Module 1 Flashcards

Principles of Risk and Risk Management ERM - (39 cards)

1
Q

ISO 31000 (2018) definition of risk

A

The effect of UNCERTAINTY on objectives. The effect is a deviation from the expected. Positive or negative or both.

2
Q

IRM definition of risk

A

Risk is the COMBINATION of the probability of an event and its CONSEQUENCE. The consequence can range from positive to negative.

3
Q

Four categories of risk

A

Hazard - Negative
Opportunity - Positive
Control - Uncertainty
Compliance - Mandatory

4
Q

ISO 31000 risk management definition

A

COORDINATED activities to direct and control an organisation with regard to risk

5
Q

Aspect of ERM approach

A

1. Risk in the context of business strategy
2. Risk portfolio development
3. Risk interconnectivities
4. Focus on critical risks
5. Risk is entity wide
6. Identifying and defining risk responsibilities
7. Monitoring and measuring risk
8. Risk is embedded into everyone's responsibility

6
Q

Aspects of traditional RM approach

A

1. Focus on risk identification and analysis
2. Risks are individual hazards
3. Focus on all risks managed in separate areas
4. Risk mitigation
5. Risks with no owners
6. Risk is insurance
7. Risk is not my responsibility

7
Q

COSO ERM Framework (2017) defines ERM as

A

The CULTURE, CAPABILITIES AND PRACTICES integrated with strategy-setting and its execution that orgs rely on to manage risk in creating, preserving and realising value.

8
Q

IRM risk management definition

A

Process which aims to help orgs understand, evaluate and take action on their risks with the view of increasing PROBABILITY of success and reducing the LIKELIHOOD of failure

9
Q

HM treasury risk management definition

A

The co-ordinated activities designed and operated to manage risk and exercise INTERNAL CONTROL within an org

10
Q

Features of an ERM approach

A

1. Encompasses all areas of org exposure to risk
2. Prioritises and manages exposures as an interrelated risk portfolio rather than in silos
3. Evaluates the risk portfolio in the context of all significant internal and external contexts, systems, circumstances and stakeholders
4. Recognises individual risks across the org are interrelated and can create a combined exposure that differs from the sum of the individual risks
5. Provides a structured approach to RM regardless of whether risks are qualitative or quantitative in nature
6. Seeks to embed RM as a component of all critical decisions throughout the ORG
7. Provides the means for the ORG to identify the risks it is willing to take in order to achieve strategic objectives
8. CONSTRUCTS MEANS OF COMMUNICATING on risk issues so there is a common understanding of the risks faced by the org and their importance
9. SUPPORTS ACTIVITIES OF INTERNAL AUDIT by providing a structure for the provision of assurance to the board and audit committee
10. Views the effective management of risk as a COMPETITIVE ADVANTAGE that contributes to the achievement of business and strategic objectives

11
Q

Orange book definition of ERM

A

The co-ordinated activities designed and operated to manage risk and exercise internal control within an org

12
Q

IIA definition of ERM

A

A RIGOROUS and co-ordinated approach to assessing and responding to all risks that affect the achievement of an org's strategic and financial objectives

13
Q

RIMS definition of ERM

A

ERM is a strategic business discipline that supports the achievement of the org's objectives by addressing the FULL SPECTRUM of its risks and managing the combined impact of those as an interrelated risk portfolio

14
Q

Benefits of ERM

A

Financial
1. increased PROFIT
2. improved FINANCIAL REPORTING
3. enhanced CORPORATE GOVERNANCE
4. REDUCED COST of funding and capital
5. better control of CAPEX approvals

Infrastructure
1. Improved STAFF and SUPPLIER morale
2. targeted risk and COST REDUCTION
3. efficiency and COMPETITIVE advantage
4. RESILIENCE

Reputational
1. REGULATORS satisfied
2. Improved utilisation of company BRAND
3. Enhanced SHAREHOLDER value
4. Good reputation and publicity
5. Improved perception of org

Marketplace
1. COMMERCIAL opportunities maximised
2. better MARKETPLACE presence
3. increased CUSTOMER SPEND and satisfaction
4. Higher rate of business successes
5. Low rate of business disasters

15
Q

SCOPE of ISO 31000

A

1. Provides guidelines on managing risks
2. Follows a common approach
3. Covers the entire lifecycle of org RM
4. Applied at all levels and functions
5. Decision making

16
Q

ISO Principles

A

INTEGRATED
Risk management is an integral part of all org activities
STRUCTURED AND COMPREHENSIVE
This contributes to consistent and comparable results
CUSTOMISED
The RM framework and processes are customised and proportionate to the org's external and internal context related to its objectives
INCLUSIVE
Appropriate and timely involvement of stakeholders enables their knowledge and views to be considered. Improves awareness and informed RM.
DYNAMIC
RM anticipates, detects, acknowledges and responds to changes and events in an appropriate and timely manner
BEST AVAILABLE INFO
Risk management explicitly takes into account any limitations and uncertainties associated with information and expectations.
HUMAN AND CULTURAL FACTORS
Human behaviour and culture significantly influence all aspects of RM at each level and stage
CONTINUAL IMPROVEMENT
RM is continually improved through learning and experience.

17
Q

ISO 31000 RM Framework

A

Centre - Leadership and commitment
Design DO
Implementation I
Evaluation EVER
Improvement Inhale
Integration Ice cream

18
Q

RM History

A

1500: Religious belief, fate and superstition – evolutionary theory. 
1500 – 1900: A decline of the above by educational enlightenment in risk. 
1900 – 1970: Development of specialist risk professions. 
1970 – 95: Risk management specialism moves towards generalism. 
1995 – date: The maturing risk profession. 
1995 – 2004: The introduction of risk management standards. 
2004 – 2018: International frameworks and standards developed and updated, such as COSO ERM Frameworks and ISO 31000.
2010 - date: Prominence of climate change and ESG rises – CSR, sustainability and resilience become core risk management conversations.

19
Q

Chapman (2011) Benefits of ERM - Strategy, Governance, Operational performance and People

A

STRATEGY
Build confidence in stakeholders and the investment community
Align risk appetite and strategy
Link growth, risk and return
GOVERNANCE
Comply with relevant legal and regulatory requirements
Enhance corporate governance
Embed the risk process throughout the org
Rationalise capital
ORGANISATIONAL PERFORMANCE
Increased likelihood of realising business objectives
Increased organisational resilience
Embed the RM process throughout the org
Minimise operational surprises and losses
Enhance risk response decisions
Identify and manage cross-enterprise risks
PEOPLE
Optimise allocation of resources
Improve org learning

20
Q

Why risk informed decision making matters (2019)

A

States that risk-informed strategy should be a priority,
with the C-suite expecting ERM to play an increased role in setting and implementing the org's strategy

21
Q

UK’s corporate governance institute (CGI) defines governance as

A

The system of RULES, PRACTICES AND PROCESSES by which a company is directed and controlled

EY board priorities 2022 - considers boards should focus attention on the fast-evolving business environment at the same time as monitoring emerging risks, rather than limiting their audit focus to financial reporting

22
Q

Why understanding risk is important - STOC

A

STRATEGY
Risk associated with strategic options is better analysed = better decision making

TACTICS
Consideration is given to the selection of tactics and the associated risks involved, and available alternatives are evaluated

OPERATIONS
Events which cause disruption will be identified in advance and action taken to reduce the likelihood of occurrence and the damage

COMPLIANCE
Risks associated with failure to achieve compliance will be addressed

23
Q

Specialist areas of RM

A

project
medical/clinical
energy rm
financial
IT
information security
business continuity
H&S
DR planning

24
Q

4 T’s of Hazard risks

A

Tolerate
Treat
Transfer
Terminate

25
Q

Five E's of opportunity management

A

Explore
(Exit) or Expand
Exploit
Exist

26
Q

SATARLA (2022)

A

Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report

27
Q

Risk management specialisms

A

1. Sarbanes-Oxley law
2. Occupational Safety and Health Act (1970)
3. International BASEL accord (2021) (banking)
4. European Union SOLVENCY II regulations (insurance)
5. H&S - first legislation 1800s, Factories Act 1833, but H&S at Work Act 1974
6. RIDDOR - construction, working from height, injuries, diseases, dangerous occurrence regulations
7. COSHH - Control of Asbestos and Control of Substances Hazardous to Health regulations

Basel Committee on Banking Supervision (2021) define operational risk as the "risk of loss resulting from inadequate or failed internal processes, people and systems or from external events"

28
Q

Project RM

A

IPMA - 1965
PMI - 1969
APM - 1972

Projects have an element of uniqueness
Projects are temporary
Projects are focused - delivering a change
Projects have elements of complexity
Projects are reliant on 3rd parties
Projects are based on assumptions

29
Q

ISO 31000 (2018) Principles

A

1. Framework and processes should be customised and proportionate
2. Appropriate and timely involvement of STAKEHOLDERS is necessary
3. A structured and comprehensive approach is required
4. RM is an INTEGRAL part of all org activities
5. RM should ANTICIPATE, DETECT, ACKNOWLEDGE AND RESPOND to change
6. RM considers limitations of available information
7. Human and cultural factors influence all aspects of RM
8. RM is continually improved through learning and improvement

30
Q

ISO 31000 (2018) Risk management process

A

Scope, context, criteria
Risk assessment: risk ID, risk analysis, risk evaluation
Risk treatment
Recording and reporting
Communication and consultation
Monitor and review

31
Q

ISO 31000 2018 - Framework

A

Leadership and commitment (centre)
Design
Implementation
Evaluation
Improvement
Integration

32
Q

COSO ERM Framework (the cube, 2004)

A

ERM is a multidirectional, iterative process where any component can and does influence all other components. To implement ERM the org must apply all of the components on the front of the cube in relation to the four categories of objectives across the top, in all parts of the org (side of the cube).

Front face is the risk management process (8 items); top face describes the four categories of org objectives; side face shows the implementation process of the standard. Begins at entity level and is cascaded downwards across the org.

Updated in 2017; despite this the cube remains important and influential as it provides a framework for risk management and internal control systems.

Front of cube (all principles):
1. Internal environment
2. Objective setting
3. Event ID
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring

Top:
1. Strategic
2. Operations
3. Reporting
4. Compliance

Side:
1. Subsidiary
2. Business unit
3. Division
4. Entity level

33
Q

COSO (2017) Rainbow Double helix

A

Guidance on how ERM can be integrated with STRATEGY AND PERFORMANCE. An update from the cube to reflect the changing complexity of risks and the evolving business environment; in particular it emphasises that ORGS who INTEGRATE ERM throughout the entity can realise more benefits, and emphasises the positive contribution ERM can make to performance.

COSO 2017 recognises that ERM is not just about managing risks to objectives, but understanding the implications of the strategy and the possibility that the strategy does not align.

Core of framework - ENHANCING performance in line with the org's mission, vision and core values. Embedded in this strategic planning are 5 components supported by 20 principles; adherence to these manageable principles will ensure orgs understand and strive to manage risks related to their strategy and business objectives. The framework is designed to meet the needs of executive management and the board with a principles-based approach that integrates with strategy and performance.

1. Mission, vision and core values
2. Strategy development
3. Business objective formulation
4. Implementation and performance
5. Enhanced value

34
Q

COSO 2017 principles organised into 5 interrelated components

A

1. Governance and culture - CULTURE, TONE, GOVERNANCE, VALUES
Governance sets the org's tone, reinforcing and establishing oversight responsibilities for ERM. Culture pertains to ethical values, desired behaviours and understanding of risk in the entity.

2. Strategy and objective setting - STRATEGY, APPETITE, BUSINESS OBJECTIVES
ERM, strategy and objective setting work together in the strategic planning process. Risk appetite is established and aligned with strategy. Business objectives put strategy into practice whilst serving as a basis for identifying, addressing and responding to risk.

3. Performance - ID RISK, PRIORITISE, SEVERITY, RISK RESPONSES, PORTFOLIO VIEW
Risks that may impact the strategy and business objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation selects risk responses and takes a portfolio view of the amount of risk it has assumed. Results of this process are reported to key risk stakeholders.

4. Review and revision - ASSESS SUBSTANTIAL CHANGE, REVIEWS RISK & PERFORMANCE, IMPROVE ERM
By reviewing entity performance an organisation can consider how well the ERM components are functioning over time and what revisions are needed.

5. Information, communication and reporting - INFO & TECH, COMMUNICATES RISK INFO, REPORTS on risk, culture and performance
ERM requires a continual process of obtaining and sharing necessary information from both internal and external sources, which flows up, down and across the org.

35
Q

Specialist function standards

A

Banking - Basel III
Insurance - Solvency II
Health and safety - ISO 45000 family / Occupational health & safety
Legal - ISO 31022 / RM guidelines for legal risk
Business continuity - ISO 22301
Projects - APM / PRAM
COBIT - information risk technology

36
Q

Three distinct approaches followed in standards

A

Risk management approach - ISO 31000
Internal control approach - COSO internal control framework and FRC guidance
Risk aware culture - CoCo framework by the Canadian Institute of Chartered Accountants

37
Q

Orange book 2023

A

Designed for governance and public sector guidance. Provides insight into RM in general; looks at the main principles to adopt rather than detailed processes and procedures. It's the what and the why, not the how.

5 main principles:
Governance and leadership
Integration
Collaboration and best information
Risk management processes
Continual improvement

38
Q

COSO 2017 5 components supported by 20 principles

A

Governance and culture
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops and retains capable individuals

Strategy and objective setting
6. Analyses business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives

Performance
10. Identifies risk
11. Assesses severity of risk
12. Prioritises risk
13. Implements risk responses
14. Develops portfolio view

Review and revision
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in ERM

Information, communication and reporting
18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture and performance

39
Q

COSO recognised trends which will affect ERM in future

A

Dealing with the proliferation of data
Leveraging artificial intelligence and automation
Managing the cost of risk management
Building stronger organisations