Module 12 - Optimizing Risk Communication, Reporting and Monitoring to Improve Decision Making Flashcards
Outline challenges related to data and information in entities and how having an enterprise risk taxonomy helps to address these challenges.
“Data” is the collection of raw facts that can be analyzed, used or referenced. Advances in technology and business have resulted in exponential growth in volume of data and heightened attention on data. These dynamics and interrelationships have created several challenges for entities working with data:
(a) Storage: An enormous quantity of data and the wide variety of data types and sources must be stored, and at high speed.
(b) Transformation of data into information: Once data is processed, organized and structured into information about a particular fact or circumstance, such as stakeholders, products, markets and competitor actions, it becomes a source for knowledge.
(c) Information overload: With so much data available (often in real time and to more people in an entity), it is important to provide the right information, in the right form, at the right level of detail, to the right people, at the right time.
An “enterprise risk management taxonomy” (i.e., system of classification for identifying and categorizing risks that could affect the entity’s strategy and business objectives) provides the basis for supporting risk data and information. When an entity implements a taxonomy structure into its information systems, it is more likely to consistently aggregate risk data and information.
Explain the significance of relevant information and quality information to enterprise risk management.
Relevant information is information that is needed to make informed business decisions. In the context of enterprise risk management, it is the information that allows the entity to anticipate situations that may impede the achievement of strategy and business objectives and to be more agile in decision making, giving it a competitive advantage.
The process of identifying what information is required to be able to apply enterprise risk management practices is continual and specific to each component of the risk management framework. The process considers what information is available to management (and what is needed) and the cost of obtaining that information.
Quality information is essential for enterprise risk management. If the underlying data is inaccurate or incomplete, management may not be able to make sound judgments, estimates or decisions.
Provide examples of information sources that support each of the components of enterprise risk management.
(a) The Risk Governance and Culture component:
Information on the standards of conduct and individual performance relative to those standards. For example, professional service firms have specific standards of conduct to help maintain independent relationships with clients. Annual staff training reinforces those standards, and testing of staff knowledge provides management with relevant information on individuals’ comprehension of their desired behaviours as they relate to the entity’s independence.
(b) The Risk Strategy and Objective Setting component: Information on stakeholder expectations of risk appetite. Stakeholders such as investors and customers may express their expectations through analyst calls, blog postings, contract terms and conditions, etc. These provide relevant information on the types and amount of risk an entity may be willing to accept and the strategy it pursues.
(c) The Risk Information, Communicating and Reporting component: Information on competitor actions to assess changing risk. For example, a large residential real estate company may assess the risk of losing market share to smaller boutique firms. To understand the potential impact on its market share, the real estate company can review its competitors' commission pricing models and online marketing strategies. The information it is looking for is whether the competitors' commission rates are low and aggressive and how widespread their online presence is.
(d) The Monitoring Enterprise Risk Management Performance component: Information on baseline performance in terms of enterprise risk management trends. This type of information can be collected by attending enterprise risk management conferences and monitoring industry-specific blogs.
Outline characteristics of high-quality information.
High-quality information is:
(a) Accessible
(b) Accurate
(c) Appropriate, purposeful and sufficient
(d) Current
(e) Reliable
(f) Has integrity
Explain this statement: Data requirements are based on information requirements. Provide an example.
When data is processed, organized and structured into information about a particular fact or circumstance, it becomes a source for knowledge (e.g., analysis of comments posted on social media to identify potential risks to the entity’s reputation). Therefore, data requirements are based on information requirements.
For example, a pharmaceutical company’s strategy is to expand its market share by developing a new drug targeted to a specific population. To receive approval for its new product, the entity must provide the regulators with information that meets specific compliance requirements such as conclusions regarding the safety of the drug. These conclusions may be based on various data such as demographics of the testing population, number of side effects, duration of studies and type of application. The entity determines its data requirements based on the need to provide compliance information to an external stakeholder.
Describe the components of effective data management within enterprise risk management.
(a) The governance of data management: This helps to deliver standardized, high-quality data to end users in a timely, verifiable and secure manner. It also helps to standardize data architecture, authorize standards, assign accountability and maintain quality. Effective data governance aligns policies, standards, procedures, organization and technology and defines clear roles and responsibilities for data owners and risk owners (i.e., those responsible for identifying and managing the risk).
(b) Data management processes and controls: Embedded in the entity’s information system these reinforce the reliability of data or correct it as needed. For example, entities may use measures to identify instances and patterns of both low- and high-quality data and the relevance of that data in meeting requirements.
(c) Data management architecture: This refers to the fundamental design of the business and technology that supports data management. It is composed of models, policies, rules or standards that dictate which data is collected and how it is stored, arranged, integrated and used in systems and in the entity. These ensure the data can be reliably read, sorted, indexed, retrieved and shared with both internal and external stakeholders, ultimately protecting its long-term value.
Provide examples of organizational processes that an entity can use to assess the relevance of data.
(a) Data consistency: Measures the consistency between the data used for analytics and the data used in modelling.
(b) Data redundancy: Measures whether data is held in separate places.
(c) Data availability: Measures whether data is available at a required level of performance in varying situations.
(d) Data accuracy: Measures whether data is correct and whether it is retained in a consistent and unambiguous form.
(e) Data quality thresholds: Measure the precision of data used for management decisions.
Explain how an enterprise risk management taxonomy can support effective enterprise risk management.
An enterprise risk management taxonomy is a comprehensive, common and stable set of risk categories used across the entity. Many entities develop risk taxonomies within a particular functional area, such as internal audit, information management or operational risk management. Taxonomies can be based on the size, scale and complexity of the entity with risks organized in subcategories, which makes using the taxonomy more manageable.
Use of a taxonomy helps to aggregate risk data and information consistently in order to understand exposures, identify concentrations of risk and identify risks that could affect the entity’s strategy and business objectives. Taxonomies allow the entity to define specific data attributes, such as risk drivers, risk events or impacts, and serve as the basis for effective and consistent enterprise risk reporting on the entity’s risk profile.
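The two taxonomy cards above (the one on challenges with data and this one) describe a classification system that lets risk records be validated and rolled up consistently. The following is an added illustration, not material from the module: a small, hypothetical taxonomy held as a data structure, a validation step that rejects records that do not fit it (an unknown category or a score off the agreed scale cannot be aggregated consistently), an aggregation of exposure at subcategory and category level using the same keys, and a concentration check. The category names, the 1 to 5 likelihood and impact scales, the 45% concentration threshold and the sample register are all constructed for the example.

```python
"""Added example (not from the module): an ERM risk taxonomy as a data
structure, used to (1) reject risk records that do not fit the taxonomy,
(2) aggregate exposure consistently up the category hierarchy, and
(3) flag concentrations. Category names, records and scales are constructed."""

from collections import defaultdict
from dataclasses import dataclass

# Hypothetical taxonomy: category -> allowed subcategories.
TAXONOMY = {
    "Strategic": ("Competitor actions", "Market shift"),
    "Operational": ("Process failure", "Third party", "Technology"),
    "Compliance": ("Regulatory change", "Contractual"),
    "Financial": ("Credit", "Liquidity"),
}


@dataclass(frozen=True)
class RiskRecord:
    risk_id: str
    category: str
    subcategory: str
    driver: str      # risk driver: what could cause the event
    event: str       # the risk event itself
    likelihood: int  # constructed 1-5 scale
    impact: int      # constructed 1-5 scale

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def validate(records):
    """Split records into those that fit the taxonomy and those that do not.
    Rejected records are returned with the reason so the owner can fix them."""
    accepted, rejected = [], []
    for r in records:
        subs = TAXONOMY.get(r.category)
        if subs is None:
            rejected.append((r.risk_id, f"unknown category {r.category!r}"))
        elif r.subcategory not in subs:
            rejected.append((r.risk_id, f"unknown subcategory {r.subcategory!r} under {r.category!r}"))
        elif not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            rejected.append((r.risk_id, "score outside 1-5 scale"))
        else:
            accepted.append(r)
    return accepted, rejected


def aggregate(records):
    """Sum exposure at subcategory and category level using the taxonomy keys,
    so every report rolls up the same way regardless of which system supplied the data."""
    by_sub = defaultdict(int)
    by_cat = defaultdict(int)
    for r in records:
        by_sub[(r.category, r.subcategory)] += r.exposure
        by_cat[r.category] += r.exposure
    return dict(by_cat), dict(by_sub)


def concentrations(by_cat, share_threshold=0.45):
    """Return categories carrying more than share_threshold of total exposure."""
    total = sum(by_cat.values())
    if total == 0:
        return []
    return sorted(c for c, e in by_cat.items() if e / total > share_threshold)


# Constructed sample register; R5 and R6 deliberately do not fit the taxonomy.
SAMPLE_REGISTER = [
    RiskRecord("R1", "Strategic", "Competitor actions", "Boutique firms cut commissions", "Loss of market share", 4, 4),
    RiskRecord("R2", "Operational", "Technology", "Unpatched system", "Service outage", 3, 3),
    RiskRecord("R3", "Operational", "Third party", "Vendor insolvency", "Supply disruption", 2, 4),
    RiskRecord("R4", "Compliance", "Regulatory change", "New privacy rule", "Fines", 2, 2),
    RiskRecord("R5", "IT", "Cyber", "Phishing", "Credential theft", 4, 4),        # category not in taxonomy
    RiskRecord("R6", "Financial", "Credit", "Customer default", "Bad debt", 6, 2),  # score off the scale
]


def run(records=SAMPLE_REGISTER):
    """Validate, aggregate and flag concentrations for one register."""
    accepted, rejected = validate(records)
    by_cat, by_sub = aggregate(accepted)
    return {
        "rejected": rejected,
        "by_category": by_cat,
        "by_subcategory": by_sub,
        "concentrations": concentrations(by_cat),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

On the sample register, R5 is rejected because "IT" is not a taxonomy category and R6 because its likelihood is off the scale; the remaining four records roll up to Strategic 16, Operational 17 and Compliance 4, and Operational is flagged as a concentration because it carries more than 45% of total exposure. The point of the validation step is the one the card makes: a record that cannot be placed in the taxonomy cannot be aggregated consistently, so it is surfaced rather than silently dropped or miscounted.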
Outline factors that an entity will consider when selecting or developing technology that will support its information system and, in turn, support its enterprise risk management process.
The decision about what technology to implement to support its information system depends on many factors, including entity goals, marketplace needs, competitive requirements and the associated costs and benefits. Benefits of obtaining and managing information are weighed against the costs of selecting or developing supporting technologies. Factors to consider include:
(a) Scope
(b) Aggregation
(c) Information quality
(d) Consistency and standards
(e) Risk assessment
(f) Reporting
(g) Integration
(h) Cost/benefits
Provide examples of the types of changes that can lead to the need to update information system requirements.
As entities adapt their strategy and business objectives to respond to changes in the business context in which they operate, they must also review their information systems.
Changes in the entity’s business context that may require such a review include:
(a) Continually evolving regulations may require changes to how individuals or functions (e.g., legal) interact with and rely on subject matter experts.
(b) Shifting customer expectations may require changes to the system to allow for more timely information gathering and more active monitoring of social media.
(c) Innovations in technology may present alternatives to change and improve information systems. For example, risk discussions may occur through videoconferences and real-time collaborative tools that replace in-person meetings, and risk information may be electronically shared with a broader audience using cloud services.
An entity that operates in a highly dynamic environment may experience continual changes such as innovative competitors, shifting customer expectations, evolving regulatory requirements, globalization and technology innovation. In response, management reviews existing information system requirements and adjusts its technology requirements.
Describe the types of risk data and information that can be conveyed through an entity’s communication channels.
Communication channels can be used to convey:
(a) The importance, relevance and value of enterprise risk management
(b) The characteristics, desired behaviours and core values that define the entity’s culture
(c) The entity’s strategy and business objectives
(d) The risk appetite and acceptable variation in performance
(e) The overarching expectations of management and employees in relation to enterprise risk and performance management
(f) The expectations of the entity on any important matters relating to enterprise risk management, including instances of weaknesses, deterioration or nonadherence.
Identify factors that contribute to effective communication regarding risk between the board and management and other stakeholders who participate in decision making.
Factors that contribute to effective communication regarding risk between the board and management and other stakeholders who participate in decision making include:
(a) Risk responsibilities are clearly defined and allocated in the risk governance structure (who needs to know what, and when they need to act) at the board, management and other levels, and the structure supports the desired risk dialogue
(b) Board of directors and management have a shared understanding of risk and its relationship to strategy and business objectives
(c) Directors have a deep understanding of the business, value drivers, and strategy and associated risks
(d) Board is open to and continually discusses risk appetite with management
(e) Board uses the entity’s risk appetite as a touchstone in communications, using it to identify those risks that are on or off strategy, to monitor the entity’s risk profile and to track the effectiveness of enterprise risk management programs.
Describe common communication approaches used by management to assist the entity’s board of directors in fulfillment of its risk management oversight responsibilities.
There is no single correct method for communicating the information the board needs to fulfill its oversight responsibilities. Communication should:
(a) Address risks as determined by the entity’s strategy and business objectives
(b) Capture and align information at a level that is consistent with directors’ risk oversight responsibilities and with the level of information determined necessary by the board
(c) Present the entity’s risk profile as aligned with its risk appetite statement, and link reported risk information to policies for exposure and tolerances
(d) Provide a longitudinal perspective of risk exposures including historical data, explanations of trends and forward-looking trends explained in relation to current positions
(e) Update at a frequency consistent with the pace of risk evolution and severity of risk
(f) Use standardized templates to support consistent presentation and structure of risk information over time.
Describe circumstances that may require the use of special communication channels within an entity.
Separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters that require heightened attention. For example, many entities provide a means to communicate anonymously to the board of directors or a board delegate—such as a whistle-blower hotline. Many entities also establish escalation protocols and policies to facilitate communication when there are exceptions in standards of conduct or when inappropriate behaviours are occurring.
Identify potential users of reports on risk, culture and performance.
Reporting supports employees at all levels in understanding the relationships between risk, culture and performance as well as improved decision making in strategy and objective setting, governance and day-to-day operations. Report users may include:
(a) Management and the board of directors responsible for governance and oversight of the entity
(b) “Risk owners” accountable for the effective management of identified risks
(c) Assurance providers seeking insight into performance of the entity and effectiveness of risk responses (e.g., a certified public accounting firm)
(d) External stakeholders (e.g., regulators, rating agencies, community groups)
(e) Other parties requiring reporting of risk in order to fulfill their roles and responsibilities.