M2 Enterprise Risk Management Frameworks Flashcards
Framework to assist organizations in developing a comprehensive response to risk management
COSO - Enterprise Risk Management (ERM)
The possibility that events will occur and affect the achievement of strategy and business objectives
RISK
Defined by the entity type but usually shaped by strategies that balance market opportunities against the risks of pursuing those opportunities
Value
Management decisions will affect the development of value, including its ___, ___, ___, ____ (CPER)
C = Creation P = Preservation E = Erosion R = Realization
Value (CPER) - when benefits of value exceed the costs of resources used
Value creation
Value (CPER) - faulty strategy and inefficient/ineffective operations cause value to decline
Value erosion (cost > benefit)
Value (CPER) - when ongoing operations efficiently and effectively sustain created benefits (sustainable operating profit)
Value Preservation
Value (CPER) - when benefits created by the organization are received by stakeholders in either monetary or nonmonetary form
Value Realization
As defined by COSO - the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving and realizing value
Enterprise risk management (ERM)
Mnemonic to remember the definition of Enterprise Risk Management (CCPIS)
Culture
Capabilities
Practices
Integration with Strategy-setting and performance
Represents the types and amounts of risk, on a broad level, that an organization is willing to accept in pursuit of value; range provides guidance on the practices an organization is encouraged to pursue or not pursue
Risk appetite
All risk that could impact an entity
Risk Inventory
The amount of risk of having strategy and business objectives that is appropriate for an entity, recognizing that no one can predict risk with precision
Reasonable Expectation
What are the 5 components of Enterprise Risk Management
GOPRO
G = Governance and culture (DOVES)
O = strategy and Objective setting (SOAR)
P = Performance (VAPIR)
R = Review & Revision (SIR)
O = information, communication, and reporting (ONGOING) (TIP)
Component of Enterprise Risk Management that together form a base for all other components of ERM; sets entity tone at the top and is reflected in decision making
Governance and Culture (G in GOPRO)
What are the 5 principles of Governance and culture (G in GOPRO)
DOVES
D = defines Desired culture
O = exercises board Oversight
V = demonstrates commitment to core VALUES
E = attracts, develops and retains capable EMPLOYEES
S = establishes operating STRUCTURE
Component of Enterprise Risk Management that considers both internal and external factors and their effect on risk, framed by business context and risk appetite, and that allows strategy to be put into practice and shape the entity’s day-to-day operations and priorities
strategy and OBJECTIVE-setting (O in GOPRO)
What are the 4 principles of strategy and Objective-Setting (O in GOPRO)?
SOAR
S = evaluates alternative STRATEGIES
O = formulates business OBJECTIVES
A = ANALYZES business context
R = defines RISK appetite
Component of ERM that identifies and assesses risks that may affect an entity’s ability to achieve its strategy and business objectives; risk is prioritized according to severity, responses are selected and monitored, and the result is a portfolio view
Performance (P in GOPRO) - similar to risk assessment in internal control framework
What are the 5 principles of Performance (P in GOPRO)?
VAPIR
V = develops portfolio VIEW
A = ASSESSES severity of risk
P = PRIORITIZES risk
I = IDENTIFIES risk
R = implements risk RESPONSES (ARTS)
What are the risk responses (ARTS)?
A = Avoid
R = Reduce (diversification)
T = Transfer (sharing - joint ventures, insurance)
S = Self-insured (accept)
Risk Responses (ARTS) Chart (response by severity and frequency/likelihood)
                      Frequency/Likelihood
                      HIGH           LOW
Severity   HIGH       Avoid          Transfer (share)
           LOW        Reduce         Self-insured (accept)
Component of ERM that allows an organization to consider how well the enterprise risk management capabilities and practices have increased value over time and will continue to drive value in light of substantial changes
Review and Revision (R in GOPRO)
What are the 3 principles of Review and Revision (R in GOPRO)
SIR
S = assesses SUBSTANTIAL change
I = pursues IMPROVEMENT in ERM
R = REVIEWS risk and performance
Component of ERM that is the continual, iterative process of obtaining information and sharing it throughout the entity; both internal and external
Information, communication and Reporting (ONGOING) (O in GOPRO)
What are the 3 principles of ONGOING information, communication and reporting? (O in GOPRO)
TIP
T = leverages information & TECHNOLOGY (OIE)
I = communicates risk INFORMATION
P = reports on risk, culture, and PERFORMANCE
Risk to an organization if management does nothing to alter the likelihood or impact of a negative event
Inherent Risk
Risk to an organization after management takes actions to reduce the likelihood or impact of negative events
Residual Risk
= Inherent risk - impact of management actions
An organization’s risk appetite has been exceeded when the combined likelihood and impact of ___ events significantly exceed residual risks
When the combined likelihood and impact of negative events significantly exceed residual risks
The trends, events, relationship, and other factors that may influence, clarify or change an entity’s current and future strategy and business objectives
Business context
The maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives
Risk Capacity
A composite view of the risk assumed at a particular level of the entity or aspect of the business that positions management to consider the types, severity, and interdependencies of risk and how they may affect performance relative to the strategy and business objectives
Risk profile
A composite view of the risk the ENTITY FACES (parent level) which positions management and the board to consider the types, severity and interdependencies of risk and how they may affect the entity’s performance relative to its strategy and business objectives
Portfolio view
The ability of an entity to withstand the impact of large-scale events (e.g., a financial crisis)
Organizational sustainability
The measurement of efforts to achieve or exceed the strategy and business objectives
Performance management