Miscellaneous Flashcards

(48 cards)

1
Q

3 objectives of the Prudential Regulation Authority (PRA)

Securing
Promote
Facilitating

A
  • Securing an appropriate degree of protection for existing and potential future policyholders
  • Promote the financial safety and soundness of the firms it regulates
  • Facilitating effective competition
2
Q

PRA Rulebook includes re. risk-man: (5)
Risk
Risk
Role
Other
Management

A
  • Risk control in general
  • Risk reporting to external stakeholders
  • Role of auditors and audit committees
  • Other roles and responsibilities for risk-man, including the Board
  • Management of specific types of risk, such as market, credit and operational risk
3
Q

The PRA supervises organisations to ensure they comply with its rulebook. This supervision includes: (4)

Demanding
Reviewing
Visits
Enforcement

A
  • Demanding detailed financial and risk-man reports
  • Reviewing risk-man policies and other documents
  • Visits to talk with board members, senior managers, risk-man and audit professionals
  • Enforcement action, including fines, where necessary
4
Q

Overarching aim of the FCA

Ensure

A

Ensure that financial markets operate honestly and fairly so that all stakeholders, especially consumers, get a fair deal

5
Q

3 objectives of the FCA

Consumer
Protecting
Promoting

A
  • Consumer protection
  • Protecting integrity of financial markets from misconduct (such as insider trading)
  • Promoting competition in financial markets to ensure customers get a fair deal
6
Q

FCA policy and supervisory activities cover many risk-man activities, including: (5)

R
M
C
W
D

A
  • Roles and responsibilities for risk-man, especially in relation to management of conduct-related risk
  • Management of fin. crime risks, including money laundering and terrorist financing
  • Compliance management
  • Whistleblowing
  • Disclosing risks associated with fin. products and investments
7
Q

In addition to regulatory, inspection and enforcement powers, HSE has a wide range of …………………….??, designed to help improve H&S management practices.
Topics include: (6)

WODWPD

A

Guidance documents

  • Workplace stress
  • Occupational diseases
  • Dealing with asbestos
  • Working at heights
  • Preventing slips, trips and falls
  • Dealing with noise, vibration, gas and electricity
8
Q

HSE issues industry-specific guidance on sectors such as: (4)
NTFC

A
  • Nuclear power
  • Tree work
  • Food
  • Cleaning
9
Q

Org activities can cause a range of environmental problems, including: (6)

PREGGD

A
  • Pollution of air, water or earth
  • Resource shortages
  • Excessive noise
  • Generation of greenhouse gases
  • Geological problems
  • Destruction of natural habitats
10
Q

4 methods (of more) to manage credit, liquidity, market risk

A
  • Statistical models
  • Stress testing and scenario analysis
  • Risk appetite and limits
  • Qualitative assessments
11
Q

3 types included within operational risk

A

Legal Risk

Regulatory-compliance risk

Data-quality risk

12
Q

4 major categories of market risk

A
  • Equity risk
  • Interest-rate risk
  • Foreign exchange risk
  • Commodity price risk
13
Q

3 common cognitive biases that affect subjectivity of risk perception

A

Group-think bias - individual decision-makers strive for group consensus

Status quo bias - favours preservation of current state

Myopia bias - increased focus on smaller and less impactful risks at expense of more strategic and more impactful risks

14
Q

6 common risk perceptions

CCFDMR

A

Choice

Control

Familiarity

Distant risks

Media

Randomness

15
Q

3 key aspects of risk-man’s role in an org

A
  • Reducing uncertainty
  • Anticipation and resilience
  • Supporting the internal control environment
16
Q

3 ways in which orgs may invest in resilience (names of types)

A
  • Effective crisis management
  • Business continuity management
  • Organisational learning
17
Q

Other than through regular risk-man activities, 3 specialist internal control management tools that can be used to strengthen internal control

A
  • Risk-based compliance reviews
  • Internal audits
  • External audits
18
Q

5 new processes and behaviours boards are incorporating into more significant role in linking risks to strategy:

Challenging
Hiring
Encouraging
Connecting
Seeking

A
  • Challenging management on key risk-appetite assumptions and definitions
  • Hiring independent external advisors to evaluate risks of sizeable acquisitions
  • Encouraging management to discuss risks in relation to strategy
  • Connecting internal audit function to strategic planning and risk-man functions
  • Seeking more comprehensive assurances on how non-financial risks are monitored, inc. quantification
19
Q

4 barriers holding orgs back from strategic risk-taking:

Lack
Lack
Failure
Corporate

A

Lack of risk prioritisation - higher priority placed on day-to-day risks at expense of missing the bigger pictures

Lack of designated risk manager to stay on top of emerging trends and navigate strategic risk-taking ideas

Failure to perform adequate due diligence - management and board uncomfortable to take strategic risks due to improperly conducted risk/benefit analysis

Corporate culture - management does not support strategic risk-taking

20
Q

Common definition of ERM

A

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

21
Q

5 org wide benefits of ERM

Avoidance
Improved
Improved
Improved
Improved

A
  • Avoidance of silos (to recognise gaps and overlaps in risk profile)
  • Improved reporting to support strategic decision-making (through holistic understanding)
  • Improved operational efficiency and cost effectiveness (through better coordination and less duplication)
  • Improved profitability and equity value (through improved efficiency and cost effectiveness, and reduction in risk events)
  • Improved ability to achieve other business objectives (as more time to focus on them)
22
Q

3 benefits of ERM to local business unit or department

Consistent
Effective
Spreading

A
  • Consistent decision-making (eg. not having other departments push a risk you are mitigating, as everyone is on the same page re. risk)
  • Effective resource allocation for risk-man (allocation of funds on risk-exposure basis)
  • Spreading risk ownership, allowing management of risks by local experts (therefore, avoiding pitfalls of managing everything from central risk function)
23
Q

An effective ERM process should include the following in addition to the core elements of standard risk-man process: (6)

EREREB

A
  • ERM policies and procedures
  • Risk appetite
  • Enterprise risk reporting
  • Risk and audit committees
  • Escalation and whistleblowing
  • Business continuity management
24
Q

Compliance-management frameworks are necessary to ensure: (3)
‘compliance with…’

COMPONENTS OF EFFECTIVE COMP-MAN FRAMEWORK

A

compliance with an organisation’s internal policies and procedures

compliance with applicable laws and regulations (such as health-and-safety or environmental regulations)

compliance with standards, guidelines and codes of conduct that the organisation has chosen to comply with, such as ISO 31000.

25
Q

Comp-man policy should contain: (4)

Links
Expected
Reporting
Roles

A
  • Links to comp-man procedures
  • Expected standards and principles
  • Reporting and escalation arrangements
  • Roles and responsibilities
26
Q

Comp-man procedures may relate to: (6)

Testing
Reporting
Investigating
Procedures
Dealing
Disciplinary

A
  • Testing effectiveness of controls
  • Reporting and escalation
  • Investigating unauthorised non-compliance
  • Procedures for allowing non-compliance on cost-benefit grounds
  • Dealing with regulatory enquiries
  • Disciplinary procedures for unauthorised non-compliance
27
Q

To support effective governance and compliance, the implementation of risk-management policies and procedures requires the following: (7)

Board
Regular
An explanation
Clear
Communication
Sanctions
The organisation's

A
  • Board and senior management support
  • Regular reviews and updates
  • An explanation of why they are needed
  • Clear and unambiguous roles and responsibilities
  • Communication and training
  • Sanctions for non-compliance
  • The organisation’s risk-management principles in a risk-management policy
28
Q

Three processes and controls required to ensure agreed compliance standards are enforced

A
  • Comp-man policies and procedures
  • Compliance reporting and escalation processes
  • Compliance training and communication
Q

How might the adverse effects of a crisis event be limited? (4)

Communication
Working
Implementing
Business

A
  • Communication with stakeholders
  • Working with emergency services
  • Implementing a public-relations plan
  • Business continuity plans
30
Q

5 stages in control of a crisis event:

S P C B L

A
  • Signal detection - looking for early warning signs
  • Preparation and prevention - preparing for occurrence, or prevention through controlling causes
  • Containment and damage control - limiting adverse effects of event
  • Business recovery - recovery arrangements can reduce time taken to recover from crisis
  • Learning from the crisis - if org recovers, imperative that lessons are learnt to help in future
31
Q

Which two stages of crisis event control will business continuity planning support?

C B

A
  • Containment and damage control
  • Business recovery
32
Q

Business continuity plans: (4)

A
  • Most commonly produced for specific functions, systems or premises (but can be for whole org)
  • Outline actions to be taken to minimise disruption and recover quickly from crisis event
  • Explain roles and responsibilities of key individuals in plan
  • Should be tested, usually annually - either desk-based review or an artificial 'live' test
33
Q

3 roles of risk appetite

S S S

A
  • Support risk-man decisions
  • Support strategic decision-making
  • Support risk, governance and internal control activities
34
Q

2 common approaches with which risk appetite can be expressed

A
  • Probability and impact boundaries (exposure)
  • Targets, limits and thresholds
35
Q

Non-metric expressions of risk appetite: (3)

A
  • Statement of values
  • Risk-man policy
  • Formal risk-appetite statement
36
Q

6 methods (or groups of methods) that can be used to identify risks:

F P L A C E

A
  • Focus groups and surveys
  • Physical inspections
  • Loss event and near-miss investigations
  • Analytical approaches
  • Checklists
  • Expert judgement
37
Q

3 tools to assess/identify emerging risks

A
  • PEST analysis (external)
  • SWOT analysis (internal)
  • World Economic Forum Global Risk Report
38
Q

3 main categories of risk assessment techniques

A
  • Qualitative risk assessment
  • Quantitative risk assessment
  • Hybrid approaches
39
Q

2 hybrid approaches to risk assessment

A

Stress testing and scenario analysis
40
Q

5 risk reporting tools

H L R R N

A
  • Heat maps
  • Loss and near-miss databases
  • Risk, control and performance indicators
  • Risk dashboards and balanced scorecards
  • Narrative reporting
41
Q

4 key factors to consider when designing and implementing risk reports (and very briefly, why)

Audience
Size
Degree
Reporting

A
  • Audience and its requirements - generally, less info for more senior audiences
  • Size of report and level of detail - more data is not always better, as it can become nonsensical
  • Degree of statistical complexity - don't make it too complex to understand
  • Reporting frequency - depends on frequency at which risk exposures change
42
Q

5 areas into which information assurance is broken down: (with brief description)

CLUE: IAANC

A
  • Integrity - information assets are accurate and complete
  • Availability - info assets are available when needed
  • Authenticity - info assets are genuine and sources are valid
  • Non-repudiation - transactions and communications of info assets are valid and undeniable
  • Confidentiality - only those who have right to access info assets can access them
43
Q

3 cyber risk factors/areas (other than re. information assurance) and an example loss event for each

RRP

A
  • Reputation - employee using social media in an embarrassing or litigious manner
  • Recruitment - prejudging suitability of potential new recruits based on social media
  • Productivity of operations - network failures
44
Q

5 types of controls for cyber risk-man: (with brief description)

TPPPL

A
  • Technical controls - system-based safeguards such as malware protection, firewalls
  • Physical controls - physical prevention of unauthorised access
  • Procedural controls - acceptable-use policies, effective risk assessments and auditing
  • People controls - effective recruitment practices and training
  • Legal controls - ensuring compliance with legislation, including data protection
45
Q

9 tools which can support comp-man activities of an org:

CCCCCGWHEG

A
  • Comp policies and procedures
  • Comp codes of conduct
  • Comp reviews and audits
  • Comp impact analysis
  • Comp reporting
  • Whistleblowing procedures
  • HR related controls
  • Establishing an appropriate compliance culture
  • Gap analysis and action planning
46
Q

2 ways in which comp-man and risk-man are linked

A
  • In many countries/sectors there are laws and regs that relate to the practice of risk-man in orgs (which need to be complied with)
  • Due to laws and regs, there is a risk of sanctions for non-compliance (compliance risk); risk-man tools and techniques manage this risk
47
Q

10 emerging risk trends

CCCCPPBARS

A
  • Convergence between tangible and intangible risk
  • Crime, including financial
  • Corporate gifts
  • Climate change risks
  • Political risk
  • People/behavioural risks
  • Bribery and corruption
  • Asymmetric risk
  • Resilience to mitigate reputation losses of emerging risks
  • Shareholder activism
48
Q

Simons' 4 levers of control for risk culture (and brief description)

B I B D

A
  • Belief systems - used to inspire employees and direct the search for new opportunities
  • Interactive systems - used to stimulate organisational learning and the emergence of new ideas and strategies
  • Boundary systems - used to set limits on risk-taking behaviours
  • Diagnostic systems - used to motivate, monitor and reward behaviours and the achievement of organisational outcomes