Module 12 - Optimizing Risk Communication, Reporting and Monitoring to Improve Decision Making Flashcards

1
Q

Outline challenges related to data and information in entities and how having an enterprise risk taxonomy helps to address these challenges.

A

“Data” is the collection of raw facts that can be analyzed, used or referenced. Advances in technology and business have resulted in exponential growth in volume of data and heightened attention on data. These dynamics and interrelationships have created several challenges for entities working with data:

(a) Storage: An enormous quantity of data and the wide variety of data types and sources must be stored, and at high speed.

(b) Transformation of data into information: Once data is processed, organized and structured into information about a particular fact or circumstance, such as stakeholders, products, markets and competitor actions, it becomes a source for knowledge.

(c) Information overload: With so much data available (often in real time and to more people in an entity), it is important to provide the right information, in the right form, at the right level of detail, to the right people, at the right time.

An “enterprise risk management taxonomy” (i.e., system of classification for identifying and categorizing risks that could affect the entity’s strategy and business objectives) provides the basis for supporting risk data and information. When an entity implements a taxonomy structure into its information systems, it is more likely to consistently aggregate risk data and information.

2
Q

Explain the significance of relevant information and quality information to enterprise risk management.

A

Relevant information is information that is needed to make informed business decisions. In the context of enterprise risk management, it is the information that allows the entity to anticipate situations that may impede the achievement of strategy and business objectives and to be more agile in decision making, giving it a competitive advantage.

The process of identifying what information is required to be able to apply enterprise risk management practices is continual and specific to each component of the risk management framework. The process considers what information is available to management (and what is needed) and the cost of obtaining that information.

Quality information is essential for enterprise risk management. If the underlying data is inaccurate or incomplete, management may not be able to make sound judgments, estimates or decisions.

3
Q

Provide examples of information sources that support each of the components of enterprise risk management.

A

(a) The Risk Governance and Culture component:
Information on the standards of conduct and individual performance relative to those standards. For example, professional service firms have specific standards of conduct to help maintain independent relationships with clients. Annual staff training reinforces those standards, and testing of staff knowledge provides management with relevant information on individuals’ comprehension of their desired behaviours as they relate to the entity’s independence.

(b) The Risk Strategy and Objective Setting component: Information on stakeholder expectations of risk appetite. Stakeholders such as investors and customers may express their expectations through analyst calls, blog postings, contract terms and conditions, etc. These provide relevant information on the types and amount of risk an entity may be willing to accept and the strategy it pursues.

(c) The Risk Information, Communicating and Reporting component: Information on competitor actions to assess changing risk. For example, a large residential real estate company may assess the risk of losing market share to smaller boutique firms. To understand the potential impact to its market share, the real estate company can review its competitors’ commission pricing models and online marketing strategies. Information they are looking for is whether the competitors’ commission rates are low and aggressive and how widespread their online presence is.

(d) The Monitoring Enterprise Risk Management Performance component: Information on baseline performance in terms of enterprise risk management trends. This type of information can be collected by attending enterprise risk management conferences and monitoring industry-specific blogs.

4
Q

Outline characteristics of high-quality information.

A

High-quality information is:

(a) Accessible
(b) Accurate
(c) Appropriate, purposeful and sufficient
(d) Current
(e) Reliable
(f) Has integrity

5
Q

Explain this statement: Data requirements are based on information requirements. Provide an example.

A

When data is processed, organized and structured into information about a particular fact or circumstance, it becomes a source for knowledge (e.g., analysis of comments posted on social media to identify potential risks to the entity’s reputation). Therefore, data requirements are based on information requirements.

For example, a pharmaceutical company’s strategy is to expand its market share by developing a new drug targeted to a specific population. To receive approval for its new product, the entity must provide the regulators with information that meets specific compliance requirements such as conclusions regarding the safety of the drug. These conclusions may be based on various data such as demographics of the testing population, number of side effects, duration of studies and type of application. The entity determines its data requirements based on the need to provide compliance information to an external stakeholder.

6
Q

Describe the components of effective data management within enterprise risk management.

A

(a) The governance of data management: This helps to deliver standardized, high-quality data to end users in a timely, verifiable and secure manner. It also helps to standardize data architecture, authorize standards, assign accountability and maintain quality. Effective data governance aligns policies, standards, procedures, organization and technology and defines clear roles and responsibilities for data owners and risk owners (i.e., those responsible for identifying and managing the risk).

(b) Data management processes and controls: Embedded in the entity’s information system, these reinforce the reliability of data or correct it as needed. For example, entities may use measures to identify instances and patterns of both low- and high-quality data and the relevance of that data in meeting requirements.

(c) Data management architecture: This refers to the fundamental design of the business and technology that supports data management. It is composed of models, policies, rules or standards that dictate which data is collected and how it is stored, arranged, integrated and used in systems and in the entity. These ensure the data can be reliably read, sorted, indexed, retrieved and shared with both internal and external stakeholders, ultimately protecting its long-term value.

7
Q

Provide examples of organizational processes that an entity can use to assess the relevance of data.

A

(a) Data consistency: Measures the consistency between the data used by analytics and modelling.

(b) Data redundancy: Measures whether data is held in separate places.

(c) Data availability: Measures whether data is available at a required level of performance in varying situations.

(d) Data accuracy: Measures whether data is correct and whether it is retained in a consistent and unambiguous form.

(e) Data quality thresholds: Measure the precision of data used for management decisions.

8
Q

Explain how an enterprise risk management taxonomy can support effective enterprise risk management.

A

An enterprise risk management taxonomy is a comprehensive, common and stable set of risk categories used across the entity. Many entities develop risk taxonomies within a particular functional area, such as internal audit, information management or operational risk management. Taxonomies can be based on the size, scale and complexity of the entity with risks organized in subcategories, which makes using the taxonomy more manageable.

Use of a taxonomy helps to aggregate risk data and information consistently in order to understand exposures, identify concentrations of risk and identify risks that could affect the entity’s strategy and business objectives. Taxonomies allow the entity to define specific data attributes, such as risk drivers, risk events or impacts, and serve as the basis for effective and consistent enterprise risk reporting on the entity’s risk profile.

9
Q

Outline factors that an entity will consider when selecting or developing technology that will support its information system and, in turn, support its enterprise risk management process.

A

The decision about what technology to implement to support its information system depends on many factors, including entity goals, marketplace needs, competitive requirements and the associated costs and benefits. Benefits of obtaining and managing information are weighed against the costs of selecting or developing supporting technologies. Factors to consider include:

(a) Scope

(b) Aggregation

(c) Information quality

(d) Consistency and standards

(e) Risk assessment

(f) Reporting

(g) Integration

(h) Cost/benefits

10
Q

Provide examples of the types of changes that can lead to the need to update information system requirements.

A

As entities adapt their strategy and business objectives to respond to changes in the business context in which they operate, they must also review their information systems.

Changes in the entity’s business context that may require such a review include:

(a) Continually evolving regulations may require changes to how individuals or functions (e.g., legal) interact with and rely on subject matter experts.
(b) Shifting customer expectations may require changes to the system to allow for more timely information gathering and more active monitoring of social media.
(c) Innovations in technology may present alternatives to change and improve information systems. For example, risk discussions may occur through videoconferences and real-time collaborative tools that replace in-person meetings, and risk information may be electronically shared with a broader audience using cloud services.

An entity that operates in a highly dynamic environment may experience continual changes such as innovative competitors, shifting customer expectations, evolving regulatory requirements, globalization and technology innovation. In response, management reviews existing information system requirements and adjusts its technology requirements.

11
Q

Describe the types of risk data and information that can be conveyed through an entity’s communication channels.

A

Communication channels can be used to convey:

(a) The importance, relevance and value of enterprise risk management
(b) The characteristics, desired behaviours and core values that define the entity’s culture
(c) The entity’s strategy and business objectives
(d) The risk appetite and acceptable variation in performance
(e) The overarching expectations of management and employees in relation to enterprise risk and performance management
(f) The expectations of the entity on any important matters relating to enterprise risk management, including instances of weaknesses, deterioration or nonadherence.

12
Q

Identify factors that contribute to effective communication regarding risk between the board and management and other stakeholders who participate in decision making.

A

Factors that contribute to effective communication regarding risk between the board and management and other stakeholders who participate in decision making include:

(a) Risk responsibilities are clearly defined and allocated in the risk governance structure (who needs to know what and when they need to act) at the board, management and other levels and whether the structure supports the desired risk dialogue
(b) Board of directors and management have a shared understanding of risk and its relationship to strategy and business objectives
(c) Directors have a deep understanding of the business, value drivers, and strategy and associated risks
(d) Board is open to and continually discusses risk appetite with management
(e) Board uses the entity’s risk appetite as a touchstone in communications, using it to identify those risks that are on or off strategy, to monitor the entity’s risk profile and to track the effectiveness of enterprise risk management programs.

13
Q

Describe common communication approaches used by management to assist the entity’s board of directors in fulfillment of its risk management oversight responsibilities.

A

There is no single correct method for communicating the information the board needs to fulfill its oversight responsibilities. Communication should:

(a) Address risks as determined by the entity’s strategy and business objectives
(b) Capture and align information at a level that is consistent with directors’ risk oversight responsibilities and with the level of information determined necessary by the board
(c) Present the entity’s risk profile as aligned with its risk appetite statement, and link reported risk information to policies for exposure and tolerances
(d) Provide a longitudinal perspective of risk exposures including historical data, explanations of trends and forward-looking trends explained in relation to current positions
(e) Update at a frequency consistent with the pace of risk evolution and severity of risk
(f) Use standardized templates to support consistent presentation and structure of risk information over time.

14
Q

Describe circumstances that may require the use of special communication channels within an entity.

A

Separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters that require heightened attention. For example, many entities provide a means to communicate anonymously to the board of directors or a board delegate—such as a whistle-blower hotline. Many entities also establish escalation protocols and policies to facilitate communication when there are exceptions in standards of conduct or when inappropriate behaviours are occurring.

15
Q

Identify potential users of reports on risk, culture and performance.

A

Reporting supports employees at all levels in understanding the relationships between risk, culture and performance as well as improved decision making in strategy and objective setting, governance and day-to-day operations. Report users may include:

(a) Management and the board of directors responsible for governance and oversight of the entity
(b) “Risk owners” accountable for the effective management of identified risks
(c) Assurance providers seeking insight into performance of the entity and effectiveness of risk responses (e.g., a certified public accounting firm)
(d) External stakeholders (e.g., regulators, rating agencies, community groups)
(e) Other parties requiring reporting of risk in order to fulfill their roles and responsibilities.

16
Q

Identify types of risk reporting and the associated report contents that support effective enterprise risk management.

A

Risk reporting may include:

(a) Portfolio view of risk, which outlines the severity of the risks at the entity level that may impact the achievement of strategy and business objectives and highlights the greatest threats to the entity, interdependencies between specific risks and opportunities. It is typically found in management and board reporting.

(b) Profile view of risk, which is similar to the portfolio view in that it outlines the severity of risks, but it focuses on different levels within the entity.

(c) Analysis of root causes, which enables users to understand assumptions and changes underpinning the portfolio and profile views of risk.

(d) Sensitivity analysis, which measures the sensitivity of changes in key assumptions embedded in strategy and the potential impact on strategy and business objectives.

(e) Analysis of new, emerging and changing risks, which provides a forward-looking view to anticipate changes in the risk universe, effects on resource requirements and allocation, and the anticipated performance of the entity.

(f) Key performance indicators and measures, which outline the acceptable variation in performance of the entity and potential risk to a strategy or business objective.

(g) Trend analysis, which demonstrates movements and changes in the portfolio view of risk, risk profile and performance of the entity.

(h) Disclosure of incidents, breaches and losses, which provides insight into the effectiveness of risk responses.

(i) Tracking reports of enterprise risk management plans and initiatives, which provide a summary of the plan and initiatives in establishing or maintaining enterprise risk management practices. Investment in resources and the urgency with which initiatives are completed may also reflect the commitment to enterprise risk management and culture by organizational leaders in responding to risks.

17
Q

Identify the types of reporting that may assist in measuring an entity’s risk culture.

A

An entity’s culture is grounded in behaviour and attitudes, and measuring it is often a very complex task. Reporting on culture may be embodied in:

(a) Analytics of cultural trends
(b) Benchmarking to other entities or standards
(c) Compensation plans and the potential influence on decision making
(d) “Lessons learned” analyses
(e) Reviews of behavioural trends
(f) Surveys of risk attitudes and risk awareness.

18
Q

Explain the role of key risk indicators in the risk-reporting process. Provide an example.

A

“Key risk indicators” are used to predict a risk manifesting. They are usually quantitative but can be qualitative. For example, an entity wants to retain competent individuals and has targeted its turnover rate (i.e., performance indicator) at less than 5% per year. A key risk indicator would be the percentage of people eligible to retire that year. Anything higher than 5% indicates that risk to the performance target is potentially manifesting.

Key risk indicators are reported to the levels of the entity that are in the best position to manage the onset of a risk where necessary, along with corresponding performance targets and acceptable variations. Where an entity lies on the risk culture spectrum, whether risk averse or risk aggressive, helps determine the key risk indicators and key performance indicators that are tracked as well as the acceptable variation in performance.

Key risk indicators and key performance indicators can be reflected in a single measure. For example, in a manufacturing company, production volumes above the target can be seen as potential risks to quality, and production volumes below the target can suggest potential risk around the infrastructure that supports the process.

19
Q

Describe factors that influence the frequency and quality of information required in risk reporting.

A

The frequency of reporting should be commensurate with the severity and priority of the risk. Reporting should enable management or other decision makers to determine the types and amount of risk assumed, its ongoing appropriateness and the effectiveness of existing risk responses. Information reported must be accurate, clear and complete. For example, changes in stock prices, or competitor pricing in the hospitality or airline industries, may be reported daily, commensurate with the potential changes in risk. In contrast, reporting the risks emanating from an entity’s progress toward long-term strategic projects and initiatives may be monthly or quarterly.

Management works with report users to identify what information is required, how often they need the reports and preferences as to how reports are presented.

20
Q

Describe how substantial change can impact risks experienced by an entity and how the entity can respond to that change.

A

Substantial change may lead to new or changed risks that need to be considered for impact on business context, culture and strategy. For example, substantial changes such as acquiring an entity or implementing a new system could potentially change the entity’s portfolio view of risk or impact how enterprise risk management functions. In the case of an acquisition, integrating the acquired company’s operations could impact the existing culture and risk ownership. Implementing a new system could present new exposures related to information security, which could influence how data is captured and managed.

Internal and external environmental changes can affect the business context, enterprise risk management and the achievement of strategy and business objectives. This requires identifying changes related to the business context as well as changes in culture. Monitoring should be built into business processes and performed continually.

Identifying substantial changes, evaluating their impact and responding to the changes are iterative processes that can affect several components of enterprise risk management. It is useful to conduct a “postmortem” after a risk event to review how well the entity responded and to consider the lessons learned that could be applied to future events.

21
Q

Provide examples of substantial changes in the internal environment that could affect enterprise risk management.

A

Examples of substantial change in the internal environment are:

(a) Rapid growth

(b) New technology

(c) Substantial changes in leadership and employees.

22
Q

Provide examples of substantial changes in the external environment that could affect enterprise risk management.

A

Substantial changes in the external environment include changing regulatory or economic environment. This can result in increased competitive pressures, changes in operating requirements, and different risks. If a large-scale failure in operations, reporting and compliance occurs in one entity, regulators may introduce broad regulations that affect all entities within an industry. For instance, if toxic material is released in a populated or environmentally sensitive area, new industrywide transportation restrictions may be introduced that affect an entity’s shipping logistics. If a publicly traded company is seen to have poor transparency, enhanced regulatory reporting requirements may be introduced for all publicly traded companies. The revelation of patients being treated poorly in a care facility may prompt additional care requirements for all care facilities. A more competitive environment may drive individuals to make decisions that are not aligned with the entity’s risk appetite and increase the risk exposures to the entity. These changes may require an entity to closely examine the design and application of its enterprise risk management.

23
Q

Provide examples of substantial changes in an entity’s culture that could have an impact on its risk management process.

A

Examples of substantial changes in the culture are:

(a) Mergers and acquisitions can result in changes to the culture that may affect enterprise risk management. New leadership may have a different attitude and philosophy about enterprise risk management. Additionally, an acquisition could alter an entity’s mission and vision and affect decision making.
(b) Restructuring can change a company’s culture, affecting enterprise risk management. For example, a claims administration provider currently operates in a decentralized manner with multiple divisions in other locations. Management decides to centralize operations and relocate all the divisions to one location. As a result, some employees must relocate, and some jobs are eliminated to avoid duplication. Management’s decision will affect the overall culture through instability, which may affect overall employee productivity and job satisfaction. In response, management should reevaluate its strategy and business objectives during the planning for restructuring.

24
Q

Identify sources of continual improvement in enterprise risk management. Provide examples of how those sources effect improvements in enterprise risk management.

A

New technology—May offer opportunity to improve efficiency.

Historical shortcomings—Monitoring can identify these and causes of past failures to improve enterprise risk management.

Organizational change—Pursuing continual improvement can identify the need for organizational changes, such as a change in the governance model.

Risk appetite—Monitoring provides clarity on factors that affect risk appetite, giving management an opportunity to refine its risk appetite.

Risk taxonomy—Continual monitoring of changes and pursuit of improvements can identify patterns as the business changes, which can lead to revisions in an entity’s risk taxonomy.

Communications—Monitoring can identify outdated or poorly functioning communication processes.

Peer comparison—Monitoring industry peers can help determine if an entity is operating outside of industry performance boundaries.

Rate of change in internal and external environments—The rate of change in the environment can trigger need/opportunities to improve enterprise risk management.

25
Q

Explain the role of baseline information in enterprise risk management.

A

Understanding the current and desired future state of enterprise risk management provides useful baseline information for improving its efficiency and usefulness. When assessing opportunities to improve, it is necessary to understand how management has designed and implemented enterprise risk management within each of the five components. It is also important to understand the entity’s desired future state within each of the five components so potential improvements for efficiency and usefulness can be identified and continual improvement can occur.

Enterprise risk management varies among entities. Consequently, opportunities must be tailored to accommodate each entity. If an entity does not have a baseline understanding of enterprise risk management, it may need to increase monitoring. When change occurs within any of the five components, the baseline may need to be evaluated or updated to better assess future opportunities.

26
Q

Explain how risk profiles can be used to monitor performance.

A

Management can analyze the risk profile to determine whether the current level of performance risk is greater, less or as expected compared with the risk assessment results. Representations can be used to determine:

(a) Has the entity performed as expected and achieved its target?
(b) What risks are occurring that may be impacting performance?
(c) Was the entity taking enough risk to obtain its target?
(d) Was the estimate of risk accurate?

Management considers whether a change in performance has created new factors that influence the shape of the curve. Based on this analysis, management can take corrective action.