Unit 1 Flashcards
(27 cards)
STOC (areas of improvement with RM, sources of risk for bow tie)
How the event results in a change in Strategy (options analysed, better strategic decisions achieved), Tactics (available alternatives can be evaluated), Operations (disruptive events identified early, damage limited, cost constrained) and Compliance (enhanced, as risks of legal/compliance failure will be addressed).
On a personal level:
S - Embrace opportunity risks
T - Manage uncertainty risks
O - Mitigate hazard risks
C - Minimize compliance risks
FIRM
How the event affects: Finances, Infrastructure, Reputation, Marketplace - Impact of Risk
Following the ISO 31000 definition, Hopkin sub-divided risks into four categories, which ones? CHCO
Compliance, Hazards (events that you do not want to happen), Control (events that you know will happen, but whose impact is variable, e.g. an increase in prices), Opportunities (events you hope will happen)
1. Compliance – mandatory risks
2. Hazard risks – negative risks (you do not want them to happen)
3. Control risks – uncertainty (you know they will happen but the impact is variable, e.g. an increase in prices)
4. Opportunity risks – positive risks
Risk Attitude
The way the organisation perceives the likelihood and impact of uncertainty (risk-averse, risk-neutral, risk-seeking), e.g. a conservative investor who prefers low-risk investments. Represents the long-term approach of the organisation to risk. ISO 31000: the overall attitude to risk can be described by a set of risk criteria; ISO does not mention risk appetite, only the criteria.
4Ps
People, Premises, Processes, Products (categories of operational disruption). BOW TIE DIAGRAM: SOURCE (STOC) - PREVENTIVE CONTROLS - 4Ps (DISRUPTION) - RESPONSE CONTROLS - IMPACT (FIRM)
Difference between RM and Risk (ISO, ORANGE, COSO)
Risk: 1. Uncertainty that matters 2. Effect of uncertainty on objectives (causes, events, consequences)
RM (ISO 31K, ORANGE): Coordinated activities designed and operated to manage risk and exercise internal control within an organization.
COSO: culture, capabilities, practices, strategy setting - managing risk in creating, preserving and realising value. This definition recognises that risk management processes, policies, procedures and other supporting information are of no use on their own. It is the culture, capabilities and practices within an organisation, integrated to ensure that action is taken to change the risks, that bring value.
RMF Scope (5 elements to implement effective RM)
ISO 31000: What is needed to implement effective RM: structure, responsibilities, administration, reporting, and communication.
ISO 31000 Process
1. Scope, context, criteria 2. Risk assessment (identification, analysis, evaluation) 3. Treatment 4. Reporting 5. Monitor and review. Communication and consultation throughout.
Definition of Risk 31000 and IRM
ISO 31000 The effect of uncertainty on objectives
IRM: Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.
For use in this Certificate, risks are considered simply as uncertainties that matter, or using a more standardised approach, the term risk is used to denote the effect of uncertainty on objectives, considering both sides of the risk ‘coin’ - threats and opportunities.
Operational RM, as per Basel II
There is also a requirement for those in the banking sector to implement operational risk management, where the Basel Committee on Banking Supervision (2021) define operational risk as the “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”, as can be seen in Basel’s revisions to the ‘Principles for the sound management of operational risk’.
What principles, framework, process mean for ISO 31000
ISO 31000 (2018), Risk Management considers:
what good risk management looks like – the Principles
what is needed to implement effective risk management – the Framework
what the steps are in risk management – the Process.
Definition of each of these key terms:
a) Risk management standard
b) Risk management framework
c) Risk management process
a) Risk standard – A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.
b) Risk framework – Also known as the risk management context. This comprises the risk strategy, risk architecture and risk protocols and forms the risk context which helps to drive the risk process.
c) Risk process – The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).
COSO ERM Framework
The front face is the risk management process, consisting of eight items. The top face of the cube describes the four categories of organisational objectives.
Finally, the side face of the cube shows the implementation process of the standard. It indicates that ERM begins at entity level and then is cascaded downwards and across the organisation. In that sense, the fully implemented version of ERM must be embedded in all roles, operations, and activities of the enterprise.
In 2017 the COSO ERM framework was updated to provide greater insight into the links between strategy, risk, and performance, and to highlight the interconnectedness of risks and the effect that risk culture has on the effective implementation of risk management.
COSO CUBE (2017)
Objectives: Operations, Reporting, Compliance (Strategy: 2004)
Institutional levels: Function, Operation, Division, Entity Level
Subprocesses in the control environment: risk assessment (RA), control activities, information & communication, monitoring
4Ts of Risk Response
Transfer (High Impact, Low Likelihood)
Terminate (High Impact, High Likelihood)
Tolerate (Low Impact, Low Likelihood)
Treat (Low Impact, High Likelihood)
Difference between Impact and Consequence
Impact: How the event affects the FIRM directly (the severity of the risk in terms of its immediate influence on objectives: financial loss, operational disruption, reputational image). Example: a cyberattack may lead to data loss (impact).
Consequence: How the event results in a change in the planned achievement of effective and efficient STOC: the broader, longer-term secondary effects that stem from the impact (downstream implications, e.g. legal penalties, customer attrition, regulatory scrutiny). Example: the data loss (impact) may result in fines from regulators and loss of customer trust (consequences).
Risk Appetite
Amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives (reflects its goals, resources and external environment), e.g. a start-up with a high risk appetite invests heavily in innovative but uncertain projects; they may fail, but the potential rewards justify the risks.
What control means
A measure that maintains and/or modifies the risk.
5 Principles of RM PACED
Proportional to the level of risk, Aligned with the activities, Comprehensive, Embedded within the org, Dynamic and responsive to emerging and changing risks.
5 objectives of RM (MADE2)
Mandatory = ensure conformity with applicable rules, regulations and mandatory obligations
Assurance that RM and ICF complies with PACED
Decision making support
Effective STO and efficient C to ensure volatility of results
What are Compliance, Hazard, Control and Opportunity Management?
Compliance: provides risk governance (Sophistication: Inform)
Hazard: Makes outcomes less negative (e.g. insurance and risk control reduce the actual cost of hazard losses, which are often insurable risks); as hazard tolerance declines, more risk capacity becomes available to invest (Reform)
Control: Reduces the range of possible outcomes from an event and ensures that the overall cost is maintained (Conform)
Opportunity: Maximises the benefits of possible outcomes (Perform)
COSO 5 Components of ERM (GSPRI)
Governance and Culture - sets the organisation's tone and oversight; culture relates to ethical values, desired behaviour and understanding of risk
Strategy and Objective Setting - aligns risk appetite with strategy and objectives
Performance - identifies, assesses and prioritises risks impacting objectives
Review and Revision - evaluates the effectiveness of ERM components and any necessary changes
Information, Communication and Reporting - ensures continuous information flow within the organisation
Four Levels of sophistication
- Inform: Unaware of obligations (Compliance Management)
- Reform: Fearful of requirements (Hazard Management)
- Conform: Auditing of compliance (Control Management)
- Perform: achievement of benefits (Opportunity Management)
- Bottom: Deform - inactivity caused by obsession
What approach does each standard have? ISO 31000, COSO, CoCo?
ISO 31000 follows risk management
COSO and FRC risk guidance have developed the internal control framework
CoCo (Canadian Institute of Chartered Accountants) follows the risk-aware culture approach, known as the Criteria of Control framework