6. Risk Management Frameworks And Standards

Question 0

How does the Institute define risk?

Answer 0

The possibility of an event occurring
That will have an impact
On the achievement of objectives.
Risk is measured in terms of
Impact
And likelihood

Question 1

The view of risk as a h—, enterprise-wide activity is a recent one.

Answer 1

Holistic

Question 2

When should a problem or hazard not be considered a risk?

Answer 2

When it does not or cannot affect the organisation’s objectives

Question 3

Risk can create — as well as bring threats or dangers

Answer 3

Opportunities

Question 4

What are the main two elements involved in measuring risk?

Answer 4

Impact

Likelihood

Question 5

How does the Institute define risk management?

Answer 5

A process to
Identify
Assess
Manage
And control
Potential events or situations
To provide reasonable assurance
Regarding the achievement of the organisation's objectives

Question 6

How does COSO define Enterprise Risk Management?

Answer 6

A process effected by an entity’s board of directors, management and other personnel,
Applied in strategy setting and across the enterprise,
Designed to identify potential events that may affect the entity,
And manage risk to be within its risk appetite,
To provide reasonable assurance
Regarding the achievement of entity objectives

Question 7

Many top level considerations of risk concentrate on processes and structures. What else should they consider?

Answer 7

Culture

Question 8

Organisations with a — culture find it difficult to review materialised risks, incidents and near misses for lessons learned

Answer 8

Blame

Question 9

The — of risk management are the elements of the organisation responsible for managing different aspects of risk

Answer 9

Structures

Question 10

Outline the general steps of a risk management process

Answer 10

Setting objectives
Identifying risks
Assessing impact and likelihood
Determine appetite
Implement responses
Monitoring and reporting of effectiveness of responses
Taking corrective action

Question 11

How does the Institute define risk appetite?

Answer 11

The level of risk that is acceptable
To the board or management.
This may be set in relation to
The organisation as a whole,
For different groups of risks
Or at an individual risk level

Question 12

What are the main categories of risk management strategies?

Answer 12

Terminate
Tolerate
Transfer
Treat
(Exploit)

Question 13

According to the Institute, Internal Audit will normally provide assurance on what three areas of the risk management process?

Answer 13

Design and effectiveness of RM processes
Management of “key” risks, including effectiveness of responses
Reliable and appropriate assessment of risks and reporting of risk and control status

Question 14

What are the three most important sources of current thinking on risk management?

Answer 14

Financial services
Hazard management
Insurance

Question 15

Historically, risk management has been a key discipline within the — — sector

Answer 15

Financial services

Question 16

List the main types of risk

Answer 16

Strategic
Operational
Financial
Legal
Reputational
Project
Information
Country

Question 17

Operational risks relate to the — carried out within an organisation

Answer 17

Activities

Question 18

— risks relate to the activities carried out within the organisation

Answer 18

Operational

Question 19

Operational risks may include risks associated with…

Answer 19

Recruitment
Retention
Human error
Fraud
Business interruption
Security

Question 20

Operational risks may arise from what sources?

Answer 20

Organisation’s structure and systems
People
Products
Processes

Question 21

How does the Office of Government Commerce describe strategic risk?

Answer 21

Risk concerned with
Where the organisation wants to go
How it plans to get there
And how it can ensure survival

Question 22

Strategic risks are more likely to relate to — factors than operational risks

Answer 22

External

Question 23

Strategic risks are more likely to be beyond the organisation’s ability to — or — than operational risks

Answer 23

Manage or control

Question 24

Strategic risks are usually — term than operational risks

Answer 24

Longer

Question 25

As well as presenting significant dangers to the organisation, strategic risks can also provide —

Answer 25

Opportunities

Question 26

Financial risks include what four types of risk?

Answer 26

Credit
Liquidity
Market
Investment

Question 27

From what three areas do legal risks mainly arise?

Answer 27

Threat of litigation
Risk of breaching legislation and regulations
Risk posed by changes in legislation and regulations

Question 28

What are the main types of project risk?

Answer 28

Human
Technical
Cost
Quality
Time
Benefits
Partner risk

Question 29

Which of the key corporate governance committees highlighted the linkage between corporate governance and risk management?

Answer 29

The Hampel Committee (1998)

Question 30

Which principle of the Code states that “the board should maintain risk management and internal control systems”?

Answer 30

C2 Risk Management and Internal Control

Question 31

What does principles C2 Risk Management and Internal Control state?

Answer 31

The board should maintain risk management and internal control systems

Question 32

According to provision C.2.1, the board should, at least annually…

Answer 32

Conduct a review of the effectiveness
Of the company's
Risk management
And internal control systems
And report to shareholders that they have done so

Question 33

The annual review of risk management and internal control systems required by provision C.2.1 should cover what?

Answer 33

All material controls, including:
Financial
Operational
And compliance controls

Question 34

How did the business community initially react when the requirement to include and annual review of risk management and internal control was introduced into the 1998 combined code.

Answer 34

They were unsure how to conduct such a review, especially where they had previously only considered financial controls

Question 35

What was the response to the business community’s concerns over the requirement for annual review as stated in provision C.2.1?

Answer 35

The Turnbull Guidance

Produced by Nigel Turnbull

Question 36

List the principal risk management standards

Answer 36

AS/NZS 4360:1999 and AS/NZS 4360:2004
HM Treasury "Orange Book" 2001 & 2004
IRM Risk Management Standard 2002
COSO Enterprise Risk Management 2004
ISO 31000

Question 37

Which large UK organisation based their risk management standards on AS/NZS 4360?

Answer 37

National Health Service

Question 38

What are the seven steps of the risk management process according to AS/NZS 4360?

Answer 38

Establish context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicate risks
Monitor risks

Question 39

When was AS/NZS 4360 withdrawn?

Answer 39

Following the issue of ISO 31000

Question 40

What are the six steps of the Orange Book risk management process?

Answer 40

Identify risks and define framework
Evaluate risks
Assess risk appetite
Identify responses to risks
Gain assurance about effectiveness of risks
Embed and review

Question 41

When was the COSO Enterprise Risk Management framework published?

Answer 41

2004

Question 42

According to the COSO ERM framework, what does ERM encompass?

Answer 42

Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities
Improving deployment of capital

Question 43

According to COSO ERM, ERM can be considered a —, ongoing and flowing through an entity

Answer 43

Process

Question 44

According to COSO ERM, ERM can be considered as effected by — at every level of the organisation

Answer 44

People

Question 45

According to COSO ERM, ERM can be considered as applied in — setting

Answer 45

Strategy

Question 46

The COSO ERM framework is geared to achieving an organisation’s objectives, set forth in what four categories?

Answer 46

Strategic
Operations
Reporting
Compliance

Question 47

The COSO ERM framework is based on the COSO internal control framework. What are its eight components?

Answer 47

Internal Environment

Objective Setting
Event Identification
Risk Assessment
Risk Response

Control Activities
Information and Communication
Monitoring

Question 48

ISO 31000 stresses the importance of the risk management —

Answer 48

Context

Question 49

What does ISO 31000 mean by the risk management “context”?

Answer 49

The structure that supports risk management processes

Question 50

According to ISO 31000, what are the three elements of the risk management “context”?

Answer 50

Risk architecture
Risk strategy
Risk protocols

Question 51

What does risk architecture comprise?

Answer 51

Roles and responsibilities

Communication and reporting structure

Question 52

What does risk strategy comprise (as part of ISO 31000 risk context)?

Answer 52

Risk management policies, including:
Risk appetite
Risk attitude

Question 53

What do risk protocols comprise?

Answer 53

Rules, procedures and guidelines, specifying:
Risk management methodologies
Tools and techniques
Monitoring and reporting arrangements

Question 54

An effective risk management framework ought to enable risk management to become a — part of an organisation’s approach, rather than a one off exercise

Answer 54

Living

Question 55

An effective risk management framework ought to enable risk management to give encouragement to — — that is properly informed, understood and controlled within the overall risk appetite and control framework

Answer 55

Risk taking

Question 56

An effective risk management framework ought to enable risk management to — an organisation’s corporate governance structures and requirements

Answer 56

Complement