Module 1 - Unit 2 (Risk Management Standards) Flashcards

1
Q

What is a risk management standard?

A

Risk management standard = Risk management framework + risk management process

  • It’s a published guide for managing risk.
  • It sets out the overall approach to the successful management of risk.
  • Including a description of the risk management process, together with the suggested framework that supports the process (Hopkin)

Examples include ISO 31000, COSO ERM cube, and COSO Internal Control Framework

2
Q

What was the first ever risk management standard called, and in what year was it released?

A
  • AS/NZS4360
  • 1995

3
Q

Define ‘risk management process’.

A

The risk management process consists of the stages involved in managing risks; it is driven mainly by how the framework is set up (but is also affected by the internal and external environment).

4
Q

If an organisation decides to follow the structure of the IRM (2002) Risk Management Standard, list the 5 components of risk management it would have to include in its framework.

A
  • Structure
  • Responsibilities
  • Administration
  • Reporting
  • Communication
5
Q

State the first stage in the risk management process according to ISO 31000.

A

“Establish the scope, context, and criteria”.

6
Q

Draw the risk management process for ISO 31000.

A

See Figure 6.4 ‘RM process for ISO 31000 (2018)’ Hopkin (2018).

7
Q

As part of the ISO 31000 risk management process, ‘monitoring and review’ is best thought of as which of the following:

A. An extra stage
B. A feedback loop
C. Part of an iterative process

A

C - because each of the stages in the process may be executed multiple times before the risk evaluation is finalised and the appropriate risk treatment agreed.

8
Q

State the 5 components of the ISO 31000 risk management framework.

A
  • The role of ‘leadership and commitment’ is noted in this section
  • The framework is presented as a continuous improvement model, similar to the PIML model.
  • The purpose = to assist with integrating risk management into all activities and functions.
The 5 components are as follows:
• Integration
• Design
• Implementation
• Evaluation
• Improvement
9
Q

State the 8 ISO 31000 risk management principles.

A
  • The principles outline what must be achieved, and the framework provides information on how to achieve the required integration.

Value creation and protection:

  1. CUSTOMISED
  2. INCLUSIVE
  3. STRUCTURED and COMPREHENSIVE
  4. INTEGRATED
  5. DYNAMIC
  6. Best available information
  7. Human and cultural factors
  8. Continued improvement

The first 5 principles are similar to PACED.

10
Q

Draw the COSO ERM Cube.

A

See Figure 6.3 ‘COSO ERM Cube’ Hopkin (2018).

11
Q

From COSO (2014), what are the four elements that make up the COSO ERM Business Model?

A
  1. Business planning
  2. Execution
  3. Adapting
  4. Monitoring
12
Q

State and describe the 8 components (risk management process) of the COSO ERM Cube.

A
  1. INTERNAL ENVIRONMENT
    • Encompasses the tone of the organisation and sets the basis for how risk is viewed and addressed
  2. OBJECTIVE SETTING
    • Objectives must exist before management can identify potential events affecting their achievement
  3. EVENT IDENTIFICATION
    • Internal and external events affecting the achievement of objectives must be identified, distinguishing between risks and opportunities.
  4. RISK ASSESSMENT
    • Risks are analysed, considering the likelihood and impact, as a basis for determining how they should be managed.
  5. RISK RESPONSE
    • Management selects risk responses: avoiding, accepting, reducing, or sharing risk.
  6. CONTROL ACTIVITIES
    • Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
  7. INFORMATION AND COMMUNICATION
    • Relevant information is identified, captured and communicated so that people can fulfil their responsibilities.
    • Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
  8. MONITORING
    • The entirety of ERM is monitored and modifications are made if necessary.
13
Q

State the four categories of organisational objectives of the COSO ERM Cube.

A

SORC

  • Strategic
  • Operations
  • Reporting
  • Compliance
14
Q

State the four categories that represent the implementation process of the COSO ERM Cube standard (entities).

A
  • Entity-level
  • Division
  • Business Units
  • Subsidiary
15
Q

COSO issued revised guidance in 2017, ‘Integrating with strategy and performance’. State the 5 components of the double helix.

A
  1. Governance & Culture
  2. Strategy & Objective Setting
  3. Performance
  4. Review & Revision
  5. Information Communication & Reporting
16
Q

Draw a diagram which shows the relationship between the risk management context, risk management process, and the organisation’s context.

A

See Figure 7.1 ‘Three components of context’ Hopkin (2018).

17
Q

Define the following terms:

(i) Risk Management Framework
(ii) Risk strategy
(iii) Risk architecture
(iv) Risk protocols

A

(i) Risk strategy, architecture, and protocols fit into the wider risk management context, also known as the risk management framework, which helps drive the risk management process
(ii) Risk strategy is set out in the risk management policy statement: strategy, appetite, attitudes, and philosophy.
(iii) Risk architecture sets out the lines of communication for reporting on risk management issues and events, and roles and responsibilities are defined.
(iv) Risk protocols are defined in the risk guidelines of the organisation, and include the rules and procedures, as well as the risk management methodologies, tools, and techniques that should be used.

18
Q

Explain what is meant by the ‘risk architecture’ of an organisation, and contrast the risk architecture with the ‘risk protocols’.

A

Risk architecture:
• Risk architecture sets out the lines of communication for reporting on risk management issues and events, and roles and responsibilities are defined.
• An illustrative example could be an organisation chart that shows the committee structures relating to risk reporting and accountabilities, or a risk committee’s terms of reference.
• It is vital that the risk architecture reinforces the fact that responsibility for managing risks remains with the owner for that risk.
• It describes who does what in relation to risk management and how the reporting structure works.

Risk protocols:
• Risk protocols are defined in the risk guidelines of the organisation, and include the rules and procedures, as well as the risk management methodologies, tools, and techniques that should be used.
• Risk management guidelines normally refer to the standards that should be achieved. These procedures will provide direction for directors, managers, and staff within the company.
• They are vital for the delivery of the business’s risk management process and ensure that risk management is undertaken in a consistent and controlled way.
• For example, the risk register forms part of the risk protocols.

Therefore, the two are completely different, yet both are part of the wider subject of the risk management framework.

19
Q

List the components of the risk architecture, strategy, and protocols (RASP) which make up the risk management framework.

A
Risk Architecture:
• Committee structure and terms of reference
• Roles and responsibilities
• Internal reporting requirements
• External reporting controls
• RM assurance arrangements
Risk Strategy:
• RM statement/policy
• RM philosophy
• Arrangements for embedding RM
• Risk appetite and attitude to risk
• Benchmark tests for significance
• Risk assessment techniques
• Risk priorities for the present year
Risk Protocols:
• Tools and techniques
• Risk Classification System
• Risk assessment procedures
• Risk control rules and procedures
• Responding to incidents, issues and events
• Documentation and record keeping
• Training and communication
• Audit procedures and protocols
• Reporting/disclosures/certification
20
Q

Identify the category of RASP in which a risk management information system would best be placed.

A

Risk protocols

21
Q

In setting up the ‘risk architecture’, the board are considering whether the audit committee should report to the risk committee, or whether the risk committee should report to the audit committee.
State which of these two options is most preferable.

A

The risk management committee should report to the audit committee.

22
Q

Correct the following statement:

“The organisation’s risk priorities for the present year form part of the protocols for the risk management framework.”

A

Protocols should read ‘strategy’

23
Q

Define what is meant by a ‘risk register’.

A

A risk register is a document used for recording the risk management process for identified risks.

24
Q

Explain why there is always a danger that the risk register could become a static document.

A
  1. A static risk register means the risk register becomes out of date (it becomes a photo snapshot of risks at a particular time, rather than a movie).
  2. There is an argument that the register needs to be updated and monitored continuously, so the organisation can record the latest true status of risks in the business.
25
Q

Explain the main differences between a ‘risk policy’ and a ‘risk manual’.

A
  • The risk management strategy for the organisation will be set out in the risk management policy statement (part of the risk management strategy).
  • The risk management policy includes an introduction, objectives and link to the risk management.
  • The risk management manual will set out responsibilities for risk, as well as the arrangements for implementing the policy (part of the risk management protocols).
26
Q

Describe four benefits of developing a risk register for your new business.

A
  1. It facilitates risk ownership.
  2. It provides the means of quickly presenting in a standard format the most significant risks to those people who need to know.
  3. It provides a universally agreed set of risks along with their severity.
  4. It records the actions taken (or in some cases alerts on inactions) to deal with the risk along with a range of possible further actions.
27
Q

Which of the following would you expect to see in the context of risk strategy in the risk architecture, strategy, and protocols framework (RASP):

  1. The risk and audit team report to the board quarterly.
  2. The tolerance level of risk is clearly defined.
  3. Ownership of risk is delegated to business units.
  4. The organisation has a defined risk appetite.
A

2 & 4

28
Q

List five components of an organisation’s external context.

A
Typically the organisation’s:
• Industry
• Products
• Markets
• Logistics
• Supply chain
• Competitors
• Countries of operation
29
Q

List five components of an organisation’s internal context.

A
Typically the organisation’s internal workings:
• Divisions
• Departments
• Structures
• Cultures
• Leadership
• Strengths and weaknesses
30
Q

Identify one reason why the risk management framework and process should be dynamic.

A

• Define ‘dynamic’
- iterative, and the organisation keeps up to date with changes to its risk management, internal, and external context.

  • Because the internal and external context are constantly changing.
  • So risk management activities (RASP and the process) should be flexible and dynamic enough to change as the context changes and thus remain relevant.
31
Q

Name three alternative Risk Management Standards

A
  • COBIT
  • CoCo Framework (1995) - Canadian Criteria of Control
  • The Orange Book (HM Treasury 2004)
  • Basel III (Banking)
  • Solvency II (Insurance)
33
Q

The Orange Book (HM Treasury, 2004) Risk Management Standard

A
  • UK Government Sector
  • Sector-specific risk management standard
  • Had generic value in its own right

The Orange Book’s risk management model and process diagram:

  1. The management of risk is not a linear process.
  2. Specific risks cannot be addressed in isolation from each other.
  3. The whole model has to function in an environment in which risk appetite has been defined.
  4. Core risk management processes blend together; they are not isolated, but take place in a context.
  5. Certain key inputs have to be given to the overall process in order to generate the outputs which will be derived from risk management.
34
Q

COBIT (Control Objectives for Information and Related Technology)

A

• Specialist standard in the IT sector
• Provides guidance on technology risk management
• Provides good practice across a domain - process framework
• Focus on control, less on execution
• Helps to:
- optimise IT-enabled investments
- ensure service delivery
- provide a measure against which to judge when things go wrong.

35
Q

Name the three different focus elements of risk management standards

A
  1. Meeting or exceeding organisation’s objectives
  2. Adhering to control-based objectives, rules and/or controls.
  3. Complying with regulatory requirements
36
Q

Define what the overall approach of Governance, Risk, and Compliance is based on.

A

The separation of functions.