6. Advisory risk frameworks Flashcards
Describe the “Orange Book” on risk management
- Aimed at providing broad-based general advice on principles of RM in public & private sectors
- Describes risk management process
- Includes horizon scanning: a systematic activity to identify indicators of changes in risk
- Examines how org’s RM activities relate to wider environment it operates in
- Developed by UK Treasury
Outline the principles of RM in the “Orange Book”
- Importance of linking risks to objectives
- Distinction between risk and its impact
- Need to distinguish between inherent and residual risks
- Prioritisation of risks is more important than quantification
- Risk appetite must be subdivided into corporate, delegated and project
- Importance of reviewing and reporting regularly
Describe the Treasury Board of Canada Risk Management Framework
Description
* Decision-making framework for public-sector employees
Principles
* Importance of establishing a comprehensive understanding of org’s risk profile, appetite and tolerance
* Focus on RMF and integration of RM activities
* Value of continuous and supporting learning environment
* Need to establish “relationship between org and its operating environment, revealing interdependence of individual activities and horizontal linkages”
What are the 4 elements of the Treasury Board of Canada Risk Management Framework
Element 1: Developing corporate risk profile
Element 2: Establishing an Integrated Risk Management Function
Element 3: Practising Integrated Risk Management
Element 4: Ensuring continuous risk management learning
Describe the AS/NZ 4630:2004
Description
* Best practice RM Standard published by Standards Australia
Principles
* Detail on risk analysis for non-financial orgs (can be useful for considering operational risk for financial ones)
* Recommends that RM process is formulated into a risk management plan
* Stresses importance of senior management buy-in
* Need for adequate resources allocated to RM
What are the elements of the AS/NZ 4630:2004
- Establish internal and external context (incl SWOT factors)
- Identify risks
- Analyse risks
- Evaluate risks
- Treat risks
- Monitor and review
- Communicate and consult
Describe the ISO 3000:2009
- Risk Management Guidance Standard
- Aims to provide generic guidelines for principles underlying best practice RM instead of specific risks or sectors
Outline the principles of ISO 3000:2009
Risk management:
* Creates and protects value
* Is integral part of all organisational processes
* Part of decision making
* Explicitly addresses uncertainty
* Is systematic, structured and timely
* Based on best available information
* Tailored to specific nature of company
* Takes human and cultural factors into account
* Is dynamic, iterative and responsive to change
* Facilitates continual improvement of organisation
Describe Risk Assessment and Management for Projects (RAMP)
- Concerned with capital projects and not ongoing business activities
Principles/stages:
- RAMP launch
- Risk identification
- Risk analysis
- Financial evaluation
- Risk mitigation
- Go/no-go decision
- Risk control
- RAMP closedown
What are some differences between RAMP and AS/NZ
RAMP:
* Has launch and closedown
* Has go/no-go step
Describe IRM / AIRMIC / Alarm Risk Management Standard
- Proposes methodical approach to RM and structured approach to risk reporting
- Strong focus on role of a risk management champion, CRO, in an org
Principles of IRM / AIRMIC / Alarm Risk Management Standard
In addition to those in COSO framework
* In-house approach to RM is preferable
* Internal audit is an important control
* Clarity over roles of stakeholders is important
* Highly structured approach to risk is beneficial