Module 10 - Establishing Risk Governance and Culture Flashcards

1
Q

Explain why culture is an integral component of an enterprise risk management framework.

A

Risk governance and culture together form the basis for all other components of enterprise risk management. Culture has a critical influence on enterprise risk management. It reflects the entity’s ethics: its values, beliefs, attitudes, desired behaviours and understanding of risk. Whether the entity is a small family-owned private company; a large, complex multinational; a government agency; or a not-for-profit organization, culture supports the achievement of mission and vision.

Enterprise risk management affects people’s actions; it helps people understand risk in the context of the entity’s strategy and business objectives and consider that in how they respond. An entity with a risk-aware culture stresses the importance of managing risk and encourages transparent and timely flow of risk information. It does this with an attitude of understanding, accountability and continual improvement.

2
Q

Explain the significance of the board’s role and member independence for enterprise risk management.

A

An entity’s board of directors significantly influences enterprise risk management. The board of directors has the primary responsibility for risk oversight in an entity, and in many countries it has a fiduciary responsibility to its stakeholders, including conducting reviews of enterprise risk management practices.

Where the board is generally comprised of members who are experienced, skilled, highly talented and independent from management, it can offer an appropriate degree of industry, business and technical input while performing its oversight responsibilities. Independence allows directors to be objective and to evaluate the performance and well-being of the entity without any conflict of interest or undue influence of interested parties. An independent board serves as a check and balance, ensuring that the entity is being run in the best interests of its stakeholders rather than select board members or management.

It is important for a board to understand the complexity of the entity and engage with management to determine the benefits derived from enterprise risk management. Desired benefits inform the suitability of enterprise risk management for the entity’s needs (i.e., its ability to manage risk to an acceptable amount). The board also works with management to define the operating model, reporting lines and capabilities to achieve these benefits.

3
Q

Provide examples of factors that impede board independence.

A

The board demonstrates its independence by each board member displaying his or her individual objectivity. A board member’s independence may be impeded if he or she:

(a) Holds a substantial financial interest in the entity
(b) Is currently or has recently been employed in an executive role by the entity
(c) Has recently advised the board of directors of the entity in a material way
(d) Has a material business relationship with the entity, such as being a supplier or customer or having an existing contractual relationship (other than a directorship relationship)
(e) Has donated a significant financial amount to the entity
(f) Has business or personal relationships with key stakeholders within the entity
(g) Sits as a board member of other entities that represent potential conflicts of interest.

4
Q

Explain how the concept of suitability of enterprise risk management influences an entity’s decision about its risk management approach.

A

“Suitability of enterprise risk management” refers to an entity’s ability to manage risk to an acceptable amount. The enterprise risk management capability needed for a given entity is influenced by the complexity of the entity, which in turn influences its needs and the benefits it wants or expects from enterprise risk management.

5
Q

Explain how an entity’s choice of governance and operating model influences its risk management practices.

A

The entity establishes governance and operating structures to achieve its strategy and business objectives. Risk governance sets the entity’s tone, reinforcing the importance of enterprise risk management and establishing oversight responsibilities for it. Different operating models may result in different perspectives of a risk profile, which may affect enterprise risk management practices. For example, assessing risk within a decentralized operating model may indicate few risks, while a centralized model may indicate a concentration of risk—perhaps relating to certain customer types, foreign exchange or tax exposure.

6
Q

Outline factors that influence an entity’s choice of operating model.

A

Factors that influence choice of operating models may include:

(a) The entity’s strategy and business objectives
(b) Nature, size and geographic distribution of the entity’s business
(c) Risks related to the entity’s strategy and business objectives
(d) Assignment of authority, accountability and responsibility in all levels of the entity
(e) Type of reporting lines (e.g., direct reporting/solid line vs. secondary reporting) and communication channels
(f) Financial, tax, regulatory and other reporting requirements.

7
Q

Outline the role and characteristics of risk management oversight structures, and explain how these structures differ by the type of entity.

A

Management plans, organizes and executes strategy and business objectives in accordance with the entity’s mission, vision and core values. Consequently, it needs information on how risk associated with the strategy occurs across the entity. One method of gathering this information is to delegate the responsibility to a committee. Each committee member contributes relevant individual skills, knowledge and experience, and they collectively provide risk oversight.

Entities with complex legal structures may have several committees, each with different but overlapping management membership. This multicommittee structure is then aligned with the operating model and reporting lines, which allows management to make business decisions as needed, with a full understanding of the risks inherent in those decisions.

Regardless of the particular management committee structure established, it is common to clearly state the authority of the committee, the management members who are a part of the committee, the frequency of meetings and the specific responsibilities and operating principles the committee focuses on. In small entities, enterprise risk management oversight may be less formal, with management being much more involved in day-to-day execution.

8
Q

Explain the role of culture in risk-aware decision making.

A

An entity’s culture is reflected in its core values and approach to enterprise risk management. Culture influences how the entity applies the risk management framework it has in place: how it identifies risk, what types of risk it accepts and how it manages risk. A culture in which people do the right thing at the right time is critical to an entity being able to pursue opportunities and minimize risk in achieving the strategy and business objectives.

9
Q

Explain the concept of “culture spectrum,” and provide an example of how it relates to enterprise risk management.

A

The culture spectrum ranges from risk averse to risk neutral to risk aggressive and can be depicted as:

The closer an entity is to the risk-aggressive end of the spectrum, the greater its propensity for and acceptance of the types and amount of risk necessary to achieve strategy and business objectives.

For example, a hedge fund is likely a risk-aggressive entity. Management and external investors will have high expectations of performance that require taking on potentially severe risks, while still falling within the entity’s defined risk appetite.

10
Q

Outline factors that influence where an entity falls on the culture spectrum.

A

Many factors influence where the entity falls on the culture spectrum. Internal factors include, among others, how entity employees interact with each other and with their managers, the standards and rules of conduct, the physical layout of the workplace and the reward system. External factors include regulatory requirements and expectations of customers, investors and others.

11
Q

Describe strategies for fostering a risk-aware culture.

A

(a) Maintaining strong leadership

(b) Employing a participative management style

(c) Enforcing accountability for all actions

(d) Embedding risk in decision making

(e) Having open and honest discussions about risks facing the entity

(f) Encouraging risk awareness across the entity

(g) Communicating openly and reporting about risk

In a risk-aware culture, employees know what the entity stands for and the boundaries within which they can operate. They can openly discuss and debate which risks should be taken to achieve the entity’s strategy and business objectives, with the result being employee and management behaviours that are aligned with the entity’s risk appetite.

12
Q

Define organizational “tone” and “tone in the middle.” Explain their significance to effective enterprise risk management.

A

The tone of an entity is fundamental to enterprise risk management. Without a strong and supportive tone communicated from the top of an entity in support of an ethical culture, risk awareness can be undermined, responses to risk may be inappropriate, information and communication channels may falter and feedback from monitoring entity performance may not be heard or acted upon.

Tone is defined by the operating style and personal conduct of both management and the board. When management and the board of directors behave ethically and responsibly and demonstrate a commitment to addressing misconduct, they communicate to everyone that the entity strongly supports integrity. Where there are personal indiscretions, lack of receptiveness to bad news or unfairly balanced compensation programs, the message sent may be one of indifference, which could negatively affect the culture and provoke inappropriate conduct. Employees are likely to develop the same attitudes about what is acceptable and unacceptable—and about risks and risk responses—as those held by management.

Having a consistent tone helps an entity establish a common understanding of the core values, business drivers and desired behaviour of employees and business partners. It is not always easy to maintain a consistent tone. For instance, different markets and challenges may call for different approaches to motivation, evaluation and customer service. From time to time, these factors may put pressure on different levels of the entity, resulting in a change in tone. (In larger entities, this view of tone is sometimes referred to as “tone in the middle.”)

The more the tone can remain consistent throughout an entity, the more consistent will be the performance of enterprise risk management responsibilities.

13
Q

Explain the role of standards of conduct in enterprise risk management.

A

Standards of conduct guide the entity in pursuing its strategy and business objectives by:

(a) Establishing what is acceptable and unacceptable
(b) Providing guidance for navigating what lies between acceptable and unacceptable
(c) Reflecting laws, regulations, standards and other expectations that the entity’s stakeholders may have, such as corporate social responsibility.

Ethical expectations and norms vary across geographical locations and entities. Management and the board of directors establish the appropriate standards and mechanisms for adhering to them, which includes addressing the potential for noncompliance. These expectations are then transcribed onto an organizational statement—a code of conduct. The purpose of a code of conduct is to communicate the entity’s expectations of ethics and desired behaviours, including behaviours relating to enterprise risk management and decision making.

14
Q

Explain why responding to deviations in standards of conduct is critical to enterprise risk management.

A

When standards of conduct are not adhered to, it is generally for one of these reasons:

(a) Tone at the top does not effectively convey expectations.
(b) Board does not provide oversight of management’s adherence to standards.
(c) Middle management and functional managers are not aligned with the entity’s mission, vision, core values, strategy and risk responses.
(d) Risk is an afterthought to strategy setting and business planning.
(e) Performance targets create incentives or pressures to compromise ethical behaviour.
(f) No clear escalation policy exists on important risk and compliance matters.
(g) Process for investigating and resolving excessive risk taking is inadequate.
(h) Intentional or deliberate noncompliance exists.

An entity sends a clear message of what is acceptable and unacceptable behaviour when deviations become known. Deviations from standards of conduct must be addressed in a timely and consistent manner.

Appropriate responses to deviations and maintenance of consistency in standards of conduct ensure that the entity’s culture is not undermined. The response to a deviation depends on its magnitude, which is determined by management considering any relevant laws and standards of conduct. The responses may range from an employee being issued a warning and provided with coaching to being put on probation or terminated.

15
Q

Explain the role of individual accountability in enterprise risk management.

A

Culture and ethics are integral to the entity’s ability to achieve its mission and vision, but while culture is a powerful force, it is not a determining one; individual decision making, and thus individual accountability, is fundamental to ethics and enterprise risk management.

Wrongdoing occurs for three reasons: good people make mistakes (out of confusion or ignorance), good people have a moment of weakness of will and bad people choose to do harm. Knowing that any one of these three things can take place, an entity must align ethics and culture to help people avoid mistakes and maintain strong will and to identify potential wrongdoers, individuals or groups. This requires appropriately assessing and prioritizing risks and developing detailed risk responses.

Aligning individual behaviour with culture is critical. The most powerful influence comes from management that creates and sustains the organizational agenda. Explicitly, the entity develops policies, rules and standards of conduct. Implicitly, the entity “walks the talk” of core values and standards of conduct. The key is management enforcing that what it says is of value and recognizing that it is the implicit and subtle processes that most effectively establish culture. People respond better to behavioural reinforcement than to written rules and policies.

16
Q

Explain how perceptions of communication, transparency and retribution impact enterprise risk management.

A

Management is responsible for cultivating open communication and transparency about risk and risk-taking expectations. Management demonstrates that managing risk is a part of everyone’s daily responsibilities and that it is not only valued but also critical to the entity’s success and survival.

Providing a variety of channels for both management and employees to report concerns about potentially inappropriate risk taking, business conduct or behaviour without fear of retaliation or intimidation is evidence of open communication and transparency. Prohibiting any form of inappropriate retaliation against any employee who participates in good faith in any investigation of behaviour that is not in line with the standards of conduct and risk appetite is also key, as is disciplinary action against employees who engage in inappropriate or unlawful retaliation or intimidation.

17
Q

Identify measures that provide evidence of enforcement of accountability for enterprise risk management.

A

Effective risk management depends upon holding all employees at all levels accountable for enterprise risk management, and upon the board holding itself accountable for providing standards and guidance. Accountability is evident in these ways:

(a) Management and the board of directors are clear on the expectations. (E.g., a code of conduct is developed and enforced.)
(b) Management ensures that information on risk flows through the entity. (E.g., how decisions are made and how risk is considered as part of decisions are communicated.)
(c) Employees are committed to collective business objectives. (E.g., individual targets and performance are aligned with the entity’s business objectives.)
(d) Management responds to deviations from standards and behaviours. (E.g., termination or other corrective actions are taken for employees failing to adhere to organizational standards; performance evaluations are initiated.)

18
Q

Explain how performance incentives and rewards influence enterprise risk management.

A

Performance is significantly influenced by the extent to which employees are held accountable and how they are rewarded. It is up to management and the board to establish incentives and other rewards appropriate for all levels, considering the achievement of both short-term and longer-term business objectives. Establishing such incentives and rewards requires appropriately assessing and prioritizing risks and developing detailed risk responses. Conversely, under a program of incentives, employees who do not adhere to the standards of conduct are sanctioned and not promoted or otherwise rewarded.

Salary increases and bonuses are common incentives, but nonmonetary rewards, such as being given more responsibility, visibility and recognition, are also effective. Management should consistently apply and regularly review the entity’s measurement and reward structures in conjunction with its standards of conduct and desired behaviour. In doing so, the performance of individuals and teams is reviewed in relation to defined measures, which include business performance factors and demonstrated competence.

19
Q

Describe how pressure can either motivate employees to meet expectations or cause them to fear the consequences of not achieving strategy and business objectives, and identify sources of pressure.

A

Pressure can either motivate individuals to meet expectations or cause them to fear the consequences of not achieving strategy and business objectives. In the latter case, there is risk that employees may circumvent processes or engage in fraudulent activity.

Pressure in an entity comes from many sources. Excessive pressure can be associated with:

(a) Unrealistic performance targets, particularly for short-term results
(b) Conflicting business objectives of different stakeholders
(c) Imbalance between rewards for short-term financial performance and those for long-term-focused stakeholders, such as corporate sustainability targets
(d) Certain points during the regular cycles of specific tasks (e.g., negotiating a sales contract)
(e) Unexpected external factors, such as a sudden dip in the economy
(f) Change in the business context, such as increased market competition or other market competitor action
(g) Change in strategy, operating model, acquisition or divestiture activity.

20
Q

Explain how an entity’s compensation structure can influence enterprise risk management.

A

Aligning an employee’s compensation to the organizational structure can help achieve strategy and business objectives. Conversely, incentive structures, including related performance measures and performance evaluation processes that fail to adequately consider the risks associated with that same organizational structure, can create inappropriate behaviour. Possible negative reaction to pressure should be accounted for when considering compensation and incentives.

21
Q

Outline human resource (HR) factors considered by an entity when developing enterprise risk management competence.

A

Management, with board oversight, defines the human capital needed to carry out strategy and business objectives. Understanding the needed competencies helps in establishing how various business processes should be carried out and what skills are needed.

The HR function helps promote competence by developing job descriptions and roles and responsibilities, facilitating training and evaluating employee performance for managing risk. Management considers these factors when developing competence requirements:

(a) Knowledge, skills and experience with enterprise risk management
(b) Nature and degree of judgment and limitations of authority to be applied to a specific position
(c) Costs and benefits of different skill levels and experience.

To prepare for succession, the board and management must develop contingency plans for assigning responsibilities important to enterprise risk management. In particular, succession plans for key executives need to be defined, and succession candidates should be trained, coached and mentored for their roles.

22
Q

Define “judgment,” and describe how sound judgment enhances board risk management oversight.

A

“Judgment” is the process of reaching a decision or drawing a conclusion when there are a number of possible alternative solutions. An effective judgment process is logical, flexible, unbiased, objective and consistent. It uses an appropriate amount of relevant information and properly balances experience, knowledge, intuition and emotion. By consistently following a sound judgment process, understanding where decision makers are vulnerable to predictable traps and appropriately challenging their own judgments and the judgments of those they oversee, boards can improve their oversight and monitoring of the entity’s strategies and risks. The challenge for board members is both to effectively challenge the judgments of corporate officers and to enhance the quality of their own judgments.

23
Q

Identify and explain the significance of each step in the KPMG Professional Judgment Framework.

A

Step 1: Define the problem and identify fundamental objectives. This step is crucial in setting the stage for high-quality judgments. Skipping this step can result in time wasted solving the wrong problem, and it can severely limit the set of alternatives available for consideration.

Step 2: Consider alternatives. This is important because judgment can only be as good as the best alternative considered.

Step 3: Gather and evaluate appropriate amounts and types of information. This is critical in being ready to move to step 4.

Step 4: Arrive at an informed conclusion.

Step 5: Articulate and document the rationale for the conclusion. This step provides the decision maker(s) an important opportunity to reflect on the rationale for a judgment and on whether a sound professional judgment process was followed. The inability to adequately articulate the rationale for a conclusion often reveals that a decision may have been based on insufficient information or may not have resulted from a good judgment process.

24
Q

Explain the board’s role in managing the impact of organizational bias on enterprise risk management.

A

It is not unusual to find evidence of “groupthink,” dominant personalities, overreliance on numbers, disregard of contrary information, disproportionate weighting of recent events and a tendency for risk avoidance or risk taking. The question is not whether bias exists, but rather how bias within enterprise risk management is managed. The board is expected to understand the potential organizational biases that exist and to challenge management to overcome them.

25
Q

Provide a brief description of the common threats to good judgment in the context of the KPMG Professional Judgment Framework.

A

(a) Rush to solve: The tendency to want to immediately solve a problem by making a quick judgment results in underinvestment in steps 1 and 2 in the judgment process.

(b) Judgment triggers: Every judgment or decision has an initiating force that triggers a decision, and that trigger can lead the decision maker to skip the early steps in the judgment process. Triggers often come in the form of alternatives masquerading as problem definitions.

(c) Overconfidence: The pervasive tendency to be overconfident can lead to suboptimal behaviour in every step of a good judgment process.

(d) Confirmation: The confirmation tendency and related potential judgment bias primarily affect steps 3 and 4 of the judgment process.

(e) Anchoring: The anchoring tendency and related potential judgment bias primarily affect step 3 of the judgment process. In gathering and evaluating information, it is human nature to anchor on an initial value and adjust insufficiently away from that value in making final assessments.

(f) Availability: The availability tendency limits alternatives considered or information gathered to those alternatives or information that readily come to mind.

26
Q

Describe steps that can be taken to mitigate the effects of judgment traps and bias in decision making.

A

(a) Be aware of possible sources, and recognize situations where decision makers might be vulnerable.

(b) Seek opposing and disconfirming evidence.

(c) Question expert opinions.

(d) Encourage opposing points of view.

27
Q

Summarize actions boards can take to mitigate bias caused by the four common judgment tendencies of overconfidence, confirmation tendency, anchoring tendency and availability tendency.

A

Actions that boards can take to mitigate overconfidence bias include:

(a) Be aware.
(b) Challenge experts’ or advisors’ estimates of potential causes of unexpected outcomes and estimates of unexpected outcomes.
(c) Challenge extremely high or low estimates.
(d) Challenge underlying assumptions.

Actions that boards can take to mitigate confirmation tendency include:

(a) Be aware.
(b) Make the opposing case, and consider alternative explanations.
(c) Seek and consider disconfirming or conflicting information.

Actions that boards can take to mitigate anchoring tendency include:

(a) Be aware.
(b) Make an independent judgment or estimate.
(c) Consider relevant alternative anchors.
(d) Solicit input from others.

Actions that boards can take to mitigate availability tendency include:

(a) Be aware.
(b) Consider why something comes to mind (e.g., recent events).
(c) Make the opposing case.
(d) Consult with others.
(e) Obtain and consider objective data.