Module 10: Monitoring and communication Flashcards
Key information in the documentation as part of the risk management process (5)
- risks and their assessment and risk responses in a risk register
- risk management decisions made and the reasons for those decisions
- systems
- financial models, including the assumptions and data employed
- risk management failures, including the nature of the failure and the losses incurred
General considerations in communication as part of the risk management process (3)
- clarity and relevance
- timeliness vs volume and detail
- reliability
Communication can be (2)
- formal or informal
- external or internal
Risk metrics
Measures / indicators of where a company is operating relative to its risk appetite and limits.
Metrics:
- can be quantitative or qualitative
- should be designed to indicate a change in risk profile
- provide an early warning of a likely breach of a risk limit so that pre-emptive actions can be taken.
Key Risk Indicators (KRIs)
Where risk metrics form a key part of an organisation’s risk management framework, they are typically referred to as Key Risk Indicators (KRIs).
A good KRI is one that is useful in (strategic) decision making.
8 Desirable properties of risk reports
Risk reports should:
- be clear, relevant, timely and reliable
- be a role-based summary with the ability to drill down to more detail
- link clearly to decisions that the organisation needs to make
- provide a single point of access to data collected from different sources
- consist of a mixture of qualitative and quantitative data (eg KRIs)
- contain tabular or graphical formats to aid understanding
- use a traffic light system to highlight priority areas
- provide an opportunity for users to provide comment / analysis.
Outline 4 key processes and systems that should be properly documented
Processes and systems which should be properly documented include:
- risk management decisions made and the reasons for those decisions
- systems (eg systems specification and user-acceptance testing of IT systems)
- financial models, including the assumptions and data employed in the model.
- risk management failures, including the nature of failure and losses incurred.
List the desirable features of information used for monitoring and/or reporting purposes
Information needs to be:
- delivered to the users in a timely manner
- reliable (ie free from error)
There is also a trade-off between collecting too much information, so that it cannot be usefully digested, and too little, so that it is uninformative.
Describe 5 types of communication
Communication can be:
- INTERNAL (management information): information about what is happening inside the business, eg cashflow position, sales, inventory levels
- EXTERNAL (inwards): collecting relevant information about what is happening outside the company, eg competitors' sales
- EXTERNAL (outwards): distributing information about the company to interested parties, eg media, shareholders and regulators
- INFORMAL: by word-of-mouth (or the technological equivalents, such as social media)
- FORMAL: through a corporate intranet, management information systems, reports and/or corporate newsletters
Describe a tool that is essential to avoiding problems such as duplications or omissions in internal risk communications
Having a consistent “risk language” (taxonomy) is key to avoiding problems such as duplication or omission of risks.
This common risk language should serve to increase the speed with which ERM becomes embedded in an organisation, and is particularly important for multi-national companies, where the use of different terminology in different domains can confound the ERM process.
Outline how managers might use a KRI
Managers may use Key Risk Indicators (KRIs) to identify when risk limits are close to being exceeded (or actually have been exceeded).
They prompt actions designed to keep the organisation within its risk tolerances.
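The early-warning idea on the risk metrics card (a metric that flags a likely breach of a risk limit before it happens, so that pre-emptive action can be taken), the traffic-light presentation on the risk reports card and the way managers use KRIs described above can be made concrete with a small monitor. The following is an added example written for this page, not code from the original flashcards or from any ERM product. The KRI names, limits, owners and observation histories are constructed sample data; the choice of a least-squares trend over the last four observations and a three-period warning horizon are illustrative assumptions.

```python
"""KRI early-warning monitor (added example; all data below is constructed).

Each KRI carries a risk limit, an accountable owner and a history of
observations tracked over time. The monitor assigns a traffic light:
  RED   - the latest observation has breached the limit
  AMBER - not yet breached, but the recent trend projects a breach within
          the warning horizon (the early warning that prompts action)
  GREEN - neither
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class KRI:
    name: str
    limit: float                 # the risk limit for this indicator
    owner: str                   # accountable individual
    higher_is_worse: bool = True  # False for indicators such as a coverage ratio
    history: list[float] = field(default_factory=list)  # oldest first


def slope(values: list[float]) -> float:
    """Least-squares slope per period over the given observations."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def periods_to_breach(kri: KRI, window: int = 4) -> float | None:
    """Periods until the fitted trend crosses the limit.

    Returns 0 if the limit is already breached and None if the trend is
    flat or moving away from the limit.
    """
    recent = kri.history[-window:]
    if not recent:
        return None
    latest = recent[-1]
    sign = 1 if kri.higher_is_worse else -1
    headroom = sign * (kri.limit - latest)   # <= 0 means breached
    if headroom <= 0:
        return 0
    drift = sign * slope(recent)             # > 0 means moving toward the limit
    if drift <= 0:
        return None
    return headroom / drift


def traffic_light(kri: KRI, horizon: float = 3, window: int = 4) -> str:
    """RED on breach, AMBER if a breach is projected within `horizon` periods."""
    p = periods_to_breach(kri, window)
    if p is None:
        return "GREEN"
    if p == 0:
        return "RED"
    return "AMBER" if p <= horizon else "GREEN"


def report(kris: list[KRI], horizon: float = 3) -> list[dict]:
    """One summary row per KRI, RED first, suitable for a board-level summary."""
    order = {"RED": 0, "AMBER": 1, "GREEN": 2}
    rows = [
        {
            "kri": k.name,
            "owner": k.owner,
            "latest": k.history[-1],
            "limit": k.limit,
            "status": traffic_light(k, horizon),
            "periods_to_breach": periods_to_breach(k),
        }
        for k in kris
    ]
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed sample KRIs (assumed names, limits and histories).
SAMPLE_KRIS = [
    KRI("Critical vulns unpatched >30 days", limit=20, owner="Head of IT Ops",
        history=[8, 10, 13, 15]),                 # rising 2.4/period, ~2 periods of headroom
    KRI("Phishing simulation click rate (%)", limit=5.0, owner="CISO",
        history=[3.0, 2.8, 2.9, 2.7]),            # drifting away from the limit
    KRI("Privileged accounts without MFA", limit=0, owner="IAM lead",
        history=[4, 2, 1, 1]),                    # limit is zero, so any account breaches it
    KRI("Liquidity coverage ratio (%)", limit=100, owner="Treasurer",
        higher_is_worse=False, history=[140, 130, 118, 108]),  # falling toward a floor
]

if __name__ == "__main__":
    for row in report(SAMPLE_KRIS):
        print(f"{row['status']:<6} {row['kri']:<40} latest={row['latest']:<6} "
              f"limit={row['limit']:<6} owner={row['owner']}")
```

The distinction the code makes is the one the flashcards draw: RED is a breach of the limit (the fact a manager must react to), while AMBER is a metric still inside the limit whose trend says it will not stay there, which is the early warning that allows pre-emptive action. Sorting the report RED first and carrying the owner on each row gives the role-based summary with an accountable individual that later cards ask for.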
Describe the factors an organisation should consider when deciding what KRIs should be used
In order to decide what KRIs should be used, an organisation will consider:
- its policies and regulations (eg regulatory limits)
- its strategies and objectives (eg volatility of results)
- past losses and incidents (to help judge what is significant)
- stakeholder requirements (eg variables monitored by credit rating agencies)
- its risk assessments (some areas may require closer scrutiny than others)
List desirable features of a KRI
A good KRI should be:
- quantifiable
- based on consistent methodologies and standards
- built from the key risk drivers (exposure, probability, severity and correlation)
- tracked over time
- tied to objectives
- linked to an accountable individual
- useful in decision making
- able to be benchmarked externally
- timely
- cost effective to measure
- simple (not simplistic)
State what is meant by a feedback loop, and outline the key purpose in incorporating feedback loops into the ERM framework and associated processes
A feedback loop is a process by which management and other stakeholders are informed of any significant issues or changes in the business and/or the environment.
Information about changes may come from sources that provide information about past events, the present or expectations for the future.
Incorporating feedback loops is one way in which an organisation can ensure that its ERM framework is able to identify and respond appropriately to such changes.
Outline the key components of a risk report to a Board
A risk report to a Board should include:
- both qualitative and quantitative information
- a summary of losses and incidents
- a summary of business risks and the key discussions and decisions required from the Board
- a narrative from management on important data and trends
- key performance indicators (KPIs) against key risk indicators (KRIs) with important deviations and trends highlighted
- important events / milestones - eg a regulatory visit