Lesson 9 Flashcards
1.1 Define enterprise risk management
The culture, capabilities and practices, integrated with strategy setting and its execution, that entities rely on to manage risk
1.1 List 5 areas that enterprise risk management emphasizes
1) Recognizing culture and capabilities
2) Applying practices
3) Integrating with strategy setting and its execution
4) Managing risk to strategy and business objectives
5) Linking to creating, preserving and realizing value
1.2 Define culture in the context of enterprise risk management
Risk culture is defined as attitudes, behaviours, and understanding about risk, both positive and negative, that influence decisions and reflect the mission, vision and core values of the entity
1.2 Define capability in the context of enterprise risk management
A core capability is one that is important to an entity in its pursuit of competitive advantage to create value.
Enterprise risk management helps the entity develop the skills it needs to execute the mission and vision and to anticipate the challenges that may impede success
1.2 Define practices in the context of enterprise risk management
Risk practices are the methods and approaches deployed within an entity related to managing risk.
Practices used in enterprise risk management are applied from the highest levels and flow down to decision making at all levels in the entity
1.3 Outline the premises that underpin the benefits of taking an enterprise-wide approach to risk management
Based on the premise that every entity exists to provide value for its stakeholders.
A related premise is that all entities face uncertainty.
Effective enterprise risk management allows decision makers to balance exposure against opportunity
1.4 Define stakeholders and differentiate between external and internal
Stakeholders are parties that have a genuine or vested interest in an entity.
Internal are parties working within the entity such as employees, management and the board.
External stakeholders aren’t directly engaged in the entity’s operation but are directly impacted by it, such as a group benefits plan, beneficiaries of plan members, plan service providers and regulatory bodies.
1.5 Explain how the value of an entity is influenced by management decisions (4)
1) Value is created when the value of deployed resources is less than the benefit derived from that deployment
2) Value is preserved when the value of resources deployed in day-to-day operations sustains created benefits
3) Value is realized when stakeholders derive benefits created by the entity. Benefits may be non monetary
4) Value is eroded when management implements strategies that don’t yield expected outcomes or fails to execute day-to-day tasks
1.6 Explain how enterprise risk management interfaces with strategy
Strategy refers to an entity’s plan to achieve its mission and vision and apply its core values.
Enterprise risk management informs the entity of risks that may arise from a strategy, evaluates the assumptions that underlie the strategy, and looks at sensitivity to changes in those assumptions
1.7 Explain how enterprise risk management can influence an entity’s ability to adapt, survive and prosper
Risks are always present and changing.
While it may not be possible to manage all potential outcomes of risk, entities can improve how they adapt to changing circumstances.
Enterprise risk management focuses on managing risks to reduce the likelihood of adverse events and to manage outcomes if they do occur
1.8 Outline benefits of integrating enterprise risk management with strategy setting and performance management processes (5)
1) Expand the range of opportunities for creating value - considering all reasonable possibilities might surface opportunities
2) Identify and manage entity-wide risks - brings data together to respond effectively
3) Reduce surprises and losses - have already identified risks and prepared responses
4) Reduce performance variability - in some organizations consistency is key
5) Improve resource deployment - allows for assessment of resource needs and enhanced resource allocation
2.1 Explain how events, uncertainty and severity impact risk
An event is an occurrence or a set of occurrences.
Uncertainty is a state of not knowing and severity is the measurement of such considerations as the impact of the event and time to recover.
In the context of risk, events are broad and uncertain
2.2 Explain why an event with a positive outcome can also pose a risk
The event that is beneficial to one objective may be detrimental to another.
For example, higher-than-forecast sales may produce supply chain issues
3.1 Outline 4 things that an entity is better positioned to understand when enterprise risk management, strategy setting and strategy execution are aligned
1) How mission, vision, and core values form the initial expression of acceptable types and amount of risk when setting strategy
2) Possibility of strategies and business objectives not aligning with the mission, vision, and core values
3) Types and amount of risk the entity potentially exposes itself to from the strategy that has been chosen
4) Types and amount of risk to executing its strategy and achieving business objectives
3.2 Define mission
Mission is the entity’s core purpose, which establishes what it wants to accomplish and why it exists
3.2 Define vision
The entity’s aspirations for its future state or what it hopes to achieve over time
3.2 Define core values
The entity’s beliefs and ideals about what is acceptable. This influences the behaviour of an entity and how it wants to conduct business
3.2 Explain how mission, vision and core values relate to an entity’s purpose
Together these elements communicate to stakeholders the entity’s purpose.
For most entities these remain stable and are reaffirmed over time, though they may evolve as stakeholder expectations change
3.2 Explain the significance of alignment among strategy, mission, vision, and values to enterprise risk management
Mission and vision help to establish boundaries for strategy and bring focus to understanding how decisions may affect strategy.
Mission, vision, and core value statements guide in determining the types and amount of risk an entity is likely to encounter and accept
If these are not aligned the ability to realize the mission and vision may be reduced
3.4 Describe the focus of enterprise risk management in the context of strategy execution. Provide an example
The focus of risk management is on understanding the strategy and the risks to its relevance and viability. There is always a risk to executing strategy
For example, a health care provider has a goal of providing quality care. The provider considers EE capability, treatment options and legislative requirements. If one option is risky, understaffing for example,
3.5 Explain the roles of the governance and operating models in enterprise risk management
An entity’s governance model defines and establishes authority, responsibility, and accountability.
It aligns the roles and responsibilities to the operating model at all levels - from the board of directors to management, division, operating units and functions
Operating model describes how management organizes and executes its day-to-day operations. It is typically aligned with the legal structure and management structure.
Both models influence the ability to identify, assess, and respond to risks to the achievement of strategy
3.6 Explain the significance of an entity’s legal structure in risk management
How an entity is structured legally influences how it operates. A variety of factors, including the size of the entity and any relevant regulatory, taxation or shareholder structures, influence the suitability of different legal structures.
A small entity may operate as a single legal entity, and risks can be aggregated across the entity.
For large entities consisting of several distinct legal entities, risks may be segregated.
4.1 Explain the relationship between performance targets and level of uncertainty
Performance describes how actions are carried out as measured against a preset target.
The level of uncertainty varies with the level of performance desired.
For example, airlines have a certain amount of uncertainty about their ability to operate 100% of flights on schedule. They are less uncertain that they can operate 90% of scheduled flights
4.2 Explain the concept of risk profile in the context of enterprise risk management (define + 4 points needed to develop one)
A risk profile is a composite view of the risks for an entity as a whole or for a division, project or initiative
To develop a risk profile requires an understanding of:
1) Strategy or relevant business objectives
2) Performance target and acceptable variations in performance
3) Capacity and appetite for risk
4) Severity of the risk to the achievement of the strategy and business objectives
4.3 Describe a risk profile
It varies; it could be displayed as a chart with risk on the y-axis and performance on the x-axis, showing how performance increases or decreases in relation to risk
4.4 Explain the concept of risk appetite and its relationship to strategy setting
Risk appetite means the type and amount of risk an entity is willing to accept in its pursuit of value. Knowing the risk appetite is essential to enterprise risk management
The risk appetite may affect the strategy and vice versa
4.5 Compare risk capacity to risk appetite
Risk capacity is the maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.
Risk capacity must be considered when setting risk appetite
5.1 Explain the premise of the COSO framework
The premise is that the entity’s mission, vision and core values drive the development of strategy and objectives which in turn impact the performance.
5.1 What are the 5 interrelated components of the COSO framework
1) Risk governance and culture
2) Risk, strategy and objective setting
3) Risk in execution
4) Risk information, communication and reporting
5) Monitoring enterprise risk management performance
5.2 In the context of enterprise risk management outline: risk governance and culture
These form a basis for the other components of risk management.
Governance sets the company’s tone, and culture pertains to the ethical values, desired behaviour and understanding of risk in the entity
5.2 In the context of enterprise risk management outline: Risk, strategy and objective setting
These integrate into the strategic plan. With an understanding of the business context, the entity can gain insight into internal and external factors and their impact on risk. An entity sets its risk appetite in conjunction with strategy setting.
The business objectives allow this to be put into the context of day-to-day operations
5.2 In the context of enterprise risk management outline: Risk in execution
The entity prioritizes risks according to their severity and its risk appetite.
The entity selects a risk response and monitors performance for change. It develops a portfolio view of the amount of risk the entity has assumed in pursuing its strategy and business objectives
5.2 In the context of enterprise risk management outline: Risk information, communication and reporting
Communication is the continual process of gathering and sharing information.
Relevant and quality information from both internal and external sources is used to support risk management.
5.2 In the context of enterprise risk management outline: Monitoring enterprise risk management performance
An entity considers how well the enterprise risk management components are functioning over time and during times of substantial change
5.3 Outline 5 criteria an entity may consider for assessing the overall effectiveness of enterprise risk management
1) Whether components and principles relating to enterprise risk management are present and functioning
2) Whether components relating to enterprise risk management are operating together in an integrated manner
3) Whether controls necessary to effect principles are present and functioning
4) Whether components, relevant principles and controls to effect those principles that are functioning continue to operate to achieve strategy and business objectives
5) Whether components, relevant principles and controls to effect those principles that are present exist in the design and implementation of enterprise risk management to achieve strategy and business objectives
6.1 Outline factors that impact the establishment of roles and accountability for enterprise risk management in an entity (5)
1) Size
2) Strategy
3) Business objectives
4) Culture
5) External stakeholders
The roles, responsibilities and accountabilities are defined to allow for the clear ownership of strategy and risk that fits within the governance structure, reporting lines and culture.
6.1 Who in a company is ultimately responsible for enterprise risk management
The leader (CEO or president)
They should have a deep understanding of the entity’s strategy and business objectives
6.2 Outline oversight practices for the Risk Governance and Culture component of the COSO Framework (9)
1) Assessing the appropriateness of the entity’s strategy; alignment to the mission, vision and core values and the risk inherent in that strategy
2) Defining the board risk governance role and structure, including subcommittees
3) Engaging with management to define the suitability of enterprise risk management
4) Overseeing evaluations of the culture and ensuring that management remediates any gaps
5) Promoting a risk-aware mindset that aligns the maturity of the entity with its culture
6) Challenging the potential biases and tendencies of management and fulfilling its independent and unbiased oversight role
7) Understanding the strategy, operating model, industry and issues and challenges affecting the entity
8) Overseeing the alignment of business performance, risk taking and incentives/compensation to balance short-term and long-term strategy achievement
9) Understanding how risk is monitored by management
6.3 Outline oversight practices for the risk, strategy and objective setting component of the COSO framework (5)
1) Setting expectations for integration of ERM into strategic planning
2) Discussing and understanding risk appetite and considering whether it aligns with its expectations
3) Engaging in discussion with management to understand the changes to business context that may impact the strategy and its linkage to new, emerging or manifesting risks
4) Encouraging management to think about the risks inherent in the strategy and underlying business assumptions
5) Requiring management to demonstrate an understanding of the risk capacity of the entity to withstand large unexpected events
6.4 Outline oversight practices for risk in the Execution component of the COSO framework (5)
1) Reviewing strategy and underlying assumptions
2) Setting expectations for risk reporting, including metrics and external disclosures
3) Understanding how management identifies and communicates the most severe risks
4) Reviewing and understanding the most significant risks and response scenarios
5) Understanding the plausible scenarios that could change the portfolio view
What are the 5 components of the COSO framework
1) Control environment
2) Risk assessment and management
3) Control Activities (Execution’s)
4) Information and Communication
5) Monitoring
6.5 Outline oversight practices for the risk information, communication and reporting component of the COSO framework (3)
1) Establishing the information, underlying data and formats needed to execute board oversight
2) Accessing internal and external information and insights conducive to effective risk oversight
3) Obtaining input from internal audit, external auditors and other independent parties regarding management perceptions and assumptions
6.6 Outline oversight practices for the Monitoring ERM performance component of the COSO framework
1) Asking management about any risk manifesting in actual performance (both positive and negative)
2) Asking management about the enterprise risk management processes and challenges and asking management to demonstrate the suitability and functioning of those processes
7.1 Describe the 3 tiers of indicators used by OSFI to detect risks that impact federally regulated pension plans. Provide examples of each
Tier 1 - Detect issues that require immediate attention and may have a significant impact on both the current state and future risk within the plan. e.g. Non-remittance of contributions, contribution holidays in excess of surplus or a plan sponsor facing serious financial issues
Tier 2 - Identify potential risks with the pension plan that may lead to more serious issues. e.g. Investment returns that don’t meet benchmarks, large changes in membership, high proportion of liabilities relating to retired members
Tier 3 - Capture situations that may require greater diligence or controls on the part of the plan administrator but may not have significant impact on risk within the plan if properly managed.
e.g. Whether a plan’s provisions contain benefits that are subject to the plan administrator’s discretion or if there has been a history of late filings for the plan