IRM

Question 1

What does a good risk register look like?

Answer 1

Collates risks & controls
Tailored to your organisation Updated regularly
Informs decision making
Enable team to prioritise & manage their risks

Question 2

What is risk policy?

Answer 2

Risk policy is the ‘what’, framework and guidelines to manage risks

Question 3

What are risk procedures?

Answer 3

Procedures is the ‘how’

Question 4

What are the ISO 31000, 8 key RM steps?

Answer 4

Communication & Consultation; Scope, Context & Criteria; Risk Identification; Risk Analysis; Risk Evaluation; Risk Treatment; Monitoring & Review; Recording & Reporting

Question 5

What are the COSO (2004), 8 Key RM steps?

Answer 5

Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Info, Comms, Monitoring

Question 6

What are the 4 RM standards?

Answer 6

ISO 31000, COSO (2004), COSO (2017), The Orange Book

Question 7

What are the 5 components of COSO (2017)?

Answer 7

Governance & Culture; Strategy & Objective Setting; Performance; Review & Revision; Info, Comms & Reporting

Question 8

What is Principle A of the Orange Book?

Answer 8

RM as an essential part of governance & leadership

Question 9

What is Principle B of the Orange Book?

Answer 9

RM an integral part of all organisational activities to support decision making

Question 10

What is Principle C of the Orange Book?

Answer 10

RM shall be collaborative
and informed by the best available
information and expertise

Question 11

What is Principle D of the Orange Book?

Answer 11

RM to have structured processes incl, risk identification & assessment, risk treatment, risk monitoring risk reporting

Question 12

What is Principle E of the Orange Book?

Answer 12

RM shall be continually
improved through learning and experience

Question 13

What are the 3 components of context?

Answer 13

Internal, External, Risk Management

Question 14

What is the purpose of establishing context according to ISO 31000?

Answer 14

To enable effective risk assessment & treatment

Question 15

What is the extended enterprise?

Answer 15

Organisation’s come together to achieve objectives they could not achieve on their own

Question 16

What are the key elements of the extended enterprise?

Answer 16

Core activities, key inputs & outputs, external influences

Question 17

What does PESTLE help to do?

Answer 17

Anlysis an organisation’s context

Question 18

What is Mendelow’s matrix?

Answer 18

Helps with stakeholder mapping

Question 19

What are some difficulties in setting objectives?

Answer 19

Picking ones that support the mission; conflicting stakeholder expectations; context constantly changing;

Question 20

What is the attachment of risk?

Answer 20

The process of transferring or assigning a specific risk or liability from one party to another

Question 21

What are the 3 stages of risk assessment?

Answer 21

Risk identification, risk analysis, risk evaluation

Question 22

What is the purpose of risk identification?

Answer 22

To find, recognise and describe risks that might prevent/help org from achieving its objectives

Question 23

What is a cause? risk? consequence?

Answer 23

Thing happening now or has happened. The uncertainty. Impact on objectives.

Question 24

What are Hopkins 5 techniques for risk assessment?

Answer 24

Checklists & questionnaires; workshops & brainstorming; inspections & audits; flowcharts & dependency analysis; crowd sourcing technology

Question 25

Words to describe emerging risks?

Answer 25

Ambiguous, chaotic, complete, uncertain, volatile

Question 26

What is the definition of an emerging risk?

Answer 26

A risk that is new or a familiar risk in new/unfamiliar context/under new context conditions. Potentially signification but not fully understood, cannot allow RM with confidence.

Question 27

What is the importance of risk classification?

Answer 27

Structure to risk identification process; facilitate identification of more risks; consistent risk terminologies; assign responsibilities; estimate total exposure; bundle risk treatment

Question 28

What does FIRM help with and stand for?

Answer 28

Risk classification. Financial, Industrial, Reputational, Marketplace

Question 29

What are the 5/4 Ts for risk control?

Answer 29

Terminate, Treat, Transfer, Tolerate, Take

Question 30

Sartarla designed a flow chart to …?

Answer 30

Decide what is a real control? To challenge effectiveness.

Question 31

How does the ISO 31000 define a control?

Answer 31

A measure that maintains/modifies a risk

Question 32

What are the 5 response strategy types (5 E’s)?

Answer 32

Explore opportunities; opportunities Exploited further; opportunities in decline must Exit; Expand;Exist in maturing or decling markets.

Question 33

What is damage limitation?

Answer 33

Reducing the magnitude/severity of risk when it occurs, manage impacts

Question 34

What is loss prevention?

Answer 34

Reducing likelihood of risk and also impact if it does

Question 35

What is a preventative control?

Answer 35

Before risk occurs, internal control used to avoid undesirable event occuring

Question 36

What is cost containment?

Answer 36

When a hazard risk materializes despite the efforts put into loss prevention and damage limitation, there may well still be a need to contain the cost of the event

Question 37

What is the most effective/best type of control?

Answer 37

Preventative control

Question 38

What is a directive control?

Answer 38

Directions for how to behave eg. contracts, pre-event

Question 39

What are detective controls?

Answer 39

Detect a risk eg. fire alarm, post event

Question 40

What are anticipatory controls?

Answer 40

Long-term & strategic

Question 41

What are corrective controls?

Answer 41

Implemented once risk has occured

Question 42

What controls are implemented pre-event?

Answer 42

Preventative, Directive

Question 43

What controls are implemented post-event?

Answer 43

Corrective, Detective

Question 44

What type of control is insurance?

Answer 44

Corrective, post-event

Question 45

What type of control is business continuity?

Answer 45

Corrective, post-event

Question 46

Is business continuity a loss prevention, damage limitation or cost containment?

Answer 46

Cost containment

Question 47

What is an engineering control?

Answer 47

Isolate people from the hazard

Question 48

What is an administrative control?

Answer 48

Change the way people work

Question 49

What is an elimination control?

Answer 49

Physically remove the hazard

Question 50

What is the substitution control?

Answer 50

Replace the hazard

Question 51

What is the swiss cheese model?

Answer 51

A slice of Swiss cheese is symbolic of a given measure taken to minimize risk

Question 52

What is the purpose of monitoring & reviewing according to ISO 31000?

Answer 52

To assess & improve the quality & effectiveness of process design implementation and outcomes

Question 53

What are some methods to monitor risk?

Answer 53

KRIs, KCIs

Question 54

Monitoring is …. but review is … & ….?

Answer 54

Monitoring is ongoing but review is periodic & changes

Question 55

What a are 4 ways to collect data?

Answer 55

Audits, Customer audits, internet of things, satellite data

Question 56

What is big data?

Answer 56

Data that contains variety, arriving in increasing volume & more velocity

Question 57

How does ISO 31000 define risk?

Answer 57

‘effect of uncertainty on objectives’

Question 58

What are Hopkins 4 categories of risk?

Answer 58

Hazard, Opportunity, Compliance, Control

Question 59

How does ISO 31000 define RM?

Answer 59

‘coordinated activities to direct & control an organisation with regard to risk’

Question 60

What is needed for ERM to work effectively?

Answer 60

High investment, high risk maturity, strong risk assurance

Question 61

When was RM introduced?

Answer 61

1995

Question 62

Why is it important to know about the history or RM?

Answer 62

To know, where we are now & where we might be in the future, conventional views have to be altered

Question 63

What is a downside risk?

Answer 63

Event whose outcomes are negative

Question 64

What does STOC stand for?

Answer 64

Strategy, Tactics, Operations, Compliance

Question 65

What is risk exposure?

Answer 65

Likelihood of risk materialising and impact when it does

Question 66

What is risk attitude?

Answer 66

Organisation’s approach to assess & pursue, retain, take or turn away risk

Question 67

What is risk appetite?

Answer 67

Amount & type of risk an organisation is willing to pursue or retain

Question 68

What does FIRM stand for?

Answer 68

Financial, Industrial, Reputation, Marketplace

Question 69

What are the 4Ts of Hazard RM?

Answer 69

Tolerate, Treat, Transfer, Terminate

Question 70

What is the Sartarla approach to ERM?

Answer 70

Define context & objectives; assess the risks; manage the risks; review & report

Question 71

What is a climate physical risk?

Answer 71

Impact from actual climate change

Question 72

What is climate transitional risk?

Answer 72

Changes as activities to move to a more sustainable approach

Question 73

What is a climate legal risk?

Answer 73

Knowingly continuing to contribute to climate warming

Question 74

What is the law that mandates certain practices in finance recording keeping & reporting called?

Answer 74

Sarbanes-Oxley law

Question 75

Name a banking regulator

Answer 75

International Basel Accordance

Question 76

Name an insurance regulation

Answer 76

European Union Solvency

Question 77

What is an operational risk?

Answer 77

Risk a company faces in the course of conducting its daily business activities, procedures, and systems

Question 78

What does PRAM stand for?

Answer 78

Project Risk Analysis Management Guide

Question 79

Definition of a project?

Answer 79

Unique, transient endevours undertaken to achieve objectives

Question 80

When was H&S legislation enacted?

Answer 80

1800s

Question 81

What does COSHH stand for?

Answer 81

The Control Of Substances Hazardous to Health

Question 82

What does RIDDOR stand for?

Answer 82

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations

Question 83

When and where was the first RM standard?

Answer 83

1995, New Zealand

Question 84

What does the ISO 31000 include?

Answer 84

What good RM looks like - the Principles; what is needed to implement effective RM - the Framework; steps in RM - the Process

Question 85

What does RASP stand for?

Answer 85

Risk Architecture, Strategy & Protocols

Question 86

What is included in the COSO ERM Cube?

Answer 86

Includes RM PROCESS, ORGANISATIONAL activities & IMPLEMENTATION process of the standard

Question 87

What is the H&S standard?

Answer 87

ISO 45000

Question 88

What is the Legal standard?

Answer 88

ISO 31022

Question 89

What is the projects standard?

Answer 89

PRAM

Question 90

According to ISO 31000, what is the purpose of RM?

Answer 90

The creation & protection of value

Question 91

What does PACED stand for?

Answer 91

Proportionate, Aligned, Comprehensive, Embed, Dynamic

Question 92

What do the elements of PACED mean?

Answer 92

Proportionate- customised to suit org
Aligned - integrated with org activities
Comprehensive - consistency of RM process
Embed - change risk attitude, behaviour, culture
Dynamic - process does not finish with risk register, inc decision making & value

Question 93

What is Agency Theory?

Answer 93

The concept used to explain relationship between principles (someone who relies heavily) & their relative agent

Question 94

What is Risk Architecture?

Answer 94

Committe structure & terms of reference; roles & responsibilities; internal reporting requirements

Question 95

How does Hopkins advise you implement ERM?

Answer 95

PIML - Planning, Implementing, Measuring, Learning

Question 96

What does PIML stand for and represent?

Answer 96

Planning, Implementing, Measuring, Learning. How Hopkins advises you implement ERM.

Question 97

What must you consider in time it takes to implement ERM?

Answer 97

Start position, commitment from TOP, size & complexity, resources available, org as global actor

Question 98

What does risk status show?

Answer 98

Risk lifecycle

Question 99

What are the 8 risk status’?

Answer 99

Draft, Activity, Ongoing, Rejected, Escalated, Deleted, Expired, Closed/Managed, Closed/Occured

Question 100

What does ‘draft’ risk status mean?

Answer 100

Risk only just raised, needs to be assessed to ensure real risk

Question 101

What does ‘activity’ risk status mean?

Answer 101

Actively dealing with risk, further actions required to manage.

Question 102

What does ‘ongoing’ risk status mean?

Answer 102

Managed risk to acceptable level, not closed & may change. KRIs developed.

Question 103

What does ‘rejected’ risk status mean?

Answer 103

Problems & issues, not risks

Question 104

What does ‘escalated’ risk status mean?

Answer 104

Do not effect objectives of activity but effect other areas of business

Question 105

What does ‘deleted’ risk status mean?

Answer 105

No longer occurring due to external changes

Question 106

What does ‘expired’ risk status mean?

Answer 106

Passed in time and can no longer occur

Question 107

What does ‘closed/managed’ risk status mean?

Answer 107

Successfully managed

Question 108

What does ‘closed/occured’ risk status mean?

Answer 108

Has occured

Question 109

What is a consultation?

Answer 109

A process which impacts on a decision through influence rather than power. Input into decision making, not joint decision.

Question 110

What is some useful input shared in risk reports?

Answer 110

Level of confidence that objectives can be met; important changes - risks, controls, context objectives; emerging risks; new risks; themes/trends; actions

Question 111

What are 4 types of risk reporting according to The Orange Book?

Answer 111

The principal risk report; deep dive report; risk radar; risk moderation

Question 112

How many decision making steps does Druker have?

Answer 112

6

Question 113

Culture definition?

Answer 113

Ideas, customs, beliefs, behaviours, showed by groups of people

Question 114

Risk culture definition?

Answer 114

How people perceived, understand & manage risks

Question 115

How to take a positive stance on risk culture?

Answer 115

Good comms of org’s expectations of all staff; convincing employees they will benefit; involvement in risk identification process; training programs

Question 116

How does Hillson define risk attitude?

Answer 116

Chosen responses to uncertain situations, driven by whether uncertainty is perceived as favourable/neutral/hostile.

Question 117

What is anchoring bias?

Answer 117

Influenced by info we already know

Question 118

What are 5 types of bias?

Answer 118

Confirmation, conformity, authority, bandwagon, anchoring

Question 119

What 3 factors influence risk perception?

Answer 119

Conscious, subconscious, affective

Question 120

What does LILAC stand for and show?

Answer 120

Risk Culture Model. Leadership, Involvement, Learning, Accountability, Communication

Question 121

What is the ABC model?

Answer 121

Risk culture model. risk Attitude, risk Behaviour, risk Culture.

Question 122

What are 5 indicators of a positive safety culture?

Answer 122

Leadership - promoting positive safety culture; Involement of staff; Existence of learning culture; Existence of just culture

Question 123

Can you have a ‘risk-aware’ culture?

Answer 123

No, these are attitudes, so you can a have a ‘risk-aware ATTITUDE’

Question 124

Is ‘the way we do things around here’ risk behaviour or risk attitude?

Answer 124

Risk behaviour

Question 125

Hopkins definition of risk attitude?

Answer 125

The long term view of the organisation to risk determined by 4 C’s - comfort, cautious, concerned, critical

Question 126

What is Hopkins 4 C’s related to risk attitude?

Answer 126

Comfort, cautious, concerned, critical

Question 127

What is the Double S Model?

Answer 127

Culture having 2 dimensions.
Sociability - people focus
Solidarity - task focus

Question 128

What are some benefits of Sociability in the Double S Model?

Answer 128

Encourages cohesive & common purpose. People go beyond what is expected

Question 129

What is a negative of Sociability in the Double S Model?

Answer 129

Friendships may lead to poor performance

Question 130

What are some benefits of Solidarity in the Double S Model?

Answer 130

Risk controls & actions implemented. Relationships formed on mutual interest. Swiftly mobilise a team.

Question 131

What is a negative of Solidarity in the Double S Model?

Answer 131

They may ask ‘what’s in it for me’?

Question 132

How can you measure risk culture?

Answer 132

Surveys

Question 133

What are the elements of the risk culture aspects model?

Answer 133

Tone from the top; Governance; Competency; Decisions

Question 134

How to change risk culture according to IRM?

Answer 134

Plan & implement cultural change
Monitor & adapt to change
Evaluate current risk culture
Assess impact of current risk culture
Identify areas of improvement

Question 135

What are Hopkins risk appetite principles?

Answer 135

Acknowledging interconnectness; Measurability; Variability

Question 136

Define risk capacity

Answer 136

A measure of how much risk should/can take

Question 137

Define risk tolerance

Answer 137

The boundaries outside of which organisation will not venture

Question 138

What are the benefits of adopting a risk appetite?

Answer 138

Reducing uncertainty; Improve consistency; Focus on priority areas; Improve resource prioritisation

Question 139

How does the IRM define risk appetite?

Answer 139

Amount of risk org is willing to seek/accept in pursuit of long term objectives

Question 140

What is the optimal risk position?

Answer 140

Level of risk the organisation aims to operate

Question 141

What is the tolerable risk position?

Answer 141

Level of risk the organisation is willing to operate

Question 142

Who is responsible for the determining the nature & extent of risks willing to take?

Answer 142

The Board

Question 143

What are Hopkins’ stages in developing risk appetite statements?

Answer 143

Identify stakeholders & expectations
Define org wide risk exposure
Establish desired risk exposure
Define acceptable volatility
Formulate statement & communicate

Question 144

What are the 5 levels of risk appetite?

Answer 144

Opposed/adverse
Minimalist
Cautious
Mindful/open
Enterprise/eager

Question 145

What are IRMs key principles when designing risk appetite?

Answer 145

RA can be complex; needs to be measurable; not single, fixed concept; develop in line with org capability & maturity; strategic, tactical & operational level;

Question 146

What is maturity?

Answer 146

Context, culture, systems, processes

Question 147

What is capability?

Answer 147

Financial, reputational, people, infrastructure

Question 148

What does TARP stand for and what is it?

Answer 148

H&S Triggers. Triggered Action Response Plans

Question 149

What questions does the IRM ask to test RA statement?

Answer 149

Does it provide guidance for decision making? Do execs understand aggregated/interlinked level of risk to determine what is acceptable? Understand RA not constant? Decision make consideration of reward?

Question 150

What are Deloitte’s indicators that RA statements good?

Answer 150

People taking risks knowing what objectives they are supporting; principal risks are understood; RA language permeates org

Question 151

What are the 4 levels of risk appetite?

Answer 151

High level; directional; specific; detailed

Question 152

What are Hazard risks?

Answer 152

risks that can only inhibit achievement of corporate mission

Question 153

What are opportunity risks?

Answer 153

the risks that are deliberately sought or embraced by the organisation

Question 154

What are Control risks?

Answer 154

associated with uncertainty and cause doubt about the ability to achieve the organisations mission.

Question 155

What are compliance risks?

Answer 155

the threat to an organization’s finances, organization, and reputation due to violations of rules, regulations, and laws governing its activity