Module 1 - Unit 3 (Enterprise Risk Management) Flashcards

1
Q

Identify two features of an ‘enterprise wide’ approach to risk management that set it apart from a ‘traditional’ approach to risk management.

A

• Traditional Risk Management approach:

  1. Focus on risk identification and analysis.
  2. Risks treated as individual hazards.
  3. Risks managed separately within individual areas (silos).
  4. Focus on risk mitigation.
  5. Risks with no owners.
  6. Risk is insurance.
  7. Risk is not my responsibility.

• Aspects of an ERM approach:

  1. Risk considered in the context of the business strategy.
  2. Development of a risk portfolio that recognises the interconnectedness of risks.
  3. Focus on critical risks.
  4. Risk is entity-wide.
  5. Identifying and defining risk responsibilities.
  6. Monitoring and measuring risks.
  7. Risk is embedded into everyone’s responsibility.
  8. Takes an integrated or holistic approach.
  9. Is concerned with the management of risks that can impact the objectives, key dependencies, core processes, or stakeholder expectations of the organisation.
2
Q

Enterprise Risk Management (ERM) is considered to have significant advantages over traditional risk management approaches because ERM

A. Ensures that an organisation’s objectives will be achieved.
B. Takes an integrated or holistic approach.
C. Addresses strategic, tactical, and operational risk management.

A

B. Takes an integrated or holistic approach.

3
Q

According to RIMS, define ‘Enterprise Risk Management’.

A
  • ERM is a strategic business discipline
  • that supports the achievement of an organisation’s objectives
  • by addressing the full spectrum of its risks
  • and managing the combined impact of those risks as an interrelated risk portfolio.
4
Q

COSO has recognised that there needs to be a stronger link between strategy, risk, and performance, therefore an updated ERM framework was published in 2017.

State three reasons for the updated ERM framework.

A
  1. More clearly connect ERM with stakeholder expectations.
  2. Position risk in the context of an organisation’s performance.
  3. Enable organisations to better anticipate risk.
  4. Provide an understanding that change creates opportunities.
  5. Elevate the discussion of strategy, enhance the alignment between performance and ERM, and more explicitly link ERM to decision-making.
5
Q

Explain why the COSO ERM framework puts so much emphasis on embedding risk management from the top of the organisation.

A
  • This goes to the heart of ERM: risk management starts at the top of the organisation with the management of entity-wide risks, and the same methodology then spreads down and across the organisation.
  • These entity-wide risks are typically strategic risks which, if they occur, will impact the whole of the organisation.
6
Q

List three driving forces in the development of ERM in your sector or country.

A

Some of the major influences might be:

  1. Laws and regulation.
  2. Cultures in both the country and sector.
  3. Competitor behaviour.
  4. The influences of powerful stakeholders.
7
Q

The risk assessment that is required as part of the risk management process, and the business impact analysis that is the basis of business continuity planning (BCP) are closely related. Explain why this statement is true.

A
  • The output from a business impact analysis is the identification of the critical activities that must be maintained for the organisation to continue to function.
  • Both approaches are based on the identification of the key dependencies and functions that must be in place for the continuity and success of the business.
9
Q

Explain what is meant by ‘establishing the context’ and describe the aspects of the organisation’s risk management context, internal context, and external context.

A
  • Establishing the context defines the internal and external parameters that organisations must consider when they manage risk.
  • ISO 31000 states that the first stage in the risk management process is to establish the context (scope, context, and criteria).

The context has three components:

  • The risk management context
  • The internal context
  • The external context

The aspects of the risk management context are:
  • Risk architecture, strategy, and protocols (RASP), also referred to as the risk management framework
  • The framework provides support for the RM process within the organisation
  • Ensures the outputs from the RM process are communicated to internal and external stakeholders
  • Includes responsibilities and identifies the resources that will be required
  • Establishment of the risk appetite (risk criteria) and of the overall total risk exposure
  • Important to deliver the RM strategy and develop a risk-aware culture (LILAC)
  • Identify emerging risks

Aspects of the internal context are:
  • The culture of the organisation
  • The available resources
  • Objectives and strategy
  • Core processes
  • Decision making
  • Risk management governance
  • Internal stakeholders and their expectations

Aspects of the external context are:
  • Sector
  • The environment within which the organisation exists
  • Industry
  • External stakeholders and their expectations
  • External financial environment
  • Industry regulations and regulators
  • Behaviour of competitors
10
Q

The FIRM Risk Scorecard provides a structure for carrying out detailed evaluation of the context of the organisation.
State which components are evaluating the internal context, and which are evaluating the external context.

A

Internal Context:
• Financial
• Infrastructure

External Context:
• Reputational
• Marketplace

11
Q

Explain five reasons why setting business objectives can be difficult.

A
  1. It is hard to choose a range of suitable business objectives to support the strategic mission
    - organisations have to balance the conflicting expectations of stakeholders
    - the result can be a range of compromises or potentially conflicting objectives
  2. The organisation’s strategies and objectives need to be continuously questioned, because the internal and external context of an organisation is constantly changing
  3. If the strategic mission is inappropriate, or is not clear and understood at all levels of the organisation, people are likely to interpret the mission in different ways
  4. The formal objectives might be at variance with the informal objectives
    - an organisation might issue a range of objectives to its staff, but if these objectives are not fully accepted by the people charged with delivering them, then risks are already arising in the objective-setting process itself
  5. An organisation is likely to increase its risk exposure if the objectives it sets are over-ambitious
12
Q

Explain how objectives can be set at different levels within the organisation.

A

A. Organisations must set the overall, organisation-wide strategic objectives.
• all objectives should support, and be aligned with, the strategic mission and purpose of the business

B. Organisations must then agree compatible tactical objectives
• at the level of departments, divisions, or business units
• these focus on the implementation of strategy and typically cover timescales of around 1-3 years

C. The tactical objectives are further delegated into operational objectives
• for teams and even individual personnel
• covering a much shorter period of time, typically ranging from days to months

13
Q

Draw a diagram to represent the three levels of objective setting.

A

See study guide Figure 3.2 ‘The three levels of objective setting’.

(3.4)

14
Q

List two major objectives of internal control

A
  1. Safeguard and protect the assets of the organisation
  2. Ensure the keeping of accurate records
  3. Ensure compliance with laws and regulations
  4. Safeguard the interests of shareholders/stakeholders
15
Q

Describe four barriers that can occur when an organisation seeks to implement enterprise risk management (ERM).

State one action to overcome each barrier that you have identified.

A
  1. Lack of understanding of risk management and belief that it will suppress entrepreneurship
    • Establish a shared understanding, common expectations and consistent language across an organisation.
  2. Lack of support or commitment from senior management
    • Identify a sponsor on the main board of the organisation and confirm shared and common priorities.
  3. Seen as just another initiative so relevance and importance not accepted.
    • Agree a strategy that sets out the anticipated outcomes and confirms the benchmarks for anticipated benefits.
  4. Benefits not perceived as being significant.
    • Complete a realistic analysis of what can be achieved and the impact on the mission of the organisation.
  5. Not seen as a core part of business activity and too time-consuming.
    • Align effort with core processes and achievement of the mission of the organisation
  6. Approach too complicated and over-analytical
    • Establish an appropriate level of sophistication for the risk management framework and for undertaking risk assessments.
  7. Responsibilities unclear and the need for external consultants unclear
    • Establish an agreed risk architecture with clear roles and accepted risk responsibilities.
  8. Risks separated from where they arise and should be managed
    • Include risk management in job descriptions to ensure risks are managed within the context that gives rise to them.
  9. Risk management seen as a static activity and not appropriate for a dynamic organisation.
    • Align risk management efforts with the mission of the organisation and with the business decision-making activities.
  10. Risk management too expansive and seeking to take over all aspects of the company.
    • Be realistic: do not claim that all of the business activities within the organisation are risk management by another name.
16
Q

List three actions that would help to avoid a repeat of the global financial crisis.

A
  1. There should be a common process, terminology, and practices for managing risks of all kinds.
  2. It is essential that risk tolerances be fully understood, communicated, and monitored across the enterprise.
  3. Risk management practices should be incorporated into all key business processes and decisions.
  4. Management should make risk-related decisions using dedicated, high-quality risk information.