Introducing ERM Flashcards

(167 cards)

1
Q

What is the definition of ERM by ISO 31000

A

Coordinated activities to direct and control an organisation with regard to risk.

2
Q

When did risk management frameworks develop?

A

From 1995

3
Q

What year did risk management become more focussed, following a financial crisis and why?

A

2008. As a result of the financial crisis, risk management became more focused due to increases in regulation and the drive to hold people responsible (GRC: governance, risk and compliance), particularly in the financial services sector.

4
Q

What is a definition of Risk

A

The effect of uncertainty on objectives.

5
Q

What are the 4 categories of risk

A

Hazard risks - negative risks
Compliance risks - mandatory risks
Control risks - uncertainty
Opportunity risks - positive risks

6
Q

What should ERM look like to be successful

A

ERM makes a company more successful by creating a single view of all risks and managing those risks in a consistent way up, down and across the enterprise

7
Q

What are the aspects of a traditional risk management approach

A

Risks as individual hazards
Risk mitigation only
Risks with no owners
Risk is insurance
Risk is not my responsibility

8
Q

What is the COSO definition of ERM

A

The culture, capabilities, and practices integrated with strategy setting and its execution, that organisations rely on to manage risk in creating, preserving and realising value

9
Q

What benefits can risk management bring

A

Soft people benefits such as improving working relationships
Hard benefits such as a higher return on investment

10
Q

What is corporate governance

A

The UK corporate governance institute defines governance as the system of rules, practices and processes by which a company is directed and controlled

11
Q

What is a GRC approach?

A

GRC is governance, risk and compliance, where there should be an integrated approach to compliance, risk management, internal controls and internal audit

12
Q

5 benefits of ERM

A

Builds confidence in stakeholders and investors
Comply with relevant legal and regulatory requirements
Improve resilience
Increase the likelihood of a business meeting its objectives
Optimise the allocation of resources

13
Q

What are the four easy steps of risk management

A

Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report

14
Q

What are the SATARLA risk management steps

A

1. Context and objectives
2. Assess risks - identification (which could be very broad), understanding (the values of the organisation and how risks can impact objectives, plus risk velocity or clock speed), so what (can we leave a risk or do we need to manage it)
3. Management of risks - controls and understanding of controls
4. Monitoring of whether the management of risks is working, or any changes to context; review and reporting; communication out to key stakeholders
Combined, these create risk-based decision making.
15
Q

What are the financial risk management regulations

A

The Sarbanes-Oxley law mandates certain practices in financial record keeping and reporting for corporations in the US
The Basel Accord regulations regulate the banking sector
European Union Solvency II regulates the insurance sector

16
Q

What does the Basel Committee on Banking Supervision (2021) define operational risk as?

A

Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events

17
Q

What does RIDDOR stand for?

A

Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR)

18
Q

What does COSHH stand for?

A

Control of Substances Hazardous to Health

19
Q

What is the definition of projects

A

Unique, transient endeavours (Association for Project Management (APM))

20
Q

Common themes of projects

A

They have elements of uniqueness
They are temporary - have a beginning and an end
Are focussed
Have elements of complexity
Are reliant on third parties
Are based on assumptions

21
Q

What 3 factors does ISO 31000 consider in relation to risk management

A

The principles - what good risk management looks like
The framework - what is needed to implement effective risk management
The process - what the steps are in risk management

22
Q

When was ISO 31000 first published

A

2009 and updated in 2018

23
Q

Can ISO 31000 be used for certification purposes

A

No

24
Q

What is RASP

A

Risk architecture, strategy and protocols; this is the supportive structure of the risk management process

25
What are the various components of the COSO ERM CUBE
The face is the risk management process, consisting of 8 items
The top of the cube describes the four categories of organisational objectives
The side shows the implementation process of the standard
26
What does COSO 2017 include
This includes the rainbow double helix. This reflects the changing complexity of risks and the evolving business environment
27
What are the three distinct approaches to risk management as cited by Hopkin and Thompson
Risk management approach, followed by ISO 31000
Internal control approach, developed by the COSO internal control framework and by the FRC risk guidance
Risk aware culture approach, developed by the Canadian Institute of Chartered Accountants, known as the CoCo framework
28
What are the principles of risk management
Focus on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, reducing volatility and uncertainty
29
What is the purpose of risk management according to ISO 31000
The creation and protection of value
30
What are the eight principles of risk management by ISO 31000
1. Framework and processes should be customised and proportionate
2. Appropriate and timely involvement of stakeholders is necessary
3. A structured and comprehensive approach is required
4. Risk management is an integral part of all organisational activities
5. Risk management anticipates, detects, acknowledges and responds to changes
6. Risk management explicitly considers any limitations of available information
7. Human and cultural factors influence all aspects of risk management
8. Risk management is continually improved through learning and experience
31
What are the orange book (2020) principles?
A) Governance and Leadership
B) Integration
C) Collaboration and Best Information
D) Risk Management Processes
E) Continual Improvement
32
What are the attributes of effective risk management?
PACED:
Proportionate - tailored to the organisation
Aligned - the process is integrated with other organisational activities so that business can continue as usual
Comprehensive - the process encourages consistency in the risk management process
Embedded - the ERM framework and process encourage a change in risk attitudes
Dynamic - the process does not finish with the completion of the risk register
33
What is Risk Architecture?
Committee structure and terms of reference
Roles and responsibilities
Internal reporting requirements
External reporting controls
Risk management assurance arrangements
Budget and agreement on resources
34
What is agency theory?
The concept used to explain the important relationships between principals and their agents. The principal is someone who relies heavily on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes
35
What is a hybrid approach to risk management?
Where discretion in the design and operation of a subsidiary is allowed in certain areas, but others, such as brand management, are held corporately
36
What is a RACI chart?
A RACI chart or Responsible, Accountable, Consulted and Informed is used as a responsibility assignment matrix which lists relevant stakeholders and their level of involvement in the project
37
What can FIRM be used for
Assessing the benefits of a fully implemented and effective ERM framework. Benefits of ERM can also be assessed by MADE2
38
What can ERM implementation demonstrate
ERM implementation is not really a type of risk management but rather a view on risk management maturity in an organisation.
39
What is PIML
Planning, implementing, measuring and learning
40
What are the factors that can influence timescales in implementing ERM
The start position - what can the organisation use that is already in place
The commitment from the top
The size and complexity of the enterprise
The extent to which the enterprise is a global actor
The resources available to support implementation
41
How long does it take to implement ERM
Some say it is around 3-5 years. Others say that in larger, complex and decentralised organisations it can take 5-10+ years. Effective ERM is long term in order to derive the relevant benefits
42
Should risk management reflect the cadence of meetings that are already in place?
Yes, this will help embed ERM into governance and reporting lifecycle or structure of an organisation.
43
What are the components of risk strategy as interpreted by Hopkin and Thompson
Risk management philosophy
Arrangements for embedding risk management
Risk appetite and attitude to risk
Benchmark tests for significance
Specific statements / policies
Risk assessment techniques
Risk priorities
44
Is a risk management policy common?
Yes, a risk policy adopted by the board and used across the organisation is common. This is sometimes achieved in an ERM policy that outlines the philosophy of risk management in the organisation, states who should be responsible for it and commits to provide the resources necessary to manage risks to an acceptable level
45
What does the IRM define risk appetite as?
The amount of risk that an organisation is willing to seek or accept in the pursuit of long term objectives
46
What is risk tolerance
The level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level
47
Risk capacity
The level of risk that is unacceptable. This is the tipping point that the organisation cannot or does not wish to go over.
48
Risk procedures - what are they
They are the ‘how’ regarding the delivery of good quality risk management.
49
What may a risk protocol contain?
Techniques used in risk identification
The format and content of the risk register; how it is to be completed and how often
Requirements on entering risk events into the log and upwards escalation depending on severity
Detailed reporting requirements
Approval processes for expenditure on risk improvement actions
50
Are tools and techniques usually in a risk management procedure?
No, but tools and techniques can be referenced in a risk management procedure
51
What are the eight steps of COSO (2004)
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
52
What are the orange book (2020) risk management principles
Risk management shall be:
An essential part of governance and leadership (A)
Integral to all operational activities (B)
Collaborative and informed by the best available information (C)
Have structured processes (D)
Continually improved (E)
53
What does principle D of the orange book risk management principles comprise of?
Risk identification and assessment
Risk treatment
Risk monitoring
Risk reporting
54
What are the four main steps in the risk management process
1. Define context and objectives
2. Assess the risks
3. Manage the risks
4. Monitor, review and report
55
What are the three components of context as cited by Hopkin and Thompson
The organisation's risk management context
The internal context
The external context
56
What does the internal context include?
The organisation's divisions, departments, internal stakeholders, staff, the board, approach to corporate governance, competencies and capabilities
57
What is the extended enterprise
The IRM defines the extended enterprise as ‘a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own’
58
What are five techniques that can be used for risk assessment according to Hopkin and Thompson?
1. Checklists and questionnaires
2. Workshops and brainstorming
3. Inspections and audits
4. Flowcharts and dependency analysis
5. Crowd sourcing technology
59
What are emerging risks?
A risk which is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)
60
Why do organisations choose to classify risks?
Because it provides a structure to the process of risk identification which can facilitate the identification of more risks.
It also helps with the development of consistent risk terminologies across an organisation.
61
How can risks be classified
They can be classified in terms of short term, medium term and long term.
Short term risks are those with an immediate impact, such as on operational activities
Medium term risks are associated with tactics - a few months to a year
Long term risks are associated with strategy - one to five years after the event
62
What is a second dimension to the FIRM risk scorecard to classify risks?
Risks can be classified depending on where they derive from:
Internal (e.g. staff fraud) - these can be seen as financial and infrastructure risks; the source of internal risk is the internal context
External (e.g. exchange rate variability) - these can be seen as reputational and marketplace risks; the source is the external context
63
Which risks are overlooked more often, internal or external?
External risks are often overlooked as people know the inner workings of their organisation better than they do externally
64
How can likelihood be measured?
Probability - as a value between 0 and 1, e.g. there is a 2% chance of rain in the city of Jeddah. Probability is used when risks might only occur once in the timeframe considered
Frequency - e.g. in just one day in 2005, hurricane Katrina resulted in a one in a hundred-year flood in New Orleans. Frequency is commonly used for risks that might occur more than once in the timescale considered
65
What is impact versus action?
The amount of action needed to bring a risk to an acceptable level
66
What are the benefits of impact versus action?
Avoids unnecessary debate on likelihood
Prioritises attention on the risks that require immediate focus
Prompts robust discussion and action regarding the extent to which risks truly need to be managed
67
What is risk proximity?
How close a risk is to occurring or how soon a risk can happen.
68
What is risk velocity
How fast a risk can impact an organisation once it occurs - Hopkin and Thompson say this is the timescale of risk impact
69
Risk clock speed - what is it?
Slow clock speed risks are those where enough thinking time is available
Fast clock speed risks are at or close to real time
70
What is the risk clock speed window?
The range between how well organisations can deal with fast clock speed risks and slow clock speed risks and still function effectively
71
What are the three risk rating levels?
Inherent - this is the level of risk before any controls have been put in place or actions taken to manage the risk and change the likelihood or impact. This is useful to understand the real exposure an organisation has to a risk should the controls fail. It also helps to identify when risks might be over or under controlled. This is sometimes called the raw, total or gross level of risk.
Current - the risk taking into account the current controls in place to manage it, working at their current effectiveness. 'Net' or 'residual' sometimes describe this.
Target - this is the level of risk that is desired to bring the risk to an acceptable level. This rating is often missed by organisations but is important in considering how much effort is needed to manage risks to an acceptable level.
72
What are residual (design) risks?
Residual risks where the level of risk represents current controls working effectively and / or taking account of additional planned actions to manage the risk.
73
Where a risk has different impact scales, which one should be plotted onto a risk matrix?
The highest, otherwise the averaged out scores may ignore the real effect of risk.
74
What are HILP risks
They are high impact low probability risks, which because of their low likelihood are often perceived as risks that do not need much attention, such as COVID-19
75
What is risk evaluation?
This is the decision point at which we decide whether or not to respond to a risk
76
How do we treat risks?
We treat by comparing the current risk rating with the target risk rating (usually our risk appetite). If the current risk rating exceeds the risk appetite, we will manage it. Then we re-analyse the current risk after treatment. If the current risk rating still exceeds risk appetite then we will treat it again to manage the risk further towards our target. Then we re-analyse the current risk again; only when the current rating has reached our target rating do we stop implementing additional actions to manage the risk. If we cannot reach the target rating sufficiently or economically then we might have to consider revising our objectives and beginning the process again.
77
What is a control as defined by ISO 31000?
A control is a measure that maintains and/or modifies a risk
78
What should controls do?
They should take charge and modify the risk - either by tackling the causes and changing the likelihood of the risk occurring, or the consequences and changing the impact should the risk occur.
79
What are some of the risk response strategies ?
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Taking or increasing the risk to pursue an opportunity
Removing the risk source
Changing the likelihood
Changing the consequences
Sharing the risk
Retaining the risk by informed decision
80
What are the 5Es
Explore - start-up operations
Expand - during the growth phase, for example making investments or making sales
Exit - the operation may decide to exit through a successful and profitable sale, or if the investment is outside risk appetite
Exploit - as a mature operation the opportunity is exploited further
Exist - operations in decline have not changed and will just exist
81
What are the three treatments for threats using loss control?
Loss prevention - controls designed to stop a risk occurring
Damage limitation - controls designed to reduce the size of the risk as soon as it has occurred
Cost containment - controls designed to reduce the long term effect of the risk, such as business continuity management
82
What is PCDD?
Preventative controls - these are suggested as being the most important approach, but prevention is not always cost effective, so it is necessary to do a cost benefit analysis
Corrective controls - these are used where preventative controls are not feasible, desirable or cost-effective. Corrective controls need to be developed prior to the risk occurring but become effective once the risk has occurred
Directive controls - these are a common type of control and are based on giving directions to another person as to how they should behave in certain circumstances, but as they depend on behaviour they may not be very reliable. Directive controls on their own are not real controls (for example the guidance and data issued during COVID) and need to be supported with other controls
Detective controls - these detect a risk occurring, such as a fire alarm or an audit of a project that is off track
83
Which controls are pre and post event manifestation
Directive and preventative controls are pre-event manifestation
Corrective and detective controls are post-event manifestation
84
What are anticipatory controls?
These controls are forward looking, similar to directive controls but they tend to be more long term and strategic in nature
85
What is the hierarchy of controls in HSE?
Elimination - physically remove the hazard
Substitution - replace the hazard
Engineering controls - isolate people from the hazard
Administrative controls - change the way people work
PPE - protect the worker with equipment; this should be the last resort to protect against risks
86
What is monitoring and reporting
The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Monitoring is ongoing whereas review is periodic
87
What does monitoring include?
Reviewing the status of risk, controls, causes, consequences and any changes in these as well as changes in context and objectives
88
What does reviewing include?
Reviewing is checking the effectiveness of controls in place to manage risks and of the risk management process, with the review perhaps being on a less regular basis
89
What are the three core methods to monitor risks?
Key risk indicators, key control indicators and risk status
90
Key risk indicators - what are they?
They provide information on the changes in risks
91
What are key control indicators
They measure the effectiveness of controls and changes in controls. Examples could include:
Number of unauthorised trades
Percentage of employees receiving supervision
Regularity of disaster recovery plan testing
92
What is the difference between leading and lagging indicators
Leading indicators look into the future and provide an early warning of changes, e.g. measures of customer engagement and brand reputation
Lagging indicators look into the past and measure outcomes and results, such as financial results including profit or loss, or the number of audit findings
KRIs and KCIs tend to be lagging measures
93
What do risk datasets look at?
This is a quadrant which compares internal / external data and human / machine sourced information
94
What is risk status / lifecycle?
Draft - the risk has only just been raised and needs to be assessed to ensure it is a real risk and that it belongs in the scope of activity being addressed
Active - we are actively dealing with a real risk, and further actions are required to manage it to an acceptable level. These risks and controls should be monitored regularly to ensure controls are effective and the risk is moving from the current to the target level
Ongoing - we have managed the risk to an acceptable level, but it should not be closed and may change. Ongoing risks are reviewed less frequently, but KRIs and KCIs should be developed to help recognise any underlying changes to the risk
Closed / managed - this risk can be closed due to successful management, and lessons can be learnt to ensure that risks of this type are managed in a similar manner in the future
Closed / occurred - this risk can be closed because it has occurred, and lessons can be learnt to ensure risks of this type can be better managed in the future
95
What are the characteristics of review of controls?
The review of risks is carried out to provide assurance that risks are being managed effectively - they are usually held on a planned basis and are retrospective.
96
How often is the risk management framework and process reviewed?
This is often on a three year cycle which allows for review to be undertaken, improvements identified, agreed and implemented and give time for those improvements to take effect
97
How often does the UK corporate governance code state that the board should carry out a review of the risk management and internal control systems?
At least annually
98
How are reviews of risk management benchmarked?
By industry standards such as health and safety
By risk management standards and frameworks such as ISO 31000
By relevant industry or sector best practices based on subject matter experts' knowledge and experience
99
What is the primary objective of monitor and review
Improvements in risk management activities
100
What are key controls
The controls that reduce the organisation's most key risks (sometimes called critical controls)
101
What are the benefits of undertaking reviews of the whole risk management process?
To ensure responses are effective and efficient, including identifying and closing any holes or gaps in control defences
To identify and manage potential adverse side effects and unintended consequences
To build up knowledge to improve risk identification and analysis
To better link risks to objectives, key dependencies, core processes and stakeholder expectations
To detect and prepare for changes in our internal and external context
To detect and prepare for changes in trends in our risks
To identify and prepare for new and emerging risks
To identify good risk management practices, build on them and disseminate them to other parts of the organisation
102
Why is it important to review near misses?
This can help understand:
Why it occurred
Whether we had previously identified it as a possible risk
Why it did not have a big impact
Whether we had correctly analysed its likelihood and impact
103
How is communication and consultation defined?
Continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
104
What are the differences between communication and consultation?
Communication seeks to promote awareness and understanding of risk whereas consultation involves obtaining feedback and information to support decision making
105
What is useful information that could be shared in risk reports?
Level of confidence that objectives can be met
Important changes - in risks, controls, context, objectives and so on
Any significant new and emerging risks
Any new themes or trends
The progress on actions needed to bring risks to an acceptable level
Actions needed to manage risks further
Update on the effectiveness of controls
106
What does the financial reporting council expect in annual reports and accounts regarding risk?
The principal risks
Whether directors have a reasonable expectation that the company will be able to continue to operate and meet its liabilities
The going concern basis of accounting
A review of, and the main features of, risk management and the internal control system
107
What is the central question of risk management?
Given the context in which we are working, the risks faced (be those opportunities or threats), and the extent to which they are managed, is it possible to achieve the objectives previously set?
108
What are the types of decision making?
Analytical - analyse data and look at evidence; require more data but have a tolerance for ambiguity
Conceptual - big picture thinkers willing to take risk; have a high tolerance for ambiguity and are creative
Directive - quick, decisive thinkers with little tolerance for ambiguity; focus on the task with little consultation and can be aggressive in nature
Behavioural - focus on relationships rather than the task and evaluate the feelings of others; low tolerance for ambiguity and a persuasive nature
109
What is a definition of culture?
The ideas, customs, knowledge, beliefs and behaviours shared by a group of people whether in society or within organisations
110
What is risk culture?
The values, beliefs, knowledge and understanding about risk shared by a group of people with a common focus, in particular the employees of an organisation or groups within an organisation
111
What does risk culture require to be positive:
Good communication of the organisation's expectations to all staff
Convincing employees that they will personally benefit from good risk management practices
Involvement in the risk identification process, which will achieve greater buy in
Training programmes that instil the right practices and knowledge
Investment in the use of effective IT security tools, and active and transparent monitoring of IT usage that is made clear to all employees
112
How was the COSO framework updated in regards to risk culture
To recognise that having a best in class ERM approach does not add value where a positive risk culture does not support it
113
What are the personality profiling methodologies regarding risk?
These assess an individual's predisposition towards risk, measuring a person's preparedness to take risk and their resilience in the face of risk
114
What are the two elements of risk from a culture perspective
Objective reality (the likelihood that it will or will not rain tomorrow)
Subjective (the human perception of the risk, shaped by psychological factors, cultural factors and other intangibles)
115
What are the dangers associated with risk perception
Organisations may manage the same risks inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty
Risk managers could seek to achieve greater kudos amongst their stakeholders by focussing efforts on managing stakeholders' fears over what they perceive to be the most significant risks, rather than what actually are the significant risks
116
What are common biases?
Confirmation bias - basing decisions on what we want to believe because information confirms our existing preconceptions or beliefs
Conformity bias - the choices of a group or the majority influence how we think, even if against our own personal judgement
Authority bias - where we favour the ideas of an authority figure
Bandwagon bias - where we favour ideas already adopted by others
Anchoring bias - where we are influenced by information we already know, and have trouble moving outside that pre-existing knowledge
117
What does LILAC stand for - a risk culture model?
Leadership, involvement, learning, accountability and communication
118
What are the ABC elements of risk culture?
Risk attitude - the chosen position adopted by an individual or group towards risk, influenced by risk perception
Risk behaviour - the external observable risk related actions of individuals
Risk culture - the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose
119
How do Hopkin and Thompson define risk attitude?
The long term view of the organisation to risk defined by the 4Cs of comfort, cautious, concerned and critical
120
What is the double ‘S’ model?
Sociability - the people focus, based on how well people interact socially; vertical axis of the model
Solidarity - the task focus, based on goals and team performance; horizontal axis of the model
121
How can risk culture be measured?
Organisation-wide surveys, which can be done as a proxy if too burdensome
Interviews - a more personal approach that helps understand the reasons for a risk culture, but these need to be based on a standard set of questions. They can be especially helpful when looking to gather the views of executives or board members
Surveys - gathering a wider and more diverse understanding of culture; a mechanistic approach to a very subjective subject
122
What is the culture aspects model?
This looks at culture in eight aspects, grouped into four themes:
Tone from the top - risk leadership and dealing with bad news
Governance - accountability and transparency
Decisions - informed risk decisions and reward
Competency - risk resources and risk skills
123
What are the steps to change risk culture?
Evaluate the current risk culture
Assess the impact of the current culture
Identify areas for improvement
Plan and implement cultural change
Monitor and adapt to change
124
What are the principles of risk appetite?
Acknowledging interconnectedness - what is acceptable in one part of an organisation might not be acceptable in another
Measurability - the ability to measure risk appetite, to ensure a consistent view on what is acceptable
Variability - the need for a range of appetites for different risks
Maturity - recognition that the maturity of ERM within an organisation, both in the understanding and the effective management of risk, will influence the appetite to take risk
125
What is one of the board's responsibilities regarding risk appetite?
Determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives
126
What is the risk universe?
The range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives
127
What has risk capacity tended to be associated with?
The insurance industry where questions regarding the size of deductible or maximum size of insurance cover have been considered in relation to financial capacity
128
What is risk tolerance?
An area where risks can be tolerated for a period of time (if push comes to shove) while active risk management is undertaken to bring those risks back to an acceptable level. This is sometimes referred to as the "wiggle room" an organisation has outside its acceptable level of risk.
129
What is meant by risk appetite?
The amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives
130
Why is risk appetite not placed centrally within risk tolerance?
Because an organisation will have very little tolerance for some risks, such as health and safety or bribery, but may have more tolerance for others, such as project risks. The closer a risk is to capacity, the more effort is required to bring it back to an acceptable level.
131
What should risk impact criteria be based upon?
Risk appetite and tolerance
132
How does the UK government's risk appetite paper consider risk?
In terms of a tolerable and an optimal position:
The optimal position is the level of risk with which an organisation aims to operate
The tolerable position is the level of risk with which the organisation is willing to operate, given its constraints
133
What are the benefits of adopting risk appetite?
Reducing uncertainty
Improving consistency across governance and decision making
Focusing on priority areas
Improving resource prioritisation
134
Who has the responsibility of setting risk appetite statements?
The directors and senior management should explicitly consider their degree of appetite and tolerance regarding how they want the strategy and objectives to be achieved
135
What are the stages for developing risk appetite statements?
Identify stakeholders and their expectations
Define organisation-wide risk exposure
Establish the desired level of risk exposure
Reconcile the current and desired risk appetite and tolerances
Formalise and ratify the risk appetite statement and communicate it
136
What are the principles of risk appetite statements
They can be complex
They need to be measurable
Risk appetite is not a single, fixed concept
They should be developed in line with an organisation's risk management capability and maturity
They must take account of different views at strategic, tactical and operational levels
They must be integrated with the control culture
137
What are the elements of risk appetite as defined by the IRM working team?
Capacity - financial, infrastructure, reputation, people and knowledge
Maturity - business context, risk systems, risk management culture and risk processes
138
Why are narrative risk appetite statements used for communicating risk appetite to external audiences?
Because they ensure that sensitive information is not unnecessarily shared, while still providing information on the direction of an organisation's risk appetite in key areas or against key risks
139
What is the five-level system for risk appetite according to the UK government?
Opposed - avoidance of risk
Minimalist - preference for safe options with a low degree of inherent risk
Cautious - preference for safe options with a low degree of residual risk
Mindful / open - willing to consider all options and choose the one most likely to result in successful delivery
Enterprise - eager to be innovative and to choose options based on maximising opportunities, accepting greater uncertainty
140
What is TARP?
Triggered action response plans
141
Why do some organisations weight their risk matrices to emphasise risk impact over probability?
Because this gives HILPs (high-impact, low-probability risks) a higher position on the risk matrix than they would have if probability and impact were given equal treatment
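The effect of impact weighting described above, worked through in code. This is an added illustration and not part of the flashcard deck or any named framework; the 5x5 scale, the constructed sample risks and the weighting scheme (raising impact to a power before multiplying by probability) are all assumptions chosen to show the mechanism, not a prescribed method.

```python
"""Impact-weighted risk matrix: added example, not from the source deck.

Assumptions (not from the page): a 5x5 impact/probability scale, a
constructed three-entry risk register, and a weighting scheme that raises
impact to a chosen power so that impact dominates the score.
"""

# Constructed sample register (illustrative values, not real data).
RISKS = {
    "ransomware outage": {"impact": 5, "probability": 1},          # a HILP
    "phishing credential theft": {"impact": 3, "probability": 4},
    "laptop loss": {"impact": 2, "probability": 5},
}

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for both axes


def score(impact, probability, impact_weight=1):
    """Risk score. impact_weight=1 is the classic impact x probability;
    higher weights tilt the matrix towards impact (assumed scheme)."""
    return (impact ** impact_weight) * probability


def rank(risks, impact_weight=1):
    """Risk names ordered from highest to lowest score."""
    return sorted(
        risks,
        key=lambda name: score(impact_weight=impact_weight, **risks[name]),
        reverse=True,
    )


def matrix(impact_weight=1):
    """Every cell of the matrix as {(impact, probability): score}."""
    return {(i, p): score(i, p, impact_weight) for i in SCALE for p in SCALE}


def is_symmetric(cells):
    """True if swapping impact and probability never changes the score,
    i.e. a HILP and a low-impact, high-probability risk land on equal scores."""
    return all(cells[(i, p)] == cells[(p, i)] for (i, p) in cells)


if __name__ == "__main__":
    for w in (1, 2, 3):
        print(f"impact weight {w}: symmetric={is_symmetric(matrix(w))} "
              f"ranking={rank(RISKS, w)}")
```

With equal treatment (weight 1) the HILP ransomware scenario scores 5 and sits at the bottom of the register; weighting impact squared lifts it to second, and cubed puts it first, which is the prioritisation effect the card describes. The symmetry check makes the underlying reason visible: an unweighted matrix cannot distinguish a 5/1 risk from a 1/5 risk at all.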
142
What are the different levels of risk appetite that could be seen in an organisation?
High level - high-level risk capacity, risk appetite statements, measures and limits
Directional - key risk drivers, risk-related appetite statements, measures and limits
Specific - specific principles and policies to operationalise risk appetite
Detailed - detailed risk appetite measures and limits
143
What are the main features of the UK corporate governance code?
Leadership - every company should be headed by an effective board which is collectively responsible for the long-term success of the company
Division of responsibilities - there should be a clear division of responsibilities between the leadership of the board and the executive
Composition, succession and evaluation - the board and its committees should have a combination of skills, experience and knowledge
Audit, risk and internal control - the board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take in pursuit of its long-term strategic objectives
Remuneration - remuneration policies should be designed to support strategy and promote long-term sustainable success; executive remuneration should be aligned to company purpose and values and clearly linked to the successful delivery of the company's long-term strategy
144
How does the UK corporate governance code apply?
It only applies to companies listed on the London Stock Exchange
145
What are the advantages of a unitary board?
The board receives more detailed information and has greater involvement in the organisation, being closer to organisational strategy.
146
What are the disadvantages of a unitary board?
From an external perspective there is little distinction between management and supervision and conflicts of interest and loss of independence may develop
147
What is the advantage of a two tier board?
Although executives have more control over the appointment of NEDs, members are appointed on their expertise. There is a reduction in biased decision-making, as the CEO is prevented from serving as chair of the supervisory board.
148
What is the main disadvantage of a two tier board?
They tend to be larger than unitary boards
149
What are the three committees of the board?
Nomination - the appointment of new directors and ensuring a succession plan is in place for the board and the executive level beneath it
Remuneration - setting executive pay and ensuring the organisation can attract and retain executive directors without paying them too much
Audit - responsible for the organisation's financial reporting and for reviewing the effectiveness of internal controls and risk management. Also the conduit for whistleblowing and for following up on any issues of bad conduct
150
If an organisation appoints a further committee to oversee the effectiveness of risk management, What might they advise on?
Risk appetite generally
The effect of strategy changes and strategic transactions on risk appetite
Principal risks and their management
Emerging risks
Outcomes of stress testing and its effectiveness
Appropriateness of values, culture and the reward system
151
What is the financial reporting council?
It regulates auditors, accountants and actuaries by setting corporate governance, reporting and auditing standards, and holds those responsible for delivering them to account
152
What are the FRC responsible for?
The UK Corporate Governance Code, the related guidance on board effectiveness, and the Wates Corporate Governance Principles for large private companies
153
What are the responsibilities of a non executive director?
Provide a creative contribution to the board by providing independent oversight and constructive challenge to the executive directors
Strategic direction - provide a creative and informed contribution and act as a constructive critic in looking at the objectives and plans devised by the chief executive and the executive team
Monitor performance
Remuneration
Communication
Risk
Audit
154
What are the responsibilities of the board with regard to risk management?
Ensure the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust assessment of the principal risks
Determine the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives
Ensure that an appropriate culture and reward systems have been embedded throughout the organisation
Agree how principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact
Monitor and review the risk management and internal control systems, and management's process of monitoring and reviewing them, satisfying itself that they are functioning effectively and that corrective action is being taken where necessary
Ensure sound internal and external information and communication processes, and take responsibility for external communication on risk management and internal control
155
What is the role of internal audit?
An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations
156
What is risk assurance?
The information and analysis provided to managers and directors on the status of the risk and control environment in an organisation. It is the internal process used to create checks and balances within the governance and risk frameworks.
157
What is assurance mapping?
A means of identifying and mapping the main sources of assurance in an organisation across the four lines of defence and coordinating them to best effect
158
What are some of the downsides of the three lines of defence model?
According to BDO, the main issues are the assumptions that the lines are distinct from each other and that risk management and internal controls apply vertically and linearly. This creates a rigid approach in which silos form, causing gaps and overlaps.
Some lines also provide assurance to other lines, and the focus on defence means that opportunities may be ignored
159
What does the uk corporate governance code state regarding external auditors and the audit committee?
The audit committee must conduct a tender process and recommend to the board the appointment, reappointment or removal of the external auditors
Review and monitor the external auditor's independence and objectivity
Review the effectiveness of the external audit process
Develop and implement a policy on the engagement of the external auditor to supply non-audit services
160
Who do external auditors report to?
Primarily the shareholders or external stakeholders of an organisation
161
Where does internal assurance come from?
Culture measurement
Audit reports
Unit reports
Performance of the unit
Unit documentation
162
What is another form of internal assurance?
Self-certification or control risk self-assessment, whereby local management complete a regular (often annual) return stating the level of assurance that has been achieved in that local area
163
What is a longer term viability statement?
This is the statement in which an organisation states that it has a reasonable expectation of being able to continue in operation and meet its liabilities as they fall due over the period of assessment. This period of assessment is expected to be significantly longer than 12 months from the approval of the financial statements.
164
What does an internal control system include?
Control activities
Information and communication processes
Processes for monitoring the continuing effectiveness of the system of internal control
165
What should the system of internal control do?
Be embedded in the operations of the company and form part of its risk culture
Be capable of responding quickly to evolving risks to the business arising from factors within the company and from changes in the business environment
Include procedures for reporting immediately, to appropriate levels of management, any significant control failings or weaknesses that are identified, together with details of corrective action
166
What are the components of CoCo?
Purpose - understanding the purpose of a task
Commitment - commitment to perform the task well
Capability - support in the implementation of the task
Monitoring and learning - monitoring of the task to learn lessons and improve
167
What is CoCo?
The Criteria of Control framework, developed in 1995 as a structured means of measuring the quality of the control environment within an organisation. It is therefore another means of providing assurance on risk management and internal control.