Introducing ERM Flashcards
What is the definition of ERM by ISO 31000
‘Coordinated activities to direct and control an organisation with regard to risk.’
When did risk management frameworks develop?
From 1995
What year did risk management become more focussed, following a financial crisis and why?
2008. As a result of the financial crisis, risk management became more focussed due to increases in regulation and the need to hold people responsible (GRC: governance, risk and compliance), particularly in the financial services sector.
What is a definition of Risk
The effect of uncertainty on objectives.
What are the 4 categories of risk
Hazard risks - negative risks
Compliance - mandatory risks
Control risks- uncertainty
Opportunity risks- positive risks
What should ERM look like to be successful
ERM makes a company more successful by creating a single view of all risks and managing those risks in a consistent way up, down and across the enterprise
What are the aspects of a traditional risk management approach
Risks as individual hazards
Risk mitigation only
Risks with no owners
Risk is insurance
Risk is not my responsibility
What is the COSO definition of ERM
The culture, capabilities, and practices integrated with strategy setting and its execution, that organisations rely on to manage risk in creating, preserving and realising value
What benefits can risk management bring
Soft people benefits such as improving working relationships
Hard benefits such as a higher return on investment
What is corporate governance
The UK corporate governance institute defines governance as the system of rules, practices and processes by which a company is directed and controlled
What is a GRC approach?
GRC is governance, risk and compliance, where there should be an integrated approach to compliance, risk management, internal controls and internal audit
5 benefits of ERM
Builds confidence in stakeholders and investors
Comply with relevant legal and regulatory requirements
Improve resilience
Increase the likelihood of a business meeting its objectives
Optimise the allocation of resources
What are the four easy steps of risk management
Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report
What are the SATARLA risk management steps
- Context and Objectives
- Assess Risks - identification (which could be very broad), understanding (values of organisation and how risks can impact objectives & risk velocity or clock speed), so what (can we leave a risk or do we need to manage these)
- Management of risks - controls and understanding of controls
- Monitoring of whether the management of risks is working, or any changes to context, review & reporting, communication out to key stakeholders.
Combined, these create risk-based decision making
What are the financial risk management regulations
The Sarbanes-Oxley Act mandates certain practices in financial record keeping and reporting for corporations in the US
The Basel accord regulations regulate the banking sector
European Union Solvency II regulates the insurance sector
What does the Basel committee on banking supervision (2021) define operational risk as?
Risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events
What does RIDDOR stand for?
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR)
What does COSHH stand for?
Control of substances hazardous to health
What is the definition of projects
Unique, transient endeavours (Association for Project Management (APM))
Common themes of projects
They have elements of uniqueness
They are temporary - have a beginning and an end
Are focussed
Have elements of complexity
Are reliant on third parties
Are based on assumptions
What 3 factors does ISO 31000 consider in relation to risk management
The principles - what good risk management looks like
The framework - what is needed to implement effective risk management
The process - what the steps are in risk management
When was ISO 31000 first published?
2009 and updated in 2018
Can ISO 31000 be used for certification purposes
No
What is RASP
Risk architecture, strategy and protocols; it is the supportive structure of the risk management process
What are the various components of the COSO ERM CUBE
The face is the risk management process, consisting of 8 items
The top of the face describes the four categories of organisational objectives
The side shows the implementation process of the standard
What does COSO 2017 include
This includes the rainbow double helix. This reflects the changing complexity of risks and the evolving business environment
What are the three distinct approaches to risk management as cited by Hopkin and Thompson?
Risk management approach, followed by ISO 31000
Internal control approach, developed by the COSO internal control framework and by the FRC risk guidance
Risk aware culture approach, developed by the Canadian Institute of Chartered Accountants, known as the CoCo framework
What are the principles of risk management
Focus on the premise that it delivers value to the organisation by applying practices designed to achieve the best possible outcome, reducing volatility and uncertainty
What is the purpose of risk management according to ISO 31000
The creation and protection of value
What are the eight principles of risk management by ISO 31000
- Framework and processes should be customised and proportionate
- Appropriate and timely involvement of stakeholders is necessary
- Structured and comprehensive approach is required
- Risk management is an integral part of all organisational activities
- Risk management anticipates, detects, acknowledges and responds to changes
- Risk management explicitly considers any limitations of available information
- Human and cultural factors influence all aspects of risk management
- Risk management is continually improved through learning and experience
What are the Orange Book (2020) principles?
A) Governance and Leadership
B) Integration
C) Collaboration and Best Information
D) Risk Management Processes
E) Continual Improvement
What are the attributes of effective risk management?
PACED - Proportionate (tailored to the organisation)
Aligned (the process is integrated with other organisational activities) so that business can continue as usual
Comprehensive (the process encourages consistency in the risk management process)
Embedded (the ERM framework and process encourages a change in risk attitudes)
Dynamic (the process does not finish with the completion of the risk register)
What is Risk Architecture?
Committee structure and terms of reference
Roles and responsibilities
Internal reporting requirements
External reporting controls
Risk management assurance arrangements
Budget and agreement on resources
What is agency theory?
The concept used to explain the important relationships between principals and their respective agents. The principal is someone who heavily relies on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes
What is a hybrid approach to risk management?
Where discretion in the design and operation of a subsidiary is allowed in certain areas, but others, such as brand management, are held corporately
What is a RACI chart?
A RACI chart (Responsible, Accountable, Consulted and Informed) is used as a responsibility assignment matrix which lists relevant stakeholders and their level of involvement in the project
What can FIRM be used for
Assessing the benefits of a fully implemented and effective ERM framework. Benefits of ERM can also be assessed by MADE2
What can ERM implementation demonstrate
ERM implementation is not really a type of risk management but rather a view on risk management maturity in an organisation.
What is PIML
Planning, implementing, measuring and learning
What are the factors that can influence timescales in implementing ERM
The start position - what can the organisation use that is already in place
The commitment from the top
The size and complexity of the enterprise
The extent to which the enterprise is a global actor
The resources available to support implementation
How long does it take to implement ERM
Some say it’s around 3-5 years. Others say in larger, complex and decentralised organisations it can take 5-10+ years. Effective ERM is long term to derive the relevant benefits
Should risk management reflect the cadence of meetings that are already in place?
Yes, this will help embed ERM into governance and reporting lifecycle or structure of an organisation.
What are the components of risk strategy as interpreted by Hopkin and Thompson
Risk management philosophy
Arrangements for embedding risk management
Risk appetite and attitude to risk
Benchmark tests for significance
Specific statements / policies
Risk assessment techniques
Risk priorities
Is a risk management policy common?
Yes, a risk policy adopted by the board and used across the organisation is common. This is sometimes achieved in an ERM policy that outlines the philosophy of risk management in the organisation, states who should be responsible for it and commits to provide the resources necessary to manage risks to an acceptable level
What does the IRM define risk appetite as?
The amount of risk that an organisation is willing to seek or accept in the pursuit of long term objectives
What is risk tolerance
The level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level
Risk capacity
The level of risk that is unacceptable. This is the tipping point that the organisation cannot or does not wish to go over.
Risk procedures - what are they
They are the ‘how’ regarding the delivery of good quality risk management.
What may a risk protocol contain?
Techniques used in risk identification
The format and content of the risk register; how it is to be completed and how often
Requirements on entering risk events into the log and upwards escalation depending on severity
Detailed reporting requirements
Approval processes for expenditure on risk improvement actions
Are tools and techniques usually in a risk management procedure?
No, tools and techniques can be referenced in a risk management procedure
What are the eight steps of COSO (2004)
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
What are the Orange Book (2020) risk management principles?
Risk management shall be:
An essential part of governance and leadership (A)
Integral to all operational activities (B)
Collaborative and informed by the best available information (C)
Have structured processes (D)
Continually improved (E)
What does principle D of the Orange Book risk management principles comprise?
Risk identification and assessment
Risk treatment
Risk monitoring
Risk reporting
What are the four main steps in the risk management process
- Define context and objectives
- Assess the risks
- Manage the risks
- Monitor, review and report
What are the three components of context as cited by Hopkin and Thompson
The organisation's risk management context
The internal context
The external context
What does the internal context include?
The organisation's divisions, departments, internal stakeholders, staff, the board, approach to corporate governance, competencies and capabilities
What is the extended enterprise
The IRM defines the extended enterprise as ‘a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own’
What are five techniques that can be used for risk assessment according to Hopkin and Thompson?
- Checklists and questionnaires
- Workshops and brainstorming
- Inspections and audits
- Flowcharts and dependency analysis
- Crowd sourcing technology
What are emerging risks?
A risk which is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging)
Why do organisations choose to classify risks?
Because it provides a structure to the process of risk identification which can facilitate the identification of more risks
It also helps with the development of consistent risk terminologies across an organisation
How can risks be classified
They can be classified in terms of short term, medium term and long term.
Short term risks are those with an immediate impact such as operational activities
Medium term risks with tactics - few months to a year
Long term risks with strategy - one to five years after the event
What is a second dimension to the FIRM risk scorecard to classify risks?
Risks can be classified depending on where they derive from, such as internal (staff fraud), which can be seen as financial and infrastructural risks. The source of internal risk is the internal context
External (exchange rate variability) which can be seen as reputational and marketplace risks. The source is the external context
Which risks are overlooked more often, internal or external?
External risks are often overlooked as people know the inner workings of their organisation better than they do externally
How can likelihood be measured?
Probability - as a value between 0 and 1 - there is a 2% chance of rain in the city of Jeddah. Probability is used when risks might only occur once in the timeframe considered
Frequency - in just one day in 2005, hurricane Katrina resulted in a one in a hundred-year flood in New Orleans. Frequency is commonly used for risks that might occur more than once in the timescale considered.
What is impact versus action?
The amount of action needed to bring a risk to an acceptable level
What are the benefits of impact versus action?
Avoids unnecessary debate on likelihood
Prioritises attention on the risks that require immediate focus
Prompts robust discussion and action regarding the extent to which risks truly need to be managed
What is risk proximity?
How close a risk is to occurring or how soon a risk can happen.
What is risk velocity
How fast a risk can impact an organisation once it occurs - Hopkin and Thompson say this is timescale of risk impact
Risk clock speed - what is it?
Slow clock speed risks are those where enough thinking time is available
Fast clock speed risks are at or close to real time
What is the risk clock speed window?
The range between how well organisations can deal with fast clock speed risks and slow clock speed risks and still function effectively
What are the three risk rating levels?
Inherent - this is the level of risk before any controls have been put in place or actions taken to manage the risk and change the likelihood or impact. This is useful to understand the real exposure an organisation has to a risk should the controls fail. It also helps to identify when risks might be over or under controlled. This is sometimes called the raw, total or gross level of risk.
The current risk - the risk taking into account current controls in place to manage it, working at their current effectiveness. ‘Net’ or ‘residual’ are sometimes used to describe this.
Target - this is the level of risk that is desired to bring the risk to an acceptable level. This rating is often missed by organisations but is important to consider in how much effort is needed to manage risks to an acceptable level.
What are residual (design) risks?
Residual risks are where the level of risk represents current controls working effectively and / or taking account of additional planned actions to manage the risk.
Where a risk has different impact scales, which one should be plotted onto a risk matrix?
The highest, otherwise the averaged out scores may ignore the real effect of risk.
What are HILP risks
They are high impact low probability risks, which because of their low likelihood are often perceived as risks that do not need much attention, such as COVID-19
What is risk evaluation?
This is the decision point at which we decide whether to respond to a risk or not
How do we treat risks?
We treat by comparing the current risk rating with the target risk rating (usually our risk appetite). If the current risk rating exceeds the risk appetite, we will manage it.
Then we re-analyse the current risk after treatment. If the current risk rating still exceeds risk appetite then we will treat it again to manage the risk further towards our target.
Then we re-analyse the current risk again; only when the current rating has reached our target rating do we stop implementing additional actions to manage the risk. If we cannot reach the target rating sufficiently or economically then we might have to consider revising our objectives and beginning the process again.
What is a control as defined by ISO 31000?
A control is a measure that maintains and/or modifies a risk
What should controls do?
They should take charge and modify the risk - either by tackling the causes and changing the likelihood of the risk occurring, or the consequences and changing the impact should the risk occur.
What are some of the risk response strategies ?
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
Taking or increasing the risk to pursue an opportunity
Removing the risk source
Changing the likelihood
Changing the consequences
Sharing the risk
Retaining the risk by informed decision
What are the 5Es
Explore - start up operations
Expand - this is during the growth phase, for example making investment or making sales
Exit - the operation may decide to exit through a successful and profitable sale, or if investment is outside risk appetite
Exploit - as a mature operation the opportunity is exploited further
Exist - operations in decline have not changed and will just exist
What are the three treatments for threats using loss control?
Loss prevention - controls designed to stop a risk occurring
Damage limitation - controls designed to reduce the size of the risk as soon as it has occurred
Cost containment - controls designed to reduce the long term effect of the risk such as business continuity management
What is PCDD?
Preventative controls - these are suggested as being the most important approach but prevention is not always cost effective - so it is necessary to do a cost benefit analysis
Corrective - these are where preventative controls are not feasible, desirable or cost-effective. Corrective controls need to be developed prior to the risk occurring but become effective once the risk has occurred
Directive - these are a common type of control and are based on giving directions to another person as to how they should behave in certain circumstances, but as they are dependent upon behaviour, they may not be very reliable. Directive controls on their own (such as guidance and data during COVID) are not real controls and need to be supported with other controls
Detective controls - these detect a risk occurring such as a fire alarm or audit of a project off track
Which controls are pre and post event manifestation
Directive and preventative controls are pre - event manifestation
Corrective and detective controls are post-event manifestation
What are anticipatory controls?
These controls are forward looking, similar to directive controls but they tend to be more long term and strategic in nature
What is the hierarchy of controls in HSE?
Elimination - physically remove the hazard
Substitution - replace the hazard
Engineering controls - isolate people from the hazard
Administrative controls - change the way people work
PPE - protect the worker with equipment and this should be the last resort to protect against risks.
What is monitoring and reporting
The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Monitoring is ongoing whereas review is periodic
What does monitoring include?
Reviewing the status of risk, controls, causes, consequences and any changes in these as well as changes in context and objectives
What does reviewing include?
Reviewing is checking the effectiveness of controls in place to manage risks and the risk management process, with the review being on a less regular basis
What are the three core methods to monitor risks?
Key risk indicators, key control indicators and risk status
Key risk indicators - what are they?
They provide information on the changes in risks
What are key control indicators
They measure the effectiveness of controls and changes of controls - it could include
Number of unauthorised trades
Percentage of employees receiving supervision
Regularity of disaster recovery plan testing
What is the difference between leading and lagging indicators
Leading indicators look into the future and provide an early warning of changes - measures of customer engagement and brand reputation
Lagging indicators look into the past and measure outcomes and results, such as financial results including profit or loss, number of audit findings
KRIs and KCIs tend to be lagging measures
What do risk datasets look at?
This is a quadrant which compares internal / external data and human / machine sourced information
What is risk status / lifecycle?
Draft - the risk has only just been raised and needs to be assessed to ensure it is a real risk and that it belongs in the scope of activity being addressed
Active - we are actively dealing with a real risk, and further actions are required to manage it to an acceptable level. These risks and controls should be monitored regularly to ensure controls are effective and the risk is moving from the current to target level
Ongoing - we have managed the risk to an acceptable level but it should not be closed and may change. Ongoing risks are reviewed less frequently but KRIs and KCIs should be developed to help recognise any underlying changes to the risk
Closed / managed - this risk can be closed due to successful management and lessons can be learnt to ensure that risks of this type are managed in a similar manner in the future
Closed / occurred - this risk can be closed because it has occurred and lessons can be learnt to ensure risk of this type can be better managed in the future
What are the characteristics of review of controls?
The review of risks is carried out to provide assurance that risks are being managed effectively - they are usually held on a planned basis and are retrospective.
How often is the risk management framework and process reviewed?
This is often on a three year cycle which allows for review to be undertaken, improvements identified, agreed and implemented and give time for those improvements to take effect
How often does the UK corporate governance code state that board should carry out a review of the risk management internal control systems?
At least annually
How are reviews of risk management benchmarked?
By industry standards such as health and safety
By risk management standards and frameworks such as ISO 31000
Relevant industry or sector best practices based on subject matter experts knowledge and experience
What is the primary objective of monitor and review
Improvements in risk management activities
What are key controls
The controls that reduce the organisation's most important risks (sometimes called critical controls)
What are the benefits of undertaking reviews of the whole risk management process?
To ensure responses are effective and efficient, including the identifying and closing of any holes or gaps in control defences
To identify and manage potential adverse side effects and unintended consequences
To build up knowledge to improve risk identification and analysis
To better link risks to objectives, key dependencies, core processes and stakeholder expectations
To detect and prepare for changes in our internal and external context
To detect and prepare for changes in trends in our risks
To identify and prepare for new and emerging risks
To identify good risk management practices, build on them and disseminate it to other parts of the organisation
Why is it important to review near misses?
This helps us to understand:
Why it occurred
Whether we had previously identified it as a possible risk
Why it did not have a big impact
Whether we had correctly analysed its likelihood and impact
How is communication and consultation defined?
Continual and iterative processes that an organisation conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
What are the differences between communication and consultation?
Communication seeks to promote awareness and understanding of risk whereas consultation involves obtaining feedback and information to support decision making
What is useful information that could be shared in risk reports?
Level of confidence that objectives can be met
Important changes - in risks, controls, context, objectives and so on
Any significant new and emerging risks
Any new themes or trends
The progress on actions needed to bring risks to an acceptable level
Actions needed to manage risks further
Update on the effectiveness of controls
What does the financial reporting council expect in annual reports and accounts regarding risk?
The principal risks
Whether directors have a reasonable expectation that the company will be able to continue to operate to meet its liabilities
The going concern basis of accounting
A review of and the main features of risk management and the internal control system
What is the central question of risk management?
Given the context in which we are working, the risks faced (be those opportunities or threats), and the extent to which they are managed, is it possible to achieve the objectives previously set?
What are the types of decision making?
Analytical - analyse data and look at evidence, require more data but have a tolerance for ambiguity
Conceptual - big picture thinkers willing to take risk - have a high tolerance for ambiguity and are creative.
Directive - quick decisive thinkers with little tolerance for ambiguity - focuses on the task with little consultation and can be aggressive in nature
Behavioural - focuses on relationships rather than the task and evaluates feelings of others with a low tolerance for ambiguity, have a persuasive nature
What is a definition of culture?
The ideas, customs, knowledge, beliefs and behaviours shared by a group of people whether in society or within organisations
What is risk culture?
The values, beliefs, knowledge and understanding about risk shared by a group of people with a common focus, in particular the employees of an organisation or groups within an organisation
What does risk culture require to be positive:
Good communication of the organisation's expectations to all staff
Convincing employees that they will personally benefit from good risk management practices
Involvement in the risk identification process will achieve greater buy in
Training programmes that instil the right practices and knowledge
Investment in the use of effective IT security tools and active and transparent monitoring of IT usage that is made clear to all employees
How was the COSO framework updated in regards to risk culture
To recognise that having a best in class ERM approach does not add value where a positive risk culture does not support it
What are the personality profiling methodologies regarding risk?
These assess an individual's predisposition towards risk, measuring a person's preparedness to take risk and their resilience in the face of risk
What are the two elements of risk from a culture perspective
Objective reality (the likelihood that it will or will not rain tomorrow)
Subjective (the human perception of the risk, shaped by psychological factors, cultural factors and other intangibles)
What are the dangers associated with risk perception
Organisations may manage the same risks inconsistently, depending on the individual who must manage that risk, thus increasing the overall organisational uncertainty
Risk managers could seek to achieve greater kudos amongst their stakeholders by focussing efforts on managing stakeholders' fears over what they perceive to be the most significant risks rather than what actually are significant risks
What are common biases?
Confirmation bias - basing decisions on what we want to believe because information confirms our existing preconception or beliefs
Conformity bias - choices of a group or the majority influence how we think, even if against our own personal judgement
Authority bias - where we favour the ideas of an authority figure
Bandwagon bias - where we favour ideas already adopted by others
Anchoring bias - where we are influenced by information we already know, and have trouble moving outside that pre-existing knowledge
What does LILAC stand for - a risk culture model?
Leadership, involvement, learning, accountability and communication
What are the ABC elements of risk culture?
Risk attitude - the chosen position adopted by an individual or group towards risk, influenced by risk perception
Risk behaviour - the external observable risk related actions of individuals
Risk culture - the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose.
How do Hopkin and Thompson define risk attitude?
The long term view of the organisation to risk defined by the 4Cs of comfort, cautious, concerned and critical
What is the double ‘S’ model?
Sociability - the people focus based on how well people interact socially - vertical axis of the model
Solidarity - the task focus based on goals and team performance - horizontal axis of the model
How can risk culture be measured?
Organisation-wide surveys, which can be done as a proxy if too burdensome
Interviews - a more personal approach and help understand the reasons for a risk culture but need to be based on a standard set of questions. These can be especially helpful when looking to gather views of executives or board members
Surveys - gathering a wider and more diverse understanding of culture which is a mechanistic approach to a very subjective subject.
What is the culture aspects model?
This looks at culture in eight aspects which are grouped together into four themes:
Tone from the top - risk leadership and dealing with bad news
Governance - accountability and transparency
Decisions - informed risk decisions and reward
Competency - risk resources and risk skills
What are the steps to change risk culture?
Evaluate the current risk culture
Assess the impact of the current culture
Identify areas of improvement
Plan and implement cultural change
Monitor and adapt to change
What are the principles of risk appetite?
Acknowledging interconnectedness - what is acceptable in one part of an organisation might not be acceptable in another
Measurability - ability to measure the risk appetite to ensure a consistent view on what is acceptable
Variability - need for a range of appetites for different risks
Maturity - recognition that the maturity of ERM within an organisation, both in the understanding and effective management of risk will influence appetite to take risk.
What are one of the board responsibilities regarding risk appetite
Determining the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives
What is the risk universe?
‘The range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long term objectives’
What has risk capacity tended to be associated with?
The insurance industry where questions regarding the size of deductible or maximum size of insurance cover have been considered in relation to financial capacity
What is risk tolerance?
An area where risks can be tolerated for an amount of time (if push comes to shove), while active risk management is undertaken to bring those risks to an acceptable level. This is sometimes referred to as the wiggle room an organisation has outside of its acceptable level of risk.
What is meant by risk appetite?
The amount of risk an organisation is willing to seek or accept in pursuit of its long term objectives
Why is risk appetite not placed centrally within risk tolerance?
As an organisation will have very little tolerance for some risks, such as health and safety or bribery but it may have more tolerance for other risks such as project risks. The closer the risk to capacity, the more effort required to bring the risk to an acceptable level.
What should risk impact criteria be based upon?
Risk appetite and tolerance
How does the UK government's risk appetite paper consider risk?
In terms of a tolerance and optimal position:
The optimal position is the level of risk with which an organisation aims to operate
The tolerable position is the level of risk with which the organisation is willing to operate, given its constraints.
What are the benefits of adopting risk appetite?
Reducing uncertainty
Improving consistency across governance and decision making
Focusing on priority areas
Improving resource prioritisation
Who has the responsibility of setting risk appetite statements?
The directors and senior management should explicitly consider their degree of appetite and tolerance regarding how they want the strategy and objectives to be achieved
What are the stages for developing risk appetite statements?
Identify stakeholders and their expectations
Define organisation wide risk exposure
Establish the desired level of risk exposure
Reconcile the current and desired risk appetite and tolerances
Formalise and ratify the risk appetite statement and communicate it
What are the principles of risk appetite statements
They can be complex
It needs to be measurable
It is not a single, fixed concept
It should be developed in line with an organisation's risk management capability and maturity
It must take account of different views at strategic, tactical and operational levels
It must be integrated with the control culture
What are the elements of risk appetite as defined by the IRM working team?
Capacity - financial, infrastructure, reputation, people and knowledge
Maturity - business context, risk systems, risk management culture and risk processes
Why are narrative risk appetite statements used for communicating risk appetite to external audiences?
Because these ensure that sensitive information is not unnecessarily shared, but still provide information on the direction of an organisation's risk appetite in key areas or against key risks
What is the 5 leg system for risk appetite according to the UK government?
Opposed - avoidance of risk
Minimalist - preference for safe options with a low degree of inherent risk
Cautious - preference for safe options with a low degree of residual risk
Mindful / open - willing to consider all options and choose one that is most likely to result in successful delivery
Enterprise - eager to be innovative and choose options based on maximising opportunities / accept greater uncertainty
What is TARP?
Triggered action response plans
Why do some organisations weight their risk matrices to emphasise risk impact over probability?
Because this means that HILPs (high impact, low probability risks) are given a higher focus on a risk matrix than if probability and impact were given equal treatment
What are the different levels of risk appetite that could be seen in an organisation?
High level - high level risk capacity, risk appetite statements, measures and limits
Directional - key risk drivers, risk related appetite statements, measures and limits
Specific - specific principles and policies to operationalise risk appetite
Detailed - detailed risk appetite measures and limits
What are the main features of the UK corporate governance code?
Leadership - every company should be headed by an effective board which is collectively responsible for the long term success of the company
Division of responsibilities - there should be a clear division of responsibilities between leadership of board and execs
Composition, succession and evaluation - the board and its committees should have a combination of skills, experience and knowledge
Audit, risk and internal control - the board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take in its pursuit of its long term strategic objectives
Remuneration - remuneration policies should be designed to support strategy and promote long term sustainable success; executive remuneration should be aligned to company purpose and values and be clearly linked to the successful delivery of the company's long term strategy
How does the UK corporate governance code apply?
It only applies to companies listed on the London Stock Exchange
What are the advantages of a unitary board?
The board receives more detailed information and has greater involvement in the organisation, being closer to organisational strategy.
What are the disadvantages of a unitary board?
From an external perspective there is little distinction between management and supervision and conflicts of interest and loss of independence may develop
What is the advantage of a two tier board?
Although executives have more control over the appointment of NEDs, members are appointed on their expertise. There is a reduction in biased decision making as the CEO is prevented from serving as the chair of the supervisory board.
What is the main disadvantage of a two tier board?
They tend to be larger than unitary boards
What are the three committees of the board?
Nomination - appointment of new directors and ensuring a succession plan is in place for the board and exec level beneath
Remuneration - setting exec pay and ensuring an organisation can attract and retain exec directors but not paying them too much
Audit - responsible for an organisation's financial reporting and for reviewing the effectiveness of internal controls and risk management. It is also the conduit for whistleblowing and for following up on any issues of bad conduct
If an organisation appoints a further committee to oversee the effectiveness of risk management, what might it advise on?
Risk appetite generally
Effect of strategy changes and strategic transactions on risk appetite
Principal risks and their management
Emerging risks
Outcomes of stress testing effectiveness
Appropriateness of values, culture and reward system
What is the financial reporting council?
They regulate auditors, accountants and actuaries by setting corporate governance, reporting and auditing standards, and hold those responsible for delivering them to account
What are the FRC responsible for?
The UK corporate governance code, the related guidance on board effectiveness and the Wates corporate governance principles for large private companies
What are the responsibilities of a non executive director?
Provide creative contribution to the board by providing independent oversight and constructive challenge to executive directors
Strategic direction
Provide a creative and informed contribution and to act as a constructive critic in looking at the objectives and plans devised by the chief executive and the executive team
Monitor performance
Remuneration
Communication
Risk
Audit
What are the responsibilities of the board with regard to risk management?
Ensure the design and implementation of appropriate risk management and internal control systems that identify the risks facing the company and enable the board to make a robust risk assessment of the principal risks
Determine the nature and extent of the principal risks faced and those risks which the organisation is willing to take in achieving its strategic objectives
Ensure that appropriate culture and reward systems have been embedded throughout the organisation
Agree how principal risks should be managed or mitigated to reduce the likelihood of their incidence or their impact
Monitor and review the risk management and internal control systems, and the managements process of monitoring and reviewing, and satisfying itself that they are functioning effectively and that corrective action is being taken where necessary
Ensure sound internal and external information and communication processes and taking responsibility for external communication on risk management and internal control.
What is the role of internal audit?
An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations
What is risk assurance?
Indicates the information and analysis that is provided to managers and directors with regard to the status of the risk and control environment in an organisation - it is the internal process used to create checks and balances within the governance and risk frameworks
What is assurance mapping?
A means of identifying and mapping the main sources of assurance in an organisation across the four lines of defence and coordinating them to best effect
What are some of the downsides of the three lines of defence model?
According to BDO, the main issues are the assumption that the lines are distinct from each other and that risk management and internal controls apply vertically and linearly. This creates a rigid approach where silos have been created, causing gaps and overlaps
There are sometimes lines providing other lines of assurance and the focus on defence means that opportunities may have been ignored
What does the UK corporate governance code state regarding external auditors and the audit committee?
The audit committee must conduct a tender process and recommend to the board the appointment, reappointment or removal of the external auditors
Review and monitor the external auditors independence and objectivity
Review the effectiveness of the external audit process
Develop and implement policy on the engagement of the external auditor to supply non audit services
Who do external auditors report to?
Primarily the shareholders or external stakeholders of an organisation
Where does internal assurance come from?
Culture measurement
Audit reports
Unit reports
Performance of the unit
Unit documentation
What is another form of internal assurance?
Self certification or control risk self assessment, whereby local management complete a regular (often annual) return stating the level of assurance that has been achieved in that local area
What is a longer term viability statement?
This is the statement where organisations state that they have a reasonable expectation that they will be able to continue in operation and meet their liabilities as they fall due over the period of assessment. This period of assessment is expected to be significantly longer than 12 months from the approval of the financial statements
What does an internal control system include?
Control activities
Information and communications processes
Processes for monitoring the continuing effectiveness of the system of internal control
What should the system of internal control do?
Be embedded in the operations of the company and form part of its risk culture
Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment
Include procedures for reporting immediately, to appropriate levels of management, any significant control failings or weaknesses that are identified together with details of corrective action
What are the components of CoCo?
Purpose - understanding the purpose of a task
Commitment - commitment to perform a task well
Capability - support in the implementation of the task
Monitoring and learning - monitoring of the task to learn lessons and improve
What is CoCo?
The criteria of control framework, developed in 1995 as a structured means of measuring the quality of the control environment within an organisation. This means it is another means of providing assurance on risk management and internal control