12.2 COSO Enterprise Risk Management (ERM) Framework Flashcards

(23 cards)

1
Q

According to COSO, which component of enterprise risk management (ERM) addresses an entity’s operating structures and core values?

A. Review and revision.
B. Governance and culture.
C. Strategy and objective-setting.
D. Information, communication, and reporting.

A

B. Governance and culture.

The governance and culture component addresses board responsibilities, operating structures, and core values, among others.

2
Q

According to COSO, the benefits of enterprise risk management (ERM) include all of the following except

A. Decreased performance variability.
B. Elimination of all risks.
C. Improved resource allocation.
D. Improved risk identification and management.

A

B. Elimination of all risks.

ERM helps to manage risks, but it does not eliminate risks.

3
Q

Which of the following components are supporting aspects of the COSO ERM framework?

A. Governance and culture; review and revision.
B. Performance; review and revision.
C. Governance and culture; information, communication, and reporting.
D. Strategy and objective-setting; performance.

A

C. Governance and culture; information, communication, and reporting.

The supporting aspect components of the COSO ERM framework are (1) governance and culture and (2) information, communication, and reporting.

4
Q

According to COSO, a risk profile is a view of the relationship between

A. Risk capacity and risk appetite.
B. Inherent risk and target residual risk.
C. Tolerance and risk appetite.
D. Risk and performance.

A

D. Risk and performance.

A risk profile is a composite view of (1) the types, severity, and interdependencies of risks related to a specific strategy or business objective and (2) their effect on performance.

5
Q

Inherent risk is

A. A potential event that may affect the achievement of strategy and business objectives.
B. A risk response.
C. The risk after management takes action to alter its severity.
D. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.

A

D. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.

Inherent risk is the risk when management does not act to alter its severity. Severity commonly is measured as a combination of impact and likelihood.

6
Q

Enterprise risk management

A. Guarantees achievement of organizational objectives.
B. Requires establishment of risk and control activities by internal auditors.
C. Involves the identification of events with negative impacts on organizational objectives.
D. Includes selection of the best risk response for the organization.

A

C. Involves the identification of events with negative impacts on organizational objectives.

Enterprise risk management (ERM) is defined as the culture, capabilities, and practices, integrated with strategy setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

7
Q

According to COSO’s ERM framework, which view of risk is fully integrated?

A. Portfolio view.
B. Risk view.
C. Risk profile view.
D. Risk category view.

A

A. Portfolio view.

A portfolio view is fully integrated. It is a composite view of the risks related to entity-wide strategy and business objectives and their effect on entity performance.

8
Q

An entity determined that its variable interest rate on borrowing will increase significantly in the near future. Consequently, the entity hedged its variable rate by locking in a fixed rate for the relevant period. According to COSO, this decision is which type of response to risk?

A. Reduction.
B. Acceptance.
C. Sharing.
D. Avoidance.

A

C. Sharing.

Sharing reduces the risk by transferring a portion of the risk to another party. By entering into a hedging transaction, the entity transferred a portion of the risk to the party that offered the fixed rate.

9
Q

According to the COSO ERM framework, which of the following best describes the difference between strategy and business objectives?

A. Strategy is the plan to achieve business objectives.
B. Business objectives are the steps to achieve strategy.
C. Strategy is the organization’s core purpose, and business objectives are what the organization aspires to achieve over time.
D. Business objectives are broader in scope than strategy.

A

B. Business objectives are the steps to achieve strategy.

Strategy is the plan to achieve the entity’s mission and vision and apply its core values. Business objectives are the measurable steps taken to achieve the entity’s strategy.

10
Q

Enterprise Risk Management (ERM) is closely aligned with corporate governance because it

A. Focuses management’s attention on the risks mitigated.
B. Identifies which of the organization’s objectives is at greatest risk.
C. Reduces the level of acceptable risks to be taken.
D. Identifies and isolates the silos in which risk exists.

A

B. Identifies which of the organization’s objectives is at greatest risk.

ERM recognizes risk management across the entire enterprise, so it identifies and responds to the organization’s greatest risks. Managing the risks of an organization is one of the goals of corporate governance.

11
Q

Based on COSO’s integrated framework, all of the following are components of Enterprise Risk Management except

A. Control activities.
B. Risk response.
C. Feasibility analysis.
D. Objective setting.

A

C. Feasibility analysis.

Feasibility analysis is not required at any point under the COSO enterprise risk management framework.

12
Q

Elements of project risk identification include which one of the following?

A. Interviews and observations.
B. Cost estimates.
C. Actual risk events.
D. Activity duration estimates.

A

A. Interviews and observations.

Interviews and observations are an element of project risk identification because they are an effective means of identifying risks.

13
Q

The underlying premise of the COSO ERM framework is that every organization exists to

A. Achieve strategy and business objectives.
B. Provide value for its stakeholders.
C. Identify and manage risks.
D. Maximize profits.

A

B. Provide value for its stakeholders.

ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

14
Q

According to COSO, the difference between inherent risk and actual residual risk results because of management’s

A. Inability to alter the severity of inherent risk.
B. Inability to share the actual residual risk.
C. Actions to alter the severity of actual residual risk.
D. Actions to alter the severity of inherent risk.

A

D. Actions to alter the severity of inherent risk.

Inherent risk is the risk without management actions to alter its severity. Actual residual risk remains after management actions to alter its severity.

15
Q

Company management completes event identification and assesses the severity of risk. Management then acts to alter the severity of risk. According to COSO, which of the following types of risk does this situation represent?

A. Actual residual risk.
B. Detection risk.
C. Inherent risk.
D. Event risk.

A

A. Actual residual risk.

Actual residual risk is the risk that remains after management acts to alter its severity. It should not exceed target residual risk.

16
Q

According to COSO, which of the following provides oversight of an entity’s enterprise risk management (ERM)?

A. The board of directors.
B. The risk officer.
C. Management.
D. Financial executives.

A

A. The board of directors.

The board provides risk oversight of ERM culture, capabilities, and practices. Also, board committees may be formed for this purpose, e.g., a risk committee.

17
Q

Limitations of ERM may arise from all of the following except

A. Faulty human judgment.
B. Cost-benefit considerations.
C. Failure to achieve objectives.
D. Collusion.

A

C. Failure to achieve objectives.

Limitations of ERM arise from the possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple errors or mistakes, (4) collusion, and (5) management override of ERM decisions. The failure to achieve objectives is a risk of poor enterprise risk management.

18
Q

The performance component of the COSO ERM framework addresses an entity’s

A. Performance results and consideration of risks.
B. Performance targets and tolerances.
C. Risk identification, assessment, and prioritization methods.
D. Ability to leverage technology.

A

C. Risk identification, assessment, and prioritization methods.

The performance component addresses (1) risk identification, assessment, and prioritization; (2) risk responses; and (3) the development of a portfolio view of risk.

19
Q

Management considers risk appetite for all of the following reasons except

A. Implementing risk responses.
B. Setting risk capacity.
C. Aligning with development of strategy.
D. Aligning with business objectives.

A

B. Setting risk capacity.

Risk appetite consists of the types and amount of risk the entity is willing to accept in pursuit of value. Among other things, risk appetite should be considered in

  1. Aligning with development of strategy.
  2. Aligning with business objectives.
  3. Prioritizing risks.
  4. Implementing risk responses.

Risk capacity is the maximum amount of risk an entity is able to assume. Management considers risk capacity in setting risk appetite.

20
Q

Which of the following is a key component of the COSO Framework for enterprise risk management (ERM)?

A. Objective setting.
B. Risk assessment.
C. Risk response.
D. Risk retention.

A

A. Objective setting.

Objectives must exist before management can identify potential events affecting their achievement.

21
Q

Which risk response reflects a change from acceptance to sharing?

A. Management sold a manufacturing plant.
B. After employees stole numerous inventory items, management implemented mandatory background checks on all employees.
C. Management purchased insurance on previously uninsured property.
D. An insurance policy on a manufacturing plant was not renewed.

A

C. Management purchased insurance on previously uninsured property.

The categories of risk responses under the COSO ERM model are avoidance, acceptance, reduction, pursuit, and sharing. If management does not insure a building, the response is acceptance. Acceptance is appropriate when the risk to strategy and business objectives is within the risk appetite. However, once management purchases insurance, the risk is shared with an outside party.

22
Q

According to COSO’s ERM framework, which of the following is an essential element of the governance and culture component?

A. Information systems.
B. Human capital.
C. Risk responses.
D. Reports on risk and culture.

A

B. Human capital.

A principle within the governance and culture component is that the organization attract, train, mentor, evaluate, reward, and retain capable individuals.

23
Q

An entity defines its risk appetite in which component of the COSO ERM framework?

A. Strategy and objective-setting.
B. Performance.
C. Governance and culture.
D. Control environment.

A

A. Strategy and objective-setting.

The entity defines risk appetite in the strategy and objective-setting component of ERM. In defining risk appetite, the entity considers its mission, vision, culture, prior strategies, and risk capacity.