Module 1 - Unit 2 (Risk Management Standards) Flashcards
(35 cards)
What is a risk management standard?
Risk management standard = Risk management framework + risk management process
- It’s a published guide for managing risk.
- It sets out the overall approach to the successful management of risk.
- It includes a description of the risk management process, together with a suggested framework that supports the process (Hopkin).
Examples include ISO 31000, COSO ERM cube, and COSO Internal Control Framework
What was the first ever risk management standard called, and in what year was it released?
- AS/NZS 4360
- 1995
Define ‘risk management process’.
The risk management process is the sequence of stages by which risks are managed (for ISO 31000: establishing scope, context and criteria; risk assessment; risk treatment; with communication, consultation, monitoring and review running throughout). How the process operates is driven mainly by how the framework is set up, but it is also affected by the organisation's internal and external context.
If an organisation decides to follow the structure of the IRM (2002) Risk Management Standard, list the 5 components of risk management it would have to include in its framework.
- Structure
- Responsibilities
- Administration
- Reporting
- Communication
State the first stage in the risk management process according to ISO 31000.
“Establish the scope, context, and criteria”.
Draw the risk management process for ISO31000.
See Figure 6.4 ‘RM process for ISO 31000 (2018)’ Hopkin (2018).
As part of the ISO 31000 risk management process, ‘monitoring and review’ is best thought of as which of the following:
A. An extra stage
B. A feedback loop
C. Part of an iterative process
C - because each of the stages in the process may be executed multiple times before the risk evaluation is finalised and the appropriate risk treatment agreed.
State the 5 components of the ISO 31000 risk management framework.
The 5 components are: Integration, Design, Implementation, Evaluation, Improvement.
- 'Leadership and commitment' sits at the centre of the framework, with the five components arranged around it.
- The framework is presented as a continuous improvement cycle, similar to the PIML (plan, implement, measure, learn) model.
- Its purpose is to assist with integrating risk management into all of the organisation's activities and functions.
State the 8 ISO 31000 risk management principles.
- The principles outline what must be achieved; the framework then provides information on how to achieve the required integration.
- 'Value creation and protection' is the purpose of risk management and sits at the centre of the principles (it is not itself one of the eight).
The 8 principles:
- INTEGRATED
- STRUCTURED and COMPREHENSIVE
- CUSTOMISED
- INCLUSIVE
- DYNAMIC
- Best available information
- Human and cultural factors
- Continual improvement
The first 5 principles are similar to Hopkin's PACED principles (proportionate, aligned, comprehensive, embedded, dynamic).
Draw the COSO ERM Cube.
See Figure 6.3 ‘COSO ERM Cube’ Hopkin (2018).
From COSO (2014), what are the four elements that make up the COSO ERM Business Model?
- Business planning
- Execution
- Adapting
- Monitoring
State and describe the 8 components (the risk management process) of the COSO ERM Cube.
- INTERNAL ENVIRONMENT
• Encompasses the tone of the organisation and sets the basis for how risk is viewed and addressed.
- OBJECTIVE SETTING
• Objectives must exist before management can identify potential events affecting their achievement.
- EVENT IDENTIFICATION
• Internal and external events affecting the achievement of objectives must be identified, distinguishing between risks and opportunities.
- RISK ASSESSMENT
• Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed.
- RISK RESPONSE
• Management selects risk responses: avoiding, accepting, reducing, or sharing risk.
- CONTROL ACTIVITIES
• Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- INFORMATION AND COMMUNICATION
• Relevant information is identified, captured and communicated so that people can fulfil their responsibilities.
• Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- MONITORING
• The entirety of ERM is monitored and modifications are made where necessary.
State the four categories of organisational objectives of the COSO ERM Cube.
SORC
- Strategic
- Operations
- Reporting
- Compliance
State the four organisational levels (the third dimension of the COSO ERM Cube) at which the standard is implemented.
- Entity-level
- Division
- Business Units
- Subsidiary
COSO issued revised guidance in 2017, ‘Integrating with strategy and performance’, state the 5 components of the double helix.
- Governance & Culture
- Strategy & Objective Setting
- Performance
- Review & Revision
- Information Communication & Reporting
Draw a diagram which shows the relationship between the risk management context, risk management process, and the organisation’s context.
See Figure 7.1 ‘Three components of context’ Hopkin (2018).
Define the following terms:
(i) Risk Management Framework
(ii) Risk strategy
(iii) Risk architecture
(iv) Risk protocols
(i) The risk management framework is the wider risk management context within which the risk strategy, risk architecture and risk protocols sit; together these drive the risk management process.
(ii) Risk strategy is set out in the risk management policy statement: strategy, appetite, attitudes, and philosophy.
(iii) Risk architecture sets out the lines of communication for reporting on risk management issues and events, and roles and responsibilities are defined.
(iv) Risk protocols are defined in the risk guidelines of the organisation, and include the rules and procedures, as well as the risk management methodologies, tools, and techniques that should be used.
Explain what is meant by the 'risk architecture' of an organisation, and contrast the risk architecture with the 'risk protocols'.
Risk architecture:
•Risk architecture sets out the lines of communication for reporting on risk management issues and events, and roles and responsibilities are defined.
• An illustrative example could be an organisation chart that shows the committee structures relating to risk reporting and accountabilities, or a risk committee’s terms of reference.
• It is vital that the risk architecture reinforces the fact that responsibility for managing risks remains with the owner for that risk.
• It describes who does what in relation to risk management and how the reporting structure works.
Risk protocols:
• Risk protocols are defined in the risk guidelines of the organisation, and include the rules and procedures, as well as the risk management methodologies, tools, and techniques that should be used.
• Risk management guidelines normally refer to the standards that should be achieved. These procedures provide direction for directors, managers, and staff within the company.
• They are vital for the delivery of the business's risk management process and ensure that risk management is undertaken in a consistent and controlled way.
• For example, the risk register forms part of the risk protocols.
Therefore, the two are distinct (architecture describes who reports to whom and who is responsible; protocols describe the rules, procedures and tools used), yet both are part of the wider risk management framework.
List the components of the risk architecture, strategy, and protocols (RASP) which make up the risk management framework.
Risk Architecture:
• Committee structure and terms of reference
• Roles and responsibilities
• Internal reporting requirements
• External reporting controls
• RM assurance arrangements
Risk Strategy:
• RM statement/policy
• RM philosophy
• Arrangements for embedding RM
• Risk appetite and attitude to risk
• Benchmark tests for significance
• Risk assessment techniques
• Risk priorities for the present year
Risk Protocols:
• Tools and techniques
• Risk classification system
• Risk assessment procedures
• Risk control rules and procedures
• Responding to incidents, issues and events
• Documentation and record keeping
• Training and communication
• Audit procedures and protocols
• Reporting/disclosures/certification
Identify which category of RASP a risk management information system would best be placed.
Risk protocols
In setting up the ‘risk architecture’, the board are considering whether the audit committee should report to the risk committee, or whether the risk committee should report to the audit committee.
State which of these two options is most preferable.
The risk management committee should report to the audit committee.
Correct the following statement:
“The organisation’s risk priorities for the present year form part of the protocols for the risk management framework.”
'Protocols' should read 'strategy': risk priorities for the present year are a component of the risk strategy, not the risk protocols.
Define what is meant by a ‘risk register’.
A risk register is a document used to record the results of the risk management process for each identified risk (the risk, its assessment, and the agreed controls or treatment).
Explain why there is always a danger that the risk register could become a static document.
- A static risk register quickly becomes out of date: it is a photo snapshot of the risks at a particular point in time, rather than a movie of how they change.
- The register therefore needs to be updated and monitored continuously, so that it always records the latest true status of the risks facing the business.