Module 1 Unit 2 Strategic Planning for ERM Flashcards
Learning objectives: determine the most appropriate principles, framework (FW) and process for an organisation; formulate an appropriate risk management approach for an organisation by considering risk principles, frameworks and processes.
What is the main principle of risk management (RM)?
Risk management delivers value to an organisation by applying practices that achieve the best possible outcome while reducing volatility or uncertainty.
Which of the PRINCIPLES of the COSO "rainbow double helix" (COSO ERM 2017) are clearly part of the simple risk management PROCESS?
Those that correspond to the four steps of the simple process:
Define context and objectives
Assess risks
Manage risks
Monitor, review and report
NOTE: this four-step process is the SATARLA (2022) version.
How many COMPONENTS (parts) does the COSO ERM Framework (2017) have?
Five:
Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information, communication and reporting
How many PRINCIPLES does the COSO ERM Framework have?
20, spread across the five components. Eleven of the twenty map directly onto the four steps of the simple risk management process; the remaining nine (1-5, 7, 14, 17 and 18) sit alongside it. The mapping is:
(1) Define context and objectives = (6) Analyses business context + (8) Evaluates alternative strategies + (9) Formulates business objectives
(2) Assess risks = (10) Identifies risk + (11) Assesses severity of risk + (12) Prioritises risks
(3) Manage risks = (13) Implements risk responses
(4) Monitor, review and report = (15) Assesses substantial change + (16) Reviews risk and performance + (19) Communicates risk information + (20) Reports on risk, culture and performance
What is the meaning of RASP and when do you use it?
Risk Architecture, Risk Strategy and Risk Protocols = RASP (also written RaSP).
Together these make up the risk management framework, i.e. the risk context that drives the risk management process.
What is a centralised organisation?
One with a large centre that houses many functional divisions and holds the key decisions centrally.
What is a decentralised organisation?
One with a small centre that retains only oversight and direction, with functions delegated to the operating units.
What is a hybrid organisation?
One where certain functions, such as HR, are delegated to operating subsidiaries, but financial management is held at the centre.
What three things should you do to implement ERM?
Appoint a Chief Risk Officer (CRO)
Use the PACED principles (Proportionate, Aligned, Comprehensive, Embedded, Dynamic) as part of the ERM framework to get the maximum benefit
Assess the benefits using the FIRM risk scorecard (Financial, Infrastructure, Reputational, Marketplace) and MADE2 (Mandatory, Assurance, Decision-making, Effective and Efficient core processes)
What is the four-step process for implementing ERM (acronym)?
Planning, Implementing, Measuring and Learning (PIML).
How many COSO principles are there?
COSO has 20 principles
Governance and culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
Strategy and objective-setting
6. Analyses Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
Review and revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management
Information, communication and reporting
18. Leverages Information Systems
19. Communicates Risk
20. Reports on Risk, Culture, and Performance
Orange Book principles
A) Governance and Leadership
B) Integration
C) Collaboration and Best Information
D) Risk Management Processes
E) Continual Improvement.
What is AGENCY theory?
The concept used to explain the relationship between principals (such as shareholders or owners) and the agents (such as directors and managers) who act on their behalf, and why their interests may diverge.
What are the components of a risk management standard?
A risk management standard is made up of a risk management framework and a risk management process.
What is a risk framework?
Also known as the risk management context. It comprises the risk architecture, risk strategy and risk protocols (RaSP); together these form the risk context that drives the risk management process.
What is the IRM risk management process? NB: NOT the IRM (2002) standard.
Identify the risks
Evaluate and prioritise the significant risks (and opportunities)
Manage the significant risks
What are the three main risk management standards?
The IRM (2002) model
The COSO ERM Cube (2004)
ISO 31000 (2018)
The 8Rs and 4Ts do not form part of any wider present-day risk management standard, but may still be a suitable framework.
What are the three elements relating to risk context?
RaSP (risk architecture, strategy and protocols)
Internal context: divisions, departments, structures, culture, leadership, strengths and weaknesses
External context: industry, products, markets, logistics, supply chain, competitors, countries of operation
How many elements form the risk process of the COSO ERM Cube?
Eight:
Internal environment - encompasses the tone of an organisation and sets the basis for how risk is viewed and addressed
Objective setting - objectives must exist before management can identify potential events affecting their achievement
Event identification - internal and external events affecting achievement of objectives must be identified, distinguishing between risks and opportunities
Risk assessment - risks are analysed, considering likelihood and impact, as a basis for deciding how they should be managed
Risk response - management selects responses that avoid, accept, reduce or share the risk
Control activities - policies and procedures that ensure risk responses are carried out effectively
Information and communication - relevant information is identified, captured and communicated so that people can fulfil their responsibilities
Monitoring - the entirety of ERM is monitored and modified as necessary
What are the four categories of organisational objective in the COSO ERM Cube?
Strategic - high-level goals, aligned with and supporting the organisation's mission
Operations - effective and efficient use of resources
Reporting - reliability of reporting
Compliance - compliance with applicable laws and regulations
What are the four organisational levels on the side of the COSO ERM Cube?
Entity level
Division
Business unit
Subsidiary
What are the elements of the ISO 31000 (2018) risk management process?
Scope, context and criteria
Risk assessment (risk identification, risk analysis, risk evaluation)
Risk treatment
These core steps are flanked by communication and consultation on one side and monitoring and review on the other, and are underpinned by recording and reporting.
What are the elements of the IRM (2002) risk management process?
The organisation's strategic objectives
Risk assessment, made up of risk analysis (risk identification, risk description, risk estimation) and risk evaluation
Risk reporting (threats and opportunities)
Decision
Risk treatment
Residual risk reporting
Monitoring
Define the elements of RaSP.
Risk architecture - answers the question of who does what in relation to risk management (roles, responsibilities, committees and reporting lines).
Risk strategy - the agreed overriding purpose and aims of risk management in the organisation.
Risk protocols - the set of tools, procedures and instructions that the organisation has for managing risk. This includes publication of the risk policy document and the setting of risk appetite.
What are the Orange Book's five principles of risk management?
Governance and leadership
Integration
Collaboration and best information
Risk management process
Continual improvement