3 - Roles and responsibility Flashcards
The approach adopted by enterprise risk management is BEST described as being:
holistic
In the UK, certain companies are required to disclose in their annual reports and accounts how they have complied with the Corporate Governance Code. This requirement would apply to what type of company?
Sha Manufacturing plc.
The risk tolerance of a firm describes the:
risks that the firm might be able to bear.
A claims manager has been asked by the risk management department to review whether the claims settlement authorities granted to claims handlers are being followed and to report his findings to them. What type of risk management technique is being used?
Control self assessment.
What is an advantage to an organisation of having a successful enterprise risk management programme?
An improved competitive advantage.
NOT
There is little risk monitoring required.
The ability to look at risks individually.
Rapid changes to the risk culture of the organisation.
The MAIN purpose of an internal audit of risk management is to:
provide independent assurance to the board that an effective risk management system is in place and operating effectively.
The UK Corporate Governance Code SPECIFICALLY charges company directors with:
supervising the management of the business.
What responsibilities is a risk officer employed by a large manufacturer likely to have?
Identifying, analysing and evaluating a range of individual risks in specific areas.
In a major UK insurer, who will typically be responsible for agreeing, establishing and overseeing a risk management framework across the organisation?
Chief risk officer.
In a five stage model of risk maturity, an example of level five would include having:
policies that define all aspects of risk management and governance.
One of the five main responsibilities of a board of directors concerns risk. Under this heading, what is the board responsible for?
Supervision of the process of risk assessment and ensuring necessary actions are adopted to mitigate against those risks.
Organisations may consider integrating audit, compliance and risk management activities in a single GRC (Governance, Risk and Compliance) system. What are they hoping to achieve?
GRC is expected to improve governance and efficiency by aligning strategy, processes, technology and people
Overall management and direction of any organisation is the responsibility of a …
small group of people who accept certain roles and responsibilities in line with corporate legislation.
A board cannot ignore its responsibilities regarding risk management. It needs to …
specify risk policy, thoroughly review risk exposures and define levels of risk it is prepared to accommodate.
A common approach with regards to supervising risk is to appoint a …
Risk subcommittee
The risk subcommittee will act with what authority?
board authority, setting policies and making risk decisions as required.
The way a board sets up an organisation to achieve its objectives, together with the systems it puts in place to manage and control that organisation, is known as
Corporate governance
The UK Corporate Governance Code provides a code of best practice for companies listed on the …
London Stock Exchange. It is overseen by the Financial Reporting Council.
SOX established …
enhanced standards for all US public companies (their boards, management and auditors) listed with the financial regulator, the SEC.
CSA is
a systematic process requiring management and staff to continually audit and report on risks and risk controls for which they are responsible. Improved awareness and accountability for risk leads to better corporate governance.
What is Enterprise Risk Management?
The structure set up to control risk management across the whole organisation is known as enterprise risk management.
ERM systems allow all the risks involved in an organisation to be looked at …
together and from different perspectives. This is known as a holistic approach.
ERM has been recognised as an important element of strong …
corporate governance.
Today its use in large organisations is internationally supported by laws, regulations and compliance requirements.
The ERM framework is important. It shows how essential functions of an organisation combine to create …
an integrated system for managing risk across the whole organisation.
A common source of overlapping responsibilities in large organisations arises from the activities of
risk management, audit and compliance - all responses to particular requirements organisations have been forced to consider.
Attempts to create such an integrated structure have become known as
governance, risk and compliance (GRC) frameworks.
Organisations with separate risk management, audit and compliance activities have difficulties providing …
coherent (combined) information to the board to improve corporate governance.
An objective of GRC is to
rationalize information gathering and processing structures using common technology to capture, store and process information. Organisation wide training is also required to introduce a common vocabulary across all risk management and assurance functions.
GRC is expected to improve governance and efficiency by …
aligning strategy, processes, technology and people.
ERM is …
a dynamic management system which requires that people be organised and trained to carry out delegated tasks within specified boundaries and through specified communication and reporting channels.
In a typical ERM system, a group risk management function would be responsible for:
- setting up and maintaining the ERM framework; and
- managing all risk management functions within the group.
An ERM function can make a valuable contribution to … (formation)
strategy formation as well as managing risk involved.
ERM is a basic management philosophy that can only be initiated and maintained by …
the board, which must deliberately take every opportunity to emphasise ERM’s relevance and importance.
Large organisations are typically concerned with two types of audit process:
internal and external.
External audits are conducted by
separate professional organisations to give independent assurance to stakeholders that published information conforms to specific standards and is factually correct.
Internal audits are carried out within an organisation to provide assurance to
the board that approved systems and procedures are operating as intended.
The board expects internal audit to provide assurance regarding what functions?
several key functions, only one of which is risk management.
Evaluation of risk exposure is important. The internal audit will be looking to come to an informed opinion about reliability of what? and effectiveness of what?
reliability of information and effectiveness of risk management operations.
Organisations whose existence depends on compliance with appropriate laws and regulations often create …
separate compliance function specifically to identify and control threats that might lead to breaches of compliance.
Compliance must keep up to date with existing and new legislation affecting any organisation operation. Compliance provides …
policies, guidance, training and advice on compliance issues, as well as assurance that suitable compliance controls are in place and effective.
Organisation of a compliance function could mirror the organisation of
Risk Management
Compliance activities are a subset of both …
audit and risk management activities, concentrating on a limited number of specific, but important, risks.
Some organisations treat risk control as an integral part of general management, making each manager responsible for
events in their own area of influence.
Effective risk management will heavily depend on the ability of …
the central risk management professionals to communicate with and persuade their various management colleagues to treat risk in a coordinated manner.
It is difficult, if not impossible, to prevent overlap between various management responsibilities?
True
In the final analysis, responsibility for risk control throughout an organisation lies with
the board of directors
A risk subcommittee will set out the structure …
by which they intend to manage risk in a written document available for general reference. This is usually referred to as risk management architecture. This document describes the risk management structure of the organisation, laying out lines of communication for reporting risk management issues.
The risk management architecture document should be reviewed at least every …
one to two years to reflect major changes in an organisation or its environment.
A chief risk officer will contribute to decisions about the …
direction an organisation is to follow and will be intimately involved in the detail of strategic plans. They could be actively or indirectly involved in many diverse issues.
Could a risk manager have board status?
A risk manager could have board status in some organisations, a middle management or lesser role in others. In some organisations the role may focus on a particular specialist area of risk.
A risk officer is a person who carries out …
selected duties under the guidance and direction of the chief risk officer.
In any organisation committees are established as forums to …
bring together experts or representatives from different areas of the organisation to discuss common topics or objectives.
Risk appetite is
the amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time.
Why is it important to define risk appetite?
Defining risk appetite gives line managers and decision-making staff a clear policy on how much risk may be taken, so the policy must be defined and communicated to them.
Defining risk appetite provides a framework for
Decision making
Risk tolerance describes those risks that the organisation might be able to …
put up with
Organisation culture is a collective description reflecting …
typical behavior patterns of people who work there.
Various initiatives may be used to enhance the risk awareness culture in an organisation?
True
Maintaining risk awareness culture requires
Maintaining this culture will require continuous training support, particularly for new recruits. It will also need a continuous review and monitoring programme to ensure not just that procedures are being followed, but that required results are being achieved.
Generally speaking, organisations with effective risk management processes can expect …
less unexpected losses and better selection of future opportunities.
A qualitative indication of progress in developing risk awareness in an organisation can be obtained by …
regularly assessing the current level of risk culture.
Processes of observation, audit and interviews are used to evaluate the extent to which risk culture is embedded in what?
Organisation procedures and practices. The result is a classification in terms of risk maturity, where the various levels of maturity are defined by descriptions of different risk control structures and perceived attitudes to the management of risk.
Do organisations have their own risk maturity models?
Yes
Organisations may develop their own risk maturity model for this type of assessment or use one of the general framework models available. A simple model known as the 4Ns is currently being promoted. This has four levels of maturity labelled as naïve, novice, normalized and natural, with corresponding descriptions for each of these levels.
It is accepted that greater risk management system maturity reduces the impact of
undesirable events and will reduce risks involved in forward strategies and plans.
What is corporate governance?
Corporate governance is the way a board sets up an organisation to achieve its objectives, together with the systems it puts in place to manage and control that organisation.
What sort of devices and procedures can be used for internal control?
• approvals;
• authorisations;
• reconciliations;
• separation of duties;
• physical controls;
• IT controls;
• peer reviews.
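Two of the control devices in that list, authorisations and separation of duties, can be enforced and checked mechanically. The following is an added example, not part of the flashcard set: it applies hypothetical claims settlement authorities of the kind the claims manager above was asked to review (the role limits, the dual-control threshold, the user names and the settlement records are all constructed for illustration) and produces the sort of findings a control self assessment would report.

```python
"""Added example (not from the flashcard set): enforcing two of the
internal-control devices listed above, authorisations and separation of
duties, for claims settlement. The authority limits, the dual-control
threshold and the settlement records are constructed for illustration."""
from dataclasses import dataclass, field

# Hypothetical settlement authority per role, in pounds (constructed).
SETTLEMENT_AUTHORITY = {
    "handler": 5_000,
    "senior_handler": 25_000,
    "claims_manager": 100_000,
}

# Above this amount a settlement needs two distinct approvers
# (dual control), whatever the first approver's authority.
DUAL_CONTROL_THRESHOLD = 20_000


@dataclass
class Settlement:
    claim_id: str
    amount: int
    submitted_by: str
    approvals: list = field(default_factory=list)  # list of (user, role)


class ControlViolation(Exception):
    """Raised when a settlement breaches an authorisation or separation-of-duties control."""


def check_settlement(s: Settlement) -> bool:
    """Return True if the settlement passes all controls; raise ControlViolation otherwise."""
    if not s.approvals:
        raise ControlViolation(f"{s.claim_id}: no approval recorded")
    approvers = [user for user, _ in s.approvals]
    # Separation of duties: the submitter may not approve their own settlement.
    if s.submitted_by in approvers:
        raise ControlViolation(
            f"{s.claim_id}: submitter {s.submitted_by} approved their own settlement")
    # Authorisation: every approver must hold enough authority for the amount.
    for user, role in s.approvals:
        limit = SETTLEMENT_AUTHORITY.get(role)
        if limit is None:
            raise ControlViolation(f"{s.claim_id}: unknown role {role!r} for {user}")
        if s.amount > limit:
            raise ControlViolation(
                f"{s.claim_id}: {user} ({role}) authority {limit} is below {s.amount}")
    # Dual control: large settlements need two different approvers.
    if s.amount > DUAL_CONTROL_THRESHOLD and len(set(approvers)) < 2:
        raise ControlViolation(
            f"{s.claim_id}: amount {s.amount} needs two distinct approvers")
    return True


def review_settlements(settlements):
    """Control self assessment style sweep: map each claim id to 'ok' or the breach found."""
    findings = {}
    for s in settlements:
        try:
            check_settlement(s)
            findings[s.claim_id] = "ok"
        except ControlViolation as exc:
            findings[s.claim_id] = str(exc)
    return findings


# Constructed sample settlement records.
SAMPLE = [
    Settlement("CLM-1", 3_000, "alice", [("bob", "handler")]),                 # within authority
    Settlement("CLM-2", 8_000, "alice", [("bob", "handler")]),                 # over handler limit
    Settlement("CLM-3", 4_000, "alice", [("alice", "handler")]),               # self-approval
    Settlement("CLM-4", 22_000, "alice", [("carol", "claims_manager")]),       # needs dual control
    Settlement("CLM-5", 22_000, "alice", [("carol", "claims_manager"),
                                          ("dave", "senior_handler")]),         # passes
]

if __name__ == "__main__":
    for claim_id, result in review_settlements(SAMPLE).items():
        print(claim_id, result)
```

The findings dictionary is what a claims manager would hand back to the risk management department: each record is either compliant or carries the specific authority that was exceeded, which is more useful to the reviewer than a simple pass/fail count.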
What is ERM and why is it desirable?
ERM is the structure an organisation sets up to control risk management across the whole of its organisation. ERM allows all the risks involved in an organisation to be looked at together and from different perspectives. This is known as a holistic approach.
Can you outline a typical organisation structure within an ERM framework?
Heads of departments have primary responsibility for identifying, assessing and managing operational risks in their areas. A group risk management function is responsible for setting up and maintaining the ERM framework, and for coordinating all risk management functions within the group.
State five key responsibilities you would expect a chief risk officer to have.
• Ensure risk management is at the heart of strategic decision making.
• Supply appropriate risk management skills and expertise concerning any corporate involvement in major initiatives or programmes.
• Agree, establish and oversee a risk management framework across the organisation.
• Raise ‘risk awareness’ across the organisation.
• Communicate on risk matters with all business areas and appropriate external stakeholders.
• Ensure all risk owners understand the risks they are responsible for.
• Provide advice and support across the organisation to ensure effective risk management.
• Identify risk trends and emerging risks of interest to the organisation.
• Identify, analyse, assess and evaluate a range of individual risks across the organisation.
• Maintain an up-to-date risk register.
• Evaluate existing risk controls - highlighting any deficiencies and creating action plans for improvement.
• Implement cost-effective risk controls or adjustment.
• Identify and report on the most important risks faced by the organisation.
• Prepare insurance programmes and business continuity plans.
• Identify and report on significant changes in probability or impact of the most important risks faced by the organisation.
• Work within agreed budgetary constraints.
• Take overall responsibility for recruitment and development of direct reports including appropriate training.
What is the difference between audit and compliance functions?
Compliance is a subset of audit, concentrating on a limited number of important risks, normally those threatening compliance with relevant laws and regulations.
What is the difference between risk appetite and risk tolerance?
Risk appetite describes those risks that an organisation is actively willing to take. Risk tolerance describes those risks that the organisation might be able to put up with. A risk appetite policy can be used as a guide for both new and existing risks.
What activities support a risk aware culture?
Activities that support a risk aware culture include leadership, involvement, learning, accountability and communication. Any management device is useful that contributes to the aim of fully embedding risk consideration as an integral part of everyday procedures at all levels in an organisation.
UK Corporate Governance Code
The UK Corporate Governance Code provides a code of best practice for companies listed on the London Stock Exchange. It is overseen by the Financial Reporting Council (FRC).