Core Activity D: Evaluate and mitigate risk Flashcards

(95 cards)

1
Q: What is risk?
A: The chance that future events or results may not be as expected.

2
Q: Why incur risk?
A:
Gain competitive advantage
Increase financial return

3
Q: What are the types of risk?
A:
Political, legal and regulatory risk
Business risk
Economic risk
Financial risk
Technology risk
Environmental risk
Corporate reputation risk
Fraud and employee malfeasance risk
International risk

4
Q: What is political, legal and regulatory risk?
A: Risk due to political instability, the risk that legal action will be brought against the business, and the risk of changes in regulation affecting the business.

5
Q: What is business risk?
A: Risk businesses face owing to the nature of their operations and products.

6
Q: What is economic risk?
A: Risk that changes in the economy might affect the business.

7
Q: What is technology risk?
A: Risk that technology changes will occur that either present new opportunities to businesses or, on the down-side, make their existing processes obsolete.

8
Q: What is environmental risk?
A: Risk that arises from changes in the environment, such as climate change or natural disasters.

9
Q: What is corporate reputation risk?
A: For many organisations reputation risk is a down-side risk: the better the reputation of the business, the more risk there is of losing that reputation.

10
Q: What are the 6 stages of the risk management cycle?
A:
  1. Identify risk areas
  2. Understand and assess scale of risk
  3. Development of risk response strategy
  4. Implement strategy and allocate responsibilities
  5. Implementation and monitoring of controls
  6. Review and refine process and do it again

11
Q: What is risk management?
A: The process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives.

12
Q: What is enterprise risk management?
A:
  • Term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations
  • Process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
  • The COSO ERM framework is represented as a three-dimensional matrix in the form of a cube which reflects the relationship between objectives, components and different organisational levels

13
Q: What are the four objectives of the COSO ERM framework?
A:
Strategic
Operations
Reporting
Compliance

14
Q: What are the eight components of the COSO ERM framework?
A:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

15
Q: What is event identification?
A: Internal and external events which impact upon the achievement of an entity's objectives must be identified.

16
Q: What are control activities?
A: Policies and procedures that help ensure the risk responses are effectively carried out.

17
Q: What is the double helix?
A: ERM should be ingrained into everything the organisation does, including setting the mission, vision and core values of the entity.

18
Q: What are the five components of the double helix?
A:
  1. Governance and culture
  2. Strategy and objective setting
  3. Performance
  4. Review and revision
  5. Information, communication and reporting

19
Q: What are the benefits of ERM?
A:
  • Enhanced decision making by integrating risks
  • Reduced performance fluctuations and fewer interruptions to operations
  • Resultant improvement in investor confidence and hence shareholder value
  • Focus of management attention on the most significant risks
  • Reduced cost of finance through effective management of risk
  • Improved utilisation of resources
  • Increased opportunities for the organisation

20
Q: What is internal reactive risk identification?
A:
Internal audit inspections
Complaints, incidents and claims

21
Q: What is internal proactive risk identification?
A:
Brainstorming
PEST/SWOT analysis
Strategic options
Staff interviews/questions
Scenario planning

22
Q: What is external reactive risk identification?
A:
Customer surveys
External auditor reports
Professional bodies' recommendations
Health and safety reports

23
Q: What is external proactive risk identification?
A:
External advisors
Consultation with shareholders
Mandatory/statutory targets
Benchmarking

24
Q: How do we quantify risk exposure?
A:
Expected values
Volatility
Value at risk

25
Q: What are expected values?
A: When statistical estimates are available for the probabilities of different outcomes and the value of each outcome, risk can be measured as an expected value of loss or gain.

26
Q: What is volatility?
A: Another way of assessing risk might be to look at potential volatility.

27
Q: What is value at risk?
A: Allows investors to assess the scale of the likely loss in their portfolio at a defined level of probability. Based on the assumption that investors care mainly about the probability of a large loss. The VaR of a portfolio is the maximum loss on the portfolio occurring within a given period of time with a given probability.

28
Q: What are the risk treatment methods?
A:
Avoid risk
Transfer risk
Pool risk
Diversification
Risk reduction
Hedging risk
Risk sharing

29
Q: What is pooling risk?
A: Risks from many different transactions are pooled together; each individual transaction/item has its potential upside and its downside. The risks tend to cancel each other out and are lower for the pool as a whole than for each item individually.

30
Q: What is diversification?
A: A similar concept to pooling, but usually relates to different industries or countries. The idea is that the risk in one area can be reduced by investing in another area where the risks are different or, ideally, opposite.

31
Q: What is risk reduction?
A: If risks cannot be eliminated, the company may reduce them to a more acceptable level by a form of internal control. The costs of control measures should justify the benefits from the reduced risk.

32
Q: What is hedging risk?
A: Reducing risks by entering into risk profiles that deliberately reduce the overall risks in a business operation or transaction.

33
Q: What is risk sharing?
A: A company reduces the risk in a new business operation by sharing the risk with another party. This is a motivation for entering into a joint venture.

34
Q: What are the roles and responsibilities of risk management?
A:
Board of directors
Audit committee
Risk committee
Risk management group
Risk manager
Internal audit

35
Q: What are the fundamental principles of CIMA ethics?
A:
Integrity
Objectivity
Professional competence and due care
Confidentiality
Professional behaviour

36
Q: What is professional competence and due care?
A: The duty to maintain professional knowledge and skill at an appropriate level.

37
Q: What is professional behaviour?
A: Members must comply with relevant laws and avoid actions discrediting the profession.

38
Q: What are the ethical threats?
A:
Self interest
Self review
Advocacy
Familiarity
Intimidation
Adverse interest

39
Q: What is self review?
A: May occur when a previous judgement needs to be re-evaluated by the member responsible for that judgement.

40
Q: What is advocacy?
A: May occur when a member promotes a position or opinion to the point that subsequent objectivity may be compromised.

41
Q: What is familiarity?
A: May occur when, because of a close or personal relationship, a member becomes too sympathetic to the interests of others.

42
Q: What is intimidation?
A: May occur when a member may be deterred from acting objectively by threats, whether real or perceived.

43
Q: What is adverse interest?
A: May occur when a member does not act with integrity because their interests are opposed to the employer's.

44
Q: How do we resolve ethical conflict?
A:
  1. Check facts
  2. Escalate internally
  3. Escalate externally
  4. Refuse to remain associated with the conflict

45
Q: How do we manage reputational risk?
A:
Governance
Employee relations
Environmental awareness
External relations
CSR
Risk professionals
Policy framework
Risk sensing tools

46
Q: What is employee relations in association with management of reputational risk?
A: Regular communication with the workforce, including training and education on the potential for reputational risk, should be provided.

47
Q: What is external relations in association with management of reputational risk?
A: Transparency with stakeholders should be as great as is possible without giving away information that provides a competitive advantage.

48
Q: What are risk professionals?
A: The company could employ or hire the services of an expert in risk and risk management.

49
Q: What is a policy framework with risk management?
A: Setting up a framework relating to risks, and in particular highlighting reputational risk, can help employees with identification of potential issues.

50
Q: What are risk sensing tools?
A: Organisations are investing significantly in tools to analyse the text and language used in social media posts and reviews to understand what is being said about their firm.

51
Q: Why does cyber security matter?
A:
Types of sensitive information held
Technological interactions
Increasing dependency

52
Q: What are the objectives of cyber security?
A:
Availability
Confidentiality
Integrity of data
Integrity of processing

53
Q: What are application attacks?
A: A broad term for a variety of different ways of attacking a victim, this time by attacking an application. Common types of attack include denial of service, SQL and buffer overflow.

54
Q: What is denial of service?
A: Overwhelms a system's resources so that it cannot respond to service requests.

55
Q: What is SQL?
A: Structured query language. The attacker uses an unprotected input box on the company's website to execute a SQL query on the database via the input data passed from the client to the server.

56
Q: What is buffer overflow?
A: Occurs when a system cannot store as much information as it has been sent and consequently starts to overwrite existing content.

57
Q: What are the types of cyber security risk?
A:
Application attacks
Malware
Hackers

58
Q: What are unethical hackers?
A: Stereotypical hackers that hack with malicious intent.

59
Q: What are ethical hackers?
A: Hack with the company's permission.

60
Q: What are the six principles of influence within social engineering?
A:
Reciprocity
Scarcity
Authority
Consistency
Liking
Consensus

61
Q: What is reciprocity?
A: The idea that people often feel obliged to do something in return for a favour or gift they have received.

62
Q: What is scarcity?
A: Something that is in short supply is perceived to be more valuable.

63
Q: What is authority?
A: If someone is deemed to be an expert, they carry more power.

64
Q: What are the risks of social media to organisations?
A:
Human error
Productivity
Inactivity
Data protection
Hacking
Reputation

65
Q: What are the risks of social media to individuals?
A:
Trolling
Permanence
Employment
Fraud
Legal sanction

66
Q: What are the security vulnerabilities?
A:
Technical
Procedural
Physical

67
Q: What are the implications of security vulnerabilities?
A:
Downtime
Reputation
Customer loss
Legal consequences

68
Q: What things need to be protected?
A:
Devices
Servers
Networks

69
Q: What are some methods of protection?
A:
Policies
Configurations
Software
Application controls
Security products

70
Q: What are the types of protection?
A:
Identification
Authentication
Authorisation
Encryption
Certificates
Physical security

71
Q: What is encryption?
A: Making sure that only authorised people or systems can view the data/information.

72
Q: What is blockchain?
A: Collective and public bookkeeping providing an effective control mechanism aimed at preventing a hacker privately modifying records. An attempt to interfere with a transaction will be rejected by the network parties making up the blockchain. If just one party disagrees, the transaction will not be recorded.

73
Q: Detection?
A: Complete protection/prevention is not possible.
Applications
Monitoring – if a log of events is recorded in files then these can be reviewed to look for unusual activity
Centralisation

74
Q: Response?
A:
Structured and quick response required
Specific teams or departments
Business continuity planning
Disaster recovery planning
Back-ups

75
Q: What is business continuity planning?
A: Proactive and designed to allow the business to operate with minimal or no downtime or service outage whilst the recovery is managed.

76
Q: What is disaster recovery planning?
A: Reactive and limited to taking action to restore the data and applications and acquire new hardware.

77
Q: What is a mirror site?
A: Effectively a complete copy of a website, hosted on a different URL.

78
Q: What is a hot back-up site?
A: A building that physically replicates all of the current data centre/servers, with all systems configured and ready to go with the latest back-up.

79
Q: What is a warm back-up site?
A: A building that has all the critical hardware for the servers and systems in place, but they will need to be configured and the most recent back-up of the data/information installed before the site can take over the organisation's activities.

80
Q: What is a cold back-up site?
A: An area where new hardware could be set up and a recovery operation could begin.

81
Q: What is forensic analysis?
A: The process of examining the things that have been left behind by the attack/attacker to increase understanding of the attack and how the systems were breached, in order to improve defences in the future.

82
Q: What is penetration testing?
A: An attempt to exploit potential weaknesses by seeing if an ethical hacker can gain access to the system and what the hacker can exploit using the access that has been gained.

83
Q: What is software security?
A: The process of writing security into the software.

84
Q: What is the digital resilience framework?
A:
Identify all the issues
Aim toward a well-defined target
Best way to deliver the new cyber security system
Risk resource trade-offs
Aligns business and technology
Sustained business engagement

85
Q: What is the NIST cyber security framework?
A: National Institute of Standards and Technology. Voluntary guidance to help organisations mitigate cyber security risks. Three main components: implementation tiers, core, profiles.

86
Q: What are the implementation tiers of the NIST framework?
A: Provide context, helping organisations to choose the appropriate level of rigour for their cybersecurity programmes, and often used as a communication tool to discuss risk appetite, mission priority and budget.

87
Q: What is the core of the NIST framework?
A: Provides a set of desired cybersecurity activities and outcomes using simple, easy-to-understand language. Based on five principles:
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

88
Q: What are profiles in the NIST framework?
A: Help the organisation map its own requirements and objectives, risk appetite and resources against the desired outcomes included in the core.

89
Q: What is the AIC triad?
A: Aimed at helping organisations understand information security and set up policies to help protect the organisation. Three elements: availability, integrity, confidentiality.

90
Q: What is ISO27001?
A:
* Define a security policy
* Define the scope of the ISMS
* Conduct a risk assessment
* Manage identified risks
* Select control objectives and controls
* Prepare a statement of applicability

91
Q: What is the AICPA cybersecurity risk management reporting framework?
A:
* Assists organisations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs.
* Assists senior management, boards of directors, analysts, investors and business partners to gain a better understanding of organisations' efforts.

92
Q: What are the three key components of the AICPA cybersecurity risk management reporting framework?
A:
  1. Management's description – provides a description of the firm's cyber security activities
  2. Management's assertion – gives management the opportunity to state whether the risks were described in accordance with the criteria and whether appropriate controls were in place and effective
  3. Practitioner's opinion – a qualified CPA accountant gives their opinion on the description of the risks and whether the controls in place are effective

93
Q: What is the COSO model of internal control?
A:
* Control environment – management's attitude, actions and awareness of the need for internal controls
* Risk assessment – controllable risks, uncontrollable risks
* Control activities – having a defined organisation structure, contracts of employment, policies, discipline and reward system, performance appraisal and feedback
* Information and communication – information must be timely, accurate, understandable, and relevant to the actions being taken
* Monitoring

94
Q: What are the prerequisites for fraud?
A:
Dishonesty
Opportunity
Motive

95
Q: What is the fraud risk management strategy?
A:
Fraud prevention: anti-fraud culture, risk awareness, whistleblowing, sound internal control systems
Fraud detection: regular checks, warning signals, whistleblowers
Fraud response