Part 3 Flashcards
(34 cards)
What is GRC, and what does it help organizations achieve?
GRC = Governance, Risk, and Compliance
It is a comprehensive framework that helps organizations:
- Govern effectively – Set direction, make decisions, and ensure accountability
- Manage risks – Identify, assess, and respond to threats and opportunities
- Ensure compliance – Meet legal, regulatory, and ethical obligations
Purpose: Together, these functions support principled performance — achieving goals while maintaining integrity.
What are the three core components of GRC according to SAP’s Tripod Model, and what does each include?
1. Governance
- Sets strategic direction and defines oversight structures
- Aligns decisions with the organization’s purpose and stakeholder expectations
2. Risk Management
- Identifies internal and external risks to strategy, operations, and reputation
- Puts controls in place to reduce threats and support informed decisions
3. Compliance
- Ensures the organization follows laws, regulations, standards, and ethical norms
- Builds trust with regulators, investors, and the public
Why is GRC considered integrated and cross-functional, and why does it matter?
GRC is Enterprise-Wide:
GRC spans all functions—strategy, risk, legal, IT, HR, ethics, and sustainability—not just audit or compliance.
Why It Matters:
It breaks silos, boosts transparency, improves crisis response, and supports ethical, long-term value creation.
What are the different definitions of risk across common usage, decision theory, and finance/economics?
- Common Usage: Risk = The likelihood of negative events
- Decision Theory: Risk = Uncertainty with known probabilities
- (In contrast, ambiguity means probabilities are unknown)
- Finance/Economics: Risk = Any deviation from the expected outcome (positive or negative); measured as variance
Insight: Risk is not always bad — the Chinese word for “crisis” includes both danger and opportunity.
What are the main types of risks faced by organizations, and how are they defined?
Types of Risks Faced by Organizations:
- Counterparty Risk, Market Price Risk, Operational Risk, Liquidity Risk, Investment Risk, Pension Risk, Other Risks
What drives risks and opportunities in organizations, and how do they impact outcomes?
Risks and opportunities come from both external and internal drivers and can lead to financial consequences.
- External drivers: Market conditions, regulation, climate, competitors, customers
- Internal drivers: Financial stability, leadership, IT integrity, operational efficiency
All of these factors influence performance, reputation, and long-term value.
What are megatrends and VUCA, and how do they affect organizational risk?
Megatrends = long-term risk drivers
- Megatrends are slow but powerful forces that reshape societies and markets over decades.
- Examples: Climate change, Aging populations, Urbanization, Digital transformation, Inequality & geopolitics
→ Root causes of systemic and emerging risks
VUCA = the modern risk environment
- Volatile: Rapid, unpredictable change
- Uncertain: Outcomes are unclear
- Complex: Many interconnected factors
- Ambiguous: Hard to interpret or predict
Implication: Organizations must build flexibility, foresight, and resilience to navigate a VUCA world.
What is risk capacity, and how is Value at Risk (VaR) used to measure it?
Risk Capacity = A company’s ability to absorb losses and stay solvent under stress.
Companies must prepare for:
- Expected Loss (EL): Predictable losses (e.g. defaults, operational risks)
- Unexpected Loss (UL): Rare, high-impact events
Measuring Risk: Value at Risk (VaR)
- Estimates potential loss over a time period with a given confidence level
- Formula: VaR(α) = EL + UL(α)
Example: “We’re 99% confident losses won’t exceed €X in 10 days.”
=> Limitations: VaR does not reflect extreme losses (tail risk)
=> Alternative: Expected Shortfall (ES): Measures the average of losses beyond the VaR limit
What are the two types of risk in CAPM?
CAPM Risk Types:
Systematic Risk
- Affects the whole market (e.g. inflation, recession)
- Cannot be diversified → must be compensated with higher returns
Unsystematic Risk
- Specific to a company or industry
- Can be diversified across a portfolio
What are the four main risk response strategies, and how does ERM differ from traditional risk management?
Risk Response Strategies:
- Accept (Retain): Tolerate the risk within limits; monitor and manage exposure
- Mitigate (Reduce): Lower the likelihood or impact (e.g. prevention, controls, hedging)
- Share (Transfer): Shift risk to others (e.g. insurance, outsourcing, partnerships)
- Avoid: Eliminate the risk by not engaging in the activity
What is the structure and function of Enterprise Risk Management (ERM) according to the Three Lines Model, and how do ICS, RMS, and Compliance contribute?
ERM: The Three Lines Model
Defines clear risk roles across the organization:
- 1st Line: Operational Management => Owns and manages risks (e.g. operations, front office)
- 2nd Line: Risk & Compliance Functions => Develops frameworks and policies; monitors risk; provides training
- 3rd Line: Internal Audit => Provides independent assurance; audits risk systems and controls
→ All three lines collaborate to protect and create value, moving beyond a defensive mindset.
Internal Control System (ICS)
Embedded across all three lines to:
- Ensure reliable financial reporting and compliance
- Safeguard assets and improve efficiency
Risk Management System (RMS)
Enables proactive risk oversight by:
- Identifying risks early (e.g. assessments)
- Assessing probability and impact
- Communicating via dashboards/reports
- Mitigating via action plans and controls
→ Aligns risk exposure with company strategy and risk appetite.
Compliance as a Strategic Function
Once seen as a “cost center,” now a strategic enabler
- Ensures integrity, avoids fines, builds trust
- Shapes culture and governance
- Operates in the 2nd Line (guides business, monitors adherence)
What is the purpose of ISO 31000, and what are its key principles and context factors?
A voluntary global standard for enterprise risk management (best-practice guidance)
- Helps organisations create and protect value by managing risks systematically
- Promotes a continuous, integrated approach across leadership, strategy and decision-making
- Considers both internal and external factors
- Enterprise resilience supports compliance and builds stakeholder trust
What is the COSO ERM Framework, and what are its objectives, key activities, and scope?
COSO ERM Framework Overview:
- Goal: Align risk with organizational objectives
Key Organizational Objectives:
- Strategic: Align goals with mission
- Operations: Improve efficiency and effectiveness
- Reporting: Ensure reliable data
- Compliance: Meet legal/regulatory requirements
Core ERM Activities:
- Risk identification
- Event analysis (cause → event → effect)
- Risk response
- Control activities
- Monitoring and communication
Risk Levels (Scope):
ERM covers risks across: subsidiaries, business units, divisions, and the entire enterprise
Key Insight: Use a portfolio view — manage risk across all levels, not in silos.
How are risks identified and assessed in Enterprise Risk Management (ERM) Step 1?
Risk Identification: Cause → Event → Effect
- Cause: Weak cybersecurity
- Event: Data breach
- Effect: Reputational damage, fines
Includes: internal and external triggers, and all risk types (e.g. strategic, operational, credit)
Risk Assessment Steps:
- Likelihood: Probability of occurrence
- Impact: Severity of consequences
- Score: Risk Score = Likelihood × Impact
Tools: Heat maps, Risk scoring matrices, Aggregation models (e.g. Value at Risk), Likelihood scales
Limits:
- Black swans: Rare, high-impact events often missed by models
- Low-frequency risks: Frequently underestimated
What are the main risk response strategies, and how does the 4-T Risk Steering Model guide action?
Risk Response Strategies
Organizations respond to risks based on their risk appetite:
- Avoid: Eliminate the risk entirely
- Reduce: Mitigate or control the risk
- Share: Transfer risk (e.g. insurance, outsourcing)
- Accept: Tolerate within defined limits
Goal: Bring gross risk down to an acceptable net risk level, aligned with company strategy.
What are the roles of control, communication, and monitoring in ERM, and why does ERM matter?
Final Takeaways:
- ERM is a strategic and cultural framework, not just a control tool
- The Three Lines Model, internal controls, and governance help manage risk at all levels
- Standards like ISO 31000 and COSO support structured risk management
- Effective ERM enhances resilience, trust, and performance — especially in volatile or regulated environments
How do impacts, risks, and opportunities relate in a sustainability context?
Definitions:
- Impacts: How a company affects people or the environment (positive or negative; actual or potential; short- or long-term)
- Risks: ESG-related uncertainties that could harm the company’s strategy, operations, or financial health
- Opportunities: ESG trends or events that could create value (e.g. innovation, reputation, new markets)
Distinction:
- Impacts = How the company affects the world
- Risks/Opportunities = How the world (ESG context) affects the company
Assessment of ESG Risks/Opportunities:
- Based on impact magnitude and probability of occurrence
- Opportunities are assessed like risks: Score = Impact × Likelihood
What are the ESRS 2 GOV disclosures, and what do they aim to cover in sustainability governance?
Purpose: ESRS 2 GOV disclosures define how sustainability is governed within a company, aligned with Governance, Risk, and Compliance (GRC) principles.
Examples:
- GOV-2: Show how the board is informed about material ESG issues, policy effectiveness, and due diligence outcomes
- GOV-4: Report the ESG due diligence process, including stakeholder input and corrective measures
- GOV-5: Explain how ESG is integrated into internal controls, supported by data validation and external audits
What does the German Supply Chain Act (LkSG) require for ESG risk management, and who is responsible?
Purpose: LkSG shifts the focus from ESG disclosure to active ESG risk management in supply chains.
Due Diligence Responsibilities:
- Own operations: Full responsibility
- Direct suppliers: Full responsibility
- Indirect suppliers: Duty of care if risks become known
- Products/services: No due diligence required
Focus Areas:
- Human rights: Child labor, forced labor, unsafe working conditions
- Environment: Toxic pollutants, hazardous waste, mercury
Compliance Requirements:
- Policy statements
- Ongoing risk analysis
- Risk mitigation and corrective action
- Complaints mechanism
- Annual public reporting
Why is GRC integration important in ESG risk management?
- GRC (Governance, Risk, and Compliance) principles are now essential to sustainability.
- ESG is not optional — it is a strategic, financial, and operational risk category.
- Boards must treat ESG risks just like any other material risks.
How does BaFin guide banks in integrating ESG risks into traditional risk categories?
BaFin (Germany’s financial regulator) emphasizes the financial materiality of ESG risks.
Banks should map ESG risks to traditional risk types:
- Credit Risk: Carbon-heavy firms default due to regulation
- Market Risk: Brown asset values fall after policy changes
- Liquidity Risk: Floods cause mass customer withdrawals
- Operational Risk: Wildfires disrupt branch operations
- Underwriting Risk: Climate disasters lead to increased insurance claims
- Strategic Risk: Bank loses relevance in green transition
- Reputational Risk: Greenwashing scandal damages trust
What does BaFin expect from banks regarding ESG strategy and governance?
Strategy Integration (Chapter 3):
- Embed ESG into core strategy (standalone or integrated).
- Align with global standards (e.g., TCFD, UN PRB).
- Communicate ESG strategy internally and externally.
Governance (Chapter 4):
- Management is accountable for ESG risk.
- Assign clear ESG roles and oversight responsibilities.
- Link ESG performance to incentives (e.g., bonuses).
- Ensure ESG expertise at board level.
How should ESG be embedded operationally and within risk systems, according to BaFin?
Organisational Embedding (Chapter 5):
- Define ESG policies and internal guidelines.
- Allocate ESG-dedicated staff and resources.
- Integrate ESG across all functions: front/back office, risk, compliance, audit.
Risk Management Systems (Chapter 6):
- Extend core risk processes to include ESG: identification, control, reporting.
- Cover all risk types: credit, market, operational, liquidity.
- Focus on forward-looking risk management.
Methodologies:
- Portfolio alignment: Match with climate goals
- Scenario analysis: Quantify ESG impact
- Exposure-based: ESG scores, internal ratings
→ ESG should inform asset valuation.
What are BaFin’s expectations for ESG stress testing and outsourcing?
Stress Testing (Chapter 7):
- Adapt or build models to simulate ESG-related shocks.
- Cover transition risks (e.g. carbon pricing) and physical risks (e.g. floods).
- Use tools: Monte Carlo simulations, Sensitivity analysis, ESRS-aligned stress scenarios
Outsourcing (Chapter 8):
- Apply ESG criteria in third-party due diligence.
- Monitor outsourced providers’ ESG performance.
- Ensure ESG risk controls match those used in-house.