Module 1 - Unit 3 - ERM Principles Of Risk And Risk Management Flashcards
What are the three elements of context under ISO31000?
Risk management context
Internal context
External context
What is the risk management context?
The risk architecture, strategy and protocols or risk management framework within the organisation.
What are the two functions of the risk management context/risk framework?
Provide support for the risk management process within the organisation
Ensure that the outputs from the risk management process are communicated to internal and external stakeholders
What elements make up the internal context?
The organisation's divisions, departments, structures, systems, processes and accountability, culture, leadership strengths and weaknesses
Internal stakeholders - staff, managers, and the board
Its approach to corporate governance, its resources, competencies and capabilities, its culture, and the way it conducts itself
Factors that influence how the organisation will try to set and achieve its objectives
What elements make up the external context?
The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment whether international, national, regional or local.
The industry, products, markets, competitors, suppliers, customers, logistics and the regions and countries of operation
Key drivers and trends impacting on the objectives of the organisation
Relationships with and the perceptions and values of external stakeholders
What are the elements of a risk-aware culture (LILAC)?
Leadership
Involvement
Learning
Accountability
Communication
What are the elements of SMART?
Specific
Measurable
Achievable
Realistic and resourced
Time limited
What barriers exist to implementation of risk management?
Lack of understanding with a belief that it will suppress entrepreneurship.
Lack of support from senior management
Seen as just another initiative
Benefits not perceived as being significant
Not seen as core part of business activity and too time consuming
Approach too complicated and over analytical
Responsibilities unclear and need for external consultants unclear
Risks separated from where they arose and should be managed
Risk management seen as a static activity not appropriate for a dynamic organisation
Risk management too expansive and seeking to take over all aspects of the company
What are the features of an enterprise wide approach to risk management?
Encompasses all areas of organisational exposure to risk
Prioritises and manages those exposures as an interrelated risk portfolio
Evaluates the risk portfolio in the context of all significant internal and external contexts, systems, circumstances, and stakeholders
Recognises that individual risks across the organisation are interrelated and can create a combined exposure that differs from the sum of the individual risks
Provides a structured process for the management of all risks
Seeks to embed risk management as a component in all critical decisions throughout the organisation
Provides a means for the organisation to identify risks that it is willing to take in order to achieve strategic goals
Constructs a means of communicating risk issues, so that there is a common understanding of the risks faced by the organisation and their importance
Supports the activities of internal audit by providing a structure for the provision of assurance to the board and audit committee
Views the effective management of risk as a competitive advantage that contributes to the achievement of business and strategic objectives.
How can an organisation assess the benefits of a fully implemented and effective ERM framework? AKA What are the outputs from ERM?
Mandatory obligations fulfilled
Assurance obtained
Decision making enhanced
Effective and efficient core processes
MADE2
NB an organisation can also assess the benefits of a fully implemented and effective ERM framework by way of a process called FIRM.
What are the benefits of ERM?
Achievement of goals under the FIRM scorecard.
What are the COSO (2017) components?
Governance and culture
Strategy and objective setting
Performance
Review and revision
Information, communication, and reporting
What factors can impact the implementation of a fully functioning ERM programme?
· The start position - what is already in place that the enterprise can build on?
· The commitment from the “top” – the greater the commitment and involvement of the “C” suite, the more quickly the programme will be implemented and embedded.
· The size and complexity of the enterprise.
· The extent to which the enterprise is a global actor
· The resources available to support implementation
Why is setting business objectives difficult and potentially a source of risk?
First, even if the organisation can agree on its strategic mission, it can be much harder to choose a range of suitable objectives that support the mission. When setting objectives, organisations have to balance the conflicting expectations of a range of stakeholders, and this might be very hard to do. The result can be a range of compromises or potentially conflicting objectives.
Second, the organisation’s strategies and objectives need to be continuously questioned because the internal and external context of an organisation is constantly changing. So what is a sensible mission today could become obsolete tomorrow.
Third, if there is an inappropriate strategic mission, or if the mission is not clear and understood at all levels of your organisation, and if that mission is not effectively cascaded down through the organisation in supportive tactical and operational objectives then, with the best of will, people are likely to interpret the mission in different ways and the result is likely to be anarchy and disorganisation.
Fourth, an organisation might issue a range of objectives to its staff, but if these objectives are not fully accepted by those people charged to deliver them, then you can already see risks arising even in the objective-setting process – the formal objectives might be at variance with the informal objectives.
Fifth, an organisation can reduce its risk exposures, at least in the short term, if it sets easy-to-achieve objectives, but is likely to increase its exposures if it sets its objectives as being over-ambitious.