Acronyms Flashcards
RASP - what is it? What does it stand for?
RASP provides details of the risk management framework and helps define risk management context.
R = Risk
A = Architecture (as in Risk Architecture: committees, roles, responsibilities etc.)
S = Strategy (as in the RM philosophy, appetite, how it's embedded)
P = Protocols (tools, techniques, assessment procedures)
CHOC - what is it? What does it stand for?
CHOC are the 4 different CATEGORIES of risk used by Hopkin.
C = Compliance Risks: Minimize these.
H = Hazard Risks: Mitigate these. 'Pure Risk'. Impact always negative.
O = Opportunity Risks: Embrace these. 'Speculative'. Impact has the potential to be positive.
C = Control Risks: Manage these. 'Speculative'. Impact uncertain.
FIRM - what is it? What does it stand for?
FIRM is an example of a Risk Categorisation approach that can also be used when developing a ‘Scorecard’ for Risk.
F = Financial - Internal (the way money is managed, profitability)
I = Infrastructure - Internal (efficiency of processes)
R = Reputational - External (perception)
M = Marketplace - External
Other categorisation approaches include PESTLE (best used for Hazard Risks) or the COSO ERM approach (SORC). CHOC could also be overlaid on any of these.
The 4N’s of Risk Maturity - what are they?
The 4N’s relate to the Risk Maturity Model - the “Status Levels” or “Stages” of Risk Maturity. Each stage matches well with a level of embedment under FOIL.
Naive - Fragmented ERM embedment
Novice - Organised ERM embedment
Normalised - Influential ERM embedment
Natural - Leading ERM embedment
FOIL - what is it?
FOIL relates to the characteristics of Risk Management (or ERM) embedment in an organisation
F = Fragmented (legal and compliance only, e.g. HSE)
O = Organised (coordinated and planned across all types of risk)
I = Influential (ERM is now influencing process and behaviours)
L = Leading (Risk is a substantial factor in decision making)
Different levels of embedment are often accompanied by a corresponding level of Risk Maturity in an organisation, which are the ‘4 N’s of Risk Maturity’.
PACED - what is it?
PACED are the 5 Principles of a Risk Framework (what a successful ERM initiative and Framework should be / ‘what does good look like’)
P = Proportionate (to the level of risk in an org)
A = Aligned (with other business activities)
C = Comprehensive (systematic, structured)
E = Embedded (within the business, procedures etc.)
D = Dynamic (iterative and responsive to change)
While ‘PACED’ shows ‘what good looks like’, ‘MADE2’ tells us ‘what good gives us’ and what objectives good Risk Management will achieve.
MADE2 - what is it?
‘MADE2’ tells us ‘what good gives us’ and what objectives good Risk Management will achieve.
M = Mandatory requirements will be met (rules, regulations, laws etc.)
A = Assurance that control activities are working and are 'PACED'
D = Decision making will be able to use appropriate risk based information
E(2) = Effective and Efficient core processes, which will help achieve 'STOC' (strategic, tactical, operational and compliance objectives)
STOC - what is it?
STOC are the core processes of an organisation
S = Strategy (what the org intends to achieve and how it plans to achieve it)
T = Tactics (the means by which Strategy will be delivered)
O = Operations (the actual activity)
C = Compliance (the processes, protocols and procedures in place to ensure mandatory obligations are met)
PESTLE - what is it?
PESTLE is another Risk Classification system (like FIRM, or SORC).
P = Political (tax policy, employment laws, regulations)
E = Economic (growth, interest rates, inflation, credit)
S = Sociological (norms, cultures, age distribution)
T = Technical (disruption, barriers to entry, tech changes)
L = Legal (changes to laws impacting business)
E = Environmental (or Ethical)
Best applied for HAZARD risks and EXTERNAL risks - and less applicable for financial, infrastructure, reputational.
Also good to use PESTLE within an assessment workshop. The ‘orange book’ recommends doing a SWOT against each PESTLE category.
The 4 T’s - what are they?
The ‘4T’s’ relate to the ‘Risk Response’ and specifically the methods to treat HAZARD risk.
Tolerate - Low Impact, Low Likelihood
Treat - Control or reduce Low Impact, High Likelihood (most common response)
Terminate - Impact is too high, likelihood is too high … just need to stop the activity.
Transfer - High impact but low likelihood. This is via Insurance or other contractual arrangements to offload some risk
Risk responses for Strategic Risks use the 4Es and 5Es approach.
p.175
4E’s and 5E’s
Both are used as Risk Responses for Strategic Risk or Opportunity Risk.
4E’s :
Exploit (High Reward, Low Risk … until competitors arrive)
Exist (Low Reward, Low Risk … in maturing markets)
Explore (Low Reward, High Risk … entrepreneurial opportunities)
Expand (High Reward, High Risk … depending on risk appetite and capacity; see 5E’s)
5E’s: works as a flow chart and adds to ‘Expand’ by saying ‘Expand if you can (if you have the resources and appetite), or Exit if not (which may still be for a profit)’.
Start at Explore (high risk, low (current) reward), move up to Expand OR move up again to Exit, then shift left to Exploit, then shift down to Exist.
SORC and the COSO Cube
The ERM version of the COSO cube was produced in 2004.
COSO = Committee of the Sponsoring Organisations of the Treadway Committee (2004)
SORC is the top of the cube: the 4 Categories of Corporate Objectives (similar to STOC).
S = Strategic (high level goals)
O = Operations (effective and efficient use of resources)
R = Reporting (need to report reliably)
C = Compliance with laws
The front of the cube shows the Risk Management approach aligned to how management runs an organisation.
LILAC
LILAC is how a Risk-Aware Culture is achieved, through:
L = Leadership: strong leadership on strategy, projects and operations.
I = Involvement: of all stakeholders in the risk management culture.
L = Learning: an emphasis on training in risk management procedures and learning from events.
A = Accountability: for actions and deliverables (but not a 'blame culture').
C = Communication: and openness on issues and lessons learnt.
CoCo and the 4 components of CoCo
CoCo is the ‘Canadian Criteria of Control’ framework.
It is a framework to measure, or benchmark, the quality of the Control Environment, known as the ‘internal environment’ in the COSO cube. The quality of the control environment is also a very good indicator of overall ‘Risk Culture’.
The 4 CoCo Components are:
1) Purpose: Sense of direction / what are we here for?
2) Commitment: Sense of identity / do we want to do a good job?
3) Capability: sense of competence / what actions do we need to take?
4) Monitoring & Learning: sense of evolution / what’s next / how do we get better?
Also know LILAC as another indicator or benchmark for Risk Culture.
SOx … what are the two to know?
Step 1: get the data right … SOx 302 - Full and accurate disclosure of all information about the organisation (validated). All data produced by an organisation must be validated.
Step 2: get the data audited … SOx 404 - Accurate reporting of results to a higher authority (must be audited).
Context is with Risk Management Reporting and the Responsibilities of the Board.
SOx recommends use of COSO