Core Activity D - Evaluate and mitigate risks

Question 1

What are the key elements of the risk management cycle ?

Answer 1

Identify risks

Assess likelihood and impact

Design and implement internal control system

Check internal controls are appropriate and working

Report to management

Circle back with ongoing improvement and monitoring

Question 2

What 5 key areas does ERM involve ?

Answer 2

Understanding how a business is run by its directors

Strategy for success

Positive and negative risks

Risk response

Information gathered on performance and how it responds to that information

Question 3

What 5 key areas does ERM involve ?

Answer 3

Understanding how a business is run by its directors

Strategy for success

Positive and negative risks

Risk response

Information gathered on performance and how it responds to that information

Question 4

What are the two main risk management frameworks ?

Answer 4

COSO ERM - Integrating strategy & performance

ISO 31000 - risk management guidelines

Question 5

What are the 5 key components of the COSO ERM framework?

Answer 5

Governance & culture

Strategy and objective setting

Performance

Review and revisions

Information, communication and reporting

Question 6

What are the four main classifications of risk the portfolio view establishes ?

Answer 6

Financial risks
Operation risks
Compliance risks
Customer risks

Question 7

Describe the TARA framework

Answer 7

Transfer - low/high (insurance)
Accept - low/low
Reduced - high/low
Avoid - high/high

Question 8

What stages might the identification of risks go through ?

Answer 8

Upside / downside risks

External or internal risks

Strategic or operational risk

Question 9

How might the process for risk identification look?

Answer 9

Determine upside or downside risk

Then determine the source of the risk - ie internal or external

Then determine the level of risk - ie operational or strategic

Question 10

What international risks are Rotomyne exposed to?

Answer 10

PESTEL

Transaction risk

Translation risk

Interest rate risk

Physical risk of uranium theft etc

Credit risk - non paying customers

Question 11

How might Rotomyne mitigate exchange rate risk ?

Answer 11

Hedging via the use of forwards, options and futures

Question 12

What other international risks exists?

Answer 12

National culture

Social grouping

Religious issues

Language

Question 13

How might risks be identified from different areas of the business ?

Answer 13

Bottom up identification

Top down risk identification

Question 14

What processes might be used to evaluate risks ?

Answer 14

Qualitative analysis

Quantitative analysis

Risk mapping

Question 15

What quantitative techniques could be used to assess risk ?

Answer 15

Expected value

Standard deviation

Volatility / COV

Normal distribution

Regression / correlation

Question 16

When assessing risk how can quantitative analysis be used to see how variables are related ?

Answer 16

Regression - analysis to obtain the relationship between two (or more) variables

Correlation / correlation coefficient - to see how strong that relationship is

Question 17

How can sensitivity analysis be more efficiently managed?

Answer 17

‘Goal seek function’

Question 18

How can a simulation be more efficiently managed ?

Answer 18

‘What if’ function

Question 19

What visual tools can be used to manage risks ?

Answer 19

TARA model

Heat risk maps (5x5)

Risk bands .. graphs

Question 20

What are the steps for determining risk appetite?

Need to check this - I think appetite is set and tolerance measured! Deloitte example

Answer 20

Understanding the

Risk tolerance - (Overall feeling of risk) How much risk are the board willing to tolerate?

Risk appetite - (The amount of risk the organisation is willing to take to achieve its long term objectives) perhaps more specific and always smaller than risk tolerance.

Risk capacity - How much downside risk can the organisation cope with to just survive (Berkshire has almost infinite resources)

Question 21

Define risk capacity

Answer 21

Ability to shoulder the risks facing the organisation in relation to its goals and strategies

The risk capacity allows the organisation to take some risks but provide a cushion against downside risk

Question 22

How might we gain an understanding of the organisation’s maturity of risk management?

Answer 22

Strong processes = greater maturity

Question 23

What are the financial and non financial considerations of risk capacity?

Answer 23

Are funds available ?
Does the return meet the requirements of the risk ? Economic spread

Reputation risk
Political risk
Infrastructure
Staff and knowledge

Question 24

What’s the definition of risk tolerance?

Answer 24

The acceptable level of variation relative to the achievement of a specific objective

Risk appetite is broad, risk tolerance is tactical and operational and often measured

Question 25

What’s the definition of risk appetite?

Answer 25

The amount of risk, on a broad level, that an organisation is willing to accept in persuite of value

Question 26

Risk definitions

Answer 26

My current understanding is that risk capacity is what the organisation is willing to absorb Risk appetite is broad/ maxi min etc Risk tolerance is subjective to a specific detail of the particular project .. Both linked to performance over time

Question 27

How might the organisation document all identified risks ?

Answer 27

Via a risk register document Included will be ‘risk mitigating control actions’

Question 28

What techniques could be used to analyse external risk ?

Answer 28

PESTEL analysis Porters five forces

Question 29

What techniques could be used to identify internal risks ?

Answer 29

9ms model Value chain

Question 30

What stages are they is strategy whereby risks should be identified?

Answer 30

Type of strategy - cost leadership / differentiation Product market strategy - ansoffs matrix Operational infrastructure Method of growth

Question 31

What does strategy formulation and risk registers have in common ?

Answer 31

They are constant and always being reviewed in an ever changing environment

Question 32

Once an organisation has determined its risk appetite, what techniques may it use to mitigate identified risks?

Answer 32

Scenario planning Stress testing

Question 33

What does strategy formulation and risk registers have in common ?

Answer 33

They are constant and always being reviewed in an ever changing environment

Question 34

What should an organisation also implement alongside ERM?

Answer 34

System of internal controls

Question 35

What should also be be implemented alongside a system of internal control?

Answer 35

Internal audit

Question 36

What’s the purpose of internal control?

Answer 36

Designed to provide reasonable assurance that the organisations operations, reporting and compliance objectives are achieved Affected by an entities board of directors and management / other personnel

Question 37

What is meant my internal audit?

Answer 37

The internal audit team assist the organisation in maintaining effective internal control by evaluating its effectiveness and efficiency and by promoting continuous improvement

Question 38

What are 2 main purposes of ERM?

Answer 38

Reduce likelihood of an event Manage impact when such an event occurs

Question 39

How does ERM support strategy ?

Answer 39

It informs the organisation of risks associated with alternative strategy and also risks associated with the strategy chosen.

Question 40

What’s the definition of cyber risk ?

Answer 40

Any possibility of an organisation suffering loss or harm from a failure of its IT system.

Question 41

What’s the definition of a cyber threat ?

Answer 41

Any circumstance or event with the potential to adversely affect operation, assets, or individuals through an IT system.

Question 42

What’s the definition of cybersecurity?

Answer 42

The process of designing, implementing, and operating controls to protect information and detect / security events that are not prevented.

Question 43

How can we support cybersecurity prevention?

Answer 43

Via a Cybersecurity risk management programme

Question 44

What’s the definition of a Data breach ?

Answer 44

An event in which confidential data have potentially been viewed, stolen, or used by an individual unauthorised to do so

Question 45

What’s the definition of a bad actor ?

Answer 45

Any party that possesses a motive and opportunity to conduct a cyber attack

Question 46

What’s a man in the middle attack?

Answer 46

Involves a bad actor intervening in a conversation between 2 parties. The imposter impersonates both parties to gain access to information

Question 47

What does malware stand for ?

Answer 47

Malicious software

Question 48

What’s a DOS attack?

Answer 48

Denial of service - involves generating large volumes of request that overwhelm the target system.

Question 49

What’s the purpose of the AICPA cybersecurity risk management reporting framework?

Answer 49

Transparency Integrity Reliability

Question 50

What are the main components of the AICPA reporting framework?

Answer 50

Management description Managements assertion Independent accountants opinion

Question 51

What’s the three lines of defense model ?

Answer 51

Function that own and manage risk Functions that oversee risk management policies Functions that provide independent assurance

Question 52

What is the CIA triad ?

Answer 52

Cybersecurity model that focuses on Confidentiality Integrity Availability

Question 53

What tolls or techniques can be used to manage cyber security ?

Answer 53

Exploiting vulnerability Reverse engineering Storage analysis System level analysis

Question 54

What security standard must a company conform to when developing software ?

Answer 54

ISO 27001

Question 55

What are the 5 R/s relating to risk resilience ?

Answer 55

Risk radar Resources Relationships Rapid response Review and adapt

Question 56

How is stress testing different from scenario planning?

Answer 56

Scenario planning is used to develop a range of possible outcome based on probability. Stress testing is a layer of protection added on top to determine how these scenarios may play out under different stressful environments .. ie high inflations / high interest rate environment.

Question 57

How else could internal risks be evaluated ?

Answer 57

Using the 9m's model? Man power - are employees treated fairly? Machinery - Is our fleet electric or ICE?