Assurance Flashcards

(63 cards)

1
Q

Hopkin and Thomson 5 sources of internal assurance

A

Culture measurement
Unit documentation
Unit performance
Unit reports
Audit reports

2
Q

ToR of AC defined by the Corporate Governance Institute

A

Financial reporting
Narrative reporting
IC and RM systems
Internal audit
External audit

3
Q

Materiality

A

A risk is material if it can impact the bottom line, or if withholding the information could influence investor decision making.

4
Q

Viability assessment requirement

A

1. UK Corporate Governance Code - disclosure on long-term viability
2. Going concern - 12 months, required by accounting standards

5
Q

Control environment in risk management

A

Control activities and how effective they are, plus audit and risk assurance. The whole range of controls and the interaction of those controls to mitigate risks.

6
Q

FRC internal control system

A

1. Encompasses policies, processes, tasks, behaviours
2. Effective and efficient operations by assessing risks, responding to risks, and applying controls
3. Helps reduce poor judgement and errors
4. Improves quality of reporting
5. Improves compliance with laws

7
Q

FRC internal control system includes

A

Control activities
Information and communication
Monitoring of controls

8
Q

What are controls - Hopkin and Thomson

A

Three definitions:
1. Criteria of control - all elements of an organisation that, taken together, support achievement of objectives: resources, systems, processes, culture, structure and tasks
2. COSO - a process, effected by the board and management, designed to provide reasonable assurance regarding achievement of objectives:
   Effectiveness and efficacy of operations
   Compliance with laws
   Reliability of financial reporting
3. IIA - a set of processes, functions, activities, systems and people who together ensure achievement of objectives

9
Q

LILAC model to risk culture

A

Leadership
Involvement
Learning
Accountability
Communication

10
Q

IRM model to risk culture

A

ABC
Attitude
Behaviors
Culture
Attitude determines behaviors, repeated behavior sets culture

11
Q

ISO definition

A

Risk - effect of uncertainty on objectives. The effect can be positive or negative.

Risk management - coordinated activities to direct and control an organization with regard to risk.

12
Q

IRM definition of risk

A

Combination of the probability of an event and its consequences. Can be positive or negative.

RM - process which helps the organisation understand, evaluate and take action on risks with a view to increasing the probability of success and reducing the likelihood of failure.

13
Q

COSO definition of risk

A

Possibility that an event will occur and affect the achievement of objectives. Positive and negative.

14
Q

Orange book definition

A

Similar to COSO: effect of uncertainty on objectives. Usually has a cause, an event and consequences.

15
Q

Objectives of risk management

A

MADE2
Mandatory
Assurance
Decision making
Effective
Efficient processes

16
Q

ISO principles of RM

A

PACED
Proportionate
Aligned
Comprehensive
Embedded
Dynamic

17
Q

Risk management will help improve 4 areas STOC

A

Strategy
Tactics
Operations
Compliance

18
Q

4 types of risks

A
1. Compliance risks - minimize
2. Control risks - manage. Associated with new projects; unknown and unexpected events. Also called uncertainty risk.
3. Hazard risks - mitigate. Associated with potential harm, or a situation that could undermine objectives.
4. Opportunity risks - embrace

19
Q

Bow tie analysis

A
1. Left side is the source of the hazard and indicates the risk classification used. High-level sources are STOC.
2. Right side is the impact - FIRM.
3. Centre is the categories of disruption that can happen - people, premises, processes and products.

First step is to put the risk description in the middle, then identify causes and impacts.

Preventative and response controls

20
Q

4Ts of hazard risk

A

Tolerate - low likelihood, low impact - detective control
Transfer - high impact - directive control
Treat - high likelihood - corrective control
Terminate - high likelihood, high impact - preventive control

BCP and DRP are both corrective and directive, or even a fifth type; they can't easily be fitted into PCDD.

21
Q

4Es of opportunity risks

A

Exploit - high reward
Explore - high risk
Expand/Exit - high reward, high risk
Exist - low reward, low risk

22
Q

Sophistication level in risk management

A
1. Inform - compliance management. Unaware of obligations
2. Reform - hazard management. Aware of non-compliance
3. Conform - control management. Actions to ensure compliance
4. Perform - opportunity management

23
Q

Difference between standard and framework

A

Standard includes the RM process and the framework.
Framework includes the structure, responsibilities, administration, reporting and communication components of RM. The framework supports implementation of the process.

Process includes risk assessment (identification, analysis, evaluation), treatment, and recording and reporting.

24
Q

Scope of risk management framework

A

RASP - risk architecture, strategy, protocols
Architecture - roles, responsibilities, reporting structure
Strategy - risk strategy, appetite, attitude and philosophy
Protocols - rules and procedures, methodologies, tools and techniques. Need to be reviewed on an annual basis. A range of documentation is required: risk assessment procedures, control objectives, resourcing arrangements, reaction planning requirements (BCP), risk assurance system (ToR for AC, CSA).

25
Q

COSO cube

A

Objectives to achieve - strategic, operations, reporting, compliance.
RM process - 8 steps:
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring

26
Q

COSO rainbow double helix

A

ERM has to be embedded into the activities of the organisation, starting from mission, vision and values:
Strategy development
Business objectives
Implementation and performance
Enhanced value

5 principles/components:
1. Governance and culture
2. Strategy and objective setting
3. Performance
4. Review and revision
5. Information, communication and reporting

27
Q

Double S model to risk culture

A

Solidarity and sociability:
Network - high sociability, low solidarity
Communal - high sociability, high solidarity
Fragmented - low sociability, low solidarity
Mercenary - low sociability, high solidarity

28
Q

Components of context

A

External
Internal
Risk management context - includes RASP (including establishment of risk appetite or criteria) and the risk process itself.

29
Q

Risk classification system PESTLE

A

Political
Economic
Social
Technological
Legal
Ethical or environmental

Used for external risks. Has to be combined with SWOT.

30
Q

How to evaluate the context for risk management

A

Using the FIRM scorecard and developing a riskiness index.
Financial and infrastructure for the internal context.
Marketplace and reputation for the external context.

31
Q

Risk register

A

1. Includes all risks and the means to identify them based on scoring
2. Three components - data collection, database, data communication
3. Three functions - collecting risk information, establishing trends and relationships between risks, communicating and escalating

32
Q

Implementing ERM PIML

A

Plan - identify benefits, scope, strategy
Implement - risk appetite setting, establish benchmarks, agree assessment tools
Measure - evaluate control effectiveness, align risk management with other activities, embed risk-aware culture
Learn - monitor risk, ERM performance and reporting

34
Q

Resilience

A

Definition - capacity of an organization to consistently achieve a desired state following a change in circumstances.

3 behaviors to achieve resilience:
1. Awareness of changes
2. Prevent, protect, prepare in relation to all types of resources
3. Respond, recover and review in relation to disruptive events

35
Q

Risk assessment in ISO

A

Includes risk identification; analysis - impact, likelihood, score; and evaluation - ranking against risk appetite or criteria.

36
Q

Risk assessment techniques

A

Questionnaires and checklists
Workshops and brainstorming - PESTLE, SWOT
Quantitative analysis - HAZOP, FMEA
Inspection and audit
Flow chart and dependency analysis
Crowdsourcing technology - using mobile applications to upload risks to a data platform

37
Q

Risk attitude vs appetite

A

Attitude is concerned with the criteria surrounding a risk.
Appetite is the amount of risk we are willing to take.

38
Q

Risk classification by standard

A

FIRM
COSO - strategic, operational, reporting, compliance
IRM - financial, strategic, operational, hazard
Orange book - several

39
Q

Principles of risk appetite

A

Acknowledging interconnectedness - what's acceptable in one part of the business is not accepted in another
Measurability
Variability - different for different risks
Maturity - how adept the organisation is at managing risk will have a bearing on risk appetite

40
Q

Controlling downside risks

A

Loss prevention - reducing likelihood.
Damage limitation - once the event has occurred, e.g. fire sprinklers.
Cost containment - after damage limitation. Actions to minimize post-incident cost; should be set out in the BCP and DRP.

41
Q

Risk zones 4Cs

A

Comfort - tolerate
Cautious - treat
Concerned - transfer
Critical - terminate

42
Q

Types of controls

A

Preventative
Directive - first response once the risk has occurred
Detective - easy to administer and provide early warning
Corrective controls

43
Q

Definition of control

A

1. Criteria of control - all elements of an organisation that, taken together, support people in the achievement of organisational objectives. Elements include resources, systems, processes, culture, structure and tasks.
2. COSO - a process, effected by the BoD, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
   Effectiveness and efficiency of operations
   Reliability of financial reporting
   Compliance with laws
3. IIA - a set of processes, functions, activities, systems and people grouped together or consciously segregated to ensure effective achievement of goals and objectives.

44
Q

Components of CoCo framework

A

A continuous cycle. Useful to benchmark compliance with the internal control component of COSO.
1. Purpose
2. Commitment
3. Capability
4. Monitoring and learning

45
Q

Control environment

A

FRC states the IC system includes:
1. Control activities
2. Information and communication processes
3. Monitoring the effectiveness

A control is different from data collection and guidance: it should change the cause or effect of the risk.

46
Q

Terms of Reference for AC

A

Financial reporting
Narrative reporting
IC and RM
IA
External audit - conduct tender, review independence, non-audit services, effectiveness of audit

47
Q

Sources of risk assurance

A

Culture measurement
Unit report
Unit performance
Unit documentation
Audit report
Control self assessment
KRIs

48
Q

Internal Audit

A

IIA - IA is concerned with evaluating an organization's management of risk. Central to an effective risk framework is audit through:
I. Assurance map - a structured means of identifying and mapping the sources and types of assurance across the 4 (3) LoD: risk and control owner, risk oversight, risk assurance.
II. Statistical sampling
III. Risk prioritization techniques

49
Q

Corporate governance - FRC

A

Principles and provisions + guidance.
5 sections: leadership; division of responsibility; composition, succession and evaluation; audit, risk and internal controls; remuneration.

The board should establish procedures to manage risk, oversee the IC framework and determine the nature and extent of the principal risks the company is willing to assume.

Principal risks - events or circumstances that can threaten the company's business model, future performance, solvency, liquidity and reputation.

50
Q

Board structures

A

Unitary - executive plus non-executive directors in one board
Two-tier - supervision and management of operations

51
Q

Types of corporate governance code

A

Want - principles-based. Comply or explain.
Compulsory - prescriptive. Comply and sign.

52
Q

Committees of board by UK FRC

A

Nomination
Remuneration
Audit

53
Q

What is risk culture

A

1. H&T - reflects the attitude of every component of management; how individuals behave in certain circumstances
2. IRM - values, beliefs, knowledge and understanding about risks. Can be reinforced through positive actions and behaviors
3. COSO - culture, capacities and practices, integrated with strategy setting and execution, that organizations rely on to manage risk in creating, preserving and realizing value

54
Q

IRM risk culture framework

A

Risk culture
Organization culture
Behaviors
Personal ethics
Personal predisposition to risk / risk preference

55
Q

Risk perceptions

A

Different perceptions imply that risks might be missed, irrelevant risks might be captured, the same risks might be managed inconsistently, and stakeholder perceptions of risk might be managed rather than the real risk.

56
Q

Bias

A

Bias is influenced by:
1. Conscious factors - org culture, familiarity, manageability, size of impact
2. Subconscious factors - availability, representativeness, anchoring and adjustment, confirmation trap, bandwagon
3. Affective factors (feeling)

57
Q

Understanding and improving risk culture

A

1. Deloitte - 4 influences: risk competence, motivation, relationship, organization
2. LILAC
3. IRM ABC model
4. Double S - sociability, solidarity

58
Q

ABC model

A

Attitude - chosen position towards risk, influenced by perception
Behavior - external observable actions
Culture - values, beliefs, knowledge and understanding about risk

59
Q

What is successful risk culture

A

Deloitte:
1. High level of understanding
2. Positive attitude
3. Move from reacting to active engagement and management of events

IRM 10-point component, split between:
Tone at the top - leadership, dealing with bad news
Governance - clarity, transparency
Competency - risk skill, risk resources
Decisions - informed, reward

60
Q

How to change risk culture

A

1. Evaluate current risk culture
2. Assess impact of current risk culture
3. Identify areas of improvement
4. Plan and implement change
5. Monitor and adapt to change

To become compliant - 1 to 2 years. Maturity - 5 to 10 years.

61
Q

4 step process - easy SATARLA

A

Define context and objectives
Assess risks
Manage risks
Monitor, review and report

62
Q

Extended enterprise for understanding context by IRM

A

A structure where a number of organisations come together. 4 steps to understand it:
1. Core processes
2. Inputs to the process
3. Output
4. External influence

63
Q

Stakeholder mapping - Mendelow matrix

A

Understand influence and interest in an activity.
High influence, low interest - keep satisfied
High interest, high influence - actively engage and manage
High interest, low influence - keep informed
Low interest, low influence - minimal effort