ERM Flashcards
ERM Manual
A document outlining policies and procedures for managing risks and carrying out ERM processes at PC Limited, applying to all sub-functional areas within the ERM function.
Risk Appetite
A guide used to determine the acceptable level of risk at PC Limited.
Risk Assessment Approach
PC Limited’s approach to measuring identified risks related to its business processes.
Four risk treatment approaches adopted by PC Limited
Tolerate (Acceptance)
Treat (Reduce)
Transfer (Share)
Terminate (Avoid)
Risk Map
Illustrates the effect of implemented mitigation plans on gross risk, resulting in residual risk moving towards the bottom left-hand corner of the grid.
Quality Assurance and Improvement Program
Involves ongoing assessment and monitoring of GRC’s performance and effectiveness at PC Limited, covering all main aspects of quality assurance.
How often QAQC assessments are carried out
Internal assessments are conducted annually and external assessments every three years.
PC Quality Assurance Review Tool
A key tool used to
- check the quality assurance of the GRC Function at PC Limited,
- document variance analysis results, and
- define next steps for each GRC team member involved in reviews.
Investigation Processes and Procedures
Established for conducting investigations into alleged incidents of bribery, corruption, fraud, and misconduct.
Whistle-blower Policy
Outlines the requirements for reporting whistle-blower complaints to the GRC Function at PC Limited.
Investigation Planning Phase
Includes
- protocols for information storage and sharing,
- report distribution lists at PC Limited, and
- notification of third parties: regulators, external auditors, and law enforcement agencies may need to be notified of certain allegations to be investigated.
PC Limited's risk approach is based on
the likelihood ranking criteria provided in the ERM manual.
How is the level of risk obtained?
A combination of likelihood of occurrence and magnitude of impact
Approach adopted by PC Limited to improve risk management
Enterprise risk management (ERM)
How is the company risk appetite derived?
derived from annual strategy/goal setting processes and based on strategic, operational, compliance, and reporting objectives.
Responsible for the review and administration of investigation processes and procedures
GRC Function and the Chief Compliance Officer
Risk is
The probability that the occurrence of an event may positively or
negatively impact the achievement of the organization’s objectives.
Four (4) key elements of PC Limited’s ERM model:
a) Risk strategy and appetite;
b) Risk culture;
c) Risk governance; and
d) Risk management process.
Purpose of ERM manual
Sets out policies, guidelines and practices to be adopted in
managing risks and carrying out ERM processes.
Who grants exceptions to the ERM policy?
GCEO, ratified by Board
Review and update of ERM takes place
every 2 years
ERM Key Result Areas
Enterprise Risk
- Identification
- Assessment
- Mitigation and Control
- Monitoring and Reporting
ERM SIPOC Suppliers
Business Units
ERM SIPOC Outputs
- Risk Register
- Risk Heat map/Assessment report
- Risk & Control Register
- Risk report
Risk Register (SIPOC)
Supplier: BU - Input: Strategy & Action Plans - Process: Risk Identification - Customer: BU/ERM/GRC
Risk Heat map/Assessment report (SIPOC)
Supplier: BU - Input: Risk Ratings - Process: Risk Assessment - Output: Risk Heat map - Customer: Audit/BU
Risk & Control Register (SIPOC)
Supplier: BU - Input: Mitigation action plans - Process: Risk mitigation - Output: Control Register - Customer: Audit/BU
Risk report (SIPOC)
Supplier: BU - Input: Info requirements - Process: Monitoring & Reporting - Output: Reports - Customer: ERM/Audit/GRC/BU
PC Risk management strategy
Establish and sustain a
robust ERM model that is proactive and embedded in all processes to
ensure that responses to risks are effective and dynamic.
Risk appetite is
The amount of risk PC Limited is willing to accept in order
to be in alignment with its strategic objectives.
Risk appetite purpose
- Guide to determine how much risk is acceptable;
- A benchmark for key risk indicators;
- Guide in strategy and goal setting process.
ERM Action “I” means
Initiate
ERM Action “C” means
Consult
ERM Action “R” means
Recommend
ERM Action “E” means
Endorse
ERM Action “A” means
Approve
ERM Action “IMP” means
Implement
ERM Action “INF” means
Inform
ERM roles include
- PC Ltd Board
- Board Audit Committee (BAC)
- Management Committee
- HODs / Process owners / Project managers
- Risk & Control Function
P26
Risk three lines of defence
- Risk Management (BOD, BAC, MRC, Heads)
- Risk Oversight
- Assurance (Audit fn, External Audit, Regulators)
Who doubles as the chief risk officer?
Chief compliance officer P32
4 major components addressed by ERM Process
- Risk Identification
- Risk Assessment
- Risk Mitigation
- Risk monitoring and reporting
2 Types of Risk Ranking Criteria used in PC Ltd
Likelihood and Impact (Non-financial & Financial)
What are the risk likelihood factors used in PC Ltd.?
- Rare (Not expected) 1-19%
- Unlikely (little chance of 1 in 3yrs) 20-39%
- Possible (50% chance in 3 yrs) 40-64%
- Likely (>50% chance in 3 yrs) 65-89%
- Almost Certain (at least 1 in 3 yrs) 90-100%
Risk Impact criteria are:
- Insignificant
- Minor
- Moderate
- Major
- Extreme
The level of risk is a combination of
Likelihood of occurrence and
magnitude of impact;
the result is shown on a heat map as High, Medium, or Low.
Risk levels are
- High - material influence on objectives - BOD, SMT
- Medium - influence on short-term objectives - BOD, SMT, Middle Mgt.
- Low - negligible influence - Middle Mgt.
RCSA means
Risk and control self-assessment