Apple may fail to bring innovative products or the higher product
price with lower product differentiation as compared to its competitors, consequently, it will
suffer from customer loss and profit shrink, and these impacts are severe. Additionally, the
likelihood of the technology change risk is high since we are in a technology updating age.
Though the amount of risk is highly over its risk appetite, Apple can do little to prevent the
risk from happening, additionally, this risk is hard to be transferred into the insurance market,
so in response to it, Apple should take actions to reduce the likelihood of this risk. One of the
main methods to reduce this risk is to invest its research and development department to keep
pace with the instant technology update and bringing out the innovative products
continuously to attract customers, besides, Apple can cooperate with a professional law firm
to protect its intellectual products from infringing, thus, competitors will be discouraged to
emulate its product feature.

Fierce market competition

The risk response to the fierce market competition is to treat it. Based on the risk assessment,
the impact of fierce market competition is high. Obviously, the impact is unacceptable to
Apple, and though Apple wishes to terminate the risk, it is hard for them to stop the
continuous competition from its current and future competitors. Hence, what Apple can do
now is to take any practicable actions to bring the risk to a tolerable level, and the methods to
deal with this risk are similar to the ones in response to the technology change. Like the
investment in its R&D department to improve its product function and bring the innovative
design. Though the investment maybe costly, it is still worthful because the customers can be
retained and Apple can enjoy its competitive edge in its ability to design featured products.

Global and regional economic conditions

The risk response to global and regional economic conditions is to treat it. The impacts of
global and regional economic conditions are severe, like the loss from currency fluctuation,
company’s inability to obtain credit to finance development, and the higher unemployment
rate. Thus, the risk isn’t tolerable, besides, Apple is unavoidable to be exposed to this risk or
to behave effectively to prevent the global or regional range risk, so what Apple is suggested
to respond to this risk is to treat it and bring the risk within its risk tolerance. For example, to
reduce its loss from exchange rate risk, Apple can diversify its foreign currency holdings, so
the decline in the value of one currency will not affect the overall dollar value of Apple.

Substantial inventory risk

The risk response to substantial inventory risk is to treat it. If Apple is short of inventory, it
can’t ship its order on time, consequently, it will lose customers and have negative impact on
customer loyalty, and if its inventory exceeds the demand amount, there will be an inventory
overstock issue, which increases operating cost. All these impacts are significant, and the
likelihood of this risk is medium because the differences between the budget inventory
numbers and actual market needed numbers is common, moreover, the cost of preparing the
budget plan is lower than the benefit of it. Hence, it is better for Apple to treat this risk. One
of the ways to reduce the risk is that Apple can periodically set an inventory budget plan
based on its history inventory data and forecast on the future market needed quantity, so the
budgeted order number can be located in a reasonable range, accordingly, the risks of
overstock or stock shortage can be mitigated to an acceptable level.

Key personal leave

The risk response to the key personal leave is to treat it. The impact of this risk is high as
large portion of Apple’s value reply on its human assets. Like Apple’s important strategic
and operational business decisions are made by its senior managers, if they leave the
company, Apple will find it difficult to make significant decisions in a timely way. Also, the
cost of recruiting successors is high, for example, it includes the cost to search potential
candidates, train new hires, and handle the work handover. Luckily, Apple has a high
employee retention rate because of its unique company culture, professional working
environment and high compensation satisfaction. After considering the nature of technology
industry, we believe the likelihood of this risk is medium to low. Therefore, facing the high
impact and medium likelihood and analyze the cost and benefit, Apple’s risk response is to
reduce it. For example, Apple can conduct more recruitment assessment to hire people that
are most suitable for its organization culture. Apple can also regularly have conversations
with employees to understand their needs and concerns.

Outsourcing product manufacturing and logistical services

The risk response to product manufacturing and logistical services provided by outsourcing
partners is to transfer after considering the high impact and the low likelihood according to
the risk assessment. To discourage or prevent its partners from violating the materials
regulation and producing products with low quality, Apple is recommended to set an
agreement with those partners that lists the specific terms on the tolerance of product defect
rate, and once the rate is over a certain percentage, the partners should not only cover all the
product warranty expenses but also shoulder the after-sale-service responsibility to repair the
defects. Additionally, the term can list that when the defect rate is over a reasonable range,
Apple can stop the cooperation relationship with the partner and ask for the compensation for
loss.

As for the logistical service risk part, taking the low likelihood and high impact into
consideration. we recommend Apple to transfer this risk by signing a contract with an
insurance company on the distribution conditions, thus, when components can’t be delivered
timely, the insurance company will pay for the loss. By transferring risks, Apple can reduce
the financial impact to a tolerable range.

Control Activities
Due to the complexity and scope of the business area that Apple develops, our
action plan will only give a brief description without detailed elaboration including
quantitative and qualitative demands and standards. Besides, the action plan is aiming
to specific risks which have been prioritized before in risk-assessment part. The action
plan is consisting of two parts: control activities and monitoring.

Rapid technological change

To mitigate the risk that Apple may be no longer competitive in markets due to rapid
technological change, three related control activities are listed as below:
a. Sustainable R&D expenses should be invented in updating products including
software, hardware, operating system and other services. To be detailed, invest
Advanced Technology Laboratory to cultivate research in HighTech area and
establish a group to help with elaborate the products the Labs designed, communicate
with manufacturing department and collecting feedback information from various
different ways.
b. Exploring and hiring outstanding scientists and programmer in R&D department is
also significant to the company. That includes attractive benefit and predictable career
development design. Besides, regular training to employees in Human Resource
Department is critical. The training content will include updated technology changes
and science related to the company. In this way, potential high-quality candidates will
not be neglected due to some rare but still existed reasons.
c. Monitoring the apply process of patents, trademarks, copyrights and relevant
intellectual properties. The process includes prepare to apply, keep those deliverables
 confidential and notice that whether the competitors infringe on the company’s
intellectual property.

Fierce Competition in Market

The company faces a fierce competitive global market where the usage of price-cutting
method, the continuous introduction of new products, evolving industry standards and short
product life cycle exist. To mitigate the risk, the company can carry out control activities as
below:
a. Keeping invest in current operating system. Due to the fact that the company is the
only authorized maker of hardware using macOS which competing with other
operating system that, in Personal Commuter, the majority is Windows; in
Smartphone, most Android, one of the best ways to hold a competitive position is to
provide the best system service and related third-party service in the existing OS.
b. Keep and develop a close relationship with third-party which provides
applications, software, and digital content based on this specific operating
system(OS). Furthermore, invest in those suppliers which produce outstanding
products but lack of enough funds to continue.
c. Monitoring competitors’ technology developing trends therefore reasonably
schedule the next step. Take an eye on competitors’ behavior and evaluating the
current situation of the company is useful because it gives a chance to review whether
the developing strategy is appropriate and whether the company will keep its
competitive condition in the future.

Global and regional economic conditions

Global and regional economic conditions greatly influence the company’s performance and
operations since related economic policy and affairs are indirectly associated with the
manufacture, inventory and sales. To mitigate this risk, a set of control activities combined
with financial management and regulation monitoring will be implemented as below:
a. To mitigate the financial related risk, establishing a financial group is suggested.
The financial group will use asset portfolio to make sure the risk is sustained in a
predetermined extend. For example, currency forward contracts and foreign futures
are two of the most popular financial instruments to hedge risks in currency
fluctuation risk.
b. Setting a group of experts to monitor and predict the related economic policies.
Apple is a multinational company which subsidiaries are in numbers of countries
where economic policies are different from U.S., compliance with local regulations
and response in a correct way will be very important. The experts will analyze and
 make predictions about economic policy beforehand and give suggestions to the
financial group’s behavior afterwards to make sure the expectations are met.
c. Maintaining good and close relationship with outsourcing partners, vendors and
suppliers. Not only Apple will face the financial related risks, the relevant
stakeholders will be affected simultaneously. Keeping an eye on the three parties’
conditions will be helpful to project the company’s next step. For example, if a
vendor is short of cash and cash equivalents due to some emerging economic policy,
thus resulting in inability to meeting the material demand from Apple, a backup plan
should be instructed long before the scheduled material demanding time. In this way,
Apple’s inventory will not be affected. To make this process run smoothly, analysis
about the three parties could not be avoided.
d. Monitoring the conditions of customers including channel partners. Customers’
conditions determine the sales revenue. If customer is lack of ability to obtain credit
to finance purchases of the product, undoubtedly the company will suffer a great loss.

Substantial Inventory Risk (obsolete or exceed anticipated demand)

To reduce the risk that products manufacturing is not properly consistent with the market
demands, the company should develop a monitor system of inventory. For the beginning of
the system, market analysis about how large is the inventory at the specific period of time and
how long will it take between purchasing orders from factory to customer receiving final
products should be given. Considering the life cycle of releasing a new product to customers,
the second step is to purchase orders about projected manufacture, supplier contracts, and
shipment contracts. The third step is new product announcement. Then the company is open
to orders from customers. After collecting orders, shipment will be arranged. In the process
of monitoring, each step should be confirmed with the scheduled time and record the existing
problems and difficulties. At the end of the monitoring, value-added feedback will be come
up with about the differences between the reality and the analysis expectations.

Key Personnel Leave

Apple is headquartered in Silicon Valley where experienced employees and talents are in
high demand therefore labor market is very competitive. Even though the HR department has
employed a talent for the company, maintaining the talent is also important. To reduce this
risk, the company can implement control activities as below:
a. Signing a win-win employing contract including terms that restricting a free
job-hopping behavior.
b. Develop a regular work shift and peer-training program. This combination
behavior can reduce the risk that a critical position content can only be done by a
 specific person. Peer-training program is a project that employees share their working
content and skills with other colleagues.
c. Providing a positive and creative working environment for employees. A
competitive benefit package is not rare in Silicon Valley. One of the best ways for
people maintain their position is to make people feel that working here is a satisfying
thing and this kind soft strength of the company could not be learned or replaced by
other competitors.

Outsourcing product manufacturing and logistical services

a. Evaluating and monitoring the current and future condition of outsourcing
partners. Many critical components in manufacturing and majority part of logistical
management have been outsourced in Asia and Europe where environments are
different from U.S. Those environments include, but not limited to, nature, society,
labor, regulation and finance. To mitigate the risks that outsourcing partners perform
worse than expected or failed to perform as agreed in contracts, the company should
closely observe the current condition of the outsourcing partners and properly predict
the future state of partners based on the evaluation of local environment.
b. Containing provisions for warranty expense reimbursement in contracts with
outsourcing partners and sampling checking the quality and quantity of the products
manufactured by the outsourced partners. Considering the customer may ask for
warranty service due to the products defects, it is reasonable to share this risk with
partners. Even though outsourcing diminishes the direct control of the final
products(for example, assembling work is outsourcing in Asia), sampling checking
can still function in an indirectly way to mitigate the risk.

Information and Communication

The success of ERM is highly dependent on the effectiveness and efficiency of Apple’s
information and communication, which is one of the COSO elements. Our purpose is to make
sure that all relevant information is identified, collected, and shared from both internal and
external sources. Also, necessary information should flow up, down, and across the
organization. Therefore, the ERM initiative goal in this phase is establishing and maintaining
both internal and external communication channels to support the Apple’s ERM project.
Information Requirement
According to COSO ERM, risk communication starts with identifying stakeholders. Once the
stakeholders have been identified, the nature, purpose, and methods of communication for
different stakeholders could be decided.
Management must consider Apple’s objectives and related risks to identify and gather
relevant information for managing risks. COSO notes that information must be:
· Appropriate and at the right level of detail;
· Timely;
· Current;
· Accurate and reliable;
· Accessible to those who need it.

Defined ERM Policy

To make sure that all personnel receive a clear message from top management that ERM
responsibilities must be taken seriously, the ERM branch should construct a defined ERM
policy which includes objectives, scope, and approach of ERM, as well as responsibilities of
each employee. The ERM policy will help to set the foundation of ERM and also guide
employees to make appropriate actions and decisions in the management of uncertainty and
opportunities.

Appendix 8 is the ERM policy that our team establish for Apple. The ERM program is based
on the COSO standard. The Chief Risk Officer (CRO) appointed by the Board of Directors
will lead the ERM Branch and promote the implementation of ERM program, and the ERM
Branch including Head of Department and key business unit leaders is responsible for
supporting the CRO (See Appendix 9). In addition, the Board will oversee all risk
management activities, and the CEO is essentially responsible for the ERM. Also, all
employees are responsible for supporting the information and communication flows in the
program.

Communication throughout the Organization

In addition to ERM policy, there are many different ways that Apple can choose for internal
communication, such as manuals, memoranda, emails, websites, bulletin board notices, and
face-to-face meetings. The ERM branch will help the management to select and develop the
most appropriate methods of communication in consideration of audience, purpose, and cost.
Also, the ERM branch and internal auditors will periodically evaluate the effectiveness and
efficiency of established communication channels.
The ERM branch will help to establish Apple’s ERM website as a company resource for
information on risk and control topics and best practices, so employees can refer to these
guidelines anytime. To facilitate greater understanding of ERM, employee training is
necessary. These training will focus on applying ERM to routine work in different
departments. Emails, newsletters, and bulletin boards will also be used to advocate ERM and
timely inform other risk and control issues.

Upward communication is also important, and employees must have a means of reporting
what is happening. Independent and anonymous reporting options, such as whistleblowing
system and hotlines, should be established and continually monitored by internal auditors.

Communication with External Stakeholders

Apple also should have two-way communications with external parties, such as customers,
suppliers, regulators, external auditors, and shareholders. Information exchanges can assist in
achieving objectives, improving internal controls and reduce risks. They could take the form
of hard copy documents, electronic format, or face-to-face meetings. For example, Apple
should collect and analyze information from customer feedback to manage product and
market risks. It is also helpful to give publicity to the progress of Apple’s ERM through
annual or quarterly reports, Website postings and press conference, so that we could increase
customers’ and shareholders’ confidence in Apple. Besides, the ERM branch and internal
auditors will perform periodic evaluation on the external communication to make sure that
we use the optimal method to exchange high-quality information timely.

Monitoring System

Tone from the top

It is necessary for both employees and management to be aware of the importance of
monitoring. Management’s behavior can influence how employees react to monitoring and
the board’s behavior can impact the management’s attitudes toward monitoring. To
successfully set the tone at the top, the company can establish a Risk Oversight Committee
that specialized in monitoring the company’s operations. The Risk Oversight Committee can
establish risk oversight policies, monitor internal controls that are designed to manage risks
to decide whether they are effective, and ensure deficiencies can be identified and resolved
timely. The establishment of ROC sends the signal to the entire company that the board pays
attention to monitoring.
Organizational structure
The company should assign proper monitoring responsibilities among all levels of
employees. For instance, in executive level, CFO is responsible for monitoring internal
controls over financial reporting, Chief Design Officer is responsible for monitoring internal
controls on product designing, and Chief Operating Officer is responsible for internal
controls on business operations. Lower level management is responsible for ongoing
monitoring that provides oversight on everyday control activities performed in specific units.
The company should also have evaluators from the outside area to perform independent
assessment such as internal auditors and other designed groups with specialized skills to
focus on monitoring in one specific area.

Monitoring procedures
Rapid technological changes
The only way for the company to cope with rapid technological changes is to keep pace with
the new technology and innovate its products. To ensure achievement of this object, the
company should assess its process in Research & Development. The company can first
develop a monitoring plan that list the goal and expectation, project scope and size, and
project budget. Based on the monitoring plan, the project manager should have ongoing
monitoring on status of the project and communicate with team members to ensure the
project is implemented on time and within budget and expectations. It is normal that new
situations appear during the project and the project manager should react quickly to
situations, discuss with team members about options to take, and take actions to complete the
project as expected.
In addition, internal auditors can review the company’s periodic report to determine whether
the capital allocated on Research & Development is properly used by R&D department and
determine whether related R&D expenses are recorded properly.

Fierce competition in market

To maintain the company’s leading position in the competitive market, the company need to
ensure the quality and safety of its product. When the product delivered from manufacturing
outsourcing partners, the manager should ensure that employees have verified the products to
meet government regulations and meet the company’s requirement. The manager can provide
random and periodic inspection of verified products to determine the effectiveness of
employees’ verifying process. Actions should be taken by the manager to improve the
process if there are any deficiencies.
The company should also provide adequate monitoring of third-party activities to reduce
risks of financial loss since it relies on the third-party for applications, software, and digital
content. The company should review periodically about significant arrangements from the
third-party, and assess if the third-party’s operations are consistent with the contract. A
specialized group can be built to monitor the third-party’s financial condition, quality of
service, relationship with the company, and analyze whether the third-party’s future growth
coordinates with the company’s product development. The group should report results to the
board periodically and communicate with the third-party about identified deficiencies timely.

Global and regional economic conditions

To ensure control activities in reducing financial risks effectively implemented, CFO in the
company should monitor how credit risk, liquidity risk, investment risk, political risk, and
currency risk are treated. For instance, assessing whether the portfolio works as expected,
whether the policy regarding investment reasonable and effective, whether cash obligations
be met timely, whether currency forward contracts effectively hedge risks in currency risk,
and how will political or economic policies changes impact the company’s business.
Internal auditors in the company should analyze financial data periodically to independently
evaluate the company’s current financial risk controls, and provide insight and
recommendation to improve the effectiveness of controls.

Substantial Inventory Risk

To reduce the inventory risk that inventory might be obsolete or might exceed anticipated
demand, the company should first use the inventory management software that
automatically keeps record of inventory comes in and out the company. The software also
shows the pace of inventory items moving through the company, and inventory manager
can analyze the trends based on data collected from the software and determine whether
the pace between moving in and moving out inventory is appropriate for the current
situation.

To ensure receiving products manufactured by outsourcing partners timely, the company

should closely monitor outsourcing partners’ activities. The inventory manager should pay
attention to the promise delivery date, actual delivery date, the quantity ordered and
received, and the quality of product received to determine the reliability of each
outsourcing partner. If there are unreliable partners, the company should take actions to
help them improve their performance , adjust quantity of product planed to be
manufactured by them, or switch to other partners.
In addition, the company could have an independent inventory consultant to review the
inventory management process in an unbiased way and improve the effectiveness of the
process to keep up with demand.

Key personnel leave

Manager in HR department should evaluate the company’s contract with employees to
ensure the contract includes competitive benefit package that satisfies employees’ needs,
financial incentives that encourage employees to work, and clear descriptions for
employees to know how they can get promoted. The manager should then verify whether
all terms in contract are implemented for employees as expected. The manager could also
monitor the effectiveness of the implementation by analyzing the turnover ratio. In
addition, the company should oversee whether training projects are developed for
employees to improve their comprehensive skills.

Moreover, the HR manager can evaluate current hiring procedures to identify any
deficiencies, and improve the procedures if necessary to hire more appropriate and
qualified employees.

Outsourcing product manufacturing and logistical services

Establish acceptable services standard to determine outsourcing partners’ performance level
and equip expertized monitoring group to oversee the outsourcing process. Design more
frequent assessment and monitoring for outsourcing partners with higher risk and discuss
with them about detected problems timely. Implement risk mitigation plans for higher risk
partners if necessary, and conduct more strict monitoring for partners having financial,
compliance and control issues.

Establish procedures to monitor outsourcing partner’s financial conditions to ensure their

ability to maintain their outsourcing business sustainably. The company can review their
recent annual reports and financial statements, analyze trends in assets, debts, and
incomes, and pay attention to any red flags that may impact partners’ future operations.

Assess outsourcing partners’ compliance with local laws and regulations, list
compensation for the company in advance in contracts if they fail to comply with related
laws and regulations.

Assessing and reporting results

The company can develop a database that can be accessed by internal management, auditors,
and external customers to report any issues they identified about control activities and
products. These issues will be prioritized and reviewed by the board and executive
management, then traced back to management in specific areas to resolve them. The board
and executive management will keep an eye on them until all issues are resolved.
The board should pay attention to significant issues that affect the company’s operational or
financial objectives, not only take actions to resolve such issues but also come up with
effective and efficient control and monitoring activities to prevent issues occurring again.
Internal auditors can be helpful in improving the company’s effectiveness of risk
management, control, and monitoring processes.

Appendix 8:

APPLE INC. ENTERPRISE RISK MANAGEMENT (ERM) POLICY

2011

Purpose

Apple Inc. understands that its success is dependent upon the effective management of risk. Risk can
either be transferred to third parties, through insurance, contracts or hedge; it can be mitigated by
implementing internal risk management strategies; or it can be ignored. However, it is important to assess
risks at all levels of the organization in order to effectively identify and appropriately address them.
Risk management is everyone’s responsibility. Establishing the ERM Policy will guide employees in their
actions and decisions to the management of the Apple’s portfolio of risks. It will improve the
management of existing uncertainty and the approach to new opportunities, thereby helping Apple
achieve its vision and mission and to maximize utilization of Apple’s available resources.

Scope and Approach

The scope of the ERM Policy is enterprise wide and is applicable to the Board, Management and
employees of Apple Inc.

Apple Inc. has adopted an enterprise risk management (ERM) based on the COSO standard. An ERM
Branch including Head of Department as well as key business unit leaders will ensure the ERM efforts
are firmly embedded within Apple’s core business activities. The Chief Risk Officer (CRO) appointed by
the Board will lead the ERM Branch and take responsibility for heading the ERM activities.

Responsibilities

Board of Directors
• Overseeing the risk management activities of Apple.
• Knowing the extent to which management has established effective ERM in Apple.
• Being aware of and concurring with Apple’s risk appetite.
• Reviewing the organization’s portfolio view of risk and considering it against Apple’s risk
appetite.
• Being apprised of the most significant risks and whether management is responding appropriately.
Chief Executive Officer (CEO)
• Is the ultimate risk executive and is essentially responsible for ERM priorities, strategies,
tolerances and policies.
• Aligning business objectives with risk strategies, action plans and policies.
• Settling conflicts with regards to ERM strategies and action plans.
• Must ensure that a sufficient resource of the organization is allocated in pursuing ERM initiatives,
strategies and action plans.
• Reporting to the Board of Directors on a regular basis about ERM.

Chief Risk Officer (CRO)

 •Establishing ERM policies, including defining roles and responsibilities and participating in
setting goals for implementation.
• Promoting a culture of risk management and risk awareness.
• Guiding integration of ERM with other business planning and management activities.
• Monitoring the risk exposure and risk management activities.
• Providing timely and consistent flow of risk information to the Board and CEO.
• Providing an annual ERM performance report to the Board.
ERM Branch
• Is responsible for supporting the CRO with the development and implementation of the ERM
Program.
• Developing, coordinating and communicating the ERM framework including training, and
organizing the sharing of best practices across the company.
• Constantly reviewing and providing updates in the risk dictionary and ensuring that newly
emerging risks are identified and included.
• Supervising the consistent execution and continuous improvement of the ERM process in their
respective business functions.
Internal Audit Division

• Assisting management and the board by examining, evaluating, reporting on, and recommending
improvements to the adequacy and effectiveness of Apple’s ERM.
Risk Owners

• Has the responsibility for and ownership of the assigned risks and other risks under the same
functional area of responsibility.
• Identifying root causes of the significant risks, identifying and implementing relevant risk
mitigation activities, and reporting on risk monitoring and management on an ongoing basis with
the guidance and support of the ERM Branch.
• Overseeing the development of risk tolerances and risk management activities at the various
operational units; monitoring these activities and compliance with established risk tolerances; and
escalating any such instances where events could occur outside of risk tolerances to the CRO.
All Employees
• Risk management is everyone’s responsibility. All employees are responsible for supporting the
information and communication flows of ERM.

Policy Review Schedule

The Policy will be reviewed annually.

 Appendix 9:
Apple Inc. ERM Organization Chart

Board of Directors
(Audit Commi3ee)

CEO

CRO

ERM Branch
(Head of Department
and key business unit
leaders)

Senior Vice Chief Financial Chief Design Chief OperaFng

Presidents Vice Presidents
Officer Officer Officer

User Interface Design;

Retail;
CommunicaFons;
So>ware Engineering;
Industrial Design;
......
......
Appendix 10

Apple Inc. ERM Project Charter

Team members:

Yuyang Cai
Biying Zhuge
Zheng Yan
Hongfeng (Oliver) Guo
Jiaqi Li
Ziwei Zhu
Xiaochen Ma
Zixuan Wu
 PART 1: CREATING A CLEAR & ENGAGING DIRECTION
Team Objectives and Goals

1. What is the overall purpose of the team?

Learn, develop, and apply ERM concepts, tools, and skills through simulation.

2. What are the specific objectives and goals for the team? That is, what outcomes or results do
you want to accomplish?
Establish and implement the ERM function for Apple beginning from 2011 to present day.
Simulate the process of planning, implementing and operating the ERM for Apple.
Predict the proposed future state and process after ERM functioning.

3. Who are the major stakeholders for the team? That is, who are the primary groups of people
outside your team that you must pay attention to, keep happy, influence, etc.?
a. Audiences: other classmates listening to our presentation.
b. The professor who evaluates our project
c. Apple investors and employees

4. What results are expected from the team by each of your major stakeholders? How will you
keep each of these stakeholders informed about what you’re doing?
a. Audience is willing to see some special features or attractive points which are different
from common cases. To achieve this objective, we will give out a presentation which
outstands from other groups. Besides, we will try to analyze the case in several
perspectives so that audiences will gain some unique information.
b. The professor would like to see a complete and competitive project report which has an
effective ERM. In addition, the professor wants to see our improvement in leadership
skills as well as communication skills. Therefore, we will submit our detailed project
plan and status report, and make an excellent presentation to show professor our
progress.
c. We will provide an comprehensive ERM project report to Apple’s investors and
employees.

5. How will you measure the success of your project? In other words, what tangible outcomes
would you cite to indicate that your team accomplished its goals?
The success of our project depends on whether we find out specific risks for Apple and the
way we assess these risks. Also, it depends on how the ERM is structured, and whether the
risks we found are successfully managed after the implementation of ERM. In addition, the
grades gained from the professor for both presentation and report, feedback collected from
other classmates after our presentation, and peer evaluation from each other will indicate the
performance of our team.

Page 2
 PART 2: UNDERSTANDING & EFFECTIVELY USING MEMBERS’ STRENGTHS
Team Member What project-relevant knowledge
and experience does this person
Name possess? Who or what do they
know that will help the team?
Yuyang Cai
She is familiar with the team
leading, which helps team
achieve each milestone,
resolve any conflicts within
the team,keep the group
project work under an
appropriate timeline, and
ultimately present
competitive deliverables.
Biying Zhuge
She is skilled in business
writing and familiar with
ERM concepts.
Zixuan Wu
She is good at strategic
planning, business process
analysis and presentation.
What are the unique
strengths of this person (as
you know them so far)?
She is familiar with
collaborating with others
and helping others.
She is good at listening
to alternative ideas and
perspectives and
integrating the
contributions of different
team members.
She is detail-oriented and
skilled in problem
solving. She is good at
giving constructive
suggestions and
integrating different
ideas. Also, she is a good
mediator and tries to seek
consensus.
How can our team best utilize
this expertise and set of
strengths?
She is responsible for
leading the team through
assigning different tasks，
controlling project process,
keeping every team member
updated, and controlling the
deliverables quality.
She is responsible for
clarifying our group
objectives and integrating
the ideas of others at group
meeting. Also, she will
summarize our group's
discussions for each
meeting and make
conclusions in the report.
She is responsible for
defining group mission,
completing part of analysis,
and reviewing the integrity
of the final report. In
addition, she will become
the mediator of our team
and deal with conflicts.
Page 3
Ziwei Zhu
She is familiar with the
internal control framework
good at collecting
information and research
material from different
resources.
Xiaochen Ma
She is familiar with risk
assessment knowledge and is
good at searching project
related information.
Jiaqi Li
She is good at analyzing and
identifying enterprise’s risks.
In addition, she is good at
sorting information and
resources.
Zheng Yan
She is good at risk
classification, which means
she can find out the kind of
risk in the project and find
how the ERM frame can
work with the risks.
She is good at analyzing She is responsible for
information and collecting relevant
considering issues from information and material.
various perspectives. She Besides, she will help write
is good at listening to the final report.
others and sharing her
opinions with others.
She is adept at making She can help apply searched
team members finishing information to the project,
tasks on a timely manner. adjust task contents if
She is good at properly needed, and write the report.
adjusting the tasks in
terms of team members’
constructive suggestions.
She is motivated to She will help set up a
shoulder her detailed time frame for the
responsibilities, and good team to finish the projects
at communicating and step by step, and she will
collaborating with other help write the final report.
teammates to work
toward the common goal.
She is good at She is responsible for
communicating with finding risks in the project
group member and and finding how frame
cooperating with each works with risks, and she
other. will also write the final
report with other team
members.
Page 4
Hongfeng
(Oliver) Guo He is good at problem solving
and creating control activity,
which means he is able to set
up a new and efficient system
to monitor those activities to
mitigate the possibilities of
risks.
He is good at providing His responsibility is to
new ideas, identify each events to judge
communicating and if those are opportunities or
collaborating with other risks. Beyond, how those
group members. He also opportunities or risks will
pays attention to every impact us to achieve
details. objectives.
Page 5
 PART 3: ESTABLISHING TEAM RESPONSIBILITIES, ROLES, & NORMS

Team Responsibility Matrix

Action Items and What roles & duties will be needed to complete this
item? Which members will have responsibility for
Team Tasks these roles/tasks?
(It’s best to assign members responsibility based on
unique strengths they bring to the team.)
What expectations will the team hold for
the member(s) responsible for this item
or task?
(Be specific & include measurable
expectations such as time frames for
specified deliverables)

Collect relevant Detail-oriented research skill is needed. Have a brief understanding of

information and Every team member should gather background and current situation
determine information and share research outcomes with of Apple. Have milestone timeline
milestones and other team members. and ERM organization chart.
ERM organization Due date: Sep 15, 2017
chart of the project.

Internal Understand the general culture, values and Establish Risk management
Environment environment related to risk management philosophy, and risk appetite.
Apple operates. Assign board of directors to
oversight.
Zheng Yan will be responsible for this part.

Set business This item is the whole picture of the projects. Strategic, operations, reporting and
objectives and Identifying objectives will help the team find compliance objectives will be
identify drivers of out Apple’s exposed enterprise-wide risks and identified, and the drivers of
each objective. conduct further analysis. objectives and risk tolerance will
be determined.
Yuyang Cai will be responsible for this part. Due date: Sep 17, 2017

Event identification Identify events that either provide Five types of events should be
opportunities or pose risks to achieve given: a. economic events; b.
objectives. natural environment events; c.
political events; d. social events; e.
Hongfeng (Oliver) Guo will be responsible technical events.
for this part. Due date: Sep 24, 2017

Page 6
Conduct risk Risk assessment involves the recognition of
assessment, and risks and the rating of them to determine the
identify priority significant risks facing the organization,
risks. project or strategy.
Zixuan Wu will be responsible for this part.
Plan risk response. In this part, different response options are
examined (accept, reduce, share, or avoid),
cost-benefit analysis is performed, a response
strategy is formulated, and risk response plans
are developed.
Jiaqi Li will be responsible for this part.
Determine control The team should design control activities to
activities. achieve objectives and respond to risks.
Control activities are performed at all levels
of the company and at various stages within
business processes. They may be preventive
or detective.
Ziwei Zhu will be responsible for this part.
Information and This part requires establishing both internal
communication and external communication channels to
support Apple’s enterprise risk management.
Biying Zhuge will be responsible for this part. individuals at all levels.
Establish Ongoing evaluations, separate evaluations, or
monitoring system some combination of the two are used to
ensure the ERM is functioning.
Xiaochen Ma will be responsible for this part.
Identify the risk universe and
establish the risk priority.
Identify an appropriate risk model
for Apple
Due date: Sep 19, 2017
Select appropriate responses based
on impact and likelihood levels of
the risks (avoid, share, reduce,
accept)
Due date: Sep 23, 2017
Review control policies and
procedures. Classified the control
activities into different categories
and give suggestions of
improvement.
Due date: Sep 24, 2017
Establish appropriate
communication process that ensure
relevant, accurate, and timely
information be available to
Due date: Sep 26, 2017
Ongoing monitoring process is
conducted during analyzing
process. The results of the process
should be delivered.
Due date: Sep 26, 2017
Page 7
Give out status Everyone team member will be responsible Status report and presentation
report and for completing the status report before should be aligned with the
presentation. deadline and making the presentation. requirements of Group Project
Description.
Due date: Sep 27, 2017

Give out formal Every team member will contribute to the Formal report and final
report and final formal report and presentation. presentation should be finished in
presentation. a complete and well-organized
way.
Due date: Oct 10, 2017

Page 8
PART 4: TEAM NORMS

Meeting Norms – Expectations include when, where, and how often to have team meetings. What is expected of
members with regard to attendance, timeliness, and advance preparation? What is the desired balance between
work and fun during meeting times?
Meeting norms for team:
1. We will meet every Saturday/Sunday at McKeldin library. The meeting will be about 2 hours,
depending on the situation.
2. We will prepare for each meeting and come ready to engage.
3. We will begin and end our meetings on time and stay fully engaged throughout each meeting.
4. We will be patient when listening to others speak and do not interrupt them.
5. Everyone is responsible for helping to stay on topic. Speak up if you feel like we’re getting off
track.

Work Norms – Expectations involve firmness and explicitness of standards & deadlines, how equally effort &
work should be distributed, how & by whom work will be reviewed, and what consequences will result if members
do not follow through on their commitments.
Working norms for team:
1. Everyone is responsible for observing the norms and meeting the deadlines.
2. The leader will assign task to team members as fairly as possible, and will review the results.
3. If there are problems or concerns about the work arrangement, team members can talk to the
leader or mediator.

Leadership Norms – Expectations include whether a leader is desired and who that will be, if and how leadership
will be rotated or shared, responsibilities for leaders, and how to keep the leader from taking on too much
responsibility.
Leadership norms for team:
1. Yuyang Cai is our team leader and responsible for the successful completion of our project. She
will take responsibility for creating an inspiring team environment with an open communication
culture. She will also clarify the team goals, delegate tasks and set deadlines. In addition, she will
ensure smooth team operations and effective collaboration.
2. To keep the leader from taking on too much responsibility, Jiaqi Li will become our timekeeper
and will keep the group aware of time constraints and deadlines; the recorder, Biying Zhuge, will
take notes summarizing team discussions and keep all necessary records; the mediator, Zixuan
Wu, will deal with conflicts and help to reach consensus.

Communication Norms – Expectations center on when communication should take place (i.e., what issues
require full-team versus individual-members-only communication), who is responsible for initiating contact,
preferences for how often and through what media (phone, email, etc.) communication should occur as well as
procedures for raising difficult issues or negative feelings about the team or members (including how mid-term &
final team member evaluations will be handled).
Communication norms for team:
1. We will communicate by Wechat and email whenever we have questions. We can use the
“Discussion Group” in Wechat to conduct both full-team and individual-members-only

Page 9
 communication.
2. The leader is primarily responsible for initiating contact, and everyone needs to actively participate
in discussion.
3. If members feel they cannot talk about issues or concerns during group discussion, they can talk to
the leader about their issues in private.

Consideration Norms – Expectations center on how much effort members will make to: express disagreements
tactfully or diplomatically, respect or incorporate minority viewpoints, avoid inflammatory language or
accusations, and share honest perspectives (even if these are unflattering). What procedures will be used to resolve
disagreements (e.g., majority rules, consensus, flip a coin)? They also include the extent to which members will
undertake positive efforts to congratulate each other and recognize each others’ accomplishments.
Consideration norms for team:
1. The leader will make sure all voices are heard, and the mediator will help to deal with conflicts.
2. Everyone should be willing to support a team consensus.
3. Everyone should present in a positive manner and treat members with respect.
4. Don't make threats or rude comments to members.
5. If there are any problems or concerns, talk to the leader before or after the meeting and separate
your own personal feelings from what’s best for the team.
6. Everyone will undertake positive efforts to congratulate each other and recognize each other’s
accomplishments.

Page 10
We have all participated in developing our team’s charter and agree to adhere to the principles in this
charter both individually and collectively.

_____Yuyang Cai_________________________ __ Yuyang Cai____________________________

Name Signature

_____Zixuan Wu__________________________ ___Zixuan Wu___________________________

Name Signature

_____Jiaqi Li____________________________ ___Jiaqi Li_______________________________

Name Signature

____ Biying Zhuge_________________________ __ Biying Zhuge___________________________

Name Signature

____ Ziwei Zhu____________________________ _ _Ziwei Zhu______________________________

Name Signature

____Xiaochen Ma_________________________ __ Xiaochen Ma_____________________________

Name Signature

____ Zheng Yan__________________________ __ Zheng Yan_____________________________

Name Signature

____ Hongfeng (Oliver) Guo_______________ Hongfeng (Oliver) Guo____________________

Name Signature

Page 11
Appendix 11
ERM Development Timeline
Apple Corp
2011-2017
Year One
Phase Task # Task Description Deliverables Jul 2011 Aug 2011 Sep 2011 Oct 2011 Nov 2011 Dec 2011 Jan 2012 Feb 2012 Mar 2012 Apr 2012 May 2012 Jun 2012
Information Gathering and Planning
Identify risk assessment and/or risk management Risk Baseline info for organization
1
activities currently in practice/use
Identify an appropriate risk model for Apple Inc., Draft: Risk Model/Universe, ERM Plan, Risk Assessment Plan
2 develop ERM project plan, and define key deliverables
1
(include risk assessment plan)
Identify leadership for ERM process, and define ERM ERM organization chart
3
organization
Obtain Management and Board approval for risk model, Approved: Risk Universe, ERM Organization, ERM Plan, Risk Assessment Plan
4
ERM organization, and ERM and risk assessment plans
Risk Awareness and Assessment
Establish risk language and develop risk assessment Risk listing with definitions, and risk awareness and assessment training materials
1
documentation and training materials
Conduct risk assessment interviews with key members List of risks for risk assessment (with linkage to objective(s))
2 of management - Identify relevant risks for risk
assessment.
Hold risk awareness session(s) with Senior Management
3 and the Audit & Finance Committee of the Board

2 Hold risk assessment training sessions with identified

4
participants in the risk assessment
5 Execute risk assessment Preliminary list of prioritized risks
Review and revise risk priorities (with input from ERM Prioritized list of risks, linked to owner(s) in the Organization, identified actions required
management, risk assessment participants and executive (Including goals for improving risk management for the top key business risks and risk
6 management), and prepare presentation of the results to response); and Risk assessment presentation
the Board and executive management.
Present the results of risk assessment, including Additional action items, if deemed appropriate, by the Board
7 associated action items and next steps, to the BoD.
Policy Setting and Initiating of Process Monitoring
1 Prepare, review and approve ERM policy ERM Policy
Review and incorporate results of internal control Risk prioritization data
assessments and self-assessments, as well as the results
2 of internal audits/evaluations/investigations and other
reported observations (e.g. regulators, external auditors,
3 etc.) in the risk assessment.

3 Follow-up open action items Status report and updated open action items.
Risk Monitoring Alerts and Monthly reports on observed performance/conditions versus defined Key Risk
Indicators (KRIs) and Key Performance Indicators (KPIs), with explanations for
4 significant changes to prior month, misses on budget, etc.

Follwing years Year Two - Six

Task # July August September October November December January February March April May June
Reassess Risk Management process and policy, and Updated ERM Policy & Procedures
1
make changes, when/if appropriate.
Execute risk assessment - Facilitated Risk prioritization data
2 sessions/workshops to identify, analyze, and prioritize
key risks and RM techniques/strategies
Review results and presentation with the Management Risk assessment presentation
3
and internal audit, and revise as appropriate
Present the results of risk assessment, including Risk assessment presentation
4 associated action items and next steps, to the BoD.
4 5 Internal control assessments and self-assessments
Internal control self-assessments Management assessment and Opportunities to improve controls
6
Review and incorporate results of internal control Risk prioritization data
assessments and self-assessments, as well as the results
7
of internal audits/evaluations/investigations and other
reported observations in the risk assessment.
8 Follow-up open action items Status report and updated open action items.
Risk Monitoring Alerts and Monthly reports on observed performance/conditions versus defined Key Risk
9 Indicators (KRIs) and Key Performance Indicators (KPIs), with explanations for
significant changes to prior month, misses on budget, etc.

Legend:

Enterprise Risk Committee

Apple Inc. Controls
Enterprise Risk Working Group
Risk Owners

B-1