Introducing ERM Flashcards

1
Q

What is the definition of ERM by ISO 31000

A

‘Coordinated activities to direct and control an organisation with regard to risk.’

2
Q

When did risk management frameworks develop?

A

From 1995

3
Q

In what year did risk management become more focussed following a financial crisis, and why?

A

2008. As a result of the financial crisis, risk management became more focussed due to increases in regulation and the need to hold people responsible through governance, risk and compliance (GRC), particularly in the financial services sector.

4
Q

What is a definition of Risk

A

The effect of uncertainty on objectives.

5
Q

What are the 4 categories of risk

A

Hazard risks - negative risks
Compliance risks - mandatory risks
Control risks - uncertainty
Opportunity risks - positive risks

6
Q

What should ERM look like to be successful

A

ERM makes a company more successful by creating a single view of all risks and managing those risks in a consistent way up, down and across the enterprise

7
Q

What are the aspects of a traditional risk management approach

A

Risks as individual hazards
Risk mitigation only
Risks with no owners
Risk is insurance
Risk is not my responsibility

8
Q

What is the COSO definition of ERM

A

The culture, capabilities, and practices integrated with strategy setting and its execution, that organisations rely on to manage risk in creating, preserving and realising value

9
Q

What benefits can risk management bring

A

Soft people benefits such as improving working relationships
Hard benefits such as a higher return on investment

10
Q

What is corporate governance

A

The UK corporate governance institute defines governance as the system of rules, practices and processes by which a company is directed and controlled

11
Q

What is a GRC approach?

A

GRC is governance, risk and compliance, where there should be an integrated approach to compliance, risk management, internal controls and internal audit

12
Q

5 benefits of ERM

A

Builds confidence in stakeholders and investors
Comply with relevant legal and regulatory requirements
Improve resilience
Increase the likelihood of a business meeting its objectives
Optimise the allocation of resources

13
Q

What are the four easy steps of risk management

A

Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report

14
Q

What are the SATARLA risk management steps

A
  1. Context and objectives
  2. Assess risks - identification (which could be very broad), understanding (the values of the organisation, how risks can impact objectives, and risk velocity or clock speed) and "so what" (can we leave a risk, or do we need to manage it)
  3. Management of risks - controls and an understanding of those controls
  4. Monitoring of whether the management of risks is working and of any changes to context, plus review, reporting and communication out to key stakeholders
Combined, these create risk-based decision making

15
Q

What are the financial risk management regulations

A

The Sarbanes-Oxley Act mandates certain practices in financial record keeping and reporting for corporations in the US
The Basel Accord regulations regulate the banking sector
The European Union's Solvency II regulates the insurance sector

16
Q

What does the Basel committee on banking supervision (2021) define operational risk as?

A

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events

17
Q

What does RIDDOR stand for?

A

Reporting of injuries, diseases, and dangerous occurrence regulations (RIDDOR)

18
Q

What does COSHH stand for?

A

Control of substances hazardous to health

19
Q

What is the definition of projects

A

Unique, transient endeavours (Association for Project Management (APM))

20
Q

Common themes of projects

A

They have elements of uniqueness
They are temporary - have a beginning and an end
Are focussed
Have elements of complexity
Are reliant on third parties
Are based on assumptions

21
Q

What 3 factors does ISO 31000 consider in relation to risk management

A

The principles - what good risk management looks like
The framework - what is needed to implement effective risk management
The process - what the steps are in risk management

22
Q

When was ISO 31000 first invented

A

2009 and updated in 2018

23
Q

Can ISO 31000 be used for certification purposes

A

No

24
Q

What is RASP

A

Risk architecture, strategy and protocols; RASP is the supportive structure of the risk management process

25
Q

What are the various components of the COSO ERM CUBE

A

The face is the risk management process, consisting of 8 items
The top of the face describes the four categories of organisational objectives
The side shows the implementation process of the standard

26
Q

What does COSO 2017 include

A

This includes the rainbow double helix. This reflects the changing complexity of risks and the evolving business environment

27
Q

What are the three distinct approaches to risk management as cited by Hopkin and Thompson

A

Risk management approach, followed by ISO 31000
Internal control approach, developed by the COSO internal control framework and by the FRC risk guidance
Risk aware culture approach, developed by the Canadian Institute of Chartered Accountants, known as the CoCo framework

28
Q

What are the principles of risk management

A

Focus on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, reducing volatility and uncertainty

29
Q

What is the purpose of risk management according to ISO 31000

A

The creation and protection of value

30
Q

What are the eight principles of risk management by ISO 31000

A
  1. Framework and processes should be customised and proportionate
  2. Appropriate and timely involvement of stakeholders is necessary
  3. A structured and comprehensive approach is required
  4. Risk management is an integral part of all organisational activities
  5. Risk management anticipates, detects, acknowledges and responds to changes
  6. Risk management explicitly considers any limitations of available information
  7. Human and cultural factors influence all aspects of risk management
  8. Risk management is continually improved through learning and experience

31
Q

What are the orange book (2020) principles?

A

A) Governance and Leadership
B) Integration
C) Collaboration and Best Information
D) Risk Management Processes
E) Continual Improvement

32
Q

What are the attributes of effective risk management?

A

PACED - Proportionate (tailored to the organisation)
Aligned (the process is integrated with other organisational activities) so that business can continue as usual
Comprehensive (the process encourages consistency in the risk management process)
Embedded (the ERM framework and process encourages a change in risk attitudes)
Dynamic (the process does not finish with the completion of the risk register)

33
Q

What is Risk Architecture?

A

Committee structure and terms of reference
Roles and responsibilities
Internal reporting requirements
External reporting controls
Risk management assurance arrangements
Budget and agreement on resources

34
Q

What is agency theory?

A

The concept used to explain the important relationships between principals and their relative agent. The principal is someone who heavily relies on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes

35
Q

What is a hybrid approach to risk management?

A

Where discretion in the design and operation of a subsidiary is allowed in certain areas, but others, such as brand management, are held corporately

36
Q

What is a RACI chart?

A

A RACI (Responsible, Accountable, Consulted and Informed) chart is used as a responsibility assignment matrix that lists the relevant stakeholders and their level of involvement in the project

37
Q

What can FIRM be used for

A

Assessing the benefits of a fully implemented and effective ERM framework. Benefits of ERM can also be assessed by MADE2

38
Q

What can ERM implementation demonstrate

A

ERM implementation is not really a type of risk management but rather a view on risk management maturity in an organisation.

39
Q

What is PIML

A

Planning, implementing, measuring and learning

40
Q

What are the factors that can influence timescales in implementing ERM

A

The start position - what can the organisation use that is already in place
The commitment from the top
The size and complexity of the enterprise
The extent to which the enterprise is a global actor
The resources available to support implementation

41
Q

How long does it take to implement ERM

A

Some say it’s around 3-5 years. Others say in larger, complex and decentralised organisations it can take 5-10+ years. Effective ERM is long term to derive the relevant benefits

42
Q

Should risk management reflect the cadence of meetings that are already in place?

A

Yes, this will help embed ERM into governance and reporting lifecycle or structure of an organisation.

43
Q

What are the components of risk strategy as interpreted by Hopkin and Thompson

A

Risk management philosophy
Arrangements for embedding risk management
Risk appetite and attitude to risk
Benchmark tests for significance
Specific statements / policies
Risk assessment techniques
Risk priorities

44
Q

Is a risk management policy common?

A

Yes, a risk policy adopted by the board and used across the organisation is common. This is sometimes achieved in an ERM policy that outlines the philosophy of risk management in the organisation, states who should be responsible for it and commits to provide the resources necessary to manage risks to an acceptable level

45
Q

What does the IRM define risk appetite as?

A

The amount of risk that an organisation is willing to seek or accept in the pursuit of long term objectives

46
Q

What is risk tolerance

A

The level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level

47
Q

Risk capacity

A

The level of risk that is unacceptable. This is the tipping point that the organisation cannot or does not wish to go over.

48
Q

Risk procedures - what are they

A

They are the ‘how’ regarding the delivery of good quality risk management.

49
Q

What may a risk protocol contain?

A

Techniques used in risk identification
The format and content of the risk register; how it is to be completed and how often
Requirements on entering risk events into the log and upwards escalation depending on severity
Detailed reporting requirements
Approval processes for expenditure on risk improvement actions

50
Q

Are tools and techniques usually in a risk management procedure?

A

No, but tools and techniques can be referenced in a risk management procedure

51
Q

What are the eight steps of COSO (2004)

A

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

52
Q

What are the orange book (2020) risk management principles

A

Risk management shall be:
An essential part of governance and leadership (A)
Integral to all operational activities (B)
Collaborative and informed by the best available information (C)
Have structured processes (D)
Continually improved (E)

53
Q

What does principle D of the orange book risk management principles comprise?

A

Risk identification and assessment
Risk treatment
Risk monitoring
Risk reporting

54
Q

What are the four main steps in the risk management process

A
  1. Define context and objectives
  2. Assess the risks
  3. Manage the risks
  4. Monitor, review and report
55
Q

What are the three components of context as cited by Hopkin and Thompson

A

The organisation's risk management context
The internal context
The external context

56
Q

What does the internal context include?

A

The organisation's divisions, departments, internal stakeholders, staff, the board, approach to corporate governance, competencies and capabilities

57
Q

What is the extended enterprise

A

The IRM defines the extended enterprise as ‘a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own’

58
Q

What are five techniques that can be used for risk assessment according to Hopkin and Thompson?

A
  1. Checklists and questionnaires
  2. Workshops and brainstorming
  3. Inspections and audits
  4. Flowcharts and dependency analysis
  5. Crowdsourcing technology

59
Q

What are emerging risks?

A

A risk which is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)

60
Q

Why do organisations choose to classify risks?

A

Because it provides a structure to the process of risk identification which can facilitate the identification of more risks
It also helps with the development of consistent risk terminologies across an organisation

61
Q

How can risks be classified

A

They can be classified as short term, medium term and long term.
Short term risks are those with an immediate impact, such as on operational activities
Medium term risks are associated with tactics - a few months to a year
Long term risks are associated with strategy - one to five years after the event

62
Q

What is a second dimension to the FIRM risk scorecard to classify risks?

A

Risks can be classified depending on where they derive from. Internal risks (such as staff fraud) can be seen as financial and infrastructure risks; the source of internal risk is the internal context.
External risks (such as exchange rate variability) can be seen as reputational and marketplace risks; their source is the external context.

63
Q

Which risks are overlooked more often, internal or external?

A

External risks are often overlooked as people know the inner workings of their organisation better than they do externally

64
Q

How can likelihood be measured?

A

Probability - as a value between 0 and 1 - there is a 2% chance of rain in the city of Jeddah. Probability is used when risks might only occur once in the timeframe considered
Frequency - in just one day in 2005, Hurricane Katrina resulted in a one in a hundred-year flood in New Orleans. Frequency is commonly used for risks that might occur more than once in the timescale considered.

65
Q

What is impact versus action?

A

The amount of action needed to bring a risk to an acceptable level

66
Q

What are the benefits of impact versus action?

A

Avoids unnecessary debate on likelihood
Prioritises attention on the risks that require immediate focus
Prompts robust discussion and action regarding the extent to which risks truly need to be managed

67
Q

What is risk proximity?

A

How close a risk is to occurring or how soon a risk can happen.

68
Q

What is risk velocity

A

How fast a risk can impact an organisation once it occurs - Hopkin and Thompson describe this as the timescale of risk impact

69
Q

Risk clock speed - what is it?

A

Slow clock speed risks are those where enough thinking time is available
Fast clock speed risks are at or close to real time

70
Q

What is the risk clock speed window?

A

The range between how well organisations can deal with fast clock speed risks and slow clock speed risks and still function effectively

71
Q

What are the three risk rating levels?

A

Inherent - this is the level of risk before any controls have been put in place or actions taken to manage the risk and change its likelihood or impact. This is useful for understanding the real exposure an organisation has to a risk should the controls fail. It also helps to identify when risks might be over- or under-controlled. This is sometimes called the raw, total or gross level of risk.
Current - the risk taking into account the current controls in place to manage it, working at their current effectiveness; ‘net’ or ‘residual’ is sometimes used to describe this.
Target - this is the level of risk that is desired in order to bring the risk to an acceptable level. This rating is often missed by organisations but is important in considering how much effort is needed to manage risks to an acceptable level.

72
Q

What are residual (design) risks?

A

Residual (design) risks are those where the level of risk represents current controls working effectively and/or takes account of additional planned actions to manage the risk.

73
Q

Where a risk has different impact scales, which one should be plotted onto a risk matrix?

A

The highest, otherwise the averaged out scores may ignore the real effect of risk.

74
Q

What are HILP risks

A

They are high impact low probability risks, which because of their low likelihood are often perceived as risks that do not need much attention, such as COVID-19

75
Q

What is risk evaluation?

A

This is the decision point at which we decide whether or not to respond to a risk

76
Q

How do we treat risks?

A

We treat risks by comparing the current risk rating with the target risk rating (usually our risk appetite). If the current risk rating exceeds the risk appetite, we will manage it.

Then we re-analyse the current risk after treatment. If the current risk rating still exceeds risk appetite, we will treat it again to manage the risk further towards our target.

Then we re-analyse the current risk again; only when the current rating has reached our target rating do we stop implementing additional actions to manage the risk. If we cannot reach the target rating sufficiently or economically, then we might have to consider revising our objectives and beginning the process again.

77
Q

What is a control as defined by ISO 31000?

A

A control is a measure that maintains and/or modifies a risk

78
Q

What should controls do?

A

They should take charge and modify the risk - either by tackling the causes and changing the likelihood of the risk occurring, or the consequences and changing the impact should the risk occur.

79
Q

What are some of the risk response strategies ?

A

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk

Taking or increasing the risk to pursue an opportunity

Removing the risk source

Changing the likelihood

Changing the consequences

Sharing the risk

Retaining the risk by informed decision

80
Q

What are the 5Es

A

Explore - start-up operations
Expand - this is during the growth phase, for example making investments or making sales
Exit - the operation may decide to exit through a successful and profitable sale, or if the investment is outside risk appetite
Exploit - as a mature operation, the opportunity is exploited further
Exist - operations in decline have not changed and will just exist

81
Q

What are the three treatments for threats using loss control?

A

Loss prevention - controls designed to stop a risk occurring
Damage limitation - controls designed to reduce the size of the risk as soon as it has occurred
Cost containment - controls designed to reduce the long term effect of the risk such as business continuity management

82
Q

What is PCDD?

A

Preventative controls - these are suggested as being the most important approach, but prevention is not always cost effective, so it is necessary to do a cost-benefit analysis
Corrective controls - these are used where preventative controls are not feasible, desirable or cost-effective. Corrective controls need to be developed prior to the risk occurring but become effective once the risk has occurred
Directive controls - these are a common type of control and are based on giving directions to another person as to how they should behave in certain circumstances, but as they are dependent upon behaviour they may not be very reliable. Directive controls on their own are not real controls (such as the guidance and data during COVID-19) and need to be supported with other controls
Detective controls - these detect a risk occurring, such as a fire alarm or an audit of a project that is off track

83
Q

Which controls are pre and post event manifestation

A

Directive and preventative controls are pre-event manifestation
Corrective and detective controls are post-event manifestation

84
Q

What are anticipatory controls?

A

These controls are forward looking, similar to directive controls but they tend to be more long term and strategic in nature

85
Q

What is the hierarchy of controls in HSE?

A

Elimination - physically remove the hazard
Substitution - replace the hazard
Engineering controls - isolate people from the hazard
Administrative controls - change the way people work
PPE - protect the worker with equipment and this should be the last resort to protect against risks.

86
Q

What is monitoring and reporting

A

The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Monitoring is ongoing whereas review is periodic

87
Q

What does monitoring include?

A

Reviewing the status of risk, controls, causes, consequences and any changes in these as well as changes in context and objectives

88
Q

What does reviewing include?

A

Reviewing is checking the effectiveness of the controls in place to manage risks and of the risk management process, with the review perhaps taking place on a less regular basis

89
Q

What are the three core methods to monitor risks?

A

Key risk indicators, key control indicators and risk status

90
Q

Key risk indicators - what are they?

A

They provide information on the changes in risks

91
Q

What are key control indicators

A

They measure the effectiveness of controls and changes to controls; examples include:
Number of unauthorised trades
Percentage of employees receiving supervision
Regularity of disaster recovery plan testing

92
Q

What is the difference between leading and lagging indicators

A

Leading indicators look into the future and provide an early warning of changes, such as measures of customer engagement and brand reputation

Lagging indicators look into the past and measure outcomes and results, such as financial results (including profit or loss) and the number of audit findings
KRIs and KCIs tend to be lagging measures

93
Q

What do risk datasets look at?

A

This is a quadrant which compares internal / external data and human / machine sourced information

94
Q

What is risk status / lifecycle?

A

Draft - the risk has only just been raised and needs to be assessed to ensure it is a real risk and that it belongs in the scope of activity being addressed
Active - we are actively dealing with a real risk, and further actions are required to manage it to an acceptable level. These risks and controls should be monitored regularly to ensure the controls are effective and the risk is moving from the current to the target level
Ongoing - we have managed the risk to an acceptable level, but it should not be closed and may change. Ongoing risks are reviewed less frequently, but KRIs and KCIs should be developed to help recognise any underlying changes to the risk
Closed / managed - this risk can be closed due to successful management, and lessons can be learnt to ensure that risks of this type are managed in a similar manner in the future
Closed / occurred - this risk can be closed because it has occurred, and lessons can be learnt to ensure risks of this type can be better managed in the future

95
Q

What are the characteristics of review of controls?

A

The review of risks is carried out to provide assurance that risks are being managed effectively - they are usually held on a planned basis and are retrospective.

96
Q

How often is the risk management framework and process reviewed?

A

This is often on a three year cycle which allows for review to be undertaken, improvements identified, agreed and implemented and give time for those improvements to take effect

97
Q

How often does the UK corporate governance code state that board should carry out a review of the risk management internal control systems?

A

At least annually

98
Q

How are reviews of risk management benchmarked?

A

By industry standards such as health and safety
By risk management standards and frameworks such as ISO 31000
Relevant industry or sector best practices based on subject matter experts' knowledge and experience

99
Q

What is the primary objective of monitor and review

A

Improvements in risk management activities

100
Q

What are key controls

A

The controls that reduce the organisation's most significant risks (sometimes called critical controls)

101
Q

What are the benefits of undertaking reviews of the whole risk management process?

A

To ensure responses are effective and efficient, including the identification and closing of any holes or gaps in control defences
To identify and manage potential adverse side effects and unintended consequences
To build up knowledge to improve risk identification and analysis
To better link risks to objectives, key dependencies, core processes and stakeholder expectations
To detect and prepare for changes in our internal and external context
To detect and prepare for changes in trends in our risks
To identify and prepare for new and emerging risks
To identify good risk management practices, build on them and disseminate it to other parts of the organisation

102
Q

Why is it important to review near misses?

A

This helps us understand:
Why it occurred
Whether we had previously identified it as a possible risk
Why it did not have a big impact
Whether we had correctly analysed its likelihood and impact

103
Q

How is communication and consultation defined?

A

Continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk

104
Q

What are the differences between communication and consultation?

A

Communication seeks to promote awareness and understanding of risk whereas consultation involves obtaining feedback and information to support decision making

105
Q

What is useful information that could be shared in risk reports?

A

Level of confidence that objectives can be met
Important changes - in risks, controls, context, objectives and so on
Any significant new and emerging risks
Any new themes or trends
The progress on actions needed to bring risks to an acceptable level
Actions needed to manage risks further
Update on the effectiveness of controls

106
Q

What does the Financial Reporting Council expect in annual reports and accounts regarding risk?

A

The principal risks
Whether the directors have a reasonable expectation that the company will be able to continue to operate and meet its liabilities
The going concern basis of accounting
A review of and the main features of risk management and the internal control system

107
Q

What is the central question of risk management?

A

Given the context in which we are working, the risks faced (be those opportunities or threats) and the extent to which they are managed, is it possible to achieve the objectives previously set?

108
Q

What are the types of decision making?

A

Analytical - analyse data and look at evidence, require more data but have a tolerance for ambiguity
Conceptual - big picture thinkers willing to take risk - have a high tolerance for ambiguity and are creative.
Directive - quick decisive thinkers with little tolerance for ambiguity - focuses on the task with little consultation and can be aggressive in nature
Behavioural - focuses on relationships rather than the task and evaluates feelings of others with a low tolerance for ambiguity, have a persuasive nature

109
Q

What is a definition of culture?

A

The ideas, customs, knowledge, beliefs and behaviours shared by a group of people whether in society or within organisations

110
Q

What is risk culture?

A

The values, beliefs, knowledge and understanding about risk shared by a group of people with a common focus, in particular the employees of an organisation or groups within an organisation

111
Q

What does risk culture require to be positive:

A

Good communication of the organisation's expectations to all staff
Convincing employees that they will personally benefit from good risk management practices
Involvement in the risk identification process, which will achieve greater buy-in
Training programmes that instil the right practices and knowledge
Investment in the use of effective IT security tools and active and transparent monitoring of IT usage that is made clear to all employees

112
Q

How was the COSO framework updated with regard to risk culture?

A

To recognise that having a best in class ERM approach does not add value where a positive risk culture does not support it

113
Q

What are the personality profiling methodologies regarding risk?

A

These assess an individual's predisposition towards risk, measuring a person's preparedness to take risk and their resilience in the face of risk

114
Q

What are the two elements of risk from a culture perspective

A

Objective reality (the likelihood that it will or will not rain tomorrow)

Subjective (the human perception of the risk, shaped by psychological factors, cultural factors and other intangibles)

115
Q

What are the dangers associated with risk perception

A

Organisations may manage the same risks inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty
Risk managers could seek to achieve greater kudos amongst their stakeholders by focussing efforts on managing stakeholders' fears over what they perceive to be the most significant risks rather than what actually are significant risks

116
Q

What are common biases?

A

Confirmation bias - basing decisions on what we want to believe because information confirms our existing preconception or beliefs
Conformity bias - choices of a group or the majority influence how we think, even if against our own personal judgement
Authority bias - where we favour the ideas of an authority figure
Bandwagon bias - where we favour ideas already adopted by others
Anchoring bias - where we are influenced by information we already know, and have trouble moving outside that pre-existing knowledge

117
Q

What does LILAC stand for - a risk culture model?

A

Leadership, involvement, learning, accountability and communication

118
Q

What are the ABC elements of risk culture?

A

Risk attitude - the chosen position adopted by an individual or group towards risk, influenced by risk perception

Risk behaviour - the external observable risk related actions of individuals

Risk culture - the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose.

119
Q

How do Hopkin and Thompson define risk attitude?

A

The long term view of the organisation to risk defined by the 4Cs of comfort, cautious, concerned and critical

120
Q

What is the double ‘S’ model?

A

Sociability - the people focus based on how well people interact socially - vertical axis of the model
Solidarity - the task focus based on goals and team performance - horizontal axis of the model

121
Q

How can risk culture be measured?

A

Organisation-wide surveys, which can be done as a proxy if too burdensome
Interviews - a more personal approach and help understand the reasons for a risk culture but need to be based on a standard set of questions. These can be especially helpful when looking to gather views of executives or board members
Surveys - gathering a wider and more diverse understanding of culture which is a mechanistic approach to a very subjective subject.

122
Q

What is the culture aspects model?

A

This looks at culture in eight aspects which are grouped together into four themes:
Tone from the top - risk leadership and dealing with bad news

Governance - accountability and transparency

Decisions - informed risk decisions and reward

Competency - risk resources and risk skills

123
Q

What are the steps to change risk culture?

A

Evaluate the current risk culture
Assess the impact of the current culture
Identify areas of improvement
Plan and implement cultural change
Monitor and adapt to change

124
Q

What are the principles of risk appetite?

A

Acknowledging interconnectedness - what is acceptable in one part of an organisation might not be acceptable in another
Measurability - ability to measure the risk appetite to ensure a consistent view on what is acceptable
Variability - need for a range of appetites for different risks
Maturity - recognition that the maturity of ERM within an organisation, both in the understanding and the effective management of risk, will influence the appetite to take risk.

125
Q

What is one of the board's responsibilities regarding risk appetite?

A

Determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives

126
Q

What is the risk universe?

A

The range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives

127
Q

What has risk capacity tended to be associated with?

A

The insurance industry where questions regarding the size of deductible or maximum size of insurance cover have been considered in relation to financial capacity

128
Q

What is risk tolerance?

A

An area where risks can be tolerated for an amount of time (if push comes to shove), while active risk management is undertaken to bring those risks to an acceptable level. This is sometimes referred to as the wiggle room an organisation has outside of its acceptable level of risk.

129
Q

What is meant by risk appetite?

A

The amount of risk an organisation is willing to seek or accept in pursuit of its long term objectives

130
Q

Why is risk appetite not placed centrally within risk tolerance?

A

Because an organisation will have very little tolerance for some risks, such as health and safety or bribery, but may have more tolerance for other risks such as project risks. The closer the risk is to capacity, the more effort is required to bring it to an acceptable level.

131
Q

What should risk impact criteria be based upon?

A

Risk appetite and tolerance

132
Q

How does the UK government's risk appetite paper consider risk?

A

In terms of a tolerance and optimal position:
The optimal position is the level of risk with which an organisation aims to operate
The tolerable position is the level of risk with which the organisation is willing to operate, given its constraints.

133
Q

What are the benefits of adopting risk appetite?

A

Reducing uncertainty
Improving consistency across governance and decision making
Focusing on priority areas
Improving resource prioritisation

134
Q

Who has the responsibility of setting risk appetite statements?

A

The directors and senior management should explicitly consider their degree of appetite and tolerance regarding how they want the strategy and objectives to be achieved

135
Q

What are the stages for developing risk appetite statements?

A

Identify stakeholders and their expectations
Define organisation wide risk exposure
Establish the desired level of risk exposure
Reconcile the current and desired risk appetite and tolerances
Formalise and ratify the risk appetite statement and communicate it

136
Q

What are the principles of risk appetite statements

A

They can be complex
It needs to be measurable
It is not a single, fixed concept
It should be developed in line with an organisation's risk management capability and maturity
It must take account of different views at strategic, tactical and operational levels
It must be integrated with the control culture

137
Q

What are the elements of risk appetite as defined by the IRM working team?

A

Capacity - financial, infrastructure, reputation, people and knowledge
Maturity - business context, risk systems, risk management culture and risk processes

138
Q

Why are narrative risk appetite statements used for communicating risk appetite to external audiences?

A

Because these ensure that sensitive information is not unnecessarily shared, while still providing information on the direction of an organisation's risk appetite in key areas or against key risks

139
Q

What is the 5 leg system for risk appetite according to the UK government?

A

Opposed - avoidance of risk
Minimalist - preference for safe options with a low degree of inherent risk
Cautious - preference for safe options with a low degree of residual risk
Mindful / open - willing to consider all options and choose one that is most likely to result in successful delivery
Enterprise - eager to be innovative and choose options based on maximising opportunities / accept greater uncertainty

140
Q

What is TARP?

A

Triggered action response plans

141
Q

Why do some organisations weight their risk matrices to emphasise risk impact over probability?

A

Because this means that HILPs are given a higher focus on a risk matrix than if probability and impact were given equal treatment

142
Q

What are the different levels of risk appetite that could be seen in an organisation?

A

High level - high level risk capacity, risk appetite statements, measures and limits
Directional - key risk drivers, risk related appetite statements, measures and limits
Specific - specific principles and policies to operationalise risk appetite
Detailed - detailed risk appetite measures and limits

143
Q

What are the main features of the UK corporate governance code?

A

Leadership - every company should be headed by an effective board which is collectively responsible for the long term success of the company

Division of responsibilities - there should be a clear division of responsibilities between leadership of board and execs

Composition, succession and evaluation - the board and its committees should have a combination of skills, experience and knowledge

Audit, risk and internal control - the board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take in its pursuit of its long term strategic objectives

Remuneration - remuneration policies should be designed to support strategy and promote long term sustainable success; executive remuneration should be aligned to company purpose and values and be clearly linked to the successful delivery of the company's long term strategy

144
Q

How does the UK corporate governance code apply?

A

It only applies to companies listed on the London Stock Exchange

145
Q

What are the advantages of a unitary board?

A

The board receives more detailed information and has greater involvement in the organisation, being closer to organisational strategy.

146
Q

What are the disadvantages of a unitary board?

A

From an external perspective there is little distinction between management and supervision and conflicts of interest and loss of independence may develop

147
Q

What is the advantage of a two tier board?

A

Although executives have more control over the appointment of NEDs, members are appointed on their expertise. There is a reduction in biased decision making as the CEO is prevented from serving as the chair of the supervisory board.

148
Q

What is the main disadvantage of a two tier board?

A

They tend to be larger than unitary boards

149
Q

What are the three committees of the board?

A

Nomination - appointment of new directors and ensuring a succession plan is in place for the board and exec level beneath
Remuneration - setting exec pay and ensuring an organisation can attract and retain exec directors but not paying them too much
Audit - responsible for an organisation's financial reporting and for reviewing the effectiveness of internal controls and risk management. Also the conduit for whistleblowing and for following up on any issues of bad conduct

150
Q

If an organisation appoints a further committee to oversee the effectiveness of risk management, what might it advise on?

A

Risk appetite generally
Effect of strategy changes and strategic transactions on risk appetite
Principal risks and their management
Emerging risks
Outcomes of stress testing effectiveness
Appropriateness of values, culture and reward system

151
Q

What is the Financial Reporting Council?

A

It regulates auditors, accountants and actuaries by setting corporate governance, reporting and auditing standards, and holds those responsible for delivering them to account

152
Q

What are the FRC responsible for?

A

The UK corporate governance code, the related guidance on board effectiveness and the Wates corporate governance principles for large companies

153
Q

What are the responsibilities of a non executive director?

A

Provide creative contribution to the board by providing independent oversight and constructive challenge to executive directors

Strategic direction

Provide a creative and informed contribution and to act as a constructive critic in looking at the objectives and plans devised by the chief executive and the executive team

Monitor performance
Remuneration
Communication
Risk
Audit

154
Q

What are the responsibilities of the board with regard to risk management?

A

Ensure the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust risk assessment of the principal risks

Determine the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives

Ensure that appropriate culture and reward systems have been embedded throughout the organisation

Agree how principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact

Monitor and review the risk management and internal control systems, and management's process of monitoring and reviewing, and satisfy itself that they are functioning effectively and that corrective action is being taken where necessary

Ensure sound internal and external information and communication processes, and take responsibility for external communication on risk management and internal control.

155
Q

What is the role of internal audit?

A

An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations

156
Q

What is risk assurance?

A

Indicates the information and analysis that is provided to managers and directors with regard to the status of the risk and control environment in an organisation - it is the internal process used to create checks and balances within our governance and risk frameworks

157
Q

What is assurance mapping?

A

A means of identifying and mapping the main sources of assurance in an organisation across the four lines of defence and coordinating them to best effect

158
Q

What are some of the downsides of the three lines of defence model?

A

According to BDO, the main issues are the assumption that the lines are distinct from each other and that risk management and internal controls apply vertically and linearly. This creates a rigid approach where silos have been created, causing gaps and overlaps

There are sometimes lines providing other lines of assurance and the focus on defence means that opportunities may have been ignored

159
Q

What does the UK corporate governance code state regarding external auditors and the audit committee?

A

The audit committee must conduct a tender process and recommend to the board the appointment, reappointment or removal of the external auditors

Review and monitor the external auditors' independence and objectivity

Review the effectiveness of the external audit process

Develop and implement policy on the engagement of the external auditor to supply non audit services

160
Q

Who do external auditors report to?

A

Primarily the shareholders or external stakeholders of an organisation

161
Q

Where does internal assurance come from?

A

Culture measurement

Audit reports

Unit reports

Performance of the unit

Unit documentation

162
Q

What is another form of internal assurance?

A

Self certification or control risk self assessment, whereby local management complete a regular (often annual) return on the level of assurance that has been achieved in that local area

163
Q

What is a longer term viability statement?

A

This is the statement where organisations state that they have a reasonable expectation that they will be able to continue in operation and meet their liabilities as they fall due over the period of assessment. This period of assessment is expected to be significantly longer than 12 months from the approval of the financial statements

164
Q

What does an internal control system include?

A

Control activities

Information and communications processes

Processes for monitoring the continuing effectiveness of the system of internal control

165
Q

What should the system of internal control do?

A

Be embedded in the operations of the company and form part of its risk culture

Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment

Include procedures for reporting immediately, to appropriate levels of management, any significant control failings or weaknesses that are identified together with details of corrective action

166
Q

What are the components of CoCo?

A

Purpose - understanding the purpose of a task

Commitment - commitment to perform a task well

Capability - support in the implementation of the task

Monitoring and learning - monitoring of the task to learn lessons and improve

167
Q

What is CoCo?

A

The criteria of control framework, developed in 1995 as a structured means of measuring the quality of the control environment within an organisation. This means it is another means of providing assurance on risk management and internal control