Flashcards in COSO ERM Framework Deck (60)
What is the definition for ERM?
The culture, capabilities and practices, integrated with strategy-setting and performance, that an organization relies on to MANAGE RISK in creating, preserving and realizing VALUE. Effective integration improves decision making and performance.
What is culture?
The attitudes, behaviors and understanding about RISK, both positive and negative, that influence the decision of management and personnel and reflect the mission, vision and core values of the organization.
What is mission?
The organization's core purpose.
What is vision?
The organization's aspirations for what it intends to achieve over time.
What are core values?
The organization's essential beliefs about what is acceptable or unacceptable.
What are capabilities?
The skills needed to carry out the organization's mission and vision.
What are practices?
The collective methods used to manage risks.
What does "integrating strategy setting and performance" mean?
To consider risk in setting strategy, business objectives, performance targets and tolerance.
What is strategy?
It communicates how the organization will achieve its mission and vision and how it will apply its core values.
What are business objectives?
The steps taken to achieve strategy.
What is (risk) tolerance?
The range of acceptable variation in performance results.
What is risk profile?
The composite view of the types, severity and interdependencies of risks related to a specific strategy or business objective and their effect on performance. See Figure 1-3 on p.31.
What is portfolio view of risk?
The composite view of the risks related to ENTITY-WIDE strategy and business objectives and their effects on ENTITY performance.
What is opportunity in terms of managing risk?
Any action or potential action that creates or alters goals or approaches for the creation, preservation or realization of value. They differ from positive events, occurrences in which performance exceeds the original target.
True or False. Effective ERM practices provide absolute assurance that the risk assumed is appropriate.
False. Effective ERM practices provide reasonable expectation that the risk assumed is appropriate.
What is risk inventory?
It consists of all identified risks that affect strategy and business objectives.
What is risk capacity?
The maximum amount of risk that an organization can assume.
What is risk appetite?
The types and amount of risk an organization is willing to accept in order to pursue value.
What is inherent risk?
The risk in the absence of management actions to alter its severity.
What is actual residual risk?
The risk remaining after management actions to alter its severity.
What is target residual risk?
The risk an organization prefers to assume, knowing that management actions have altered or will alter its severity.
When is value created?
When benefits obtained from the resources used exceed their costs.
When is value preserved?
When resources used are sustained.
When is value realized?
When benefits are transferred to stakeholders.
When is value eroded?
When management's strategy doesn't produce expected results or when management doesn't perform day-to-day tasks.
Who is responsible for providing risk oversight?
The board provides risk oversight of ERM culture, capabilities and practices. A committee can be formed for this purpose (e.g. audit committee, risk committee, executive compensation committee, nomination or governance committee). An audit committee is usually required by regulators.
Who has the overall responsibility for ERM?
Management is responsible for the day-to-day managing of risk, including developing and implementing the COSO ERM framework. Within management, the CEO has ultimate responsibility for ERM and for achievement of strategy and business objectives.
What role does a risk officer play?
It's the centralized coordinating point to facilitate risk management across the entire enterprise.
What are the three lines of management accountability and their duties?
1. Principal owners of risk: manage performance and risks taken to achieve strategy and objectives.
2. Supporting functions (risk officer): provide guidance on performance and ERM requirements; evaluate adherence to standards; challenge the first line to take prudent risks.
3. Assurance (internal audit): review ERM; identify issues and improvements; inform the board and executives of matters needing resolution.