COSO ERM Framework Flashcards

1
Q

What is the definition for ERM?

A

The culture, capabilities and practices integrated with strategy-setting and performance, that an organization relies on to MANAGE RISK in creating, preserving and realizing VALUE. Effective integration improves decision making and performance.

2
Q

What is culture?

A

The attitudes, behaviors and understanding about RISK, both positive and negative, that influence the decision of management and personnel and reflect the mission, vision and core values of the organization.

3
Q

What is mission?

A

The organization’s core purpose.

4
Q

What is vision?

A

The organization’s aspirations for what it intends to achieve over time.

5
Q

What is core value?

A

The organization’s essential beliefs about what is acceptable or unacceptable.

6
Q

What are capabilities?

A

The skills needed to carry out the organization’s mission and vision.

7
Q

What are practices?

A

The collective methods used to manage risks.

8
Q

What does “integrating strategy setting and performance” mean?

A

To consider risk in setting strategy, business objectives, performance targets and tolerance.

9
Q

What is strategy?

A

It communicates how the organization will achieve its mission and vision and how it will apply its core values.

10
Q

What are business objectives?

A

The steps taken to achieve strategy.

11
Q

What is (risk) tolerance?

A

The range of acceptable variation in performance results.

12
Q

What is risk profile?

A

The composite view of the types, severity and interdependencies of risks related to a specific strategy or business objectives and their effect on performance. See Figure 1-3 on p.31.

13
Q

What is portfolio view of risk?

A

The composite view of the risks related to ENTITY-WIDE strategy and business objectives and their effects on ENTITY performance.

14
Q

What is opportunity in terms of managing risk?

A

Any action or potential action that creates or alters goals or approaches for the creation, preservation or realization of value. They differ from positive events, occurrences in which performance exceeds the original target.

15
Q

True or False. Effective ERM practices provide absolute assurance that the risk assumed is appropriate.

A

False. Effective ERM practices provide reasonable expectation that the risk assumed is appropriate.

16
Q

What is risk inventory?

A

It consists of all identified risks that affect strategy and business objectives.

17
Q

What is risk capacity?

A

The maximum amount that an organization can assume.

18
Q

What is risk appetite?

A

The types and amount of risk an organization is willing to accept in order to pursue value.

19
Q

What is inherent risk?

A

The risk in the absence of management actions to alter its severity.

20
Q

What is actual residual risk?

A

The risk remaining after management actions to alter its severity.

21
Q

What is target residual risk?

A

The risk an organization prefers to assume, knowing that management actions have altered or will alter its severity.

22
Q

When is value created?

A

When benefits obtained from the resources used exceed their costs.

23
Q

When is value preserved?

A

When resources used are sustained.

24
Q

When is value realized?

A

When benefits are transferred to stakeholders.

25
Q

When is value eroded?

A

When management’s strategy doesn’t produce expected results or when management doesn’t perform day-to-day tasks.

26
Q

Who is responsible for providing risk oversight?

A

The board provides risk oversight of ERM culture, capabilities and practices. A committee can be formed for this purpose (e.g. audit committee, risk committee, executive compensation committee, nomination or governance committee). An audit committee is usually required by regulators.

27
Q

Who has the overall responsibility for ERM?

A

Management is responsible for the day-to-day management of risk, including developing and implementing the COSO ERM framework. Within management, the CEO has ultimate responsibility for ERM and for achievement of strategy and business objectives.

28
Q

What role does a risk officer play?

A

It’s the centralized coordinating point to facilitate risk management across the entire enterprise.

29
Q

What are the three lines of management accountability and their duties?

A
  1. Principal owners of risk: manage performance and risks taken to achieve strategy and objectives.
  2. Supporting functions (risk officer): provide guidance on performance and ERM requirements; evaluate adherence to standards; challenge the first line to take prudent risks.
  3. Assurance (internal audit): review ERM; identify issues and improvements; inform the board and executives of matters needing resolution.
30
Q

What are the five interrelated ERM components?

A
  1. Governance and culture
  2. Strategy and objective setting
  3. Performance
  4. Review and revision
  5. Information, communication and reporting
31
Q

What is the flow chart for ERM?

A

Mission, Vision & Core Values -> Strategy Development -> Business Objective Formulation -> Implementation & Performance -> Enhanced Value

32
Q

What are the five principles in Governance and Culture?

A
  1. The board exercises risk oversight
  2. The organization establishes operating structures
  3. The board and management define the desired culture
  4. The organization demonstrates commitment to core values
  5. The organization attracts, develops and retains capable individuals
33
Q

What are the four principles in Strategy and Business Objectives Setting?

A
  1. The organization analyzes business context and its effect on the risk profile
  2. The organization defines risk appetite
  3. The organization evaluates alternative strategies and their effects on the risk profile
  4. The organization establishes business objectives that align with and support strategy
34
Q

What are the five principles in Performance?

A
  1. The organization identifies risks that affect the performance and business objectives
  2. The organization assesses the severity of risk
  3. The organization prioritizes risks
  4. The organization selects risk responses
  5. The organization develops and evaluates its portfolio view of risk
35
Q

What are the three principles in Review and Revision?

A
  1. The organization identifies and assesses changes that may substantially affect strategy and business objectives
  2. The organization reviews entity performance results and considers risk
  3. The organization pursues improvement of ERM
36
Q

What are the three principles in Information, Communication and Reporting?

A
  1. The organization leverages its information system to support ERM
  2. The organization uses communication channels to support ERM
  3. The organization reports on risk, culture and performance at multiple levels and across the entity
37
Q

How is ERM assessed?

A

When the components, principles and supporting controls are present (exist) and functioning (continue to operate), ERM is reasonably expected to manage risks effectively and to help create, preserve and realize value.

38
Q

What are the limitations of ERM?

A
  1. Faulty human judgment
  2. Cost-benefit considerations
  3. Simple mistakes or errors
  4. Collusion
  5. Management override of ERM practices
39
Q

List the board’s role in risk oversight (including but not limited to).

A

Review and challenge decisions related to strategy, risk appetite, and major business decisions (e.g. M&A).
Approve management compensation.
Participate in shareholder relations.

40
Q

What is required of the board to be most effective in risk oversight?

A
  1. Has the skill, experience and business knowledge to understand the organization’s strategy & the industry and to maintain this understanding as business context changes
  2. Is INDEPENDENT of the organization
  3. Understands the organizational biases influencing decision making and challenges management to minimize them
41
Q

List internal factors that shape culture.

A
  1. Level of judgment and autonomy allowed to personnel
  2. Standards and rules
  3. Reward system in place
42
Q

List external factors that shape culture.

A
  1. Legal requirements
  2. Expectations of stakeholders (customers and investors)
43
Q

What is culture spectrum?

A

It’s a scale that ranges from risk averse to risk neutral and to risk aggressive. Placement on the scale is determined by the organization’s definition of culture.

44
Q

What is a contingency plan?

A

It is developed to prepare for succession and is critical for ERM. The plan is to train selected personnel to assume responsibilities.

45
Q

What are the factors related to the internal environment of business context?

A
  1. Capital (assets)
  2. People (skills and attitudes)
  3. Processes (policies, procedures and tasks)
  4. Technology
46
Q

What are the factors related to the external environment of business context?

A

“PESTLE” Analysis:

  1. Political (government intervention & influence)
  2. Economic (interest rate & availability of credit)
  3. Social (consumer preference, demographics)
  4. Technological (R&D)
  5. Legal (law, regulations and industry standards)
  6. Environmental (climate change)
47
Q

What are the characteristics of business context?

A

Dynamic (new, emerging and changing risks can appear at any time)
Complex (interdependencies and interconnections)
Unpredictable (change can occur in unanticipated ways and rapidly)

48
Q

List methods/approaches for risk identification.

A
  1. Day-to-day activities
  2. Simple questionnaires
  3. Facilitated workshops
  4. Interviews
  5. Data tracking
49
Q

How to measure severity of risk?

A

Measurement can be a combination of impact (positive or negative effect) and likelihood (possibility of event occurrence).

50
Q

What’s the rule of time horizon in assessing risk?

A

The time horizon used to assess a risk should be identical to that of the related strategy and business objectives. For example, the risk affecting a strategy that takes two years to achieve should be assessed over the same two-year period.

51
Q

What methods are more efficient and less costly for assessing risk?

A

Qualitative methods, such as interviews, surveys and benchmarking.

52
Q

What methods are more precise for assessing risk?

A

Quantitative methods, such as decision trees, modeling and Monte Carlo simulation.

53
Q

When to reassess severity?

A

An organization should reassess severity when a triggering event occurs (e.g. when business context or risk appetite changes).

54
Q

What are the agreed-upon criteria used to evaluate the characteristics of a risk?

A

Complexity: nature and scope of the risk
Velocity: the speed at which the risk affects the entity
Persistence: how long the risk affects the entity, including the time it takes the entity to recover
Adaptability: the entity’s capacity to adjust and respond to the risk
Recovery: the entity’s capacity (not the time) to return to tolerance

55
Q

What are the four risk views?

A
  1. Risk view (minimal integration): risks identified and assessed so the emphasis is only on the event
  2. Risk category view (limited integration): identified and assessed risks are categorized based on operating structures
  3. Risk profile view (partial integration): risks are linked to the business objectives that they affect; dependencies between objectives are identified and assessed
  4. Risk portfolio view (fully integrated): composite view of risks related to entity-wide strategy and business objectives and their effects on entity performance
56
Q

How to use a risk portfolio view to ensure risk management?

A

Management can determine whether the entity’s residual risk profile (inclusive of risk responses) aligns with overall risk appetite.

57
Q

What are the changes that will most likely affect strategy and business objectives substantially?

A

Business context and culture.

58
Q

True or False. The organization must continually improve ERM at all levels, even if actual performance aligns with target tolerance.

A

True.

59
Q

What is an open communication channel?

A

It allows risk information to be sent and received both ways.

60
Q

What are the purposes of reporting in ERM?

A

It is to support personnel in their understanding of the relationships among risk, culture and performance. It also supports their decision making related to setting strategy and objectives, governance and day-to-day operations. Reporting can combine qualitative and quantitative risk information, and the emphasis is on information that supports forward-looking decisions.