Chapter 16 - Enterprise Risk Management

Question 1

Enterprise Risk Management

Answer 1

Comprehensive, organization-wide approach to identifying, measuring, and managing various risks

Question 2

The CRO position is usually accountable to which of two potential parties?

Answer 2

The CEO

The Board

Question 3

7 Steps to the Risk Management Process

Answer 3

Determine the organization’s risk tolerance/appetite

Identify potential exposures

Quantify each exposure

Compare current levels or risk to the target level of risk

Develop and implement an appropriate risk management strategy to manage the differences between the two

Monitor the exposures and evaluate the effectiveness of the strategy

Review and modify the strategy as needed

Question 4

What are some items that may limit a company’s ability to accept risks?

Answer 4

Covenants or indentures in agreements or charters

Question 5

When identifying potential risk exposures, what are the three factors that should be considered?

Answer 5

Likelihood

Potential impact

Velocity (speed at which the risk would materialize)

Question 6

Risk Profile

Answer 6

How the company’s overall value changes as financial variables change

Question 7

Risk Self-Assessment Steps

Answer 7

Identify the risks

Classifies each risk into clearly defined categories

Quantifies the risks with respect to the probability of occurrence

Question 8

Are risk self-assessments required in some instances?

Answer 8

Yes, required by SOX

Question 9

Risk and Control Self-Assessments (RCSAs)

Answer 9

Risk assessments that are tested regularly

Question 10

The materiality of the risk exposure will drive which two items as it relates to monitoring?

Answer 10

Frequency and amount of monitoring and testing

Question 11

Developing a cost-versus-benefit framework would be a qualitative or quantitative method of quantifying a risk?

Answer 11

Quantitative

Question 12

Residual Risk

Answer 12

Inherent risk less any risk management strategies

Question 13

Four Essential Risk Management Approaches

Answer 13

Retain the Risk

Avoid the Risk

Mitigate the Risk

Transfer the Risk

Question 14

Retain the Risk Examples

Answer 14

Utility company operating in areas prone to hurricanes

Question 15

Mitigate the Risk Examples

Answer 15

Balance sheet hedging

Supplier diversification

Process and facility design

Project management

Education

Compliance management

Question 16

What is the primary means of transferring risk?

Answer 16

Insurance

Question 17

A joint-venture would be an example of doing what with risk?

Answer 17

Retaining some and transferring a portion

Question 18

How can risk be monitored effectively?

Answer 18

Assign ownership over each exposure

Question 19

Internal Control

(COSO Definition)

Answer 19

Process designed to provide reasonable assurance regarding the achievement of objectives across:
* Effectiveness or efficiency of operations
* Reliability of financial reporting
* Compliance with laws and regulations

Question 20

What is an important thing to remember for internal controls in the risk management process?

(this is one of the most common issues with internal controls)

Answer 20

They need to be well-documented as this is a recurring issue for many companies

Question 21

Risk Management Oversight involves which key factors?

Answer 21

• Organizational Culture
• Internal Controls
• Technology
• Guidelines for Board of Directors

Question 22

Market Risk and 4 Components

Answer 22

Fluctuations in rates and prices will reduce the value of a security or portfolio

4 Components
* Equity Price Risk
* Interest Rate Risk
* FX Risk
* Commodity Price Risk

Question 23

Financial Risk

(which risks are categorized under financial risk?)

Answer 23

Impact on an organization from changes in:
* Interest rates
* FX
* Commodity pricing

Question 24

Natural Hedging

Answer 24

Risk mitigation through the organization’s ongoing day-to-day transactions

Question 25

Financial Risk can be focused on individual XXXXXX and the overall XXXXXX of the firm

Answer 25

Transactions Market value

Question 26

ERM Heat Map

Answer 26

Way of visually presenting identified exposures for Probability, Impact, and Velocity of risks

Question 27

Equity Price Risk

Answer 27

Risk associated with volatility in stock prices

Question 28

XXXXXXX risk can be mitigated by holding a portfolio stocks, while XXXXX cannot be eliminated

Answer 28

Firm-specific General risk

Question 29

How does equity risk primarily impact treasurers?

Answer 29

Influence a company’s ability to raise capital in equity and bond markets

Question 30

Why can price volatility be magnified for commodities?

Answer 30

Suppliers are usually concentrated

Question 31

Recovery Value or Rate

Answer 31

Creditor may recover some value after default

Question 32

Loss Given Default

Answer 32

Percentage of Recovery Value or Rate

Question 33

Operational Risk

Answer 33

Losses resulting from inadequate systems, management failure, faulty controls, fraud and human error, etc.

Question 34

Two Areas of Liquidity Risk

Answer 34

Funding Liquidity Risk Asset Liquidity Risk

Question 35

Funding Liquidity Risk

Answer 35

Organization’s ability to raise the necessary cash to meet its obligations as they come due Ability to raise short-term and long-term capital in a timely manner Use marketable securities or available lines of credit

Question 36

Asset Liquidity Risk

Answer 36

Ability to sell an asset quickly and at, or close to, its true value

Question 37

Event Risk

Answer 37

Risk associated with unexpected events

Question 38

Strategic Risk

Answer 38

Risk associated with execution of a strategy that may not be successful and profitable

Question 39

Business Risk

Answer 39

Day-to-day risks associated with strategic risk

Question 40

Reputation Risk

Answer 40

Risk that customers, suppliers, investors, and/or regulator may not want to do business with a firm Heavily influenced by social media, so it should be restricted

Question 41

Sources of Cyber Threats | (review)

Answer 41

Current and former employees Denial-of-Service (DoS) attack Breaches or compromises of electronic databases by computer hackers or other sources Intellectual property theft Financial criminals Activists Corporate identity theft or account takeover

Question 42

When a company outsources activity to a third party, the scope of cyber risk does what?

Answer 42

Increases

Question 43

Internal Operational Risks

Answer 43

Employee Risk Process Risk Technology Risk

Question 44

What is usually the significant source of internal risk stemming from employees related to?

Answer 44

Employee errors in data entry Lack of knowledge or skills Loss of key employees

Question 45

Defalcation Risk

Answer 45

Intentional employee fraud

Question 46

Fidelity Risk

Answer 46

Defalcation risk specific to money, securities, or property

Question 47

Process Risk | (and what does it usually stem from?)

Answer 47

Losses related to the processes employed in day-to-day business operations Usually comes from a lack of proper controls or the failure of employes to follow procedures due to a lack of training

Question 48

Examples of Process Risk | (review)

Answer 48

Accounting or financial reporting errors Lack of timely reconciliation of bank accounts Calculation risk Nonpayment for goods/services Errors in clearing and settlement processes for financial transactions Processes are overly complex Personal data protection and management May not meet terms of contracts with customers and suppliers

Question 49

Security Violations | (what are these and are they internal or external?)

Answer 49

Internal security breaches

Question 50

Examples of Technology Risk | (review)

Answer 50

Third party data access and storage Choice of technology platform or vendor Obsolescence of technology Capabilities, capacity, compatibility of technology Overuse of spreadsheets

Question 51

External Operational Risks * Financial Institution Risk * Counterparty Risk * Legal and Regulatory Compliance Risk * Sovereign and Political Risk (two parts) * Supplier Risk * External Theft/Fraud Risk * Physical and Electronic Security Risk * Event Risk

Answer 51

**Financial Institution Risk** – failure of the financial institution; use of online banking portal, payments and payment files **Counterparty Risk** – other party in a contract or financial transaction will not perform as promised; credit and default risk **Legal and Regulatory Compliance Risk** – potential lawsuits or other legal actions **Sovereign and Political Risk** * Sovereign Risk – government will default on debt * Political Risk – economic impact that businesses may face due to government changes or decisions within a country **Supplier Risk** – supplier or outsourced service will not meet contractual requirements **External Theft/Fraud Risk** – typically focused on payment process; malfeasance involving collusion; robbery or theft of physical cash at retail locations **Physical and Electronic Security Risk** – physical security to control access to premises and electronic data **Event Risk** – effects of natural disasters, terrorism, etc.

Question 52

Supplier risk is a crucial risk to monitor when what is employed by a firm?

Answer 52

Just-in-time inventory

Question 53

The Risk Management Policy should do the following: | (review)

Answer 53

* Contain a concise statement of the risk management goals and overall scope * Define authorities and responsibilities as well as the role of the CRO * Identify the types of exposures to be managed * Delineate the mitigation techniques and products that may be used * Outline the process for determining specific strategies to be employed and exposures to be mitigated * Summarize the process for monitoring performance of the strategies * Outline contingency plans * Require periodic review of the policy and testing of plans

Question 54

Is speculation a treasury objective?

Answer 54

No | This will likely be an incorrect answer

Question 55

What type of risk is a combination of counterparty and operational risk?

Answer 55

Supplier Risk

Question 56

Which actions are usually considered the most significant source of internal risk?

Answer 56

Data entry errors

Question 57

Value at Risk (VaR) | (remember key term of what the VaR boils down to)

Answer 57

**One single measure** that answers the question what is the maximum loss that can be expected over a given period of time?

Question 58

What is a potential risk of using the VaR model?

Answer 58

It is reliant upon historical data and it will not necessarily capture any new relationships between variables.

Question 59

CaR vs. VaR

Answer 59

CaR was developed to allow corporations that don’t have liquid assets to assess impacts on cash flows

Question 60

Benefit of the Results presented in CaR

Answer 60

Easy for nonfinancial specialists in strategic roles to understand

Question 61

Can VaR or CaR provide the maximum amount of a loss?

Answer 61

No, all based on standard deviations

Question 62

Four Objectives in Insurance Management

Answer 62

Insure against catastrophic loss Decide when and what to insure (while complying with laws) Manage the purchase and use of insurance Obtain efficient pricing for insurance needs

Question 63

What is the cost of risk from losses calculated as?

Answer 63

Total actual and potential losses

Question 64

Independent Insurance Agent vs. Broker Agency

Answer 64

Independent Insurance Agent = agent of insurance company Broker = agency of client

Question 65

Key things to consider for insurance provider | (review)

Answer 65

Long-Term Solvency of the Insurer Rating for the Insurer Service Provided Cost versus Exposure Industry knowledge and experience

Question 66

What is one way a firm’s lenders can influence the quality of insurance provided to minimize risk?

Answer 66

Set minimum credit ratings for insurers

Question 67

How are insurers rated from a credit ratings perspective? | (are the ratings provided independent or dependent on one another?)

Answer 67

AM Best Company provides two ratings * Financial strength * Indebtedness | Ratings are INDEPENDENT

Question 68

Total Cost of Risk (TCOR) for Insurance

Answer 68

Cost of insurance Cost of losses ***that are retained*** Administrative costs associated with the firm’s risk management program

Question 69

Deductibles are also known as what?

Answer 69

Retentions Excess

Question 70

Cost of First-Dollar Coverage

Answer 70

Insurance coverage with no deductible Will be very expensive

Question 71

Deductible may be set on a combination of which two approaches?

Answer 71

Per-occurrence basis Aggregate basis

Question 72

Date of Occurrence vs. Claims Made

Answer 72

**Date of Occurrence** – focuses on when the loss actually occurred and must align the coverage period in the policy **Claims Made** – focuses on when the claim is made and which policy is in force at the time

Question 73

What do Insurance Risk Management Services do?

Answer 73

Can help to supplement in-house expertise if it exists in the company

Question 74

Risk Financing

Answer 74

Involves resources that an organization may drawn upon to finance recovery from losses and liabilities

Question 75

Two approaches to risk financing

Answer 75

Risk Retention Risk Transferring

Question 76

Risk Retention Approaches to Risk Financing * Noninsurance * Self-Insurance * Single-Parent Captive * Group Captive * Risk Retention Group * Claims Management

Answer 76

**Noninsurance** – no insurance is purchased **Self-Insurance** – company sets aside funds for loss payouts; may purchase excess **Single-Parent Captive** – subsidiary is created to insure parent; can provide tax benefits and policy efficiencies **Group Captive** – similar to single-parent captive but with multiple parent entities **Risk Retention Group** – specific group captive where multiple organizations in an industry may share similar liability risks; formed under US federal law **Claims Management** – companies may outsource claims processing to a third party to reduce costs

Question 77

What is the difference between noninsurance and self-insurance?

Answer 77

In self-insurance, the organization is making a conscious choice to allocate funds to loss financing

Question 78

Risk Retention Group | (and examples)

Answer 78

A group captive formed under the terms of a US federal law that enable businesses that share similar risks to work together to jointly finance liability claims Must only be liability claims Examples include airline industry, professional occupations, etc.

Question 79

Risk Transfer Approaches to Risk Financing * Contractual Transfer * Guaranteed Cost Insurance Program * Retro Rated Insurance Program

Answer 79

**Contractual Transfer** – hold-harmless agreement to transfer to a non-insurer **Guaranteed Cost Insurance Program** – pay premium annually, may not be eligible for premium refund if cancelled during the year **Retro Rated Insurance Program** – pay a premium that is adjusted later; very common for worker’s compensation

Question 80

Hold Harmless agreements are common in which method of risk financing?

Answer 80

Contractual transfer

Question 81

Subrogation

Answer 81

Recovering loss from other parties

Question 82

Reinsurance

Answer 82

A system where insurance companies transfer part of their risk to another company, called a reinsurer, to reduce the chance of large financial losses from claims

Question 83

What does coinsurance mean in each of these three contexts: * US Property Insurance * US Health Insurance * Reinsurance

Answer 83

**US Property Insurance** – insured much purchase an amount equal to or greater than a specified proportion of the value of the insured property **US Health Insurance** – insured must pay a proportion of any health care costs **Reinsurance** – coinsurance is synonymous with reinsurance

Question 84

Which technique to measure risk involves asking employees to come up with best and worst case scenarios and sometimes having them come up with subjective probabilities?

Answer 84

Scenario Analysis Monte Carlo requires standard probability distributions and random numbers

Question 85

Which one is more expensive for premium pricing: per-occurrence deductible or aggregate deductible?

Answer 85

Aggregate deductible because it limits insured’s exposure if there are multiple events of loss in the same period

Question 86

Disaster Recovery vs. Business Continuity

Answer 86

**Disaster Recovery** – restoration of systems and communications after an event causes an outage **Business Continuity** – actions taken with regard to crisis management, alternative operating procedures, and communications

Question 87

What is the intent of disaster avoidance, recovery, and remediation measures?

Answer 87

Preserve the firm’s revenue stream

Question 88

What is the primary focus area for disaster recovery and business continuity plans?

Answer 88

Business supply chain Financial supply chain (Procure-to-Pay)

Question 89

Financial Supply Chain Internal and External Parties

Answer 89

Internal – treasury, computer systems, policies, procedures, processes, office facilities External – financial institutions, market information, vendors, financial markets

Question 90

Steps in Developing Effective DR/BC Plans

Answer 90

1. Identify Mission-Critical Functions 2. Assess Risks 3. Evaluate Contingency Measures 4. Prioritize Corrective Action 5. Create a Communication Plan

Question 91

How often should DR/BC Plans be tested?

Answer 91

At least annually, preferably semiannually Should also sometimes occur without warning

Question 92

Account Takeover

Answer 92

Hacker gains access to a company’s bank account information and uses that information to remove funds from the account

Question 93

What are the two primary functions of performing periodic testing of DR/BC plans?

Answer 93

Identify problems with the plan that need to be corrected Train employees and ingrain appropriate emergency responses

Question 94

Do government guaranteed funds provide a material level of protection when an insurer fails?

Answer 94

No, they only provide limited protection

Question 95

AM Best Company provides ratings on financial strength and on indebtedness of insurance providers. Are these ratings dependent on one another?

Answer 95

No, they are independent opinions

Question 96

If a company wants to summarize the potential impacts of something in a single measure, which option is best: A. Sensitivity Analysis B. VaR C. Scenario Analysis D. Monte Carlo

Answer 96

VaR was designed to incorporate wide range of risk factors and summarize their impact in a single measure

Question 97

Quantitative Assessment for Measuring Exposure on Risks | (review)

Answer 97

Assess the materiality or level of the exposure Determine the probability or likelihood Assess the estimated timing and velocity Identify the risk drivers or factors that cause the risk to materialize Provide a benchmark for assessing risk mitigation strategies