7. Strategic Perspective On Risk Management

Question 0

— — are the first line of defence and have direct responsibility for the management of risks

Answer 0

Operational units

Question 1

List the three lines of defence in risk management.

Answer 1

First line: operational units
Second line: oversight functions
Third line: assurance functions

Question 2

— — are the second line of defence and have responsibility for coordinating and overseeing the risk framework

Answer 2

Oversight functions

Question 3

— — are the third line of defence and provide independent and objective assurance with respect to the integrity and effectiveness of the risk management framework

Answer 3

Assurance functions

Question 4

What does the Code say about the directors’ responsibility with respect to risk management and internal control?

Answer 4

They should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so.

Question 5

According to Turnbull 2005, what five factors should the board consider when determining its policies with regard to internal control?

Answer 5

Nature and extent of risks facing company
Extent and categories of risk it regards as acceptable to bear
Likelihood of the risks materialising
Ability to reduce incidence and impact of risks that do materialise
Costs of operating particular controls relative to benefit obtained

Question 6

What are the board’s MAIN responsibilities with regard to risk management?

Answer 6

Set out policies for internal control and risk management

Satisfy itself that those policies are working

Question 7

How to the roles of executive and non-executive directors vary with respect to risk management?

Answer 7

Executives responsible for ensuring implementation of board policy
Non-executives responsible for ensuring they have sufficient information to be assured the executives are in control

Question 8

As well as the policy framework, the board should put in place — — to enable effective risk management

Answer 8

Additional structures

Question 9

The board should not just rely on — monitoring processes within a company to discharge its duties

Answer 9

Embedded

Question 10

List the high level responsibilities of the board over risk and risk management

Answer 10

Top level ownership and championship of ERM
Ownership of overall RM policy
Defining high level risk appetite
Regular review of highest level risk register
Taking action on risks that have been escalated
Delegating certain responsibilities to a risk or audit committee
Holding management to account for complying with and operating the RM process

Question 11

To help identify and manage the key risks that an organisation faces, many entities are increasingly employing — — and — —

Answer 11

Risk committees and risk officers

Question 12

In the history of UK corporate governance, who recommended that major financial institutions have separate risk committees?

Answer 12

Sir David Walker (2009)

Question 13

Did the 2010 UK Corporate Governance code take up Sir David Walker’s recommendation that major financial institutions should have separate risk committees?

Answer 13

No

Question 14

The risk committee is — defined in UK Corporate Governance

Answer 14

Poorly

Question 15

How does HM Treasury define the risk committee?

Answer 15

A committee established with executive authority to take action to manage the risks which face the organisation

Question 16

Risk committees more usually consist of…

Answer 16

Executive management

Question 17

A main role of the risk committee is to oversee the implementation of the — — — on behalf of the board

Answer 17

Risk management policy

Question 18

A main role of the risk committee is nurturing and fostering an appropriate — towards ERM across the organisation

Answer 18

Culture

Question 19

A main role of the risk committee is to identify and report to the board on the major — — and opportunities that the organisation faces

Answer 19

Negative risks

Question 20

A main role of the board is m– and r– in detail how effectively the key risks are being managed

Answer 20

Monitoring and reviewing

Question 21

A main role of the risk committee is promoting the exchange of — — — in risk management throughout the organisation

Answer 21

Best practice techniques

Question 22

Where there is no risk committee, where does the UK Corporate Governance Code lay the duties of the risk committee

Answer 22

The audit committee

Question 23

If there is a risk committee, what is the ideal division of effort and focus?

Answer 23

Risk committee presents content of risk register to audit committee or board
Audit committee reviews process whereby organisation identified, evaluated and took action on risks

Question 24

In a large organisation, the risk committee may be supported by what?

Answer 24

Risk officer or officers

Risk function

Question 25

Often, the role of risk officer is not a — — — but forms part of an individual’s wider responsibilities

Answer 25

Full time job

Question 26

Many organisations use their — — as a meeting forum for their risk officers

Answer 26

Risk committees

Question 27

Risk officers assist in the implementation of the organisation’s — — policies and procedures in the area in which they work

Answer 27

Risk management

Question 28

Risk officers bring together in the — — the key risks facing that part of the organisation

Answer 28

Prescribed format

Question 29

Risk officers are often expected to help individual departments carry out…

Answer 29

Risk assessment exercises

Testing to ensure integrity of risk management information

Question 30

What are likely to be the main tasks of an overall risk officer?

Answer 30

Championing methodology
Managing risk management process
Bring together results for consideration of risk committee or board

Question 31

What does CRO stand for?

Answer 31

Chief Risk Officer

Question 32

In some cases, the CRO will also be the head of…

Answer 32

The internal audit function

Question 33

What must be ensured when the Chief Risk Officer is also the Head of Internal Audit?

Answer 33

Roles clearly distinguished
Clear the ownership of risk management lies with management
Head of Internal Audit only responsible for overall risk management policy and reporting to the board
Situation should be approached with caution

Question 34

The role of executive management at lower levels is to — the board’s risk policy into processes and procedures

Answer 34

Interpret

Question 35

— has the primary responsibility of managing risk on a day-to-day basis

Answer 35

Management

Question 36

Management should or should not be seeking to eliminate risk?

Answer 36

Should not

Question 37

Rather than trying to eliminate risk, management should be…

Answer 37

Managing it down to an acceptable level as defined by the risk appetite

Question 38

Management play a key role in the identification of — and — risks

Answer 38

Threat and opportunity

Question 39

How May management identify threat and opportunity risks?

Answer 39

Risk workshops
Discussions with individuals
Assistance of internal audit function

Question 40

Having identified risks in their area, management must assess…

Answer 40

The impact and likelihood of the risks occurring

Question 41

The risks identified and assessed by management will usually form the basis of the local — —

Answer 41

Risk register

Question 42

Management should be involved setting and communicating the — —

Answer 42

Risk appetite

Question 43

The – — helps determine the level and extent of internal controls required

Answer 43

Risk appetite

Question 44

Management decide on the — — they will employ to manage risk

Answer 44

Risk responses

Question 45

Management must ensure they have put in place — mechanisms to show risks are being managed to an acceptable level

Answer 45

Feedback

Question 46

Ideally, feedback mechanisms should — when problems are about to occur

Answer 46

Predict

Question 47

Finally, management should — on the risk situation in their area

Answer 47

Report

Question 48

List the functional experts involved in risk management

Answer 48

Occupational Health and Safety (OHS)
Quality assurance
Risk management
Insurance
Security
Business Continuity Management
Finance, Human Resources and IT

Question 49

The Health and Safety Executive (HSE) recommends a —, — — approach to health and safety

Answer 49

Reasoned, risk based

Question 50

Given its specialist nature, how is the OHS risk management process likely to be treated?

Answer 50

Separately from the general business risk management process

Question 51

The role of the quality assurance function is to promote what?

Answer 51

A process that helps focus on meeting customer requirements
Through the quality of all tasks
Carried out in the organisation

Question 52

Around what quality standard are many quality assurance functions based?

Answer 52

ISO 9001:2000

Question 53

For what is a separate risk management function responsible?

Answer 53

Managing
Coordinating
And overseeing
The risk management policy and processes
On behalf of the board

Question 54

What are the two most important ways that internal audit provides value to the organisation?

Answer 54

Objective assurance that RM processes and internal control systems operating effectively
Assurance that major business risks are being managed appropriately

Question 55

The role of internal audit is primarily to provide assurances on what three areas?

Answer 55

Risk management processes (design and effectiveness)
Management of “key” risks
Reliable and appropriate assessment of risks and reporting of risk and control status

Question 56

Describe internal audit’s core role with regards to ERM

Answer 56

To provide objective assurance to the board on the effectiveness of risk management

Question 57

What are the key factors to take into account when determining internal audit’s role in ERM?

Answer 57

Whether activity raises any threats to independence and objectivity
Whether it is likely to improve risk management, control and governance processes

Question 58

What are the five roles with regard to ERM that internal audit OUGHT TO undertake?

Answer 58

Assurance on RM process
Assurance that risks correctly evaluated

Evaluating RM process
Evaluating reporting of key risks

Reviewing management of key risks

Question 59

What roles should internal audit NOT TAKE with regard to ERM?

Answer 59

Setting risk appetite
Imposing RM processes
Management assurance on risk
Taking decisions on risk response
Implementing risk responses
Accountability for risk management

Question 60

What roles may internal audit legitimately undertake with regard to ERM provided appropriate safeguards in place?

Answer 60

Facilitating identification and evaluation of risk
Coaching management in responding to risk
Co-ordinating ERM activities
Consolidating reporting on risks
Maintaining and developing ERM framework
Championing ERM framework
Developing RM strategy for board approval

Question 61

On what will depend the extent of internal audit’s ERM consulting role?

Answer 61

Other resources available to board

Risk maturity of organisation

Question 62

In deciding whether ERM consulting services are compatible with internal audit’s assurance role, what is the key factor?

Answer 62

Whether internal audit function is assuming any management responsibility

Question 63

One of the safeguards for IA involvement in ERM is that it should be clear that — remains responsible for risk management

Answer 63

Management

Question 64

One of the safeguards with regard to IA involvement in ERM is that IA’s — should be documented in the audit charter

Answer 64

Responsibilities

Question 65

One of the safeguards with regard to IA’s involvement in ERM is that internal audit should not — any risks on management’s behalf

Answer 65

Manage

Question 66

One of the safeguards with regard to IA’s involvement in ERM is that IA cannot also give — — on any part of the ERM framework for which it is responsible

Answer 66

Objective assurance

Question 67

One of the safeguards with regard to IA’s involvement in ERM is that any work beyond assurance activities should be recognised as a — — and the implementation standards relating to such engagements should be followed

Answer 67

Consulting engagement

Question 68

In terms of risk management, each of the associated review functions needs to what?

Answer 68

Be clear about its role to avoid overlap and duplication

Question 69

As far as external audit is concerned, in what two areas of the effectiveness of the risk management process are they particularly interested?

Answer 69

Major risks facing the organisation

What is being done to manage those risks

Question 70

External audit may want to review the risk management process themselves, but they may seek to rely on…

Answer 70

Work carried out by other bodies within the organisation

Question 71

According to the Institute of Risk Management, what should an organisation’s risk management policy do?

Answer 71

Set out its approach to and appetite for risk
And its approach to risk management.
The policy should also set out the responsibilities for risk management
Throughout the organisation

Question 72

By what other terms are risk management policies known?

Answer 72

Risk strategies
Risk management strategies
Risk policies
Risk approaches

Question 73

A risk management policy is a — — — drawn up and/or endorsed by the board of directors

Answer 73

High level statement

Question 74

A risk management policy establishes, at a high level, what?

Answer 74

Overall approach to risk management
Risk appetite
Risk taking preferences
Risk response choices

Question 75

A risk management policy should be formally —

Answer 75

Documented

Question 76

A risk management policy should help establish an overall — within which the organisation should implement risk management

Answer 76

Framework

Question 77

The risk management policy should be — across the organisation

Answer 77

Communicated

Question 78

The risk management policy should be kept — to ensure its continued coherence and effectiveness

Answer 78

Current

Question 79

A risk management policy may contain a board level —

Answer 79

Endorsement

Question 80

A risk management policy may contain an introduction, setting out…

Answer 80

Overall purpose of risk management

Relationship to other policies

Question 81

A risk management policy may contain high-level parameters for risk a—

Answer 81

Appetite

Question 82

A risk management policy may contain statements in respect of risk p— in areas of business or service delivery activities

Answer 82

Preferences

Question 83

A risk policy may contain r— and r— in respect of risk management

Answer 83

Roles and responsibilities

Question 84

A risk management policy may contain the risk management — itself

Answer 84

Process

Question 85

A risk management policy may contain — and — guidelines concerning risks

Answer 85

Reporting and review

Question 86

A risk management policy may contain an e— mechanism in the event of risk management incidents

Answer 86

Escalation

Question 87

A risk management policy may contain a — detailing common risk language and defining terms to be used across the organisation

Answer 87

Glossary

Question 88

The — required to implement the organisation’s risk management policy should be clearly established at each level of management and within each business unit, team or function

Answer 88

Resources