Chapter 10: Monitoring and communication

Question 1

Requirements of good data and its communication TRAFVICS GRC

Answer 1

• Timeliness of data
• Reliability
• Audience considered
• Format of the data
• Volume and Detail of data
• Internal or external sourcing
• Common classification of data into risk categories
• Suitable technology and systems to capture data
• Good quality of risk management is dependent on quality of data gathered
• Relevance and clarity
• Competency of data capturers

Question 2

Information that should be documented SMARD

Answer 2

• Systems used for documenting
• Management failures
• Assumptions made, data used and methodology used for modelling
• Risk register – ID and assessment of risks
• Decisions made regarding risk management

Question 3

The attributes of a common risk management language TUMS:

Answer 3

• Thresholds for reporting
• Universally understood top-down rating system
• Management level responsible for mitigation linked to risk rating
• Standardised templates used

Question 4

The elements of a good KRI CAD TOMBS CEYA

Answer 4

• Consistent methodologies and standards applied
• Accountable individual linked to it
• Drives decision making
• Trackable
• Objectives tied to it
• Measurable/Quantifiable
• Benchmark set against it
• Cost effective
• Simple
• Clarity on the metrics used
• Expected view created
• Year on year comparison
• Additional information provided

Question 5

Importance of risk reporting IBM MOCK

Answer 5

• Inform stakeholders
• Business decisions are improved
• Monitoring of risks are improved
• Management inefficiencies found
• Compliance must be ensured
• Objectives that are at risk should be assessed
• Key risk exposures assessed

Question 6

The contents of a risk report A TICKLED SARS

Answer 6

• Assist in decision-making
• Trend analysis
• Information – internal, external, formal, informal
• Clear and easy to understand
• Key business risk details
• Losses and incidents
• Events/Milestones
• Detail should be relevant to the parties involved
• Single point of access to critical information
• Analysis, commentary and explanations provided
• Real time data
• Summary of risks

Question 7

The structure of a risk report LEKTOR

Answer 7

• Likelihood and severity of the risk
• Easily understood
• Key risk summaries
o Likelihood and severity
• Traffic light
• Operating units
• Risk types

Question 8

Why a common risk language is important FAEBICS

Answer 8

Focus on substance, rather than structure of risk management ensured
• Audit is easier to conduct across the business
• External and internal risk measurement should be consistent
• Business buy-in to ERM ensured
• Inefficiencies and Duplication avoided
• Concentration of risk avoided
• Silo approach prevented