7. Strategic Perspective On Risk Management Flashcards

0
Q

— — are the first line of defence and have direct responsibility for the management of risks

A

Operational units

1
Q

List the three lines of defence in risk management.

A

First line: operational units
Second line: oversight functions
Third line: assurance functions

2
Q

— — are the second line of defence and have responsibility for coordinating and overseeing the risk framework

A

Oversight functions

3
Q

— — are the third line of defence and provide independent and objective assurance with respect to the integrity and effectiveness of the risk management framework

A

Assurance functions

4
Q

What does the Code say about the directors’ responsibility with respect to risk management and internal control?

A

They should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so.

5
Q

According to Turnbull 2005, what five factors should the board consider when determining its policies with regard to internal control?

A

Nature and extent of risks facing company
Extent and categories of risk it regards as acceptable to bear
Likelihood of the risks materialising
Ability to reduce incidence and impact of risks that do materialise
Costs of operating particular controls relative to benefit obtained

6
Q

What are the board’s MAIN responsibilities with regard to risk management?

A

Set out policies for internal control and risk management

Satisfy itself that those policies are working

7
Q

How do the roles of executive and non-executive directors differ with respect to risk management?

A

Executives responsible for ensuring implementation of board policy
Non-executives responsible for ensuring they have sufficient information to be assured the executives are in control

8
Q

As well as the policy framework, the board should put in place — — to enable effective risk management

A

Additional structures

9
Q

The board should not just rely on — monitoring processes within a company to discharge its duties

A

Embedded

10
Q

List the high level responsibilities of the board over risk and risk management

A

Top level ownership and championship of ERM
Ownership of overall RM policy
Defining high level risk appetite
Regular review of highest level risk register
Taking action on risks that have been escalated
Delegating certain responsibilities to a risk or audit committee
Holding management to account for complying with and operating the RM process

11
Q

To help identify and manage the key risks that an organisation faces, many entities are increasingly employing — — and — —

A

Risk committees and risk officers

12
Q

In the history of UK corporate governance, who recommended that major financial institutions have separate risk committees?

A

Sir David Walker (2009)

13
Q

Did the 2010 UK Corporate Governance code take up Sir David Walker’s recommendation that major financial institutions should have separate risk committees?

A

No

14
Q

The risk committee is — defined in the UK Corporate Governance Code

A

Poorly

15
Q

How does HM Treasury define the risk committee?

A

A committee established with executive authority to take action to manage the risks which face the organisation

16
Q

Risk committees more usually consist of…

A

Executive management

17
Q

A main role of the risk committee is to oversee the implementation of the — — — on behalf of the board

A

Risk management policy

18
Q

A main role of the risk committee is nurturing and fostering an appropriate — towards ERM across the organisation

A

Culture

19
Q

A main role of the risk committee is to identify and report to the board on the major — — and opportunities that the organisation faces

A

Negative risks

20
Q

A main role of the risk committee is m— and r— in detail how effectively the key risks are being managed

A

Monitoring and reviewing

21
Q

A main role of the risk committee is promoting the exchange of — — — in risk management throughout the organisation

A

Best practice techniques

22
Q

Where there is no risk committee, on whom does the UK Corporate Governance Code lay the duties of the risk committee?

A

The audit committee

23
Q

If there is a risk committee, what is the ideal division of effort and focus?

A

Risk committee presents the content of the risk register to the audit committee or board
Audit committee reviews the process by which the organisation identified, evaluated and took action on risks

24
Q

In a large organisation, the risk committee may be supported by what?

A

Risk officer or officers
Risk function

25
Q

Often, the role of risk officer is not a — — — but forms part of an individual's wider responsibilities

A

Full-time job

26
Q

Many organisations use their — — as a meeting forum for their risk officers

A

Risk committees

27
Q

Risk officers assist in the implementation of the organisation's — — policies and procedures in the area in which they work

A

Risk management

28
Q

Risk officers bring together in the — — the key risks facing that part of the organisation

A

Prescribed format

29
Q

Risk officers are often expected to help individual departments carry out...

A

Risk assessment exercises
Testing to ensure the integrity of risk management information

30
Q

What are likely to be the main tasks of an overall risk officer?

A

Championing the methodology
Managing the risk management process
Bringing together the results for consideration by the risk committee or board

31
Q

What does CRO stand for?

A

Chief Risk Officer

32
Q

In some cases, the CRO will also be the head of...

A

The internal audit function

33
Q

What must be ensured when the Chief Risk Officer is also the Head of Internal Audit?

A

The two roles are clearly distinguished
It is clear that ownership of risk management lies with management
The Head of Internal Audit is responsible only for the overall risk management policy and for reporting to the board
The situation should be approached with caution

34
Q

The role of executive management at lower levels is to — the board's risk policy into processes and procedures

A

Interpret

35
Q

— has the primary responsibility for managing risk on a day-to-day basis

A

Management

36
Q

Should management be seeking to eliminate risk?

A

No, it should not

37
Q

Rather than trying to eliminate risk, management should be...

A

Managing it down to an acceptable level, as defined by the risk appetite

38
Q

Management play a key role in the identification of — and — risks

A

Threat and opportunity

39
Q

How may management identify threat and opportunity risks?

A

Risk workshops
Discussions with individuals
With the assistance of the internal audit function

40
Q

Having identified risks in their area, management must assess...

A

The impact and likelihood of the risks occurring

41
Q

The risks identified and assessed by management will usually form the basis of the local — —

A

Risk register

42
Q

Management should be involved in setting and communicating the — —

A

Risk appetite

43
Q

The — — helps determine the level and extent of internal controls required

A

Risk appetite

44
Q

Management decide on the — — they will employ to manage risk

A

Risk responses

45
Q

Management must ensure they have put in place — mechanisms to show that risks are being managed to an acceptable level

A

Feedback

46
Q

Ideally, feedback mechanisms should — when problems are about to occur

A

Predict

47
Q

Finally, management should — on the risk situation in their area

A

Report

48
Q

List the functional experts involved in risk management

A

Occupational Health and Safety (OHS)
Quality assurance
Risk management
Insurance
Security
Business continuity management
Finance, human resources and IT

49
Q

The Health and Safety Executive (HSE) recommends a —, — — approach to health and safety

A

Reasoned, risk-based

50
Q

Given its specialist nature, how is the OHS risk management process likely to be treated?

A

Separately from the general business risk management process

51
Q

The role of the quality assurance function is to promote what?

A

A process that helps the organisation focus on meeting customer requirements through the quality of all tasks carried out in the organisation

52
Q

Around what quality standard are many quality assurance functions based?

A

ISO 9001:2000

53
Q

For what is a separate risk management function responsible?

A

Managing, coordinating and overseeing the risk management policy and processes on behalf of the board

54
Q

What are the two most important ways that internal audit provides value to the organisation?

A

Objective assurance that risk management processes and internal control systems are operating effectively
Assurance that major business risks are being managed appropriately

55
Q

The role of internal audit is primarily to provide assurance on what three areas?

A

Risk management processes (design and effectiveness)
Management of "key" risks
Reliable and appropriate assessment of risks, and reporting of risk and control status

56
Q

Describe internal audit's core role with regard to ERM

A

To provide objective assurance to the board on the effectiveness of risk management

57
Q

What are the key factors to take into account when determining internal audit's role in ERM?

A

Whether the activity raises any threats to independence and objectivity
Whether it is likely to improve risk management, control and governance processes

58
Q

What are the five roles with regard to ERM that internal audit OUGHT TO undertake?

A

Giving assurance on the risk management process
Giving assurance that risks are correctly evaluated
Evaluating the risk management process
Evaluating the reporting of key risks
Reviewing the management of key risks

59
Q

What roles should internal audit NOT TAKE with regard to ERM?

A

Setting the risk appetite
Imposing risk management processes
Management assurance on risk
Taking decisions on risk responses
Implementing risk responses
Accountability for risk management

60
Q

What roles may internal audit legitimately undertake with regard to ERM, provided appropriate safeguards are in place?

A

Facilitating the identification and evaluation of risk
Coaching management in responding to risk
Co-ordinating ERM activities
Consolidating reporting on risks
Maintaining and developing the ERM framework
Championing the ERM framework
Developing the risk management strategy for board approval

61
Q

On what does the extent of internal audit's ERM consulting role depend?

A

Other resources available to the board
Risk maturity of the organisation

62
Q

In deciding whether ERM consulting services are compatible with internal audit's assurance role, what is the key factor?

A

Whether the internal audit function is assuming any management responsibility

63
Q

One of the safeguards for IA involvement in ERM is that it should be clear that — remains responsible for risk management

A

Management

64
Q

One of the safeguards with regard to IA involvement in ERM is that IA's — should be documented in the audit charter

A

Responsibilities

65
Q

One of the safeguards with regard to IA's involvement in ERM is that internal audit should not — any risks on management's behalf

A

Manage

66
Q

One of the safeguards with regard to IA's involvement in ERM is that IA cannot also give — — on any part of the ERM framework for which it is responsible

A

Objective assurance

67
Q

One of the safeguards with regard to IA's involvement in ERM is that any work beyond assurance activities should be recognised as a — — and the implementation standards relating to such engagements should be followed

A

Consulting engagement

68
Q

In terms of risk management, what does each of the associated review functions need to do?

A

Be clear about its role, to avoid overlap and duplication

69
Q

As far as external audit is concerned, in what two areas of the effectiveness of the risk management process are they particularly interested?

A

The major risks facing the organisation
What is being done to manage those risks

70
Q

External audit may want to review the risk management process themselves, but they may seek to rely on...

A

Work carried out by other bodies within the organisation

71
Q

According to the Institute of Risk Management, what should an organisation's risk management policy do?

A

Set out its approach to and appetite for risk, and its approach to risk management
The policy should also set out the responsibilities for risk management throughout the organisation

72
Q

By what other terms are risk management policies known?

A

Risk strategies
Risk management strategies
Risk policies
Risk approaches

73
Q

A risk management policy is a — — — drawn up and/or endorsed by the board of directors

A

High-level statement

74
Q

A risk management policy establishes, at a high level, what?

A

Overall approach to risk management
Risk appetite
Risk-taking preferences
Risk response choices

75
Q

A risk management policy should be formally —

A

Documented

76
Q

A risk management policy should help establish an overall — within which the organisation should implement risk management

A

Framework

77
Q

The risk management policy should be — across the organisation

A

Communicated

78
Q

The risk management policy should be kept — to ensure its continued coherence and effectiveness

A

Current

79
Q

A risk management policy may contain a board-level —

A

Endorsement

80
Q

A risk management policy may contain an introduction, setting out...

A

Overall purpose of risk management
Relationship to other policies

81
Q

A risk management policy may contain high-level parameters for risk a—

A

Appetite

82
Q

A risk management policy may contain statements in respect of risk p— in areas of business or service delivery activities

A

Preferences

83
Q

A risk policy may contain r— and r— in respect of risk management

A

Roles and responsibilities

84
Q

A risk management policy may contain the risk management — itself

A

Process

85
Q

A risk management policy may contain — and — guidelines concerning risks

A

Reporting and review

86
Q

A risk management policy may contain an e— mechanism in the event of risk management incidents

A

Escalation

87
Q

A risk management policy may contain a — detailing common risk language and defining terms to be used across the organisation

A

Glossary

88
Q

The — required to implement the organisation's risk management policy should be clearly established at each level of management and within each business unit, team or function

A

Resources