Core Activity D - Evaluate and mitigate risks Flashcards
What are the key elements of the risk management cycle?
Identify risks
Assess likelihood and impact
Design and implement internal control system
Check internal controls are appropriate and working
Report to management
Circle back with ongoing improvement and monitoring
What 5 key areas does ERM involve?
Understanding how a business is run by its directors
Strategy for success
Positive and negative risks
Risk response
Information gathered on performance and how it responds to that information
What are the two main risk management frameworks?
COSO ERM - Integrating strategy & performance
ISO 31000 - risk management guidelines
What are the 5 key components of the COSO ERM framework?
Governance & culture
Strategy and objective setting
Performance
Review and revisions
Information, communication and reporting
What are the four main classifications of risk the portfolio view establishes?
Financial risks
Operation risks
Compliance risks
Customer risks
Describe the TARA framework
Transfer - low/high (insurance)
Accept - low/low
Reduce - high/low
Avoid - high/high
What stages might the identification of risks go through?
Upside / downside risks
External or internal risks
Strategic or operational risk
How might the process for risk identification look?
Determine upside or downside risk
Then determine the source of the risk, i.e. internal or external
Then determine the level of risk, i.e. operational or strategic
What international risks are Rotomyne exposed to?
PESTEL
Transaction risk
Translation risk
Interest rate risk
Physical risk of uranium theft etc
Credit risk - non-paying customers
How might Rotomyne mitigate exchange rate risk?
Hedging via the use of forwards, options and futures
What other international risks exist?
National culture
Social grouping
Religious issues
Language
How might risks be identified from different areas of the business?
Bottom up identification
Top down risk identification
What processes might be used to evaluate risks?
Qualitative analysis
Quantitative analysis
Risk mapping
What quantitative techniques could be used to assess risk?
Expected value
Standard deviation
Volatility / COV
Normal distribution
Regression / correlation
When assessing risk, how can quantitative analysis be used to see how variables are related?
Regression - analysis to obtain the relationship between two (or more) variables
Correlation / correlation coefficient - to see how strong that relationship is
How can sensitivity analysis be more efficiently managed?
‘Goal seek function’
How can a simulation be more efficiently managed?
‘What if’ function
What visual tools can be used to manage risks?
TARA model
Heat risk maps (5x5)
Risk bands / graphs
What are the steps for determining risk appetite?
Need to check this - I think appetite is set and tolerance measured! Deloitte example
Understanding the
Risk tolerance - (Overall feeling of risk) How much risk are the board willing to tolerate?
Risk appetite - (The amount of risk the organisation is willing to take to achieve its long term objectives) perhaps more specific and always smaller than risk tolerance.
Risk capacity - How much downside risk can the organisation cope with to just survive (Berkshire has almost infinite resources)
Define risk capacity
Ability to shoulder the risks facing the organisation in relation to its goals and strategies
The risk capacity allows the organisation to take some risks but provide a cushion against downside risk
How might we gain an understanding of the organisation’s maturity of risk management?
Strong processes = greater maturity
What are the financial and non-financial considerations of risk capacity?
Are funds available?
Does the return meet the requirements of the risk? Economic spread
Reputation risk
Political risk
Infrastructure
Staff and knowledge
What’s the definition of risk tolerance?
The acceptable level of variation relative to the achievement of a specific objective
Risk appetite is broad, risk tolerance is tactical and operational and often measured
What’s the definition of risk appetite?
The amount of risk, on a broad level, that an organisation is willing to accept in pursuit of value
Risk definitions
My current understanding is that risk capacity is what the organisation is willing to absorb
Risk appetite is broad / maximin etc.
Risk tolerance is subjective to a specific detail of the particular project.
Both linked to performance over time
How might the organisation document all identified risks?
Via a risk register document
Included will be ‘risk mitigating control actions’
What techniques could be used to analyse external risk?
PESTEL analysis
Porter's five forces
What techniques could be used to identify internal risks?
9Ms model
Value chain
What stages are there in strategy whereby risks should be identified?
Type of strategy - cost leadership / differentiation
Product market strategy - Ansoff's matrix
Operational infrastructure
Method of growth
What do strategy formulation and risk registers have in common?
They are constant and always being reviewed in an ever-changing environment
Once an organisation has determined its risk appetite, what techniques may it use to mitigate identified risks?
Scenario planning
Stress testing
What should an organisation also implement alongside ERM?
System of internal controls
What should also be implemented alongside a system of internal control?
Internal audit
What’s the purpose of internal control?
Designed to provide reasonable assurance that the organisation's operations, reporting and compliance objectives are achieved
Effected by an entity's board of directors and management / other personnel
What is meant by internal audit?
The internal audit team assists the organisation in maintaining effective internal control by evaluating its effectiveness and efficiency and by promoting continuous improvement
What are the 2 main purposes of ERM?
Reduce likelihood of an event
Manage impact when such an event occurs
How does ERM support strategy?
It informs the organisation of risks associated with alternative strategy and also risks associated with the strategy chosen.
What’s the definition of cyber risk?
Any possibility of an organisation suffering loss or harm from a failure of its IT system.
What’s the definition of a cyber threat?
Any circumstance or event with the potential to adversely affect operation, assets, or individuals through an IT system.
What’s the definition of cybersecurity?
The process of designing, implementing, and operating controls to protect information and to detect security events that are not prevented.
How can we support cybersecurity prevention?
Via a Cybersecurity risk management programme
What’s the definition of a data breach?
An event in which confidential data have potentially been viewed, stolen, or used by an individual unauthorised to do so
What’s the definition of a bad actor?
Any party that possesses a motive and opportunity to conduct a cyber attack
What’s a man in the middle attack?
Involves a bad actor intervening in a conversation between 2 parties. The impostor impersonates both parties to gain access to information
What does malware stand for?
Malicious software
What’s a DoS attack?
Denial of service - involves generating large volumes of requests that overwhelm the target system.
What’s the purpose of the AICPA cybersecurity risk management reporting framework?
Transparency
Integrity
Reliability
What are the main components of the AICPA reporting framework?
Management description
Management's assertion
Independent accountant's opinion
What’s the three lines of defense model?
Functions that own and manage risk
Functions that oversee risk management policies
Functions that provide independent assurance
What is the CIA triad?
Cybersecurity model that focuses on
Confidentiality
Integrity
Availability
What tools or techniques can be used to manage cybersecurity?
Exploiting vulnerability
Reverse engineering
Storage analysis
System level analysis
What security standard must a company conform to when developing software?
ISO 27001
What are the 5 Rs relating to risk resilience?
Risk radar
Resources
Relationships
Rapid response
Review and adapt
How is stress testing different from scenario planning?
Scenario planning is used to develop a range of possible outcomes based on probability. Stress testing is a layer of protection added on top to determine how these scenarios may play out under different stressful environments, i.e. a high inflation / high interest rate environment.
How else could internal risks be evaluated?
Using the 9Ms model
Manpower - are employees treated fairly?
Machinery - Is our fleet electric or ICE?