The Future of ERM Flashcards Preview


Flashcards in The Future of ERM Deck (27)
1

10 steps to successful ERM?

1. Engage senior management and board to provide resource and support
2. Establish independent ERM function reporting directly to a board member
3. Establish risk architecture at exec and board level, supported by IA
4. Develop ERM framework with classifications
5. Develop risk-aware culture using common language, training and education
6. Written procedures with clear statement of risk appetite
7. Agree monitoring and reporting against established RM objectives
8. Undertake risk assessments to identify accumulations and interdependencies of risk
9. Integrate ERM into strategic planning, business processes and ops success
10. Contribute to success by delivering measurable benefits

2

10 barriers to successful implementation of ERM?

1. Lack of understanding, and belief that it will suppress entrepreneurialism
2. Lack of support and commitment from senior management
3. Seen as "just another initiative"; relevance and importance not accepted
4. Benefits not perceived as being significant
5. Not seen as part of core activity, seen as time-consuming.
6. Approach too complicated or over-analytical
7. Responsibilities and need for external consultants unclear
8. Risks separated from where they arose and should be managed
9. RM seen as static and not appropriate for a dynamic org.
10. RM seen as too expensive, taking over all aspects of the org.

3

What action should be taken to challenge the barrier of:

Lack of understanding, and belief that it will suppress entrepreneurialism

Establish shared understanding, common expectations and consistent language

4

What action should be taken to challenge the barrier of:

Lack of support and commitment from senior management

Identify a sponsor on the board and confirm shared priorities.

5

What action should be taken to challenge the barrier of:

Seen as "just another initiative"; relevance and importance not accepted

Agree a strategy that sets out anticipated outcomes and benchmarks for benefits

6

What action should be taken to challenge the barrier of:

Benefits not perceived as being significant

Complete a realistic analysis of what can be achieved and impact on the org's mission

7

What action should be taken to challenge the barrier of:

Not seen as part of core activity, seen as time-consuming.

Align effort with core processes and mission of the org

8

What action should be taken to challenge the barrier of:

Approach too complicated or over-analytical

Establish appropriate level of sophistication for framework and risk assessment

9

What action should be taken to challenge the barrier of:

Responsibilities and need for external consultants unclear

Establish agreed architecture with clear roles and risk responsibilities

10

What action should be taken to challenge the barrier of:

Risks separated from where they arose and should be managed

Include RM in job descriptions and ensure risks are managed in the context that gave rise to them

11

What action should be taken to challenge the barrier of:

RM seen as static and not appropriate for a dynamic org.

Align RM with decision-making activities

12

What action should be taken to challenge the barrier of:

RM seen as too expensive, taking over all aspects of the org.

Be realistic about scope. Do not claim that all business activities are RM activities by a different name.

13

What factors may influence the effectiveness of ERM?

- senior management influence within departments
- external influences including corporate governance
- nature of the business, products, culture
- corporate attitudes, including previous RM experiences
- origins of the RM department

14

How long is it likely to take to implement an RM framework?

2-5 years

15

Why might the timeframe for implementation need to be extended?

Implementation of a comprehensive RMIS

16

What are the three types of 'emerging risk'?

New risks in known context
Known risks in new context
New risks in new context

17

What is meant by new risks in known context?

New risks in the external environment that are associated with the existing strategy

18

What is meant by known risks in new context?

Risks already known to the org that have developed, or where changed circumstances have triggered the risk.

19

What is meant by new risks in new context?

Risks not previously faced by the org, relating to a new or changed core process

20

Give three examples of emerging risks within the control of an organisation

New markets
New technologies
More complex supply chains

21

Give three examples of emerging risks outside the organisation

Climate change
Sovereign debt
National security
Changing demographics

22

What is meant by risk velocity?

Whether risks will materialise in the long term or the short term e.g. health effects of mobile phone usage

23

Provide two standards that deal with 'resilience'

ISO 22301: Societal Security - BCM Systems
ASIS: Organisational Resilience Standard (American National Standard)

24

What are the three Ps and three Rs of resilience?

Prevent, protect and prepare resources
Respond, recover and review crises

25

What is the definition of resilience?

"Capacity of an org to consistently achieve a desired state following a change in circumstances"

26

What are the three steps to increased resilience?

1. Awareness of change to internal, external and risk management environments
2. Prevent, protect and prepare all types of resource
3. Respond, recover and review disruptive events

27

Resilience standards are moving toward PDCA (plan, do, check, act) cycles, which are compatible with PIML from ISO 31000. What does PIML stand for?

Plan
Implement
Measure
Learn