Lesson 9

Question 1

1.1 Define enterprise risk management

Answer 1

The culture, capabilities and practices integrated with strategy setting and its execution the entities rely on to manage risk

Question 2

1.1 List 5 areas that enterprise risk management emphasizes

Answer 2

1) Recognizing culture and capabilities

2) Applying practices

3) Integrating with strategy setting and its execution

4) Manage risk to strategy and business objectives

5) Linking to creating, preservice and realizing value

Question 3

1.2 Define culture in the context of enterprise risk management

Answer 3

Risk culture is defined as attitudes, behaviours, and understanding about risk, both positive and negative, that influence decisions and reflect the mission, vision and core values of the entity

Question 4

1.2 Define capability in the context of enterprise risk management

Answer 4

a core capability important to an entity in its pursuit of competitive advantages to create value.

Enterprise risk management helps the entity develop the skills it needs to execute the mission and vision to anticipate the challenges that may impede success

Question 5

1.2 Define practices in the context of enterprise risk management

Answer 5

risk practices are the methods and approaches deployed within an entity related to managing risk.

Practices used in enterprise risk management are applied from the highest levels and flow down to decision making at all levels in the entity

Question 6

1.3 Outline the premises that underpin the benefits of taking an enterprisewide approach to risk management

Answer 6

Based on the premise that every entity exists to provide a value for its stakeholders.

A related premise is that all entities face uncertainty.

Effective enterprise risk management allows decision makers to balance exposure against opportunity

Question 7

1.4 define stakeholders and differentiate between external and internal

Answer 7

Stakeholders are parties that have a genuine or vested interest in an entity.

Internal are parties working within the entity such as employees, management and the board.

External stakeholders aren’t directly engaged in the entity’s operation but are directly impacted by it. Such as as group benefits plan, beneficiaries of plan members, plan service providers, regulatory bodies.

Question 8

1.5 explain how the value of an entity is influenced by management decisions (4)

Answer 8

1) Value is created when the value of deployed resources is less than the benefit derived from that deployment

2) Value is preserved when the value of resources deployed in day-to-day operations sustains created benefits

3) Value is realized when stakeholders derive benefits created by the entity. Benefits may be non monetary

4) Value is eroded when management implements strategies that don’t yield expected outcomes of fails to execute day-to-day tasks

Question 9

1.6 Explain how enterprise risk management interfaces with strategy

Answer 9

Strategy refers to an entity’s plan to achieve its mission and vision and apply its core values.

Enterprise risk management informs the entity on risks that may arise from a strategy and evaluates the assumptions that underlie a strategy and looks at sensitivity to changes in the assumptions

Question 10

1.7 Explain how enterprise risk management can influence an entity’s ability to adapt survive and prosper

Answer 10

Risks are always present and changing.

While it may not be possible to manage all potential outcomes of risk they can improve how they adapt to changing circumstances.

Focuses on managing risks to reduce likelihood of adverse events and manage outcomes if they do occur

Question 11

1.8 Outline benefits of integrating enterprise risk management with strategy setting and performance management processes (5)

Answer 11

1) Expand the range of opportunities for creating value. Considering all reasonable possibilities, might surface opportunities

2) Identify and manage entity wide risks, brings data together to respond effectively

3) Reduce surprises and losses - have already identified risks and prepared responses

4) Reduce performance variability - in some organizations consistency is key

5) Improve resource deployment - allows for assessment of resource needs and enhanced resource allocation

Question 12

2.1 Explain how events, uncertainty and severity impact risk

Answer 12

An event is an occurrence or a set of occurrences.

Uncertainty is a state of not knowing and severity is the measurement of such considerations as the impact of the event and time to recover.

In the context of risk events are broad and uncertain

Question 13

2.2 Explain why an event with a positive outcome can also pose a risk

Answer 13

The event that is beneficial to one objective may be detrimental to another.

For example higher than forecasted sales may produce supply chain issues

Question 14

3.1 Outline 4 things that an entity is better positioned to understand when enterprise risk management, strategy setting and strategy execution are aligned

Answer 14

1) How mission, vision, and core values form the initial expression of acceptable types and amount of risk when setting strategy

2) Possibility of strategies and business objectives not aligning with the mission, vision, and core values

3) Types and amount of risk the entity potentially exposes itself to from the strategy that has been chosen

4) Types and amount of risk to executing its strategy and achieving business objectives

Question 15

3.2 Define mission

Answer 15

Mission is the entity’s core purpose, which establishes what it wants to accomplish and why it exists

Question 16

3.2 Define vision

Answer 16

The entity’s aspirations for its future state or what it hopes to achieve over time

Question 17

3.2 Define core values

Answer 17

The entity’s beliefs and ideals about what is acceptable. This influences the behaviour of an entity and how it wants to conduct business

Question 18

3.2 Explain how mission, vision and core values relate to an entity’s purpose

Answer 18

Together these elements communicate to stakeholders the entity’s purpose.

For most entities these remain stable and are reaffirmed over time. Though they may evolve as stakeholder expectations change

Question 19

3.2 Explain the significance of alignment among strategy, mission, vision, and values to enterprise risk management

Answer 19

Mission and vision help to establish boundaries for strategy and bring focus to understanding how decisions may affect strategy.

Mission, vision, and core value statements guide in determining the types and amount of risk an entity is likely to encounter and accept

If these are not aligned the ability to realize the mission and vision may be reduced

Question 20

3.4 Describe the focus of enterprise risk management in the context of strategy execution. Provide an example

Answer 20

The focus of risk management is on understanding the strategy and the risks to its relevance and viability. There is always a risk to executing strategy

For example a health care provider has a goal of providing quality care. The provider considers EE capability, treatment options, legislative requirements. If one option is risky, understaffing for example,

Question 21

3.5 Explain the roles of the governance and operating models in enterprise risk management

Answer 21

An entity’s governance model defines and establishes authority, responsibility, and accountability.

It aligns the roles and responsibilities to the operating model at all levels - from the board of directors to management, division, operating units and functions

Operating model describes how management organizes and executes its day-to-day operations. It is typically aligned with the legal structure and management structure.

Both models influence the ability to identify, assess, and respond to risks to the achievement of strategy

Question 22

3.6 Explain the significance of an entity’s legal structure in risk management

Answer 22

How an entity is structured legally influences how it operates. A variety of factors, including size of the entity and any relevant regulatory, taxation or shareholder structures influence the suitability of different legal structures.

A small entity may operate as a single legal entity and risks can be aggregated across the entity.

For large entities consisting of several district legal entities. risks may be segregated.

Question 23

4.1 Explain the relationship between performance targets and level of uncertainty

Answer 23

Performance describes how actions are carried out as measured against a preset target.

The level of uncertainty varies with the level of performance desired.

For example airlines have a certain amount of uncertainty about their ability to operate 100% of flights on schedule. They are less uncertain that they can operate 90% of scheduled flights

Question 24

4.2 Explain the concept of risk profile in the context of enterprise risk management (define + 4 points needed to develop one)

Answer 24

A risk profile is a composite view o the risks for an entity as a whole or as a division, project or initiative

To develop a risk profile requires an understanding of:

1) Strategy or relevant business objectives

2) Performance target and acceptable variations in performance

3) Capacity and appetite for risk

4) Severity of the risk to the achievement of the strategy and business objectives

Question 25

4.3 describe a risk profile

Answer 25

varies, could be displayed as a chart with risk on the Y axis and performance on the x-axis. Looking at how performance increases or decreases in relation to risk

Question 26

4.4 Explain the concept of risk appetite and its relationship to strategy setting

Answer 26

Risk appetite means the type and amount of risk an entity is willing to accept in its pursuit of value. Knowing the risk appetite is essential to enterprise risk management

The risk appetite may affect the strategy and visa versa

Question 27

4.5 Compare risk capacity to risk appetite

Answer 27

Risk capacity is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.

Risk capacity must be considered when setting risk appetite

Question 28

5.1 Explain the premise of the COSO framework

Answer 28

The premise is that the entity’s mission, vision and core values drive the development of strategy and objectives which in turn impact the performance.

Question 29

5.1 What are the 5 interrelated components of the COSO framework

Answer 29

1) Risk governance and culture

2) Risk, strategy and objective setting

3) Risk in execution

4) Risk information, communication and reporting

5) Monitoring enterprise risk management performance

Question 30

5.2 In the context of enterprise risk management outline: risk governance and culture

Answer 30

Form a basis for other components of risk management

Governance sets the company’s tone and culture pertains to ethical values, desired behaviour and understanding of risk in the entity

Question 31

5.2 In the context of enterprise risk management outline: Risk, strategy and objective setting

Answer 31

These integrate into the strategic plan. With an understanding of the business context the entity can gain insight into internal and external factors and their impact to risk. An entity sets its risk appetite in conjunction with strategy setting.

The business objectives allow this to be put into the context of day-to-day operations

Question 32

5.2 In the context of enterprise risk management outline: Risk in execution

Answer 32

Prioritizes risks according to the severity and risk appetite.

The entity selects a risk response and monitors performance for change. It develops a portfolio view of the amount of risk the entity has assumed in pursuing its strategy and business objectives

Question 33

5.2 In the context of enterprise risk management outline: Risk information, Communication and Reporting

Answer 33

Communication is the continual process of gathering and sharing information.

Relevant and quality information from both internal and external sources is used to support risk management.

Question 34

5.2 In the context of enterprise risk management outline: Monitoring Enterprise Risk Management Performance

Answer 34

An entity considers how well the enterprise risk management components are functioning over time and during times of substantial change

Question 35

5.3 Outline 5 criteria an entity may consider for assessing the overall effectiveness of enterprise risk management

Answer 35

1) Whether components and principles relating to enterprise risk management are present and functioning

2) Whether components relating to enterprise risk management are operating together in an integrated manner

3) Whether controls necessary to effect principles are present and functioning

4) Whether components relevant principles and controls to effect those principles that are functioning continue to operate to achieve strategy and business objectives

5) Whether components, relevant principles and controls to effect those principles that are present exist in the design and implementation of enterprise risk management to achieve strategy and business objectives

Question 36

6.1 Outline factors that impact the establishment of roles and accountability for enterprise risk management in an entity (5)

Answer 36

1)Size
2) strategy
3) Business objectives
4) culture
5) external stakeholders

the roles, responsibilities and accountabilities are defined to allow for the clear ownership of strategy and risk that fits within the governance structure, reporting lines and culture.

Question 37

6.1 Who in a company is ultimately responsible for enterprise risk management

Answer 37

The leader (CEO or president)

They should have a deep understanding of the entity’s strategy and business objectives

Question 38

6.2 Outline oversight practices for the Risk Governance and Culture component of the COSO Framework (9)

Answer 38

1) Assessing the appropriateness of the entity’s strategy; alignment to the mission vision and core values and the risk inherent in that strategy

2) Defining the board risk governance role and structure, including subcommittees

3) Engaging with management to define the suitability of enterprise risk management

4) Overseeing evaluations of the culture and ensuring that management remediates any gaps

5) Promoting risk aware mindset that aligns the maturity of the entity with its culture

6) Challenging the potential biases and tendencies of management and fulfilling its independent and unbiased oversight rule

7) Understanding the strategy, operating model, industry and issues and challenges affecting the entity

8) Overseeing the alignment of business performance, risk taking and incentives/ compensation to balance short term and long term strategy achievement

9) Understanding how risk is monitored by management

Question 39

6.3 Outline oversight practices for the risk, strategy and objective setting component of the COSO framework (5)

Answer 39

1) Setting expectations for integration if ERM into strategic planning

2) Discussing and understanding risk appetite and considering whether it aligns with its expectations

3) Engaging in discussion with management to understand the changes to business context that may impact the strategy and its linkage to new, emerging or manifesting risks

4) Encouraging management to think about the risks inherent in the strategy and underlying business assumptions

5) Requiring management to demonstrate an understanding of the risk capacity of the entity to withstand large unexpected events

Question 40

6.4 Outline oversight practices for risk in the Execution component of the COSO framework (5)

Answer 40

1) Reviewing strategy and underlying assumptions

2) Setting expectations for risk reporting, including metrics and external disclosures

3) Understanding how management identifies and communicates the most severe risks

4) Reviewing and understanding the most significant risks and response scenarios

5) Understanding the plausible scenarios that could change the portfolio view

Question 41

What are the 5 components of the COSO framework

Answer 41

1) Control environment

2) Risk assessment and management

3) Control Activities

4) Information and Communication

5) Monitoring

Question 41

What are the 5 components of the COSO framework

Answer 41

1) Control environment

2) Risk assessment and management

3) Control Activities (Execution’s)

4) Information and Communication

5) Monitoring

Question 42

6.5 Outline oversight practices for the Risk Information Communication and reporting component of the COSO framework (3)

Answer 42

1) Establishing the information underlying data and formats to execute board oversight

2) Accessing internal and external information and insights conducive to effective risk oversight

3) Obtaining input from internal audit, external auditors and other independent parties regarding management perceptions and assumptions

Question 43

6.6 Outline oversight practices for the Monitoring ERM performance component of the COSO framework

Answer 43

1) Asking management about any risk manifesting in actual performance (both positive and negative)

2) Asking management about the enterprise risk management processes and challenges and asking management to demonstrate the suitability and functioning of those processes

Question 44

7.1 Describe the 3 tiers of indicators used by OSFI to detect risks that impact federally regulated pension plans. Provide examples of each

Answer 44

Tier 1 - Detect issues that require immediate attention and may have a significant impact on both the current state and future risk within the plan. e.g. Non-remittance of contributions, contribution holidays in excess of surplus or a plan sponsor facing serious financial issues

Tier 2 - Identify potential risks with the pension plan that may lead to more serious issues. e.g. Investment returns that don’t meet benchmarks, large changes in membership, high proportion of liabilities relating to retired members

Tier 3 - Capture situations that may require greater diligence or controls on the part of the plan administrator but may not have significant impact on risk within the plan if properly managed.
e.g. Whether a plan’s provisions contain benefits that are subject to the plan administrator’s discretion or if there has been a history of late filings for the plan