Risk-management processes, perspectives, and responsibilities Flashcards

(40 cards)

1
Q

2 key characteristics of the standard risk-man process

A
  • Sequential, one element precedes the next
  • Circular process in continuous use, with no clear distinction of start and end
2
Q

4 elements of the standard risk-man process

A

Identify risks > Assess exposure > Monitor exposure > Control exposure > identify …

3
Q

Risk identification involves…

A

identifying the risks to which an organisation is exposed, for better or for worse

4
Q

3 techniques that can be used to identify risk

A
  • Checklists
  • Root-cause analysis
  • Delphi technique
5
Q

Risk assessment generally occurs once…

A

once a risk or a set of risks has been identified

6
Q

Formula for risk exposure (re. assessment)

A

Exposure to risk event = Probability (likelihood) of risk event × Impact (severity) of risk event

7
Q

Purpose of risk assessment

A

to determine the potential significance of the risk or risks in question

8
Q

What will a risk assessment allow?

A

For risks to be placed in an order to establish their priority
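Worked example for cards 6 to 8 (exposure = probability × impact, used to place risks in priority order) and the risk-appetite idea in card 16. This is an added illustration, not material from the flashcard set: the five register entries, the 1-5 ordinal scales, the band cut-offs and the appetite threshold of 12 are all constructed assumptions.

```python
"""Score and prioritise a small risk register with the exposure formula
(probability x impact) and flag anything above the stated risk appetite.

Added worked example; the register entries, the 1-5 scales, the band
cut-offs and the appetite threshold are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed ordinal scales (assumption: 1 = lowest, 5 = highest).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str   # key into PROBABILITY
    impact: str        # key into IMPACT

    @property
    def exposure(self) -> int:
        # Exposure = probability (likelihood) x impact (severity), range 1-25
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def band(exposure: int) -> str:
    """Map a 1-25 exposure score to a reporting band (constructed cut-offs)."""
    if exposure >= 15:
        return "high"
    if exposure >= 8:
        return "medium"
    return "low"


def prioritise(register, appetite: int):
    """Return (risk, exposure, band, exceeds_appetite) rows, highest exposure first.

    `appetite` is the largest exposure the organisation is prepared to carry for
    a single risk; anything above it is flagged for control action.
    """
    rows = []
    for r in register:
        e = r.exposure
        rows.append((r, e, band(e), e > appetite))
    # Ties are broken on impact so a severe-but-rare event outranks a minor-but-likely one
    rows.sort(key=lambda row: (row[1], IMPACT[row[0].impact]), reverse=True)
    return rows


def exceeded(register, appetite: int):
    """Names of the risks whose exposure is above the stated appetite."""
    return [r.name for r, _, _, over in prioritise(register, appetite) if over]


# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing server", "likely", "major"),
    Risk("Key supplier insolvency", "unlikely", "severe"),
    Risk("Phishing leading to credential theft", "almost certain", "moderate"),
    Risk("Office flooding", "rare", "major"),
    Risk("Minor data-entry errors in expense claims", "likely", "negligible"),
]


if __name__ == "__main__":
    for r, e, b, over in prioritise(SAMPLE_REGISTER, appetite=12):
        flag = " EXCEEDS APPETITE" if over else ""
        print(f"{e:2d} {b:<6} {r.name}{flag}")
```

The ordered output is the priority list card 8 refers to; the two risks scoring above the appetite of 12 are the ones that would go forward to the control step of the cycle, and rerunning the scoring after controls are applied gives the "monitor exposure" view of how the profile has changed.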

9
Q

Purpose of risk monitoring

A

Provide a comprehensive picture of the current risk profile in relation to objectives, with an indication of how this might change

10
Q

Risk monitoring involves the collection and dissemination of a wide range of data, including: (4)

A
  • loss data on previous risk events
  • a range of other risk, control and performance indicators
  • production of risk reports for board & management
  • external risk reports for stakeholders
11
Q

Risk control involves: (2)

A
  • Application of tools and techniques to influence probability and impacts of a risk event
  • Mitigating any secondary disruption effects that may follow initial risk event
12
Q

Risk control tools include: (4) & example of each

A
  • Physical devices, such as door locks
  • Financial tools, such as derivatives
  • Transferring risk, such as with insurance
  • Detection tools, such as smoke alarms
13
Q

What does ERM stand for?

A

Enterprise risk-management

14
Q

What is the concept of ERM? *very basic

A

An extension of the standard risk-man process

15
Q

Why is ERM not always better than standard risk-man? (3)

A
  • It may not be the right fit for every org
  • Its effectiveness depends on how it is implemented
  • Poorly implemented ERM processes can do more harm than good
16
Q

Common definition of ERM

A

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

17
Q

One key point to take away from the ERM definition

A

‘ERM is a process’ - it may be more complicated and sophisticated than standard risk-man, but at its heart it remains focussed on identification, assessment, monitoring, and control of risk

18
Q

3 essential characteristics distinguishing ERM from standard risk-man process

A

Holistic - A holistic focus

Value added - An emphasis on value-added risk-man

Formal and informal factors - The blending of formal and informal risk-man tools and activities (standard risk-man generally focussed only on formal)

19
Q

ERM characteristics - Holistic (3)

A
  • ERM should be applied across an org to embrace all types of risk in every part of an org, recognising interconnectedness
  • Avoids the problem of standard risk-man, whose silo approach ignores gaps, overlaps and correlations between risk categories
  • Can be implemented with creation of an integrated risk function under the control of a chief risk officer (CRO)
20
Q

ERM characteristics - Value added (2)

A
  • Risk-man, if applied correctly according to ERM, should create and protect value for an org through effective strategic level risk-man
  • This counters the perhaps instinctive view of risk-man as an activity purely to prevent downside risks, a view which is inconsistent with (or even counter to) strategy and objectives
21
Q

ERM characteristics - Formal and informal - formal factors relate to…

A

the tangible systems, processes, procedures, policies, committees and forums that exist within organisations, as well as organisational structures and hierarchies

22
Q

ERM characteristics - Formal and informal - informal factors relate to…

A

things like organisational culture, social networks and how risk and risk-management are perceived

23
Q

ERM characteristics - Formal and informal factors

A
  • Recognises equal importance of formal and informal factors in influencing exposure to risk (standard risk-man generally focusses on only formal)
  • Formal factors are the tangible systems, processes, procedures, etc. that exist
  • Informal factors are things like organisational culture, social networks, perception of risk and risk-man
24
Q

5 org wide benefits of ERM

A
  • Improved reporting to support strategic decision-making (through holistic understanding)
  • Avoidance of silos (to recognise gaps and overlaps in risk profile)
  • Improved operational efficiency and cost effectiveness (through better coordination and less duplication)
  • Improved profitability and equity value (through improved efficiency and cost effectiveness, and reduction in risk events)
  • Improved ability to achieve other business objectives (as more time to focus on them)
25
Q

3 benefits of ERM to local business unit or department

A
  • Consistent decision-making (e.g. not having other departments push a risk you are mitigating, as everyone is on the same page re. risk)
  • Effective resource allocation for risk-man (allocation of funds on a risk-exposure basis)
  • Spreading risk ownership, allowing management of risks by local experts (therefore avoiding the pitfalls of managing everything from a central risk function)
26
Q

An effective ERM process should include the following in addition to the core elements of the standard risk-man process: (6)

A
  • ERM policies and procedures
  • Risk appetite
  • Enterprise risk reporting
  • Risk and audit committees
  • Escalation and whistleblowing
  • Business continuity management
27
Q

An ERM policy should include: (7)

A
  • Overarching approach to risk, and how this is aligned to mission, vision, values and objectives
  • Specific risk-man, governance, internal control and compliance objectives
  • How threats and opportunities are balanced
  • High-level overview of the ERM process used
  • Statement regarding risk culture
  • Roles and responsibilities for ERM
  • Reporting structure for ERM, including lines into the CRO
28
Q

Risk reports under ERM should:

A

Provide a holistic, organisation-wide picture, without drowning boards and senior managers in large amounts of detail

29
Q

2 considerations from an ERM perspective on risk and audit committees

A
  • Where risk and audit are combined in one committee, it is harder to get into a more risk-positive, opportunity-seeking mindset, as audit committees are focused on internal control and risk reduction; it is good to separate them to avoid this conflict
  • The risk committee must consider all categories of risk, and all risks which may have a significant effect on strategy and business objectives
30
Q

ERM - escalation and whistleblowing (3)

A
  • Important part of risk monitoring
  • Procedures should always be org wide
  • All concerns should be reported in a consistent manner to a single point of contact (usually the CRO, their delegate, or the CoSec)
31
Q

ERM - business continuity management

A

As it is impossible to eliminate risk, an effective ERM process must include mechanisms to ensure the initial and longer-term impacts of risk events are properly managed and mitigated, where it is cost effective to do so

32
Q

What is the board responsible for re. risk-man? (3)

A
  • Oversight of the risk-man process, and ensuring it receives appropriate assurance from management that the correct processes are in place and being used correctly
  • Determining risk appetite
  • Periodically monitoring the risk profile
33
Q

What might a risk committee hierarchy look like in a large organisation?

A

The board risk committee will report to the board. Beneath the board risk committee, there may be other committees for specific business units or for specific risk categories

34
Q

The role of the CRO is to: (4)

A
  • Support the board and risk committee in the fulfilment of their responsibilities, including raising any concerns
  • Direct the work of the risk function
  • Oversee the risk-man activities of the whole org and ensure the management of risk is consistent with risk appetite
  • Work with the compliance and internal audit functions to ensure regulatory-compliance risk-man arrangements are in place across the org
35
Q

How will the risk function differ for standard risk-man & ERM?

A
  • Standard risk-man will usually see separate risk functions for different types of risk
  • ERM will typically have a central risk function that looks at all types of risk
36
Q

What is the role of the risk manager and wider risk function? (5)

A
  • To oversee, co-ordinate and facilitate risk-man activity across an organisation
  • The risk manager may get involved in managing specific risks in smaller orgs
  • Monitoring and reporting: collecting exposure and risk-man information
  • Advising on how to control specific risks and training employees
  • Supporting the design and implementation of risk-man processes
37
Q

What is the role of the compliance manager and wider compliance function re. risk? (3)

A
  • Ensure that the design and operation of risk-man processes comply with all applicable rules and guidance
  • Includes ensuring H&S and environmental risks are managed appropriately
  • Act as an intermediary between the org and risk-man regulatory or supervisory bodies
* Important to work closely with the risk manager / function
38
Q

What is the role of the internal audit function re. risk-man? (2)

A
  • Provide assurance that an org's risk-man process is effective in terms of design and implementation
  • Conduct audits of the risk function and of the processes used to support the management of risk
* Important to work closely with the risk manager / function
39
Q

What is the role of the CoSec re. risk? (5)

A
  • In small orgs, it is not uncommon for the CoSec to be given the responsibilities of a risk manager
  • May have compliance-related responsibilities
  • May have direct risk-man responsibilities in certain areas, such as the purchase of insurance
  • Always has a supporting role to play to the board, so will need to be ready to advise on risk-man responsibilities
  • Works closely with the risk and compliance managers or functions
40
Q

Aside from the board, risk, compliance and audit, other functions with responsibilities include: (5) * all functional areas have responsibility

A
  • Finance
  • H&S
  • Human resource management
  • Information security
  • Operations