Module 1 - Unit 2: Risk management standards

Question 1

Name five risk management processes

Answer 1

8Rs & 4Ts
IRM (2002)
COSO ERM
ISO 31000
The Orange Book

Question 2

Which of these processes has “control activities” as a feature?

a) COSO ERM
b) ISO 31000
c) The Orange Book
d) IRM (2002)

Answer 2

a) COSO ERM

Question 3

What’s the definition of a “risk standard”?

Answer 3

A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.

Question 4

What’s the definition of a “risk framework”?

Answer 4

Also known as the risk management context. This comprises the risk strategy, risk architecture and risk protocols and forms the risk context which helps to drive the risk process.

Question 5

What’s the definition of a “risk process”?

Answer 5

The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).

Question 6

What’s the definition of “risk architecture”?

Answer 6

Part of the risk framework, which focuses on answering the question “Who does what?” in the organisation in relation to risk management.

Question 7

What’s the definition of “risk context”?

Answer 7

This covers three layers of organisation which together drive the risk process; they are the external environment, the internal environment and the risk management context (also known as the risk framework).

Question 8

What’s the definition of “risk protocols”?

Answer 8

The set of tools, procedures and instructions that an organisation has for managing risk.

Question 9

What’s the definition of “risk strategy”?

Answer 9

The agreed overriding purpose and aims of risk management in the organisation, which involves the publication of a risk policy document and the setting of the risk appetite.

Question 10

List the 5 clauses of the ISO 31000 standard

Answer 10

1. Scope
2. Definition of terms
3. The Principles
4. Framework for Implementation
5. Process

Question 11

Describe the “Scope” clause of the ISO 31000 standard.

Answer 11

The standard is generic and is not specific to a specific industry or organisation.

Question 12

Name five of the ISO 31000 risk management “Principles” (Clause 3)

Answer 12

1. Create & protect values e.g. achieve objectives
2. Integrated into orgs. processes
3. Used in decision making
4. Addresses uncertainty
5. Systematic, structured & timely
6. Based on best available information
7. Tailored to context, size and complexity
8. Considers human & cultural factors
9. Transparency
10. Dynamic & iterative
11. Facilitates continual improvement

Question 13

Describe Clause 4 of the ISO 31000 standard, “Framework for Implementation”

Answer 13

1. Mandate & commitment by the Board
2. Design of framework
3. Implement risk management
4. Monitor and review framework
5. Improve framework

Question 14

Describe the five stages of the ISO 31000 risk management “Process” (Clause 5)

Answer 14

1. Establish context
2. Risk Identification
3. Risk Analysis
4. Risk Evaluation
5. Risk Treatment

Question 15

What two features run throughout the five stages of the ISO 31000 “Process” (Clause 5)

Answer 15

1. Communication/consultation

2. Monitoring & Review

Question 16

List the 8Rs and 4Ts of hazard risk management

Answer 16

Recognition of risks
Rating of risks
Ranking against risk criteria
Response to risk
 - Tolerate
 - Treat
 - Transfer
 - Terminate
Resourcing controls
Reaction planning
Reporting on risk
Reviewing & monitoring

Question 17

What three aspect make up the faces of the COSO ERM “Cube”

Answer 17

1. Objectives of risk management
2. Risk management process
3. Internal environment