Module 2 & 3 Flashcards

Key Concepts in Risk Management (36 cards)

1
Q

ISO 31000 principles

A
  1. Framework and process should be customised and proportionate
  2. Appropriate and timely stakeholder involvement
  3. Structured and comprehensive approach is required
  4. RM is an INTEGRAL part of all org activities
  5. Risk management anticipates, detects and responds to changes
  6. RM considers all limitations of available information
  7. Human and cultural factors influence all aspects of RM
  8. RM is continuously improved through learning and experience
2
Q

COSO (2017) Principles

A
  1. Governance and culture
    Exercises board oversight
    Establishes operating structures
    Defines desired culture
    Demonstrates commitment to core values
    Attracts, develops and retains capable individuals
  2. Strategy and objective setting
    Analyses business context
    Defines risk appetite
    Evaluates alternative strategies
    Formulates business objectives
  3. Performance
    Identifies risk
    Assesses severity of risks
    Prioritises risks
    Responds to risk
    Implements risk responses
    Develops portfolio view
  4. Review and revision
    Assesses substantial change
    Reviews risk and performance
    Pursues improvement in ERM
  5. Information, communication and reporting
    Leverages information systems
    Communicates risk
    Reports on risk culture and performance
3
Q

COSO (2017 double helix) Principles which apply to the simple RM process

A
  1. Define context and objectives
    Analyses business context
    Evaluates alternative strategies
    Formulates business objectives
    (all part of strategy and objective setting)
  2. Assess risk
    Identifies risk
    Assesses the severity of risk
    Prioritises risk
  3. Manage risks
    Implements risk responses
  4. Monitor, review, report
    Assesses substantial change
    Reviews risk and performance
    Communicates risk information
    Reports on risk culture and performance
4
Q

Orange book principles (2023)

A

A. Governance and leadership
B. Integration
C. Collaboration and best information
D. RM process
E. Continuous improvement

The main principles should help each government org operate in accordance with the UK corporate governance code.

5
Q

Attributes of effective RM (PACED)

PROPORTIONATE - Structured
ALIGNED - Integrated
COMPREHENSIVE - Consistency, context
EMBEDDED - culture, attitude, maturity
DYNAMIC - risk information; the process does not finish with the risk register

A

Proportionate
Structured approach, customised and tailored to suit the org and the activity being undertaken. Consistency in the overall process and the language used, for a common understanding of the risk management process, risks, controls and actions to manage them.

Aligned
The process is INTEGRATED with the org's other activities so business can continue as usual, with ERM as a touchpoint into those activities and an escalation route to allow effective management of risks and reporting.

Comprehensive
The process encourages CONSISTENCY in the risk management process, and consideration of risks and controls across the organisation and outside of it. This allows effective oversight and understanding of the overall risk profile and improves the understanding of existing, new and emerging risks from both the internal and external context of the organisation, so considering what is going on in the world around them.

Embedded – the ERM framework and process encourage a change in risk attitudes, behaviour and culture, to help progress the risk management maturity and awareness of its value to the organisation.

Dynamic – the process does not finish with the completion of the risk register. Although it is important to collate the risk information, this is only ‘risk register writing’, it is not risk management. The energy needs to keep flowing through the process, and effort needs to be invested in how to keep the process alive for the organisation so that it can continue to support decision making and add value.

6
Q

Risk management framework AKA RASP

A

Risk architecture (committee structure, budget, roles and responsibilities, reporting requirements)

Described as the RM organisation and arrangements of the org.
STRUCTURE of the RM process aligned to the structure of the org.

Components:
committee structure and TOR
roles and responsibilities
internal reporting requirements
external reporting controls
risk management assurance arrangements
budget and agreement on resources

Risk strategy

Risk protocols

7
Q

Agency theory

A

The Corporate Finance Institute defines ‘Agency Theory’ as “the concept used to explain the important relationships between principals and their relative agent. In the most basic sense, the principal is someone who heavily relies on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes”.

8
Q

Organisation/governance structure

A

Centralised - corporate structure with the strategy and operations directed by a head office or other CENTRAL team
Decentralised - management responsibility is delegated to unit or divisional managers with little direction from the centre
Hybrid - discretion in the design and operation of the subsidiary entities is allowed in certain areas, but in others (brand management, H&S, banking) the corporate approach must be adopted

9
Q

Risk management responsibilities - CEO/Board/execs

A

Determine STRATEGIC APPROACH to risk
establish STRUCTURE for RM
understand most SIGNIFICANT risks
Consider implications of poor decisions
Manage organisation in crisis

10
Q

The location manager - heads of department / middle manager

A

BUILD risk aware CULTURE within the location
agree RM targets for the location
EVALUATE reports from employees on RM
ensure implementation of risk improvement
identify and report changed circumstances/risks

11
Q

individual employees

A

understand, accept and implement RM processes
report inefficient, unnecessary or unworkable controls
report loss events and near miss incidents
co-operate with management on incident investigations
ensure visitors and contractors comply with procedures

12
Q

2nd line of defence -role of the risk manager

A

Develop the risk management policy and keep up to date
facilitate a risk aware culture within the organisation
establish internal risk policies and structures
coordinate risk management activities
compile risk information and prepare reports for the board

13
Q

Specialist risk management functions, e.g. H&S or specialist support (2nd line of defence)

A

assist the company in establishing specialist risk policies, e.g. business continuity, H&S
develop specialist contingency or recovery plans
keep up to date with information in specialist area
support investigations of incidents and near misses
prepare detailed reports on specialist areas

14
Q

internal audit manager (3rd line of defence) QSA?

A

develop a risk based internal audit programme
audit the risk processes across the programme
provide assurance on the management of risk
support and help develop the risk management processes
report on the efficiency and effectiveness of internal controls

15
Q

Orange book principles

A

A. RM should be an essential part of GOVERNANCE AND LEADERSHIP and fundamental to how the org is directed, managed and controlled at all levels

B. RM shall be an INTEGRAL part of all org activities to support decision making

C. RM shall be collaborative and informed by the BEST AVAILABLE INFO and expertise

D. Risk management processes shall be structured to include:
  a. risk ID and assessment
  b. the selection, design and implementation of risk treatment options
  c. the design and operation of integrated, insightful and informative risk monitoring
  d. timely, accurate and useful risk reporting

E. RM shall be continually improved through learning and experience

16
Q

Risk management strategy

A

risk management philosophy
arrangements for embedding RM
risk attitude and appetite
benchmark tests for significance
specific statement / policies
risk assessment techniques
risk priorities

17
Q

risk management policy

A

Includes the risk strategy.
Outlines the philosophy of RM for the org, states who should be responsible for it and commits to providing the resources necessary to manage risk to an acceptable level.
The policy is typically approved and owned by the board or a risk committee of the board.

18
Q

risk appetite

A

The amount of risk an org is willing to seek or accept in the pursuit of long term objectives

the ACCEPTABLE level for the risk where no further action is required other than monitoring and reviewing for changes in the context, risk and controls

19
Q

Risk tolerance

A

the level of risk that you can accept for a short period of time which you will be actively managing to bring to an acceptable level

20
Q

Risk capacity

A

The level of risk that is unacceptable. This is the tipping point that the org cannot or does not wish to go over.

21
Q

risk protocols

A

the means by which the risk strategy and architecture are delivered in practice

collated together into a manual, standard, procedure, tools, templates - documents

22
Q

Included in risk protocols

A

techniques used in risk id
the format and content of the orgs risk register
requirements on entering risk events into the issues and event logs
reporting requirements against KPIs
approval processes for expenditure on risk improvement actions
templates

23
Q

PESTLE

A

understanding context
identifying risk

24
Q

COSO 2004 RM process

A

internal environment
objective setting
event ID
risk assessment (instead of analysis and evaluation in ISO 31000)
risk response
control activities
information and communication
monitoring

25
Q

COSO 2017 RM process

A

Framework and process are woven together. Understanding context and objectives is captured in the first two components of the framework: governance and structure, and strategy and objective setting. The more recognisable RM process steps are found in the third component, performance: identifies risk, assesses severity of risk, prioritises risk, implements risk responses, develops portfolio review. "Assess" and "prioritise" are used instead of the analysis and evaluation steps in ISO 31000. The rest of the RM process is captured in 4. review and revision and 5. information, communication and reporting.
26
Q

The OB 2023 RM process

A

A combination of RM framework, principles and processes. Risk management shall be:
A. an essential part of governance and leadership
B. an integral part of all operational activities
C. collaborative and informed by the best available info
D. have a structured process
E. continually improved

Principle D includes the main process: risk ID and assessment, risk treatment, risk monitoring, risk reporting. Risk assessment aligns to the ISO 31000 steps of analysis and evaluation. The OB framework is closely aligned to ISO 31000 in its language and approach.
27
Q

Internal context

A

Governance and reporting arrangements, operational structure, roles and responsibilities; many areas considered in the risk architecture. Detailed list:
1. the org's divisions, departments, structures, systems, processes and accountability, cultures, leadership, strengths and weaknesses
2. internal stakeholders - staff, managers, the board
4. its approach to corp governance, resources, competencies and capabilities, its culture, the way it conducts itself
5. factors that influence how the org will try to set and achieve its objectives

When undertaking a risk assessment for a single team or task, the internal context is considered to be everything INSIDE that team rather than the full context for the org.

COSO 2017 focuses on the setting of strategy as the core of the ERM process, and on the effect that internal and external context changes can have on setting the strategy and the ability to achieve it.
28
Q

External context

A

The external environment which the org operates in, taking into account things that can affect the org's ability to achieve its objectives. Relates to:
1. external stakeholder expectations
2. industry regulators
3. behaviour of competitors
4. the general economic environment the org operates in

This includes:
1. the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
2. industry, products, markets, competitors, suppliers, logistics
3. key drivers and trends impacting on the objectives of the org
4. relationships with, and the perceptions and values of, external stakeholders

Helps answer: what does the world around us look like? What is driving our strategic direction?

FIRM scorecard - Reputational and Marketplace
29
Q

Internal context

A

Expectations of internal stakeholders, including members of staff and contractors, outsourced suppliers, org structures, cultures, the views and behaviours of the board of directors, and the internal strengths and weaknesses your org has.

FIRM scorecard - Financial and Infrastructure are primarily related to internal context. Infrastructure can also relate to internal context.

FIRM scorecard, SWOT
30
Q

The extended enterprise

A

A structure where a number of orgs come together in an endeavour in order to achieve outcomes that none of them could have achieved on their own.

Four key elements:
1. core activities of the team, function, department, project or org that is being considered - WHAT IS IT YOU DO
2. key inputs to those core activities - WHAT DO YOU NEED IN ORDER TO DO WHAT YOU DO
3. key outputs from those core activities - what is it that you need to deliver from those core activities
31
Q

PESTLE analysis

A

A tool used to help understand the external context of an org, using standard categories or classifications as prompts. Stands for Political, Economic, Social, Technological, Legal, Environmental. Also used as a risk classification tool.
32
Q

PESTLE advantages

A

Simple framework
1. facilitates an understanding of the wider business environment
2. encourages the development of external and strategic thinking
3. anticipates future business threats
4. helps identify actions to avoid threats or minimise the impacts of threats
5. facilitates identification of business opportunities
33
Q

PESTLE disadvantages

A

1. can over-simplify the amount of data needed for decisions
2. needs to be undertaken on a regular basis to be effective
3. requires different people being involved, with different perspectives
4. access to quality external data sources can be costly and time consuming
5. difficult to anticipate developments that may affect the org in future
6. risk of capturing too much data - difficult to identify priorities
7. can be based on assumptions which prove to be unfounded
34
Q

PESTLE classification system

A

POLITICAL - tax, policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability
ECONOMIC - economic growth/decline, interest rates, exchange rates and inflation, minimum wage, working hours, unemployment, credit availability, cost of living
SOCIAL - cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming
TECHNOLOGICAL - technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain
ENVIRONMENTAL OR ETHICAL
35
Q

Risk description language

A

CAUSE (source - fact): "As a result of", "due to", "because of" ... an existing condition
LANGUAGE - is, does, has, has not (present tense)
The cause is happening now or has happened (FACTS)

RISK (uncertain event): ... MAY occur
LANGUAGE - may, might, possibly (uncertain future)

CONSEQUENCE (impacts): "which would lead to" ... effect on objectives
LANGUAGE - would, will ... (conditional future)
36
Risk examples