COSO ERM Flashcards

1
Q

Does the ERM of a more risk-aggressive entity demand greater integration than that of a more risk-averse entity?

A

Yes. Accepting more risk requires the ERM function to be more tightly integrated into the entity's structure and processes than in a risk-averse entity. The ERM unit of a risk-aggressive entity must monitor and act on risk information more quickly and nimbly, and that speed is only possible when ERM is integrated into day-to-day processes rather than bolted on.

2
Q

What is Enterprise Risk Management?

A

The culture, capabilities, and practices, integrated with strategy-setting and performance, that an organization relies on to manage risk in creating, preserving, and realizing value.

3
Q

ERM is integrated and linked to what two things?

A

Integrated with strategy-setting (the plan) and linked to organizational performance (the outcomes). ERM is therefore both forward-looking and backward-looking.

4
Q

What is risk?

A

The possibility that an event will occur and affect the achievement of the organization's strategy and business objectives. Risk is neutral: the effect may be positive or negative.

5
Q

What is entity culture?

A

An organization's culture is the way the people in the organization think and behave.

6
Q

Why is ERM important?

A
  1. Expanding opportunities.
  2. Identifying and managing entity-wide risk.
  3. Increasing positive and reducing negative outcomes.
  4. Reducing performance variability.
  5. Deploying assets more effectively.
  6. Increasing enterprise resilience.

7
Q

The ERM component that includes email, board meeting minutes, and reports as important elements is?

A

Information, communication, and reporting.
Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization’s risk, culture, and performance.

8
Q

What are the five components of COSO’s risk management framework?

A
  1. Governance and Culture
  2. Strategy and Objective-Setting
  3. Performance
  4. Review and Revision
  5. Information, Communication, and Reporting
9
Q

According to the COSO ERM framework, what are some examples of things that would impede the independence of a board member?

A
  1. Having a current business or contractual relationship with the organization.
  2. Serving on the board of a major competitor.
  3. Long-term service on the board of the current organization.

10
Q

Regarding the COSO ERM framework, provide an example that is least likely to impede the independence of a board member.

A

A former financial statement auditor with no business or contractual relationship with the entity.

11
Q

What are the roles of the management board and the governing board in a dual (two-tier) board of directors structure?

A

The management board oversees operations, while the governing board oversees strategy.

12
Q

What is the best way to describe a risk-aware organization?

A

A risk-aware organization is one whose culture is closely linked to its strategy, objectives, and business context.

13
Q

Why is hypocrisy of management an important threat to accountability in an organization’s ERM practice?

A

Hypocrisy is a threat because the tone at the top requires management to talk and act consistently with organizational values. When management says one thing and does another, people below follow the behavior rather than the words, and accountability for risk erodes.

14
Q

Describe risk floor (minimum) and risk ceiling (maximum).

A

A risk floor is a statement of the minimum amount of risk an entity desires to take (taking too little risk can also keep it from achieving its objectives). A risk ceiling is a statement of the maximum amount of risk an entity desires to take.

15
Q

Is risk appetite expressed in words or in numbers?

A

Both. A qualitative statement (e.g. "low", on a defined scale) and a quantitative statement (e.g. "fewer than 3 incidents per year") are both acceptable, provided the statement is precise enough to be measured against.

16
Q

Define risk appetite.

A

Risk appetite is the types and amount of risk, at a broad level, that an organization is willing to accept in pursuit of its strategy and value.

17
Q

Define risk tolerance.

A

Risk tolerance sets the boundaries of acceptable variation in performance relative to the achievement of business objectives.

18
Q

In ERM, what focuses on the development of strategies and goals?

A

Risk appetite.

19
Q

In ERM, what focuses on the implementation of strategy and variation from plans?

A

Risk tolerance.

20
Q

What is on the vertical and horizontal axis of a heat map for assessment of risks?

A

Vertical (Y) axis - Likelihood rating

Horizontal (X) axis - Impact rating

(Each risk is plotted as one cell; the further up and to the right, the more severe the risk.)

21
Q

Describe target residual risk, inherent risk, actual residual risk, and internal control, and understand the differences.

A

Target residual risk - The desired level of risk after a response has been implemented.
Inherent risk - The level of risk in the absence of any response, i.e. before management acts to alter it.
Actual residual risk - The level of risk that actually remains after the response has been implemented.
Internal control - A process designed to provide reasonable assurance regarding the achievement of objectives.
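
The heat map (card 20) and the inherent / target residual / actual residual distinction (card 21) are easiest to see on a small register. The following Python is an added example written for these flashcards, not material from COSO or from the original card set: it scores three constructed security risks on assumed 1-5 likelihood and impact scales, renders a text heat map for each view (likelihood on the vertical axis, impact on the horizontal), and flags risks whose actual residual severity still exceeds the target residual severity. The register entries, the scales and the severity formula (likelihood x impact) are assumptions for illustration.

```python
"""Risk heat map and residual-risk comparison.

Added example (not part of the COSO flashcards): a small risk register,
scored on assumed 1-5 likelihood/impact scales, rendered as a text heat
map and compared across inherent, target residual and actual residual
risk. Register entries, scales and the severity formula are constructed
for illustration and are assumptions, not COSO-prescribed values.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4, 5)   # assumed rating scale for both likelihood and impact


@dataclass(frozen=True)
class Rating:
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("ratings must be on the 1-5 scale")

    @property
    def severity(self) -> int:
        # Single score (1..25) used to rank and colour a heat-map cell.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Risk:
    name: str
    inherent: Rating          # before any response
    target_residual: Rating   # desired level after the planned response
    actual_residual: Rating   # level observed after the response


# Constructed register for a hypothetical company; values are illustrative.
REGISTER = [
    Risk("Phishing leads to credential compromise",
         inherent=Rating(5, 4), target_residual=Rating(2, 2), actual_residual=Rating(3, 2)),
    Risk("Unpatched internet-facing server is exploited",
         inherent=Rating(4, 5), target_residual=Rating(1, 3), actual_residual=Rating(1, 3)),
    Risk("Insider exfiltrates customer data",
         inherent=Rating(2, 5), target_residual=Rating(1, 4), actual_residual=Rating(2, 5)),
]

VIEWS = ("inherent", "target_residual", "actual_residual")


def heat_map(risks, view="inherent"):
    """Return {(likelihood, impact): [risk names]} for one view of the register."""
    if view not in VIEWS:
        raise ValueError(f"unknown view {view!r}")
    grid = {}
    for r in risks:
        rating = getattr(r, view)
        grid.setdefault((rating.likelihood, rating.impact), []).append(r.name)
    return grid


def render(grid):
    """Text heat map: likelihood on the vertical axis (5 at the top), impact on the horizontal."""
    lines = ["Likelihood \\ Impact   " + "  ".join(f"{i:^4}" for i in SCALE)]
    for likelihood in reversed(SCALE):
        cells = []
        for impact in SCALE:
            names = grid.get((likelihood, impact), [])
            cells.append(f"{len(names) or '.':^4}")   # count of risks in the cell
        lines.append(f"{likelihood:^21} " + "  ".join(cells))
    return "\n".join(lines)


def residual_gaps(risks):
    """Risks whose actual residual severity exceeds the target residual severity.

    These are the entries review-and-revision should pick up: the response
    did not bring the risk down to the level the entity decided it wanted.
    """
    return [
        (r.name, r.target_residual.severity, r.actual_residual.severity)
        for r in risks
        if r.actual_residual.severity > r.target_residual.severity
    ]


if __name__ == "__main__":
    for view in VIEWS:
        print(f"== {view} ==")
        print(render(heat_map(REGISTER, view)))
    for name, target, actual in residual_gaps(REGISTER):
        print(f"GAP: {name}: target severity {target}, actual {actual}")
```

Running it prints three heat maps and two gaps: the phishing response landed at severity 6 against a target of 4, and the insider risk is unchanged at 10 against a target of 4, while the patched server matches its target. The gap list, not the colourful map, is what feeds the review-and-revision component.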

22
Q

Explain the differences between risk avoidance, risk acceptance, risk reduction, and risk sharing.

A

Risk avoidance - Exiting the activity that gives rise to the risk.
Risk acceptance - Taking no action to change the severity of the risk.
Risk reduction - Taking action to reduce the likelihood or impact of the risk.
Risk sharing - Transferring part of the risk to another party (e.g. hedging, insurance).

23
Q

A well-formed and precise risk statement must include what two things?

A
  1. A statement of the risk
  2. A statement of the impact of the risk

24
Q

"The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems." Why is this a well-formed risk statement?

A

A well-formed, precise risk statement should include a statement of the risk (which this one does) and a statement of the impact of the risk (which this one also does). In fact, this statement includes two outcomes or consequences of the risk: (1) lower project quality and (2) a lower likelihood of successful integration with other systems. Merely complaining about management, without stating an impact, would not be acceptable.

25
Q

List examples of substantial changes in an internal environment.

A
  1. Rapid growth - e.g. a sales growth rate higher than expected
  2. Innovation - e.g. purchase and implementation of a new system
  3. Major changes in company leadership or personnel - e.g. firing the CRO or CEO
  Any of these would trigger review and revision of ERM practices.

26
Q

List examples of substantial changes in an external environment.

A

Changes in the regulatory or economic environment that increase the pressures on the entity.

27
Q

An organization launches a new product and determines that the product is performing better than expected and that the volatility of sales is less than expected. What should the organization do?

A

Review its ERM practices to understand why it misestimated the risks related to the new product. An estimate that is wrong in the favorable direction is still a misestimate.

28
Q

ERM practices focus primarily on what?

A

Comparing realized risk with targeted risk.

29
Q

Knowing that ERM practices focus on realized vs. targeted risk, what are some questions an organization is likely to ask?

A
  1. How did the entity perform?
  2. Were the risk estimates accurate?
  3. Are we taking sufficient risk to attain the desired performance?

30
Q

Explain the difference between a key risk indicator and a key performance indicator.

A

Key risk indicators (KRIs) are predictive (leading) and usually quantitative: they signal a change in risk before it shows up in results. Key performance indicators (KPIs) are historical (lagging): they measure what has already happened.

31
Q

What is the key difference between structured and unstructured data?

A

Structured data is organized in a predefined format (e.g. numeric fields in a database) and can be analyzed directly; unstructured data has no predefined format (e.g. free text, email, documents) and must be processed before it can be analyzed.

32
Q

What are the differences between portfolio view, risk view, risk category view, and risk profile view?

A

Portfolio view - Risk viewed at the level of the entity as a whole.
Risk view - Focus on individual risks.
Risk category view - Focus on categories of risk.
Risk profile view - Focus on the risk of a specific unit or function of the entity (e.g. HR).

33
Q

An important benefit of an enterprise risk management system is the alignment of management risk-taking with _________?

A

Shareholder risk appetite. ERM aligns the risks management takes with the level of risk shareholders are willing to bear.

34
Q

What are some limitations of an ERM system?

A
  1. Risk relates to a future that is uncertain.
  2. Collusion can result in ERM failure.
  3. ERM is subject to management override.

35
Q

A company is using ERM. What are the steps in the risk management process, in order?

A
  1. Set company objectives
  2. Identify events
  3. Assess risks
  4. Determine the response to each risk
  5. Establish control activities
  6. Monitor risks

36
Q

What are the important things to consider when defining a company’s risk appetite?

A
#1: Resources (financial and human) available to manage risks
#2: Risk profile - considering the risk types, their severity, and their interdependence
#3: Risk capacity - the maximum amount of risk the entity can absorb

37
Q

Statement: "Operator processing errors will reduce the quality of manufactured units." Why is this a good description of a potential root cause of risk?

A

This is a precisely stated risk (lower quality of manufactured units) that includes a potential root cause (i.e., operator processing errors).

38
Q

What are the three components of COSO’s ERM Framework related to leveraging information systems? Define each one.

A
  1. Data and information governance - governance processes for identifying data and risk owners and holding them accountable
  2. Processes and controls - help an entity create and maintain reliable data
  3. Data management architecture - the models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization

39
Q

Regarding strategy and business objectives, what are some things that would likely trigger a substantial change in a company's strategy and business objectives? Provide an example of something that would be least likely to trigger a substantial change.

A

Most likely triggers:
1. Significant change in technology (e.g. a new system)
2. Unexpectedly large growth (e.g. in annual sales)
3. Significant regulatory changes

Least likely trigger:
1. An internal promotion

40
Q

Define risk range and target risk.

A

Risk range - The acceptable level of risk (from lowest to highest) established by an organization.
Target risk - The level of risk the entity desires to be at within that range.

41
Q

Define risk capacity.

A

Risk capacity - Maximum amount of risk an entity can absorb in the pursuit of strategy and business objectives

42
Q

"Net credit losses will be really low." Is this statement of risk appetite acceptable?

A

No. It is vague and imprecise. Statements of risk appetite should be measurable and precise, such as: "Net credit losses will be less than 1% of average loan balances."

43
Q
#1: IT reports 17 incidents of denied attempts to access the system.
#2: IT analysis indicates a 5% probability of a level 2 system breach within the next 3 months.

What does statement one represent and why? What does statement two represent and why?

A

Statement 1 - Key performance indicator. It is a historical count of what has already happened: 17 denied access attempts were reported.
Statement 2 - Key risk indicator. It is forward-looking, estimating the likelihood (5% probability) and severity (a level 2 breach) of a risk that has not yet occurred.

44
Q

"Overall responsibility for overseeing the management of risks, and compliance with our risk management framework and risk appetite, lies with _______."

A

The board of directors. The ultimate responsibility for these ERM components rests with the board of directors, even though day-to-day risk management is delegated to management.

45
Q

Which component of the ERM framework is most associated with risk identification and assessment?

A

Performance. This component covers identifying risks, assessing their severity, prioritizing them, implementing responses, and developing the portfolio view.