Unit 3 Enterprise Risk Management Flashcards
Unit 3: Enterprise risk management COSO, enterprise risk management, implementing ERM, establishing the context for risk management.
Which of the following definitions best describes the term ‘control activities’ in the COSO ERM cube?
The ways in which compliance with policies and procedures can be checked
The full implementation of ERM in a large business is likely to be measured in terms of which one of the following periods?
More than three years
Which of these is part of the risk management context, as opposed to the external or internal contexts?
The risk management strategy
Activity 3.1. Write a short definition of enterprise risk management.
You can obtain a definition from a number of places in Hopkin (eg pages 51 and 97). The latter provides four different definitions in table 8.2.
Activity 3.1. How does ERM differ from traditional forms of risk management?
We saw in unit 1 how traditional approaches were around the development of specialisms, such as insurance, health and safety and financial risk management; in other words risk was managed in ‘silos’, often mapped to individual departments of a business and there was little commonality of systems and terminologies between them. ERM seeks to overcome this silo-based approach by what we call a ‘holistic’ approach that is driven from the top (or board level) of the organisation and embedded down and throughout the rest of the enterprise. For further details see Hopkin (pages 51 and 95–97).
Activity 3.2. Explain why the COSO ERM framework puts so much emphasis on embedding risk management from the top of the organisation
This goes to the heart of ERM in that risk management starts at the top of the organisation, by the management of entity-wide risks and then the same methodology spreads from there down and across the enterprise. These entity- wide risks might well be the strategic types of risk that if they occur will impact upon the whole of the organisation. Look back to the COSO (2017) reading and you will see how important this is.
Activity 3.2. Consider how one risk from a single source might impact on many departments within your organisation.
To answer this question you might wish to track the potential consequences of one department’s list of risks to see how that could translate to consequences in other departments. This activity of mapping the consequences of a single risk is the only way to determine its enterprise level severity.
Activity 3.3. What are the driving forces in the development of ERM in your sector or country? What are the main restraining factors?
Some of the major influences might be: (i) laws and regulations, (ii) cultures in both the country and sector, (iii) competitor behaviour and (iv) the influences of powerful stakeholders. Some of the restraining factors might include: (i) knowledge and the lack of it, (ii) cultures in both the country and sector, (iii) competitor behaviour and of course (iv costs
Activity 3.5. Suggest 2–3 benefits of establishing the context for risk management.
Establishing the context of the risk management process should help to justify the resources needed for risk management. The context of the risk management process can help define the objectives, scope, responsibilities and resources for risk management. It can also help to identify methodologies to be used and how risk management performance will be evaluated.
Activity 3.5. Identify one method you could use to assess the benefits of an investment in ERM.
You can find the advantages of an ERM approach by the use of the FIRM scorecard in table 8.3 in Hopkin (pages 98-99). But we must emphasise that the organisation can only realise these advantages if the framework is working as it’s intended to work. A tool to measure the good principles of a risk management approach is the PACED acronym. One method you could adopt is to take the benefits from table 8.3 in Hopkin and identify performance measures to mirror your expectations. For example, on the reputational measure you could undertake a questionnaire of stakeholders to get their views on their perceptions of the organisation, say one year after implementing an ERM framework.
