3 COSO Enterprise Risk Management Framework Flashcards
What are the five interrelated components of the COSO ERM Framework?
Supporting aspects:
- governance and culture
- information, communication, and reporting
Common process components:
- strategy and objective-setting
- performance
- review and revision
What are the five principles of governance and culture?
- the board exercises risk oversight
- the organization establishes operating structures
- the organization defines the desired culture
- the organization demonstrates commitment to core values
- the organization attracts, develops, and retains capable individuals
How may the board delegate risk oversight?
by creating a risk committee
The manner in which core values are communicated across the organization can be described as what?
The tone of the organization
What are the four principles of strategy and objective setting?
- the organization analyzes business context and its effect on the risk profile
- the organization defines risk appetite
- the organization evaluates alternative strategies and their effects on the risk profile
- the organization establishes business objectives that align with and support strategy
What is business context?
the relationships, events, trends and other factors that influence the organization’s current and future strategy and business objectives
What is PESTLE analysis?
An analysis of the external environmental factors affecting the organization, consisting of:
Political - government intervention and influence
Economic - interest rates and availability of credit
Social - consumer preferences and demographics
Technological - R&D activity
Legal - laws, regulations, and industry standards
Environmental - climate change
What is risk appetite?
The amount of risk an organization is willing to accept in pursuit of value
What is risk capacity?
The maximum amount of risk an organization can assume
When an organization evaluates alternative strategies, what approach is commonly used?
SWOT analysis: Strengths Weaknesses Opportunities Threats
When should strategy be changed?
If it fails to create, realize or preserve value
Business objectives are established to align with and support strategy. What characteristics should they have?
- Specific
- Measurable or observable
- Obtainable
- Relevant
What are the five principles that relate to performance?
- the organization identifies risks that affect the performance of strategy and business objectives
- the organization assesses the severity of risk
- the organization prioritizes risks at all levels
- the organization identifies and selects risk responses
- the organization develops and evaluates its portfolio view of risk
What are examples of risk identification methods and approaches?
- day-to-day activities - ex. budgeting, business planning or reviewing customer complaints
- simple questionnaires
- facilitated workshops
- interviews
- data tracking
What is severity of risk?
A measure of considerations such as impact, likelihood, and time to recover from events.
What is the time horizon for assessing risk?
The amount of time it takes to achieve a strategy. Ex. the risks affecting a strategy that takes 2 years to achieve should be assessed over that same 2-year period.
What are examples of quantitative methods used to assess risk?
- decision trees
- modeling (probabilistic and nonprobabilistic)
- Monte Carlo simulation
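The Monte Carlo method named above, shown as an added example rather than COSO guidance: each simulated year draws a number of loss events and a loss magnitude per event, and the resulting annual-loss distribution is compared against risk appetite and risk capacity. The event rate, loss parameters, appetite and capacity figures, and the helper names (`simulate_annual_losses`, `assess`, `run`) are constructed for this illustration and are not taken from the COSO framework.

```python
"""Monte Carlo simulation of annual loss for one risk (added example).

Illustrates the "Monte Carlo simulation" assessment method from the
flashcards. All parameters below are constructed for the example.
"""
import math
import random
import statistics

# Constructed risk parameters: loss events arrive as a Poisson process and
# each event's loss is lognormal (given by its median and a spread sigma).
EVENTS_PER_YEAR = 2.0          # expected number of loss events per year
MEDIAN_LOSS = 50_000.0         # median loss per event (currency units)
LOSS_SIGMA = 1.0               # lognormal sigma controlling the tail

RISK_APPETITE = 300_000.0      # annual loss the board is willing to accept
RISK_CAPACITY = 1_000_000.0    # maximum annual loss the entity can absorb


def poisson(rng, lam):
    """Draw one Poisson variate with mean lam (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(seed, years, rate=EVENTS_PER_YEAR,
                           median=MEDIAN_LOSS, sigma=LOSS_SIGMA):
    """Return one simulated total loss per year, reproducible for a given seed."""
    rng = random.Random(seed)
    mu = math.log(median)  # lognormal mu such that exp(mu) is the median loss
    losses = []
    for _ in range(years):
        n_events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list of numbers."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


def assess(losses, appetite=RISK_APPETITE, capacity=RISK_CAPACITY):
    """Summarise the loss distribution against risk appetite and risk capacity."""
    n = len(losses)
    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        # share of simulated years whose loss exceeds appetite / capacity
        "p_exceed_appetite": sum(loss > appetite for loss in losses) / n,
        "p_exceed_capacity": sum(loss > capacity for loss in losses) / n,
    }


def run(seed=2024, years=20_000):
    """Simulate `years` years with a fixed seed and return the summary."""
    return assess(simulate_annual_losses(seed, years))


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key:>18}: {value:,.4f}")
```

The percentiles and exceedance probabilities are what a risk owner compares against appetite and capacity: a high `p_exceed_appetite` argues for a reduction or sharing response, while any material `p_exceed_capacity` is a problem for the board regardless of the chosen response.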
Risk characteristics are evaluated using agreed-upon criteria, and higher priority is given to the risks that most affect those criteria. What are examples of the criteria?
- complexity - the nature and scope of a risk
- velocity - the speed at which risk affects the entity
- persistence - how long a risk affects the entity, including the time it takes the entity to recover
- adaptability - the entity’s capacity to adjust and respond to risk
- recovery - the entity’s capacity to return to tolerance (ex, returning to normal operations after a natural disaster)
What are the five categories of risk responses?
- acceptance - no action is taken to alter the severity of the risk
- avoidance - action is taken to remove the risk
- pursuit - action is taken to accept increased risk to improve performance without exceeding acceptable tolerance
- reduction - action is taken to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite.
- sharing - action is taken to reduce the severity of the risk by transferring a portion of the risk to another party (ex. insurance, hedging, joint ventures and outsourcing)
What is portfolio view of risk?
The composite, entity-wide view of risk that results from risk identification, assessment, prioritization and response
What are the four risk views?
Risk views have different levels of risk integration:
- risk view - risks are identified and assessed (minimal integration)
- risk category view - identified and assessed risks are categorized (ex. based on operating structures)(limited integration)
- risk profile view - risks are linked to the business objectives they affect and any dependencies between objectives are identified and assessed (partial integration)
- portfolio view - a composite view of risks related to entity-wide strategy and business objectives and their effect on entity performance (full integration)
What are qualitative methods used to evaluate how changes may affect the portfolio view of risk?
- benchmarking
- scenario analysis
- stress testing
What quantitative method is used to evaluate how changes may affect the portfolio view of risk?
statistical analysis
What are the three principles of review and revision?
- the organization identifies and assesses changes that may substantially affect strategy and business objectives
- the organization reviews entity performance results and considers risk
- the organization pursues improvement of ERM
When performance results deviate from target performance or tolerance, this may indicate?
- unidentified risks
- improperly assessed risks
- new risks
- opportunities to accept more risk
- the need to revise target performance or tolerance
What are the three principles of information, communication, and reporting?
- the organization leverages its information systems to support ERM
- the organization uses communication channels to support ERM
- the organization reports on risk, culture and performance at multiple levels and across the entity
What is structured data?
structured data are generally well organized and easily searchable (ex. spreadsheets, public indexes or database files)
What is unstructured data?
unstructured data are unorganized or lack a predefined pattern (ex. word processing documents, videos, photos or email messages)
What is risk taxonomy (categories)?
A risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organization. By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organization’s objectives.
What is data management architecture?
The design of the organization's information technology that determines what data are collected and how the data are used.
What are the 8 steps for implementing an ERM program?
- seek board and senior management involvement and oversight
- identify and position a leader to drive the ERM initiative
- establish a management working group
- inventory the existing risk management practices of the organization
- conduct an initial assessment of key strategies and related strategic risks
- develop a consolidated action plan and communicate to board and management
- develop and/or enhance risk reporting
- develop the next phase of action plans and ongoing communications
What is ESG?
Environmental, social and governance risks. These risks are also known as sustainability, nonfinancial or extra-financial risks.
The guidance for ESG-related risks includes actions to help manage current risks and develop the resilience to adapt to future megatrends. Under which ERM components are these actions organized?
- governance and culture
- strategy and objective-setting
- performance - risk identification
- performance - risk assessment and priorities
- performance - risk responses
- review and revision
- information, communication, and reporting