Chapter 4 - Risk-management frameworks and standards Flashcards
At a minimum, a risk management process for an organisation will include mechanisms for what four things?
- The identification of risks that could impact the organisation
- Assessing the significance of identified risks, in order to prioritise management attention and financial resources
- Monitoring to help detect any changes in the organisation’s exposure to identified risks
- Controlling the organisation’s exposure to the risks that have been identified
What are the three core elements discussed in the ISO 31000:2018? SAP
- Risk-management architecture (committees, reporting structures and so on)
- Risk-management strategy (risk policies and risk appetite)
- Risk-management protocols (processes and procedures)
What does a risk-management policy usually outline?
- Its aims and objectives for risk-management, including how they support the wider strategic objectives
- The processes, procedures and activities that comprise its risk-management framework, including any other risk or control policies (e.g. health and safety, information security, etc)
- Governance arrangements for risk-management, such as the use of a risk committee
- The allocation of roles and responsibilities for risk-management
How can technology be used to support risk-management?
Organisations may use internet- or internal network-based technology systems to support their risk assessment, monitoring and control activities. These are known as risk-management information systems (RMIS). They can be expensive, but they can improve an organisation’s ability to co-ordinate its risk-management activities.
What is the purpose of risk reports?
Risk reports help management understand the organisation’s risk exposures and make effective risk-management decisions. Different reports may be produced for different areas and levels of management. The frequency of reporting will depend on how quickly risk exposures are changing and on the materiality of the principal risks.
What is a risk appetite statement?
The types and levels of risk that an organisation is willing to take in the pursuit of its objectives, as well as the risks that it is not willing to take or will only tolerate in specific circumstances. Stakeholder risk preferences should be taken into account.
What is the ISO 31000:2018?
ISO 31000:2018 provides a universal benchmark for risk-management practice – a set of internationally recognised principles and guidance on the practice of risk-management in organisations.
What are the three main topic areas of the ISO 31000:2018? PCP
- Principles for risk-management
- Core elements of an effective risk-management framework
- The risk-management process
In terms of the risk-management process, ISO 31000:2018 discusses which three core elements? CAT
**Establishing the context**
This relates to understanding the internal and external drivers that may affect an organisation’s exposure to risk, such as the physical environment, technology, organisational structures and processes. Context also means understanding the types of risk that may affect an organisation and the various assessment and control tools that are available to use.
**Risk assessment**
Risk assessment means that an organisation should identify, analyse and evaluate its exposure to all sources of risk to its objectives. Risk assessment may involve the use of statistical models or qualitative judgement.
**Risk treatment (risk control)**
Risk treatment is another term for risk control. The aim is to ensure that the level of exposure is controlled: not too high or too low. The level of control will be influenced by the risk appetite of an organisation.
According to ISO 31000:2018, what are the three core activities of the RM process? CRM
**Communication and consultation**
- Communicating risk-management information (such as policies, procedures or exposures) in a timely, accurate and factual way
- Consulting with key stakeholders
- Communication seeks to promote awareness and understanding of risk and how to deal with it, whereas consultation involves obtaining feedback and information to support decision-making.
**Recording and reporting**
Recording means ensuring that identified risks are documented properly. It also means documenting risk-management processes and procedures to ensure that they are understood and implemented across the organisation.
Reporting means reporting on an organisation’s risk exposures, and the measures taken to control these exposures, to the relevant decision-makers and stakeholders.
**Monitoring and review** – about learning, improving and adapting
This might include activities such as audits, control effectiveness reviews and compliance reviews. ISO 31000 makes it clear that organisations should review and upgrade their RM activities on a regular basis.
As an organisation changes its strategic objectives or operational activities, it must ensure that its RM framework and associated policies, processes, procedures and controls remain fit for purpose.
What is the COSO ERM framework? GRIPS
The COSO ERM Framework is intended to help organisations integrate risk-management into their strategy, operations and decision-making. The framework is presented as a set of principles organised into five inter-related components:
- Governance and culture – stakeholders behave in a manner consistent with the organisation’s values and code of conduct, and the organisation undertakes activities that support its strategic, operational and RM objectives
- Strategy and objective setting – strategy and objectives are set in line with the organisation’s risk appetite
- Performance – identifying and assessing risks that may affect the achievement of the organisation’s objectives
- Review and revision – evaluating, based on the outcome of previous activities, whether the RM approach remains appropriate
- Information, communication and reporting
What is COBIT?
Control Objectives for Information and Related Technologies (COBIT), published by the Information Systems Audit and Control Association (ISACA), is a guideline that provides a good-practice framework for the control of IT-related risks.
What is British Standard 31100:2009? SOAP
- Reporting to stakeholders
- Operational RM activities to be completed by the IC and governance function
- Assurance to the board on RM activities
- Proactive, not reactive, approach to risk
What are the principles outlined by the Orange Book? GICIC
- Governance and Leadership
- Integration (into the organisation and its activities)
- Collaboration and the communication of information
- Risk-management processes (identification, treatment, monitoring and reporting)
- Continual improvement