4-Risk Management Flashcards
Define risk management.
Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.
List the five processes of risk management.
Identification of context
Risk identification
Risk assessment and prioritization (i.e., risk analysis)
Risk response
Risk monitoring
What are the three levels at which risk identification should be performed?
Entity level
Division level
Business level
Give examples of methods used for risk identification.
Event inventories
Questionnaires and surveys
Leading event indicators and escalation triggers
Facilitated workshops and interviews
Process flow analysis
Loss event data methodologies
Brainstorming
SWOT analysis
Scenario analysis
List the three risk assessment processes.
Assessing the significance of an event
Assessing the event’s likelihood
Considering the means of managing the risk
Give examples of qualitative and quantitative risk assessment methods.
Qualitative:
Risk listing
Risk ranking
Risk map (e.g., heat map, risk matrix)
Quantitative:
Probabilistic models
List the four risk monitoring processes.
Tracking identified risks
Evaluating current risk response plans
Monitoring residual risks
Identifying new risks
What are the risk management responsibilities of (1) the board, (2) management, and (3) the internal audit activity?
The board: Overseeing and determining that risk management processes are in place, adequate, and effective
Management: Ensuring that sound risk management processes are functioning
Internal audit activity:
Assurance: Examining, evaluating, reporting, or recommending improvements
Consulting: Identifying, evaluating, and implementing risk management methods and controls
_____________________ determine the internal audit activity’s role in risk management.
Senior management and the board
Define (1) culture, (2) capabilities, and (3) practices in the context of Enterprise Risk Management.
Culture
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization
Capabilities
The skills needed to carry out the entity’s mission and vision
Practices
The collective methods used to manage risk
Define (1) mission, (2) vision, and (3) core values in the context of the culture component of Enterprise Risk Management.
Mission: The organization’s core purpose
Vision: The organization’s aspirations for what it intends to achieve over time
Core values: The organization’s essential beliefs about what is acceptable or unacceptable
Define (1) strategy and (2) business objectives in the context of Enterprise Risk Management.
Strategy
How the organization will achieve its mission and vision and apply its core values
Business objectives
Steps taken to achieve the strategy
Define (1) risk inventory, (2) risk capacity, and (3) risk appetite in the context of Enterprise Risk Management.
Risk inventory
All identified risks that affect strategy and business objectives
Risk capacity
The maximum amount of risk the organization can assume
Risk appetite
The amount and types of risk the organization is willing to accept in pursuit of value
When is value (1) created, (2) preserved, (3) realized, and (4) eroded?
Value is:
Created when the benefits obtained from the resources used exceed their costs.
Preserved when the value of resources used is sustained.
Realized when benefits are transferred to stakeholders.
Eroded when management’s strategy does not produce expected results or management does not perform day-to-day tasks.
What are the responsibilities of (1) the board and (2) management regarding Enterprise Risk Management (ERM)?
The board: Oversight of ERM culture, capabilities, and practices
Management: Day-to-day managing of risk (the CEO has ultimate responsibility for ERM)
What are the three lines in the Three Line Model?
First line Principal owners of risk
Second line Supporting (business-enabling) functions
Third line Assurance function
Categorize the five components of the COSO ERM framework into (1) the supporting aspect and (2) the common process.
Supporting aspects:
Governance and culture
Information, communication, and reporting
Common process:
Strategy and objective-setting
Performance
Review and revision
What are the five principles of the Governance and Culture component of the COSO ERM framework?
The board exercises risk oversight.
The organization establishes operating structures.
The organization defines the desired culture.
The organization demonstrates commitment to core values.
The organization attracts, develops, and retains capable individuals.
What are the four principles of the Strategy and Objective Setting component of the COSO ERM framework?
The organization analyzes business context and its effect on the risk profile.
The organization defines risk appetite.
The organization evaluates alternative strategies and their effects on the risk profile.
The organization establishes business objectives that align with and support strategy.
List and define the three types of business contexts.
Dynamic
New, emerging, and changing risks can appear at any time
Complex
A context may have many interdependencies and interconnections
Unpredictable
Change occurs rapidly and in unanticipated ways
What are the four criteria for business objectives?
Specific
Measurable
Observable
Obtainable
What are the five principles of the Performance component of the COSO ERM framework?
The organization identifies risks that affect the performance of strategy and business objectives.
The organization assesses the severity of risk.
The organization prioritizes risks at all levels.
The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated.
The organization develops and evaluates its portfolio view of risk.
What are the two measurements of the severity of risk?
Impact
Likelihood
List the five categories of risk responses.
Acceptance (retention)
Avoidance
Pursuit
Reduction (mitigation)
Sharing (transfer)
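The qualitative methods listed under risk assessment (risk ranking, risk map) and the quantitative one (a probabilistic model of expected loss), together with the severity measurement (impact and likelihood) and the risk appetite check that drives the choice of response, can be shown on a small risk register. The following is an added example, not part of the original flashcards or of any COSO or ISO publication. The register rows, the 1-5 scoring scales, the monetary figures and the appetite thresholds are all constructed assumptions chosen for illustration; a real organization sets its own scales and appetite.

```python
"""Risk register scoring: qualitative ranking and risk map, quantitative
expected loss, and a risk appetite check. Added example with constructed data."""
from dataclasses import dataclass

# Constructed sample register (assumption, not real data):
# (name, likelihood 1-5, impact 1-5, annual probability, loss in USD if it occurs)
RISK_REGISTER = [
    ("Ransomware on file servers", 3, 5, 0.20, 2_000_000),
    ("Cloud credential leak",      4, 4, 0.35,   800_000),
    ("Vendor outage",              4, 2, 0.50,   120_000),
    ("Insider data theft",         2, 4, 0.05, 1_500_000),
    ("Misconfigured S3 bucket",    5, 3, 0.60,   300_000),
]


@dataclass
class Risk:
    name: str
    likelihood: int          # qualitative scale 1 (rare) .. 5 (almost certain)
    impact: int              # qualitative scale 1 (negligible) .. 5 (severe)
    annual_probability: float
    loss_if_occurs: float

    @property
    def severity(self) -> int:
        """Qualitative severity: impact x likelihood on the 1-5 scales."""
        return self.likelihood * self.impact

    @property
    def expected_annual_loss(self) -> float:
        """Quantitative (probabilistic) measure: probability x loss."""
        return self.annual_probability * self.loss_if_occurs


def load_register(rows=RISK_REGISTER):
    """Validate the scoring scales so a bad score cannot silently skew ranking."""
    risks = []
    for name, lik, imp, prob, loss in rows:
        if not (1 <= lik <= 5 and 1 <= imp <= 5):
            raise ValueError(f"{name}: likelihood/impact must be on the 1-5 scale")
        if not 0.0 <= prob <= 1.0:
            raise ValueError(f"{name}: annual probability must be between 0 and 1")
        risks.append(Risk(name, lik, imp, prob, loss))
    return risks


def rank_risks(risks):
    """Risk ranking: highest severity first; ties broken by the higher impact."""
    return sorted(risks, key=lambda r: (r.severity, r.impact), reverse=True)


def risk_map(risks):
    """Risk matrix: grid[likelihood-1][impact-1] holds the names in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[r.likelihood - 1][r.impact - 1].append(r.name)
    return grid


def render_risk_map(grid):
    """Text heat map: rows run from likelihood 5 (top) to 1, columns impact 1..5."""
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in range(1, 6))]
    for lik in range(5, 0, -1):
        cells = " ".join(f"{len(grid[lik - 1][imp - 1]):>3}" for imp in range(1, 6))
        lines.append(f"{lik:>3} {cells}")
    return "\n".join(lines)


def exceeds_appetite(risks, max_severity=12, max_expected_loss=250_000):
    """Risks outside the (assumed) appetite cannot simply be accepted; they need
    another response (reduction, sharing, avoidance) or an explicit decision."""
    return [r for r in risks
            if r.severity > max_severity or r.expected_annual_loss > max_expected_loss]


if __name__ == "__main__":
    register = load_register()
    print(render_risk_map(risk_map(register)))
    for r in rank_risks(register):
        print(f"{r.severity:>2}  ${r.expected_annual_loss:>10,.0f}  {r.name}")
    print("Outside appetite:", [r.name for r in exceeds_appetite(register)])
```

Running it shows why the flashcards list both qualitative and quantitative methods: the misconfigured bucket ranks near the top of the qualitative matrix (severity 15) but its expected annual loss sits inside the assumed monetary appetite, while the credential leak is outside on both measures. Which response to select for each remains a management decision; the script only separates what can be accepted from what cannot.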
What are the four levels of risk views?
Risk view (minimal integration)
Risk category view (limited integration)
Risk profile view (partial integration)
Portfolio view (full integration)
What are the three principles of the Review and Revision component of the COSO ERM framework?
The organization identifies and assesses changes that may substantially affect strategy and business objectives.
The organization reviews entity performance results and considers risk.
The organization pursues improvement of ERM.
What are the three principles of the Information, Communication, and Reporting component of the COSO ERM framework?
The organization leverages its information systems to support ERM.
The organization uses communication channels to support ERM.
The organization reports on risk, culture, and performance at multiple levels and across the entity.
Give examples of the limitations of ERM.
Faulty human judgment
Cost-benefit considerations
Simple errors or mistakes
Collusion
Management override of ERM practices
List the eight principles of the ISO 31000 Risk Management Framework.
Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual improvement
List the six components of the ISO 31000 Risk Management Framework.
Leadership and commitment
Integration
Design
Implementation
Evaluation
Improvement
List the six risk management processes in the ISO Risk Management Framework.
Communication and consultation
Scope, context, criteria
Risk assessment
Risk treatment
Monitoring and review
Recording and reporting
What are the responsibilities of (1) the board, (2) management, and (3) the internal audit activity defined in the ISO 31000 Risk Management Framework?
The board: Overseeing risk management; ensuring that risks are managed and the risk management system is effective
Management: Setting the organization’s risk attitude; identifying and managing risks
Internal audit activity: Providing assurance regarding the entire risk management system
The ISO Risk Management Framework describes what three approaches to providing assurance on the risk management process?
The key principles approach
The process element approach
The maturity model
What are the five maturity levels defined by the capability maturity model (CMM)?
Level 1
Initial: Few processes are defined.
Level 2
Repeatable: Basic processes are established.
Level 3
Defined: Standards are developed.
Level 4
Managed: Performance measures are defined.
Level 5
Optimizing: Continuous improvement is enabled.
What are the five maturity levels defined by the Capability Maturity Model Integration (CMMI) Development V2.0?
Level 0
Incomplete: Whether work can be completed is not known.
Level 1
Initial: Work can be completed, but not on time or within the budget.
Level 2
Managed: Projects are planned, implemented, managed, and monitored.
Level 3
Defined: Standards for projects are defined throughout the organization.
Level 4
Quantitatively managed: The organization quantifies performance improvement goals to meet stakeholder needs.
Level 5
Optimizing: The organization pursues continuous improvement, responds to change, and innovates.
ERM is expected to manage risks effectively and to help create, preserve, and realize value when
The components, principles, and supporting controls are present and functioning.
How is risk defined in the Glossary?
“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
What are the four broad categories of risk?
Strategic risks
Operational risks
Financial risks
Hazard risks
What is risk capacity?
Risk capacity is the maximum amount of risk that an organization can tolerate without irreparably damaging the company.
What is risk appetite?
Risk appetite is defined in the IIA Glossary as “the level of risk that an organization is willing to accept.”
Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and the influence of technology, capital, and human resources.