Module 2 - Past Paper (November 2018)

Question 1

List four ways in which a risk manager could effectively and efficiently monitor their organisation’s business and risk environment

Answer 1

• Newsfeeds
• The media
• Industry or sector journals
• Reputable websites
• Consulting company research and analysis reports
• Global surveys

(see Study Guide p6-7)

Question 2

Describe how a professional internal audit service should add value to its organisation

Answer 2

The IIA’s Definition of internal auditing helps describe how internal audit adds value:

“Internal auditing is an independant, objective assurance and consulting activity designed to add value and improve an organisation’s operations.

It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process.”

(see Study guide p73, quoted from IIA 2013)

Question 3

Organisation X’s business premises has been destroyed by fire.

According to Hopkin’s risk categorisations, state what type of risk has materialised.

Answer 3

A hazard or pure risk.

(see Hopkin p17)

Question 4

Describe what is meant by the UK Corporate Governance Code’s ‘comply or explain’ requirement.

Answer 4

Ultimately compliance with the Code is not a legal requirement.

However, listed companies are required to publish in their annual report and accounts areas where they are not complying with the Code.

The thinking is that is shareholders do not agree with the explanation in any areas of non-compliance, then they will seek to influence change, or withdraw their investment.

(see Study guide p52)

Question 5

In respect of the positive management of an organisation’s risk culture, complete the following sentence by entering the four missing words: Organisations face numerous risks and build a/an ________ environment that senior managers believe will manage the effects of risks at a cost that is acceptable. The aim is to create a risk _________ that sits within the organisation’s risk _________ and __________.

Answer 5

Organisations face numerous risks and build a control environment that senior managers believe will manage the effects of risks at a cost that is acceptable. The aim is to create a risk profile that sits within the organisation’s risk appetite and tolerances.

(see study guide p34)

Question 6

Define the term ‘operational risk’

Answer 6

Hopkin states that Operational risks are ‘the type of risk that will disrupt normal, everyday activities’

(see Hopkin, p58)

Question 7

Summarise five key components of a risk aware culture and state how each can help to improve the risk culture of an organisation.

Answer 7

The five key components of a risk aware culture include:

• Leadership - can improve risk culture by…
• Involvement - can improve risk culture by…
• Learning - can improve risk culture by…
• Accountability - can improve risk culture by…
• Communication - can improve risk culture by…

(‘LILAC’, see Hopkin, p87)

Question 8

Explain the difference between risk appetite and risk tolerance, giving an example of each.

Answer 8

Risk appetite

Appetite refers to the core mission or strategy of the organisation.

It is often considered to be the positive aspects of risk that organisations seek.

e.g., the development of new products that will bring high returns, but carry the potential to fail and result in losses.

Risk Tolerance

Tolerance refers to the limit of negative effects of risk that an org is willing to accept before taking some further risk treatment action to address the underlying drivers of risk.

(see Study guide, p41, 48)

Question 9

Describe what is meant by the term ‘risk protocols’, giving two examples of what they may detail in practice.

Answer 9

Risk protocols are the means (the tools, procedures and instructions) by which the selected risk strategy and architecture are delivered in practice.

Risk protocols may detail:

• Risk identification techniques
• Format / content of the risk register
• How risk and control ownership is allocated
• Reporting requirements
• Approval processes for risk expenditure
• etc

(see Study guide, p24)

Question 10

Describe the five key elements of effective corporate governance.

Answer 10

Five key elements of effective corporate governance include:

• Leadership (Board) - describe
• Effectiveness - describe
• Accountability - describe
• Remuneration - describe
• Relations and shareholders - describe

(see Study guide, p52)

Question 11

Define what the acronym ‘PACED’ stands for in respect of ERM.

Answer 11

According to Hopkin, PACED stands for:

• Proportionate
• Aligned
• Comprehensive
• Embedded
• Dynamic

(see Hopkin, p99)

Question 12

“It is insufficient to leave an organisation’s risk culture to chance”.

Describe three ways in which senior management could take a positive stance on risk culture.

Answer 12

Explain three of the following:

• Good communication
• Effective policy
• Inductions
• Job Descriptions
• Training Programmes
• Investment in IT security