Lesson 12 Flashcards

1
Q

1.1 Outline challenges related to data and information in entities (3)

A

1) Storage.

2) Transformation of data into information

3) Information overload.

2
Q

1.1 Define “enterprise risk management taxonomy”

A

system of classification for identifying and categorizing risks that could affect the entity’s strategy and business objectives

provides the basis for supporting risk data and information. When an entity implements a taxonomy structure into its information systems, it is more likely to consistently aggregate risk data and information.

3
Q

1.2 Explain the significance of relevant information to enterprise risk management

A

In the context of enterprise risk management, it is the information that allows the entity to anticipate situations that may impede the achievement of strategy and business objectives and to be more agile in decision making, giving it a competitive advantage.

The process of identifying what information is required to be able to apply enterprise risk management practices is continual and specific to each component of the risk management framework.

The process considers what information is available to management (and what is needed) and the cost of obtaining that information.

4
Q

1.2 Explain the significance of quality information to enterprise risk management

A

Quality information is essential for enterprise risk management. If the underlying data is inaccurate or incomplete, management may not be able to make sound judgments, estimates or decisions.

5
Q

1.3 What are 4 components of ERM and examples of information sources needed to support them

A

1) The Risk Governance and Culture component. Information on the standards of conduct and individual performance relative to those standards.

2) The Risk Strategy and Objective Setting component. Information on stakeholder expectations of risk appetite.

3) The Risk Information, Communicating and Reporting component. Information on competitor actions to assess changing risk.

4) The Monitoring Enterprise Risk Management Performance component. Information on baseline performance in terms of enterprise risk management trends.

  • This type of information can be collected by attending enterprise risk management conferences and monitoring industry-specific blogs.
6
Q

1.4 Outline characteristics of high-quality information (6)

A

1) Accessible

2) Accurate

3) Appropriate

4) Current

5) Reliable

6) Has integrity - protected from manipulation and error

7
Q

1.5 Explain this statement: Data requirements are based on information requirements. Provide an example

A

When data is processed and organized it becomes a source of knowledge. Therefore the data you need is based upon the knowledge you are looking for

8
Q

1.6 Describe the components of effective data management within enterprise risk management (3)

A

1) The governance of data management - standardization

2) Data management processes and controls - reinforce the reliability of data or correct it as needed

3) Data management architecture - ensures the data can be reliably read, integrated and used in systems and in the entity

9
Q

1.7 Provide examples of organizational processes that an entity can use to assess the relevance of data (5)

A

1) Data Consistency - Measures the consistency between the data used by analytics and modelling.

2) Data redundancy - is data held in separate places

3) Data availability - Measures whether data is available at a required level of performance in varying situations.

4) Data accuracy - correctness

5) Data quality thresholds - precision

10
Q

Explain how an ERM taxonomy can support effective ERM

A

An ERM taxonomy is a set of risk categories used across the entity

Many entities develop risk taxonomies within a particular function area, such as internal audit.

Use of a taxonomy helps to aggregate risk data to understand exposures and identify risks that could affect the entity’s strategy and business objectives.

11
Q

2.2 List 8 factors that an entity will consider when selecting or developing IT to support information systems in the ERM process

A

Consider how the tool will be used to support:

1) Scope - of requirements

2) Aggregation - How the tech is used to aggregate risks

3) Information quality

4) Consistency and standards

5) Risk assessments

6) Reporting

7) Integration

8) Cost/benefits

12
Q

2.3 Provide examples of the types of changes that can lead to the need to update information system requirements (3)

A

1) Continually evolving regulations

2) Shifting customer expectations

3) Innovations in technology may present alternatives to change and improve information systems - for example risk information may be electronically shared with a broader audience using cloud services

An entity that operates in a highly dynamic environment may experience continual changes

13
Q

3.1 Describe the types of risk data and information that can be conveyed through an entity’s communication channels (6)

A

1) The importance, relevance and value of ERM

2) The characteristics, desired behaviours and core values that define the entity’s culture

3) The entity’s strategy and business objectives

4) The risk appetite and acceptable variation in performance

5) The overarching expectations of management and EEs in relation to ERM and performance management

6) The expectations of the entity on any important matters relating to ERM, including weaknesses, deterioration or nonadherence

14
Q

3.2 Identify factors that contribute to effective communication regarding risk between the board and management and other stakeholders who participate in decision making (5)

A

1) Risk responsibilities are clearly defined and allocated in the risk governance structure at the board, management and other levels and whether the structure supports the desired risk dialogue

2) Board of directors and management have a shared understanding of risk and its relationship to strategy and business objectives

3) Directors have a deep understanding of the business, value drivers and strategy and associated risks

4) Board is open to and continually discusses risk appetite with management

5) Board uses the entity’s risk appetite as a touchstone in communications.

15
Q

3.3 Describe common communication approaches used by management to assist the entity’s board of directors in fulfilment of its risk management oversight responsibilities (6)

A

1) Address risks as determined by the entity’s strategy and business objectives

2) Capture and align information at a level that is consistent with directors’ risk oversight responsibilities and with the level of information determined necessary by the board

3) Present the entity’s risk profile as aligned with its risk appetite statement and link reported risk information to policies for exposure and tolerances

4) Provide a report of risk exposures explaining trends and looking forward in relation to current positions

5) Update at a frequency consistent with the pace of risk evolution and severity of risk

6) Use standardized templates to support consistent presentation and structure of risk information over time

16
Q

3.4 Describe circumstances that may require the use of special communication channels within an entity

A

Separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters that require heightened attention.

i.e. whistleblower hotlines

17
Q

4.1 Identify potential users of reports on risk, culture and performance (5)

A

1) Management and the board of directors responsible for governance and oversight of the entity

2) Risk owners accountable for the effective management of identified risks

3) Assurance providers seeking insight into performance of the entity and effectiveness of risk responses

4) External stakeholders (regulators, rating agencies, community groups)

5) Other parties requiring reporting of risk in order to fulfill their roles and responsibilities

18
Q

4.2 Identify types of risk reporting and the associated report contents that support effective ERM (9)

A

1) Portfolio view of risk—which outlines the severity of the risks at the entity level

2) Profile view of risk—which is similar to the portfolio view in that it outlines the severity of risks, but it focuses on different levels within the entity

3) Analysis of root causes—which enables users to understand assumptions and changes underpinning the portfolio and profile views of risk.

4) Sensitivity analysis—which measures the sensitivity of changes in key assumptions embedded in strategy and the potential impact on strategy and business objectives.

5) Analysis of new, emerging and changing risks—which provides a forward looking view to anticipate changes in the risk universe

6) Key performance indicators and measures—which outline the acceptable variation in performance of the entity and potential risk

7) Trend analysis—which demonstrates movements and changes in the portfolio view of risk, risk profile and performance of the entity.

8) Disclosure of incidents, breaches and losses—which provides insight into the effectiveness of risk responses.

9) Tracking reports of enterprise risk management plans and initiatives—which provides a summary of the plan and initiatives

19
Q

4.3 Identify the types of reporting that may assist in measuring an entity’s risk culture (6)

A

1) Analytics of cultural trends

2) Benchmarking to other entities or standards

3) Compensation plans and the potential influence on decision making

4) “Lessons learned” analyses

5) Reviews of behavioural trends

6) Surveys of risk attitudes and risk awareness.

20
Q

4.4 Explain the role of key risk indicators in the risk reporting process

A

Used to predict a risk manifesting; can be quantitative or qualitative

Key risk indicators are reported to the levels of the entity that are best positioned to respond

Key risk indicators can be reflected in a single measure

21
Q

4.5 Describe factors that influence the frequency and quality of information required in risk reporting

A
  • severity and priority of risk
  • should enable management or other decision makers to determine the types and amount of risk assumed
  • should have a frequency commensurate with the type of information that is desired
22
Q

5.1 Describe how substantial change can impact risks experienced by an entity and how that entity can respond

A

Substantial changes may lead to new or changed risks that need to be considered for impact on business context, culture and strategy.

In the case of an acquisition, integrating the acquired company’s operations could impact the existing culture and risk ownership

Substantial changes could be internal or external environmental changes

Identifying changes and evaluating their impact is an iterative process

23
Q

5.2 Provide examples of substantial changes in the internal environment that could affect ERM (3)

A

1) Rapid growth

2) New technology

3) Substantial changes in leadership and employees

24
Q

5.3 Provide examples of substantial changes in the external environment that could affect ERM (3)

A

1) Regulatory changes

2) Economic environmental changes

3) Competitive pressures

25
Q

5.4 Provide examples of substantial changes in an entity’s culture that could have an impact on its risk management process (2)

A

1) Mergers and Acquisitions

2) Restructuring can change a company’s culture

26
Q

6.1 Identify sources of continual improvement in ERM (5)

A

1) New technology—May offer opportunity to improve efficiency.

2) Historical shortcomings—Monitoring can identify these and causes of past failures to improve enterprise risk management.

3) Organizational change—Pursuing continual improvement can identify the need for organizational changes, such as a change in the governance model.

4) Risk appetite—Monitoring provides clarity on factors that affect risk appetite, giving management an opportunity to refine its risk appetite.

5) Risk taxonomy—Continual monitoring of changes and pursuit of improvements can identify patterns as the business changes, which can lead to revisions in an entity’s risk taxonomy.

6) Communications—Monitoring can identify outdated or poorly functioning communication processes.

7) Peer comparison—Monitoring industry peers can help determine if an entity is operating outside of industry performance boundaries.

8) Rate of change in internal and external environments—The rate of change in the environment can trigger need/opportunities to improve enterprise risk management.

27
Q

6.2 Explain the role of baseline information in ERM

A

Understanding the current and desired future state of ERM provides useful baseline information for improving.

In order to measure improvements a baseline is needed. A baseline should be done for each of the 5 components.

28
Q

6.3 Explain how risk profiles can be used to monitor performance.

A

Management can analyze the risk profile to determine whether the current level of performance risk is greater, less or as expected compared with the risk assessment results.

29
Q

6.3 What are 4 things that a representation of a risk profile can be used to determine

A

(a) Has the entity performed as expected and achieved its target?

(b) What risks are occurring that may be impacting performance?

(c) Was the entity taking enough risk to obtain its target?

(d) Was the estimate of risk accurate?