Assurance Flashcards

1
Q

Hopkin and Thomson 5 sources of internal assurance

A

Culture measurement
Unit documentation
Unit performance
Unit reports
Audit reports

2
Q

ToR (terms of reference) of the AC (audit committee), as defined by the Corporate Governance Institute

A

Financial reporting
Narrative reporting
IC and RM systems
Internal audit
External audit

3
Q

Materiality

A

A risk is material if it can impact the bottom line, or
if withholding the information could influence investor decision-making

4
Q

Viability assessment requirement

A

1. UK Corporate Governance Code: disclosure on long-term viability
2. Going concern: 12 months, required by accounting standards

5
Q

Control environment in risk management

A

Control activities, how effective they are, and audit and risk assurance: the whole range of controls, and the interaction between them, that mitigate risks

6
Q

FRC internal control system

A

1. Encompasses policies, processes, tasks and behaviours
2. Effective and efficient operations, by assessing risks, responding to risks and applying controls
3. Helps reduce poor judgement and errors
4. Improves quality of reporting
5. Improves compliance with laws

7
Q

FRC internal control system includes

A

Control activities
Information and communication
Monitoring of controls

8
Q

What are controls - Hopkin and Thomson

A

Three definitions
1. Criteria of Control (CoCo) - all elements of an organisation that, taken together, support achievement of objectives: resources, systems, processes, culture, structure and tasks
2. COSO - a process, effected by the board and management, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
   Effectiveness and efficiency of operations
   Compliance with laws
   Reliability of financial reporting
3. IIA - a set of processes, functions, activities, systems and people that together ensure the achievement of objectives
9
Q

LILAC model to risk culture

A

Leadership
Involvement
Learning
Accountability
Communication

10
Q

IRM model to risk culture

A

ABC
Attitude
Behaviors
Culture
Attitude determines behaviors, repeated behavior sets culture

11
Q

ISO definition of risk and of risk management

A

Risk: effect of uncertainty on objectives. The effect can be positive or negative.

Risk management: coordinated activities to direct and control an organization with regard to risk

12
Q

IRM definition of risk

A

Risk: combination of the probability of an event and its consequences. Can be positive or negative.

RM: the process which helps an organisation understand, evaluate and take action on its risks, with a view to increasing the probability of success and reducing the likelihood of failure

13
Q

COSO definition of risk

A

Possibility that an event will occur and affect the achievement of objectives. Positive and negative.

14
Q

Orange book definition

A

Uses the ISO wording: effect of uncertainty on objectives. A risk usually has a cause, an event and consequences.

15
Q

Objectives of risk management

A

MADE2
Mandatory
Assurance
Decision making
Effective and
Efficient processes (the two Es)

16
Q

ISO principles of RM

A

PACED
Proportionate
Aligned
Comprehensive
Embedded
Dynamic

17
Q

Risk management will help improve 4 areas STOC

A

Strategy
Tactics
Operations
Compliance

18
Q

4 types of risks

A
1. Compliance risks - minimise
2. Control risks - manage - associated with new projects; unknown and unexpected events. Also called uncertainty risks.
3. Hazard risks - mitigate - associated with potential harm, or a situation that can undermine objectives
4. Opportunity risks - embrace
19
Q

Bow tie analysis

A
1. Left side is the source of the hazard; indicates the risk classification used. High-level sources are STOC.
2. Right side is the impact - FIRM
3. Centre is the categories of disruption that can happen - people, premises, processes and products

First step is to put the risk description in the middle, then identify causes (left) and impacts (right).

Preventative controls sit on the left (cause) side; response controls sit on the right (impact) side.

20
Q

4Ts of hazard risk

A

Tolerate - low likelihood, low impact - detective control
Transfer - low likelihood, high impact - directive control
Treat - high likelihood, low impact - corrective control
Terminate - high likelihood, high impact - preventive control

BCP and DRP are both corrective and directive, or even a fifth type; they cannot easily be fitted into PCDD (preventive, corrective, directive, detective).

21
Q

4Es of opportunity risks

A

Exploit - high reward
Explore - High risk
Expand/Exit- high reward high risk
Exist - low low

22
Q

Sophistication level in risk management

A
1. Inform - compliance management. Unaware of obligations.
2. Reform - hazard management. Aware of non-compliance.
3. Conform - control management. Actions taken to ensure compliance.
4. Perform - opportunity management.
23
Q

Difference between standard and framework

A

A standard includes both the RM process and the framework.
A framework includes the structure, responsibilities, administration, reporting and communication components of RM. The framework supports implementation of the process.

The process includes risk assessment (identification, analysis, evaluation), treatment, and recording and reporting.

24
Q

Scope of risk management framework

A

RASP
Risk architecture, strategy, protocols
Architecture - roles, responsibilities, reporting structure
Strategy - risk strategy, appetite, attitude and philosophy
Protocols - rules and procedures, methodologies, tools and techniques. Need to be reviewed on an annual basis. A range of documentation is required: risk assessment procedures, control objectives, resourcing arrangements, reaction planning requirements (BCP), risk assurance system (ToR for the AC, CSA).

25
Q

COSO cube

A

Objectives to achieve- strategic, operations, reporting, compliance
RM process - 8 steps.
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Info and communication
Monitoring

26
Q

COSO rainbow double helix

A

ERM has to be embedded into activities of the organisation starting from mission, vision and values.
Strategy development
Business objectives
Implementation and performance
Enhanced value

5 principles/components
1. Governance and culture
2. Strategy and objective setting
3. Performance
4. Review and revision
5. Information communication and reporting

27
Q

Double S model to risk culture

A

Solidarity
Sociability
Networked - high sociability, low solidarity
Communal - high sociability, high solidarity
Fragmented - low sociability, low solidarity
Mercenary - low sociability, high solidarity

28
Q

Components of context

A

External
Internal
Risk management context - includes RASP (including establishment of risk appetite or risk criteria) and the risk process itself.

29
Q

Risk classification system PESTLE

A

Political
Economic
Social
Technological
Legal
Ethical or environmental

Used for external risks. Has to be combined with SWOT to cover the internal context.

30
Q

How to evaluate the context for risk management

A

Using the FIRM scorecard and developing a riskiness index
Financial and Infrastructure for the internal context
Reputation and Marketplace for the external context

31
Q

Risk register

A
1. Includes all identified risks and the scores used to rank them
2. Three components - data collection, database, data communication
3. Three functions - collecting risk information; establishing trends and relationships between risks; communicating and escalating
32
Q

Implementing ERM PIML

A

Plan - identify benefits, scope, strategy
Implement - risk appetite setting, establish benchmarks, agree assessment tools
Measure - evaluate control effectiveness, align risk management with other activities, embed risk aware culture
Learn - monitor risk , ERM performance and reporting

34
Q

Resilience

A

Definition - capacity of an organization to consistently achieve a desired state following a change in circumstances.
3 behaviors to achieve resilience
1. Awareness of changes
2. Prevent, protect, prepare in relation to all types of resources
3. Respond, recover and review in relation to disruptive events.

35
Q

Risk assessment in ISO

A

Includes risk identification,
analysis - impact, likelihood, score,
and evaluation - ranking against risk appetite or risk criteria

36
Q

Risk assessment techniques

A

Questionnaires and checklists
Workshops and brainstorming - PESTLE, SWOT. Quantitative analysis - HAZOP, FMEA
Inspection and audit
Flow charts and dependency analysis
Crowdsourcing technology - using mobile applications to upload risks to a data platform

37
Q

Risk attitude vs appetite

A

Attitude is concerned with the criteria surrounding a risk (how the organisation views it)
Appetite is the amount of risk the organisation is willing to take

38
Q

Risk classification by standard

A

FIRM
COSO - strategic ,operational, reporting , compliance
IRM - financial, strategic, operational, hazard
Orange book- several

39
Q

Principles of risk appetite

A

Acknowledging interconnectedness - what is acceptable in one part of the business may not be accepted in another
Measurability
Variability - different for different risks
Maturity - how adept the organisation is at managing risk will have a bearing on its risk appetite

40
Q

Controlling downside risks

A

Loss prevention - reducing likelihood.
Damage limitation - once the event has occurred, e.g. fire sprinklers.
Cost containment - after damage limitation; actions to minimise post-incident cost, should be set out in the BCP and DRP.

41
Q

Risk zones 4Cs

A

Comfort - tolerate
Cautious - treat
Concerned - transfer
Critical - terminate

42
Q

Types of controls

A

Preventative
Directive - first response once the risk has occurred
Detective - easy to administer and provide early warning
Corrective

43
Q

Definition of control

A
1. Criteria of Control (CoCo) - all elements of an organisation that, taken together, support people in the achievement of organisational objectives. Elements include resources, systems, processes, culture, structure and tasks.
2. COSO - a process, effected by the BoD, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories below:
   Effectiveness and efficiency of operations
   Reliability of financial reporting
   Compliance with laws
3. IIA - a set of processes, functions, activities, systems and people grouped together or consciously segregated to ensure the effective achievement of goals and objectives
44
Q

Components of CoCo framework

A

A continuous cycle. Useful for benchmarking compliance with the internal control component of COSO.
1. Purpose
2. Commitment
3. Capability
4. Monitoring and learning

45
Q

Control environment

A

FRC states IC system includes
1. Control activities
2. Information and communication processes
3. Monitoring the effectiveness

A control is different from data collection and guidance: it should change the cause or the effect of a risk.

46
Q

Terms of Reference for AC

A

Financial reporting
Narrative reporting.
IC and RM
IA
External audit - conduct the tender, review independence, review non-audit services, assess effectiveness of the audit

47
Q

Sources of risk assurance

A

Culture measurement
Unit report
Unit performance
Unit documentation
Audit report

Control self assessment

KRIs

48
Q

Internal Audit

A

IIA - IA is concerned with evaluating an organization's management of risk.
Central to an effective risk framework is audit, through:
I. Assurance map - a structured means of identifying and mapping the sources and types of assurance across the three (or four) lines of defence: risk and control owners, risk oversight, risk assurance.
II. Statistical sampling
III. Risk prioritisation techniques

49
Q

Corporate governance- FRC

A

Principles and provisions, plus guidance.
5 sections - leadership; division of responsibilities; composition, succession and evaluation; audit, risk and internal control; remuneration

The board should establish procedures to manage risk, oversee the IC framework and determine the nature and extent of the principal risks the company is willing to take.

Principal risks - events or circumstances that could threaten the company's business model, future performance, solvency, liquidity or reputation.

50
Q

Board structures

A

Unitary - executive plus non-executive directors on one board
Two-tier - a supervisory board and a management board for operations

51
Q

Types of corporate governance code

A

Voluntary - principles-based. Comply or explain.
Compulsory - prescriptive. Comply and sign.

52
Q

Committees of board by UK FRC

A

Nomination
Remuneration
Audit

53
Q

What is risk culture

A
1. H&T - reflects the attitude of every component of management; how individuals behave in certain circumstances
2. IRM - values, beliefs, knowledge and understanding about risk. Can be reinforced through positive actions and behaviours.
3. COSO - the culture, capabilities and practices, integrated with strategy-setting and execution, that organizations rely on to manage risk in creating, preserving and realizing value
54
Q

IRM risk culture framework

A

Risk culture
Organization culture
Behaviors
Personal ethics
Personal predisposition to risk/risk preference

55
Q

Risk perceptions

A

Different perceptions mean that risks might be missed, irrelevant risks might be captured, the same risks might be managed inconsistently, and the organisation ends up managing stakeholder perceptions of risk rather than the real risk.

56
Q

Bias

A

Bias is influenced by
1. Conscious factors - organisational culture, familiarity, manageability, size of impact
2. Subconscious factors - availability, representativeness, anchoring and adjustment, confirmation trap, bandwagon
3. Affective factors (feelings)

57
Q

Understanding and improving risk culture

A
1. Deloitte - 4 influences: risk competence, motivation, relationships, organisation
2. LILAC
3. IRM ABC model
4. Double S - sociability, solidarity
58
Q

ABC model

A

Attitude - chosen position towards risk, influenced by perception
Behaviour - external, observable actions
Culture - values, beliefs, knowledge and understanding about risk

59
Q

What is successful risk culture

A

Deloitte
1. High level of understanding
2. Positive attitude
3. Move from reacting to active engagement and management of events

IRM
10-point model, split between:
tone at the top - leadership, dealing with bad news
governance - clarity, transparency
competency - risk skills, risk resources
decisions - informed, reward

60
Q

How to change risk culture

A
1. Evaluate current risk culture
2. Assess impact of current risk culture
3. Identify areas of improvement
4. Plan and implement change
5. Monitor and adapt to change

To become compliant - 1 to 2 years
Maturity - 5 to 10 years
61
Q

4 step process - easy SATARLA

A

Define context and objectives
Assess risks
Manage risks
Monitor , review and report

62
Q

Extended enterprise for understanding context by IRM

A

A structure where a number of organisations come together. 4 steps to understand it:
1. Core processes
2. Inputs to the processes
3. Outputs
4. External influences

63
Q

Stakeholder mapping - Mendelow matrix

A

Understand each stakeholder's influence (power) and interest in an activity
High influence, low interest - keep satisfied
High interest, high influence - actively engage and manage
High interest, low influence - keep informed
Low interest, low influence - minimal effort