Certificate in IRM Module 2 (all) Flashcards
Coca Cola - what did they say?
The world is changing all around us. To continue to thrive as a business over the next 10 years and beyond, we must look ahead. Understanding the trends and forces that will shape our business in the future and moving swiftly will prepare us for what’s to come.
Generic and Industry Specific KRI examples
Generic: Staff turnover, accident rates, IT downtime
Specific: % of incorrect sales, % of food contamination incidents
Risk Emphasis
e.g. PLCs = profit. Local Authority = delivery of services
This feature of risk management is often referred to as the ‘risk emphasis’ of an organisation
The nature of the business or objectives drives the primary thinking in regard to the way risks are addressed. A major retailer will have brand management as its focal point for risk management, whereas a pharmaceutical firm will have product efficacy and safety as the key risk emphasis for their risk control efforts.
Materiality - definition
Materiality of business environment changes varies in tune with the organisation’s size, resources, operations and objectives
What would a medium sized housing construction company in the UK be interested in from a Materiality perspective
A medium-sized housing construction company operating in the UK will have a strong interest in:
1) economic environment as it affects employment, confidence in the strength of the market,
2) availability of funds to lend to prospective purchases and;
3) the cost of construction materials.
State-funded hospital - Materiality for them?
A state-funded hospital would naturally monitor:
1) Government’s monetary policy,
2) political developments and;
3) any austerity measures that are introduced.
Body Shop - vision? Why high risk?
The Body Shop has been successful even though the vision was unproven in the retail market and the market’s acceptance of the branding style and concept uncertain.
Banks - what is their most valuable asset to protect?
Business with banks, in particular, is based on trust and banks will naturally protect their reputation as their most valuable asset.
‘risk emphasis’ - major retailer
Brand Management
‘risk emphasis’ - pharmaceutical firm
Product efficacy and safety, as the key risk emphasis for their risk control efforts.
Risk Emphasis - Regulatory Developments - applicable to who?
Regulatory developments could be sector-specific to certain industries only.
Risk Emphasis - Geographical Issues?
Geographical issues may be related to such matters as the physical exposures of an organisation to, for example, earthquake or hurricane/typhoon.
Risk Emphasis - Hotel Sector?
Brand Recognition
RASP - What is the most important part?
‘The Risk Management Policy Statement’ - sets out the overall strategy of the organisation to Risk Management
p.239
What types of Risk Documentation will need to be kept?
- Admin records
- Risk response and improvement plans
- Event reports and recommendations
- Performance and monitoring reports
AND .. the Risk Register
Where does the interaction between Risk Management & Internal Audit get documented?
Within the RASP
RASP - where does the Risk Management Strategy get recorded / set out?
In the ‘Risk Management Policy Statement’
Should ensure that there is Risk Management input into ‘STOC’ - Strategy Tactics Operations Compliance
p.243
What is something that the Risk Management Strategy will include?
‘what the organisation is seeking to achieve with regard to Risk Management’
RASP - Protocols … what are they?
- Risk procedures and guidelines
- Procedures and protocols
- Frequency and nature of risk reports
- Reviewed annually and kept up to date
- What activities must be undertaken
Protocols: ‘seen as the Standing Instructions relating to Risk Management in an organisation’
What aspects of risk should have clear statements of responsibilities
- Setting of required Risk Standards
- Implementing Risk Standards
- Monitoring Risk Performance
ISO Guide 73 definition of a Risk Owner
a ‘person with authority & accountability to make the decision to treat, or not to treat a risk’.
What is a downside of having the Risk Management Committee (RMC) report into the Audit Committee?
Could impair the work of the RMC through extra bureaucracy and unhelpful emphasis on audit and compliance.
How do organisations largely structure their risk management activities?
According to the prevailing management style that applies within the wider organisation.
What is a key feature of risk architecture
The roles and responsibilities of key staff and indeed all individual employees
What does the risk framework take account of
the risk framework takes account of
1) the overall risk management operations,
2) reporting requirements; and
3) assurance arrangements,
What are typical components of a Risk Framework
Risk policy – the high level statement of the organisation’s philosophy on risk and the foundation of the organisation’s risk strategy.
Terms of reference for the risk committee and the head of risk management.
Risk appetite and tolerance statement – for organisations that are groups, there may be a group statement and divisional statements.
Risk register – again there may be local registers and a centralised, consolidated register.
Key risk indicators and a risk dashboard for reporting and monitoring purposes.
Risk models – algorithms designed to model potential risk outcomes.
Issues and events log – to record and learn from actual events and breaches of controls.
Examples of Risk Protocols
- The techniques used in risk identification.
- The format and content of the organisation’s risk register, how it is to be completed and the requirements for regular updates.
- Requirements on entering risk events into the issues and events log and the upward notification of events according to their materiality.
- Detailed reporting requirements – such as weekly or monthly reports and risk analysis, performance against key risk indicators.
- Approval processes for expenditure on risk improvement actions.
- Control and sign-off processes for entering into new (or renewal) contracts.
- Template documents for risk assessments and, where required, certification.
COSO 2017 expectations for information, communication and reporting
Information, Communication, and Reporting:
Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organisation.