Unit 2

Question 1

Principles of a standard

Answer 1

They describe what good risk management looks like and are based on the purpose of ERM

Question 2

Purpose of ERM

Answer 2

Creation and protection of value

Question 3

How do principles contribute to an org fulfilling its purpose?

Answer 3

They apply practices designed to achieve the best possible outcome (ie. Reducing uncertainty)

Question 4

ISO 31000 8 principles of effective rM

Answer 4

1) Framework and processes shall be proportionate
2) Appropriate involvement of stakeholders is necessary
3) Comprehensive approach is required
4) RM is integral to all organisations
5) RM anticipates, acknowledges and responds to changes
6) RM considers limitations of available info
7) Human and cultural factors influence all RM
8) RM continuously improved by learning and experience

Question 5

Coso (2017) 5 components of ERM

Answer 5

1) Governance and culture (board risk oversight is exercised)
2) strategy and objective setting (risk appetite is defined)
3) performance (a portfolio view of risk is developed)
4) Review and revision (substantial change is assessed)
5) Info, communicating and reporting (info systems are leveraged)

Question 6

Orange Book (2020) principles of ERM

Answer 6

Sets out the what and the why but not the how for the design, implementation and maintenance of ERM:
1) Governance and leadership
2) Integration
3) collaboration and best info
4) RM processes
5) continual improvement

Question 7

IRM 5 attributes of effective RM

Answer 7

PACED
P = Proportionate, rm has to be tailored to suit the org
A = Aligned, rm has to be aligned with the b/s in order to be integrated with other organisation activities
C = Comprehensive. Rm considers all risks and controls across the org and outside of it
E = Embedded into the b/s activities of the organisation. RM changes the culture, behaviours and attitudes of people thus the value of ERM is embedded in the org.
D = Dynamic, rm is active management that develops alongside changes in the internal and external contexts.

Question 8

What is the RM Framework

Answer 8

RASP

Architecture = this is the structure of the risk management process. This is composed of roles

Question 9

RACI Chart

Answer 9

Used in project risk management to depict roles and responsibilities.

A risk responsibility matrix that lists stakeholders and their level of involvement: responsible, accountable, consulted, informed

Question 10

Strategy component of the risk management framework

Answer 10

Strategy = components of the strategy include risk philosophy, risk appetite, benchmarks, assessment techniques, risk priorities and responsibilities terms of references, committee structure.

The strategy is about the tone from the top and describes what the purpose of risk management is for the organisation.

Question 11

Risk appetite

Answer 11

Governs whether or not a org responds to a risk

It is the acceptable level of risk, where no further action is required, except for monitoring. It is the level of risk the organisation is willing to take in pursuit of its long term objectives

Question 12

Risk tolerance

Answer 12

The level of risk that you can accept for a short time but are actively managing to bring back to an acceptable level

Question 13

Risk capacity

Answer 13

The level of risks that is unacceptable.

Question 14

Protocols component of a RM framework

Answer 14

Organisations uses protocols to deliver the strategy and architecture

They are the ‘how’ of risk management delivery. They are the tangible practices used during the RM process (ie. Templates, techniques)

Question 15

RMIS

Answer 15

Risk management information system

A tool for storing information on risks and controls. Supports the implementation of RM.

Question 16

ISO 31000 (2018) RM Process: 8 steps

Answer 16

1) Communication and consultation
2) Scope, context and criteria
3) Risk assessment - identify
4) Risk assessment - analysis
5) Risk assessment - evaluate
6) Risk treatment
7) Monitoring and review
8) Recording and reporting

Question 17

COSO (2004) RM Process: 8 steps

Focus on controls

Answer 17

1) Internal environment
2) Objective setting
3) Event identification
4) Risk assessment
5) Risk response
6) Control activities
7) information and communication
8) monitoring

Question 18

COSO (2017) RM Process

Answer 18

The process and RM framework are woven together

Governance and culture: understand context and objectives

Strategy and objectives: same step in the process as above

Performance: identify risk, assess severity, priorities, implement response, develop portfolio view

Review and revision: step in itself

Information, communication, reporting: steps in themselves

Question 19

The Orange Book (2020) RM Process

Answer 19

Combination of framework, principles and process. Rm shall be:

Principle 1) an essential part of governance

Principle 2) an important part of all operational activities

Principle 3) informed by best info

Principle 4) have structured processes. In this principle is the process of rm, steps are; risk identification and assessment, risk treatment, risk monitoring, risk reporting

Principle 5) Continually improved

Question 20

IRM 4 Common Steps of a RM Process

Answer 20

1) Define context and objectives
2) Assess risks
3) Manage risks
4) Monitor, review and report

Question 21

Definition of operational risk

Answer 21

Type of risk that will disrupt normal everyday activities adn this is inbuilt into the activities, processes and controls that deliver the main activities of an org

Question 22

What do the BASEL 3 and Solvency 3 regulatory frameworks require of banks

Answer 22

THey are required to have sufficient capital reserves available to meet the actual and potential financial losses and obligations faced by the Organization in severe but plausible scenarios. Financial insitutions need to measure the level of operational risk that they face and could face under stressed conditions

Question 23

Basel 2 capital adequacy regulations

Answer 23

They require banks take thier operational risk exposure into account in determine their capital requirements. This operation RM framework should include identification, measurement and monitoring, reporting, control and mitigation frameworks for operational risk. This assessment of capital requirements is called economic capital

Question 24

BASEL 2 definition of operation risk identifies four types of risk categories

Answer 24

People, process, system and external events.
People = failure to comply with procedures and lack of segregation of duties
Process = process failures and inadequate controls
System = failure of applications systems to meet user requirements and the absence of built in control measures
External = action by regulators, unsatisfactory performance by service providers and external fraud.

Question 25

What are the BASEL 3 requirements

Answer 25

It provides a standardised approach to measuring operational risk for regulatory capital purposes, which is a function of a banks income (captured through a business indicator) and historical losses (captured through the internal loss multiplier).

Question 26

PRAM

Answer 26

Project risk analysis and managemen guide. There are five points in a project where particular benefit can be achieved from using the PRAM model:
Feasibility = the project is most flexible at this stage, enabling changes to be made that can reduce the risks at a low cost
Sanction = the client can view the risk exposure associated with the project and check that all steps to manage the risks are taken
Tendering = the contractor can ensure that all risks have been identified and that risk contingency limits set
Post - tender = the client can ensure that all risks have been identified by the contractor and assess the likelihood of programmes being achieved
During implementation = the likelihood of completing the poriejct to cost and timescale will increase if all risks are identified and correctly managed

Question 27

ISO 28000:2000 Specification for Security Management Systems for the Supply Chain defines the supply chain as

Answer 27

A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal or external to an organization.

Question 28

Joint venture

Answer 28

A mechanism whereby an org can exploit benefits but with a lower risk exposure

Question 29

ALARP

Answer 29

As low as reasonably practical

One of the fundamental principles of RM for health and safety risks.

It refers to managing risk tot he point where the cost of additional controls would exceed the benefits

Question 30

Total risk exposure

Answer 30

Hazard risks will give rise to a hazard tolerance, control risks will give risk to a control acceptance and opportunity risks will give risk to an investment appetite.

Total risk exposure is the sum of the total risk that the org has taken .

Most orgs have no appetite for compliance risks

Question 31

4 overriding principles of Risk Appetite

Answer 31

Acknowledging Inter connectedness
Measurability
Variability
Maturity

Question 32

ISO Guide 73 definition of risk tolerance

Answer 32

the orgs or stakeholders readiness to bear the risk after risk treatment in order to achieve its objectives

Question 33

Neautralizing or hedging risks

Answer 33

Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced against another

Question 34

BS 311000 definition of risk financing

Answer 34

Involves the cost of contingent arrangements for the provision of funds to meet the financial impact of a risk materialising. Normally provided by a insurer. Therefore, finance that is contingent upon cortina insured events taking place

Question 35

ISO 31000 cost of risk financing

Answer 35

This should include the provision of funds to meet the cost of risk treatment.

Question 36

What do the principles in the Orange book ensure

Answer 36

Compliance with the UK Corporate Governance Code

Question 37

Agency theory

Answer 37

Concept used to explain the relationship between principals and their agent.

Principal = relies on an agent to execute financial decisions and transaction that can result in fluctuating outcomes

Principal = shareholders, members trustees

Agent = execs, directors, board, CEO

Question 38

WHAT IS A good risk register

Answer 38

Collates risk and control knowledge
Tailored to the org
Updated regularly
Informs decision making
Enables teams, projects and orgs to prioritise and manage their risks

Question 39

What is a open systems model

Answer 39

Emphasised in iso 31000. Focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts

Question 40

What makes up the rm context

Answer 40

Consideration of who will be reposnsible and identifies the resources that will be required to fulfill rm activities

Establishment of risk appetite or risk criteria.

Provide a means of establishing the overall total risk exposure

Question 41

What method can be used to validate the business model

Answer 41

FIRM and SWOT analysis

Question 42

What is the rm policy statement

Answer 42

Sets out the overall strategy of the org towards risk management.

BS 31100 states that it should include the objectives, mandate and commitment to manage risk (strategy) and the organisational arrangements that include plans, relaitonship, resources, processes (architecture), and that the framework should be embedded within the orgs overall strategic and operations policies and procedures (protocols)

Question 43

Risk management responsibilities should be allocated to what aspects of managing risk

Answer 43

Development of risk strategy and standards
Implementation of the agreed standards and procedures
Auditing compliance with the agreed standards

Question 44

Detailed rm protocols set out

Answer 44

Rm procedures
Risk control objectives
Risk resourcing arrangements
Reaction planning requirements
Risk assurance systems

Question 45

ISO Guide 73 definition of risk owner

Answer 45

Person with authority and accountability to make the decision to treat, or not to treat a risk