CH 3 Flashcards
What is a board of directors?
This is a small group of people who accept certain roles and responsibilities in line with corporate legislation.
Why does a board of directors exist?
It exists to watch over an organisation and give it overall direction; directors must act in a lawful manner to further the interests of shareholders.
What does a board of directors do?
It sets clear objectives for executive management and arranges the necessary funds and facilities.
The Companies Act 2006 requires directors to have regard, amongst other things, to:
- the long-term consequences of their decisions
- the interests of the company's employees
- the need to foster the company's business relationships with suppliers, customers and others
- the impact of the company's operations on the community and the environment
- the desirability of maintaining a reputation for high standards of business conduct
- the need to act fairly between members of the company
The UK Corporate Governance Code charges directors with:
- reporting to shareholders on their stewardship
- supervising management of the business
- setting the company's strategic aims and providing leadership to put them into effect
What is the UK Corporate Governance Code based on?
It is based on the principles of accountability, transparency, probity and a focus on the sustainable success of an entity over the longer term.
In the UK Corporate Governance Code, under accountability:
- the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its corporate objectives
- the board should maintain sound risk management and internal control systems
Most boards of directors have five responsibilities, which are:
- Regulation of the executive, to ensure they uphold shareholders' interests and the laws governing the conduct of business
- Approving the report and accounts, annual budget, strategy and other important plans
- Selecting, appraising and rewarding the CEO, and ensuring succession planning is actively addressed
- Supervision of the risk management process, and ensuring the necessary actions are adopted to mitigate those risks
- Ensuring that company integrity and principles are upheld on critical matters
When does a board delegate some of its responsibilities?
It does so after considering ownership, objectives, organisation structure, personnel and the interests of other stakeholders.
What is a common approach by which different boards go about supervising risk management?
They appoint a risk subcommittee.
How does a board select the members of the risk subcommittee?
The board will carefully select individuals with appropriate risk backgrounds from the executive and from its own members to constitute the risk subcommittee; it may also add members from outside the board and the executive.
What does the board delegate to the risk subcommittee?
It delegates its risk assessment and risk management supervision responsibilities.
What is the responsibility of the risk subcommittee?
It is under pressure from the board to demonstrate that risk controls are implemented and effective. It commands full board attention when it has issues to resolve.
With whose authority does the risk subcommittee act?
It acts with board authority, setting policies and making risk decisions as required. It is required to seek full board approval for policies and decisions that affect the organisation in a major way.
What will the remit of a board risk subcommittee include?
It will include compliance with the appropriate legislation and regulation relating to the risk management functions of corporate governance.
What is the risk subcommittee responsible for implementing?
- Risk policies
- Setting up and monitoring systems to identify and assess risks
- Specifying risk appetite
- Reporting on risk management for the report and accounts
What is the risk subcommittee responsible for reporting?
It will report on:
- current risk issues
- risk profiles
- it also investigates and advises on the risks associated with proposed new ventures
What can the risk subcommittee technically submit?
It can only submit recommendations for approval. It proceeds with general board authority on everything except the very largest and most important issues, and submits summary reports of its activities for discussion at full board meetings. The full board then votes to accept the report.
What is the first and most important task of a risk subcommittee?
To publish and maintain the overall risk management philosophy of the organisation.
What does the risk management philosophy prepared by the risk subcommittee set out?
It sets out the organisation's commitment to risk assessment and management, and what it expects to achieve by risk management.
What does the risk management philosophy prepared by the risk subcommittee identify?
It identifies the major threats to the organisation as seen by the board, and the strategy for dealing with those threats.
What does the risk management philosophy prepared by the risk subcommittee outline?
It outlines the management structure and controls by which it means to supervise risk management activities.
What is the purpose of the risk management philosophy?
To provide a consistent framework for ongoing risk work and to convince stakeholders that risk is being effectively managed.
For an organisation subject to a regulatory regime, what is the risk management philosophy?
It is a key document for fulfilling the requirement to demonstrate proper corporate governance.
What is corporate governance?
It is the way the board sets up an organisation to achieve its objectives, together with the systems it puts in place to manage and control that organisation.
What follows from a strong corporate governance arrangement?
The board will have good, timely information on all aspects of the organisation and be in full control of its operations.
What are some common corporate governance codes of practice?
- Companies should respect shareholders' rights and help them to exercise these rights
- Companies should recognise that they may have obligations to other stakeholders
- The board needs the skills and understanding to review and challenge management performance
- Companies should have a code of conduct for their directors and managers that promotes ethical and responsible decision making
- Companies should make public the roles and responsibilities of the board and management, to provide shareholders with a level of accountability
- Companies should have procedures to independently verify their financial reporting
What do the UK and US codes of corporate governance focus on?
They focus more on the interests of shareholders.
What do the codes of corporate governance in Japan and continental Europe focus on?
They give more emphasis to the interests of other stakeholders.
What are the main standard codes of practice for corporate governance?
- UK Corporate Governance Code
- Sarbanes-Oxley Act 2002 (USA)
What does the UK Corporate Governance Code provide?
It provides a code of best practice for companies listed on the London Stock Exchange.
Who oversees the UK Corporate Governance Code?
The Financial Reporting Council (FRC). The code is reviewed every two years with minor adjustments.
Why was the 2018 UK Corporate Governance Code rewritten?
It was substantially rewritten to improve readability and sharpen its focus. It is principles-based, making it more flexible than the US one.
Initially the UK Corporate Governance Code was voluntary; however, what did the FCA implement?
The FCA (the UK financial regulator) listing rules require publicly listed companies in all industries to disclose in their annual report and accounts how they have complied with the code, or to explain how they have not complied with its recommended practices.
What do the recommended practices listed in the UK Corporate Governance Code, and in the more detailed guidance on board effectiveness that accompanies it, include?
- the board is to provide leadership, define purpose, values and strategy, and make resources available
- the board is to consider the views of all stakeholders, both shareholders and the workforce
- independent non-executive directors are to be identified and form at least half the board
- a separation of the roles of chair and CEO
- annual evaluation of the board, including composition, diversity and performance, with an effective succession plan in place
- remuneration policies should be transparent, fair and aligned with long-term objectives
What are the particularly important recommended practices about?
Competence, risk management and internal control.
The recommended practices on competence, risk management and internal control specify that the boards of listed companies should:
- be individually and jointly competent, and possess the relevant skills and knowledge to perform their roles effectively
- conduct a regular, thorough review of the risks to which the company is exposed, including frequency and severity
- specify the company's risk appetite
- agree and implement board policies on risk and control
- establish prudent and effective internal controls
- review the effectiveness of the company's system of internal control and risk management, and formally report on these at least annually
What does the July 2018 UK Corporate Governance Code aim to promote?
It aims to promote transparency and integrity in business for society as a whole, and requires the board to interact with all stakeholders, particularly the workforce.
What does the July 2018 UK Corporate Governance Code aim to strengthen?
It aims to strengthen confidence in the way UK businesses are run and to promote the UK as a good place to work, invest and do business.
What has the new code done to alleviate current concerns?
The code tightens the recommendations on board succession and diversity and sets out principles for remuneration awards.
For whom is strict compliance with the corporate governance code mandatory under the listing rules?
Public companies only.
What do other legislation and guidance require of all large public and private companies?
They require large public and private companies to include certain information in their annual reports and on their websites.
- They also require large private companies to include a statement disclosing their corporate governance principles.
Who was the Sarbanes-Oxley Act 2002 named after?
Senator P. Sarbanes and Representative M. Oxley; the Act is also known as SOX.
What did the Sarbanes-Oxley Act 2002 establish?
It established enhanced standards for all US public companies listed by the US financial regulator, i.e. the US Securities and Exchange Commission (SEC), and for the accountancy firms that audit them.
Why was the Sarbanes-Oxley Act 2002 brought in?
It was brought in to clean up a stock market that had been shaken by the internet bubble, together with a succession of scandals involving major corporations, auditors and securities analysts.
What are the rules under the US Sarbanes-Oxley Act 2002 like?
It is rules-based and has much stricter enforcement than the UK Corporate Governance Code; it carries heavy fines and long-term imprisonment for those who fail to comply with its requirements.
What are the eleven sections, or titles, of SOX?
1. Public Company Accounting Oversight Board
2. Auditor independence
3. Corporate responsibility
4. Enhanced financial disclosures
5. Analyst conflicts of interest
6. Commission resources and authority
7. Studies and reports
8. Corporate and criminal fraud accountability
9. White collar crime penalty enhancements
10. Corporate tax returns
11. Corporate fraud and accountability
What is the Public Company Accounting Oversight Board?
It is a quasi-public agency, established to provide independent regulation of auditors, defining the procedures for compliance audits and enforcing the specific mandates of SOX.
How are the standards for external auditor independence set under Title II?
Under this title, standards for auditor independence are set, including forbidding auditors from undertaking consultancy work for audited clients.
What does Title III, corporate responsibility, entail?
It mandates that senior executives take individual responsibility for the accuracy of financial reports, and sets out the penalties for non-compliance.
What does Title IV, enhanced financial disclosures, entail?
It deals with enhanced reporting requirements for financial transactions, i.e. off-balance-sheet transactions and stock transactions of senior management.
What does Title V, analyst conflicts of interest, entail?
A code of conduct is set for securities analysts, including disclosure of conflicts of interest.
What does Title VI, commission resources and authority, entail?
It defines the authority of the SEC to censure or ban securities professionals from practising as a broker, adviser or dealer.
What does Title VII, studies and reports, entail?
It describes how investigations are to be conducted for enforcing violations of the Act by public companies or auditors.
What does Title VIII, corporate and criminal fraud accountability, entail?
It sets criminal penalties for fraud by manipulation, destruction or alteration of financial records, and provides protection for whistleblowers.
According to Title IX, what has happened to white collar crime penalties?
The criminal penalties for fraud and conspiracy have been increased.
Under Title X, who should sign corporate tax returns?
The CEO.
What does Title XI, corporate fraud and accountability, entail?
Corporate fraud and tampering with records are identified as criminal offences.
What is the SEC empowered to do in regard to corporate fraud?
It can temporarily freeze large or unusual payments.
What does SOX put more emphasis on than the UK Corporate Governance Code?
Less emphasis is put on risk management and much more on ensuring the validity of financial reports to shareholders.
What is one of the drawbacks of SOX?
Compliance has proved costly to implement, and the Act deters smaller organisations from contemplating a listing on the New York Stock Exchange.
Section 404 of SOX is often singled out for analysis; why is that so?
Because the section requires that publicly traded corporations use a formal risk control framework, and that management and the external auditor report on the adequacy of internal control over financial reporting.
When an organisation fails, how are investigations focused?
Investigations focus more on whether or not the expected standards were upheld.
When an organisation fails, what are lawyers focused on?
They have a benchmark against which to pursue claims and damages for mismanagement and subsequent stakeholder loss.
When an organisation fails, what are prosecutors of executives focused on?
They highlight risk management deficiencies.
What are internal controls?
These are devices and procedures put in place to help ensure that management objectives are met.
What are some examples of internal control activities?
- Approvals
- Authorisation
- Reconciliations
- Separation of duties
- Physical controls
- IT controls
- Peer reviews
What is fundamental to effective internal control?
The environment in which control is required.
What attributes contribute to the environment for effective internal control?
- Standards
- Philosophy
- Values of the organisation
- Attitude
- Competence of managers and staff
What are the procedures for deciding how risks should be managed?
Risk identification, analysis and assessment against objectives.
Why are information recording and communication important in internal control?
They are necessary to coordinate activities and to produce a consolidated risk report to help the board manage and direct.
What does internal audit provide?
It provides independent assurance on control and recommends improvements where applicable.
Why is monitoring necessary?
To check that procedures are both efficient and effective.
When are internal controls particularly effective?
When a procedure is established with well-defined objectives and specified rules.
In auditing and accounting, what are internal controls?
The processes designed to help an organisation accomplish specific goals or objectives.
What is one of the most commonly used internal control frameworks?
The one published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in connection with risk classification.
Why do US organisations tend to prefer COSO?
Because compliance with it satisfies the US legal requirements for financial reporting as set out in SOX.
How does COSO define internal control?
It is the process, effected by the board of directors, management and other personnel of an organisation, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets
COSO defines internal control as having the following five essential components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
What other tools does a risk manager have at their disposal?
- Risk transfer
- Insurance
- Continuity plans
When is the approach and process of Control Self Assessment (CSA) usually established?
It is established beforehand, normally by risk management staff in conjunction with audit.
What does Control Self Assessment require from operational management and staff?
It requires them to self-review or self-audit the risk controls for which they are responsible, and to communicate the results up through the appropriate management line.
What is Control Self Assessment used in combination with?
It is used in combination with monitoring activities.
What is Control Self Assessment subject to?
It is subject to periodic audit, to check that it is delivering trusted and useful information.
What is Control Self Assessment a useful way of ensuring?
It is a useful way of ensuring compliance with corporate standards right across an organisation; this includes the risk aspects of legislation and other compliance needs.
What was Control Self Assessment (CSA) originally designed for?
It was designed for financial controls, to support regulatory compliance.
What does Control Self Assessment enable?
It enables risk managers to understand and produce reports on current activity that may be required by the risk department, insurers, the audit committee and external regulators.
What is risk management in an organisation aimed at, as an integrated process?
It is aimed at identifying and controlling the risks that may affect the achievement of corporate goals.
Where does responsibility for risk management lie?
It lies with the board; hence the need for a clear communication and reporting structure.
Why does the board have responsibility for risk management?
- So as to assure the board that the system is working as intended
- So as to enable the board to exercise the necessary control
What will effective risk management depend on?
- a clear statement of objectives from the board of directors
- a systematic approach to risk identification in changing circumstances
- an analysis of risk against criteria set by the board
- effective management of the selected risks
What is enterprise risk management (ERM)?
The structure an organisation sets up to control risk management across the whole organisation.
What does an enterprise risk management (ERM) system allow?
It allows all the risks of an organisation to be looked at together and from different perspectives; this is also known as the holistic approach.
Why are regular audits of ERM important?
To provide assurance that processes function to the specified standards, and to monitor results.
What benefits does successful risk management provide?
- better informed strategic decisions
- successful management of change and higher operational efficiency
- reduced borrowing costs
- improved competitive advantage
- the organisation can expect more accurate financial reporting
Why are small companies less likely to use ERM?
They may not have the resources to do so, and may not have pressure from outside to conform.
A successful enterprise risk management system has two key elements, which are:
1. A workable framework clarifying functional responsibilities and interactions, and the systems for internal communication, reporting and control
2. Personalising this framework, a set of terms of reference for key staff
What does the ERM framework show?
It shows how the essential functions of an organisation combine to create an integrated system for managing risk across the whole organisation.
What does enterprise risk management specify?
It specifies the required information flows and the procedures for achieving them.
What does enterprise risk management identify?
It identifies where overlapping responsibilities might occur and, together with job descriptions, clarifies who is responsible for initiating action plans and ensuring their success.
What will an audit function seek to establish?
It will be trying to establish that the ERM systems and procedures are effective.
What will a compliance function seek to establish?
It will look for assurance that the risks threatening compliance are being adequately identified and controlled.
What is GRC?
Governance, Risk and Compliance (GRC).
What does GRC enable in audit and compliance?
It enables compliance and audit to work closely together using the same strategies, processes and technologies.
Why do organisations with separate risk management, compliance and audit activities have difficulty providing coherent information to the board to improve corporate governance?
Because different vocabularies, approaches, systems and documentation make it difficult to maintain a clear view of risks and their dependencies, especially for risks that cross departmental boundaries.
What is an objective of GRC?
To rationalise information gathering and processing structures, using common technology to capture, store and process information.
Why does GRC require organisation-wide training?
It is required so as to introduce a common vocabulary across all risk management and assurance functions.
When will there be less room for misunderstanding and more scope for consolidating information from risk, audit and compliance?
When there is a defined, integrated architecture for information processing, supported by common GRC software technology, so that risk, audit and compliance work with an agreed common database. It then becomes easier to identify trends, as monitoring and review become more efficient.
When can GRC be introduced?
Only when the overall design is completed and approved can the GRC systems and procedures be introduced progressively at unit or operational level.
How is GRC expected to improve governance and efficiency?
By aligning strategy, processes, technology and people.
In a GRC environment, how is risk management considered?
It is no longer considered in isolation from audit and compliance activities, as it must share the same technology and procedures; but the principles and processes of risk management activity still apply.
Why is ERM a dynamic management system?
It is a dynamic system which requires that people be organised and trained to carry out delegated tasks within specified boundaries and through specified communication and reporting channels.
In what environment does ERM system design take place?
In an environment that is subject to continual change.
In a typical ERM system, what would group risk management be responsible for?
- setting up and maintaining the ERM framework
- managing all risk management functions within the group
The head of all these functions is called the chief risk officer or group risk manager.
How does the chief risk officer fulfil their responsibilities?
Through a number of subordinate risk officers, each with a designated area of interest and specific tasks to address. If the organisation is large, a number of risk officers could be supervised by an intermediate risk manager where appropriate.
What does the board need to ensure in order to maintain standards of good corporate governance?
The board will need to be sure that risk management functions are carried out as it intended.
What might a typical ERM framework interpose to maintain standards of good corporate governance?
A group audit function between the risk management function and the board.
What will be the task of the group audit function interposed in a typical ERM framework?
It will carry out independent monitoring and performance measurement, and is responsible for auditing all risk management activities as well as internal control and other aspects of corporate governance.
When an organisation is closely supervised or regulated by government rules, it runs the risk of losing its licence; what can it do to ensure strict compliance?
The organisation can form a separate group compliance function to manage the risks threatening compliance with regulations. It operates at the same level as group risk management but is responsible only for risks that fall within the compliance remit.
How do boards share their workload?
By appointing subcommittees to carry out certain aspects of their work.
What does a subcommittee appointed by the board comprise?
It comprises board members with the appropriate expertise and other expert representatives from anywhere within the organisation, e.g. risk subcommittees and audit subcommittees.
What is a committee, from a management point of view?
A specified group of people, often from different functions, who meet at regular intervals in a controlled environment to exchange information and coordinate actions.
The risk and audit subcommittees are independent information channels to the board; what does this help with?
It helps prevent the board from getting only a one-sided view of operations from an individual function or from the CEO.
What attraction do committees have compared with more passive forms of communication, such as shared databases or reports?
They are able to encourage dialogue and initiative.
How may the board have a further independent information channel?
By having an external auditor employed.
How does ERM affect an organisation?
It affects an organisation at every level, function and operational unit, and is clearly fundamental to the way an organisation goes about achieving its objectives.
Which types of audit process are large organisations concerned with?
Two types: internal and external.
Who conducts external audits?
They are conducted by separate professionals, to give independent assurance to stakeholders that published information conforms to specified standards and is factually correct.
How are internal audits carried out?
They are carried out within an organisation to provide assurance to the board that approved systems and procedures are operating as intended.
According to the IIA, what is the aim of internal audit?
To evaluate and contribute to the improvement of governance, risk management and control processes, using a systematic and disciplined approach.
From the board's point of view, what is the purpose of internal audit?
To provide independent assurance that specified functions and procedures are operating effectively, and to point out improvements that will enhance corporate governance capability.
Before starting a risk management audit, what must the audit team do?
They will have to familiarise themselves with the risk management framework, by understanding the terms of reference of the risk management function and being quite clear about its objectives.
Generally, what does the audit team look to see in the risk management function?
They look to see whether appropriate procedures are in place and being followed, whether the whole risk management system is meeting the requirements of the board, and whether recommendations for improvement need to be made.
What will the audit team consider when deciding whether enterprise risk management systems and procedures are effective?
- significant risks are being identified and assessed, especially those risks that could threaten the existence or success of the organisation
- appropriate risk responses are selected, in line with the risk appetite decided by the board
- relevant risk information is captured and communicated in a timely manner across the organisation, enabling staff, management and the board to carry out their responsibilities
Which risks will the audit team concentrate on?
They will concentrate on those risks that affect the achievement of stated objectives.
What is the main purpose of an internal audit of risk management?
To provide independent assurance to the board that an effective ERM system is in place and operating effectively.
What differentiates the risk management team from the audit team?
Responsibility: the risk management function is responsible for setting up and maintaining an effective risk management system and for the results it achieves, whereas the audit function only monitors, comments and advises; it does not make risk management decisions or take responsibility for any risk management actions.
What is the role of an audit team in risk management?
Advisory work; they can be harnessed as consultants but must avoid line management activities.
Auditors must be:
Independent advisers.
For auditors, how should their investigations, observations and recommendations be?
Investigations must be independent, observations clearly objective, and recommendations purely advisory.
How can auditors be criticised?
They can be criticised as being too closely involved, or as being distant and out of touch.
How is a professional and competent audit regarded?
It is a powerful check on the operations it examines, and will help improve the effectiveness of the risk management process.
Typically, what do large organisations set out to do?
They set out to act lawfully and uphold moral values.
What must compliance keep up with in an organisation?
It must keep up to date with existing and new legislation affecting any of the organisation's operations.
What does compliance provide?
It provides policies, guidance, training and advice on compliance issues, and assurance that suitable compliance controls are in place and effective.
What is compliance responsible for if an organisation has a published code of conduct?
It is responsible for making new employees aware of the expected standards.
What is the head of group compliance responsible for?
They are responsible for identifying and evaluating all risks that threaten to result in non-compliance.
The board can appoint a compliance subcommittee to fulfil its compliance responsibilities; however, how can the board avoid appointing a second subcommittee for compliance?
By having compliance report to the audit subcommittee, putting the emphasis on the compliance system rather than on individual risk controls.
What is the task of the head of group compliance?
They are responsible for identifying and evaluating all risks that threaten to result in non-compliance, and for providing assurance that those risks are being adequately controlled.
Who does the head of group compliance have direct access to?
They have direct access to the chairperson of the board.
Compliance activities are a subset of what?
They are a subset of audit and risk management activities, concentrating on the more important risks.
What are the potential conflicts when audit, risk management and compliance activities work together in a large group?
- Line managers will be tired of two or three sets of people asking the same questions
- All three functions may argue over ownership and priorities of individual risks
- Duplicate records may be kept, and objective decision making prejudiced by internal professional rivalry
Effective risk management will heavily depend on
It will depend on the ability of the central risk management professionals to communicate with and persuade their management colleagues to treat risk in a coordinated manner, and on requiring them to treat risk in accordance with senior management expertise
Responsibility for risk control throughout an org lies with the
It lies with the board of directors
The board of directors will appoint a risk subcommittee in fulfilling their responsibilities for risk management; what will this subcommittee promote
It will promote policy directives and also provide a forum for resolving the inevitable differences in attitude and priorities between managers
How will the risk subcommittee set out the structure in which it intends to manage risk
In a written document available for general reference, also known as risk management architecture
What does the risk management architecture describe
It describes the risk management structure of the org, laying out lines of communication for reporting risk management issues
Documents describing the risk architecture can be called
-Risk Strategy
-Risk Structure
-Risk Governance
A document describing the risk architecture will as a minimum
-specify the board of directors or subcommittee responsible for risk management
-state in general terms how risk is perceived
-specify the roles and responsibilities of any senior risk professionals or departments
What other things should the risk architecture describe
-define a general framework for identifying/evaluating/reporting risks
-specify an authority to approve risk management related aspects of procedures
-clarify the role of the risk committee
-lay down guidelines for auditing and assurance
How often should the risk management architecture document be reviewed
It should be reviewed at least every one or two years to reflect major changes in an org or its environment
What is a risk management framework supported by
It’s supported by individual job descriptions that set out duties and responsibilities of individual roles
Risk management frameworks are designed to ensure
That management decisions are based on good and consistent risk information, with a sound understanding of the possible consequences and likely outcomes of alternative courses of action
In their terms of reference, what is a head of department primarily responsible for
They are responsible for managing operational risks and promoting risk awareness, and for identifying, assessing and prioritizing current and emerging risks in their areas. They will clarify the risk strategy, explain the board’s attitude to risk and implement the risk management process in their department
Individual job descriptions and personal objectives include suitable risk elements so that staff
-recognize and understand risks that relate to their individual roles and activities
-appreciate how risk management contributes to successful achievement of objectives
-clearly understand their personal responsibilities for reporting and managing risks
What happens if the risk management process identifies a risk that needs to be actively managed
The framework will specify that it needs to be assigned to an individual risk owner, who will be responsible for assessing and managing the organization’s response
The ERM system and corporate governance requirements both depend on
They depend on effective risk management frameworks
What are formal risk identification, analysis and control expected to contribute
They contribute to strategic decision making as well as reducing the consequences of risk
If the head of the ERM function is not a board member, then what is more appropriate
The position should be sufficiently close to board level to reflect board authority and provide easy and regular access to board members
Who is the chief risk officer
The most senior professional risk manager in an org
The chief risk officer can contribute to which decisions
They can contribute to decisions regarding the direction an org is to follow and will be intimately involved in the details of strategic plans
The chief risk officer will be responsible for
-establishing and maintaining an effective ERM framework in line with risk subcommittee recommendations
-setting detailed targets and objectives within the board’s remit
-demonstrating whether those objectives have been met
What is a crucial objective of the chief risk officer
To improve risk awareness in the org
Over what period does the board expect the risk culture to mature
Every year
What does the chief risk officer monitor
They shall monitor all significant risks, maintain risk profiles and ensure that risk reporting to appropriate internal and external recipients meets their needs
What is one of the most important aspects of the job of the chief risk officer
Identifying individual risk owners and making sure they carry out actions as required
What are some of the chief risk officer’s financial constraints
They have to work within a limited budget in terms of activities and allocation of resources and will be expected to justify risk management expenditure in financial terms like return on capital employed
Internal communications by the chief risk officer include which groups
-business units
-committees
-directors
-legal
-audit
-compliance
External communications by the chief risk officer include which groups
-Auditors
-Regulators
-Shareholders
-The media
The chief risk officer carries out their responsibilities through
A team of direct subordinates, and will need appropriate management skills
What is a risk manager
Describes a person who supervises a group of risk officers but reports to a chief risk officer
Who is a risk officer
Title given to a risk management professional who carries out selected duties under the guidance and direction of the chief risk officer
A risk officer can be promoted to senior risk officer; what role will they have
They will have a wider role and additional responsibilities to utilize the benefits of their experience
In a large org a risk officer may report
Through an intermediary senior risk manager or head of risk
The duties of a risk officer are
They are a subset of those of the chief risk officer
How does a risk officer normally start
They start by familiarizing themselves with one area or function of the b’ness, reporting in detail to the chief risk officer and perhaps sitting on one or two of the lower-level committees
Why are committees established
As forums to bring together experts or representatives from different areas of the organisation to discuss common topics or objectives
When do committees work best
When knowledgeable representatives are carefully selected to cover all aspects likely to be discussed, and when they are set up with clear guidelines and objectives
What is the task of the chairperson of a committee
To ensure all views are equally aired, discussions remain objective and conclusions are properly documented in minutes
What does an effective committee meeting need
It needs adequate preparation against a clear agenda, and unrestricted access to up-to-date, reliable info concerning the topics to be discussed
Members of risk committees must be carefully selected for
-their detailed knowledge of the functions being discussed
-the ability to work well in groups
-their reputation in supporting risk management objectives
Generally each committee will have
At least one representative of a central group risk department, who keeps the chief risk officer informed of important proceedings and passes information on group standards and requests to the committee
Who will be responsible for approving all published work policies and procedures
Group or divisional management; they will expect and respect constructive comments and amendments from the appropriate risk committees
What is risk appetite
It’s a statement of an org’s attitude to risk. The amount of risk that an org is prepared to accept, tolerate or be exposed to at any point in time
Risk appetite must consider which types of risk
Threats and Opportunities
Apart from setting limits on the amount of downside risk an org is prepared to take, a risk appetite policy must allow for
Controlled risk taking where anticipated long term gains outweigh potential short term losses
In a large organisation how is risk appetite defined
It’s defined at different levels of management and functions, with a formal escalation process for where managers encounter risk beyond their level of decision
What does defining risk appetite provide
A framework for informed decision making; it highlights the risks that need attention, promotes consistency of business decisions and provides a basis for audits and investigations
What does a risk appetite policy statement typically look like
A typical solution is a presentation in matrix form
A risk appetite policy is a guide that can be used for which risks
It can be used both for existing risks and for new and emerging risks, describing those risks an org is actively willing to take
What is Risk Tolerance
Those risks an org might be able to put up with
What is another important characteristic of Risk
How often it’s likely to occur
The way people behave at work is strongly influenced by
Customs and practices of their organisation
The Health and Safety Executive has identified activities that promote a risk aware culture. These are summed up by
The acronym LILAC
-Leadership
-Involvement
-Learning
-Accountability
-Communication
Under the Health and Safety Executive model, how is leadership defined
In terms of clarification of strategic and personal risk objectives
Under the Health and Safety Executive model, how is involvement defined
Involvement of stakeholders at all stages of risk management
Under the Health and Safety Executive model, how is learning defined
Learning from events with effective training
Under the Health and Safety Executive model, how is accountability defined
Accountability of individuals but with shared efforts to prevent reoccurrence
Under the Health and Safety Executive model, how is communication defined
Communication with free discussion of objectives, methods and results
What is an obvious initiative to enhance the risk awareness culture in an org
Promotion of an awareness campaign, supported with training aids, literature and poster displays
An organisation with effective risk management process can expect
They can expect fewer unexpected losses and better selection of future opportunities, leading to greater expected gains
What is a qualitative indication of progress in developing risk awareness in an org
Regularly assessing the current level of risk culture
The processes of observation, audit and interviews are used to evaluate
They are used to evaluate the extent to which risk culture is embedded in an org’s procedures and practices
What is a general risk maturity model commonly used
The 4Ns
What are the 4Ns
This has four levels of maturity, labelled naïve, novice, normalized and natural, with corresponding descriptions for each of these levels