Module 2 - Unit 2 - Risk Strategy and Framework Flashcards

1
Q

What are the three components of context?

A

The three components of context may be considered as follows:

  • Risk management context – The risk architecture, strategy and protocols (“RASP”) or the risk management framework within the organization.
  • Internal context refers to the organization itself, the activities it undertakes, the range of skills and capabilities available within the organization, and how it is structured. Internal stakeholders and their expectations are part of the internal context. This may be considered to be the strengths and weaknesses within the organization.
  • External context is the environment within which the organization exists. This environment will include consideration of the business sector within which the organization operates, external stakeholders and their expectations and the external financial environment. This may be considered to be the opportunities and threats facing the organization.
2
Q

What is the purpose of the risk management framework?

A

The risk management framework must fulfil two functions:

1) Provide support for the risk management process within the organization; and
2) Ensure that the outputs from the risk management process are communicated to internal and external stakeholders.

3
Q

What does the risk management context include?

A

The risk management context step covers:
• Who is responsible for risk
• What resources will be available
• Establishment of risk appetite or risk criteria
• Identifying a means of measuring overall risk exposure
• The organization’s ‘risk radar’

4
Q

What does the internal context relate to?

A

The internal context relates to:

  • Culture
  • Resources
  • Ensuring that the output of the risk management process is received and influences behaviours
  • Support for, and governance of, risk and risk management
  • Objectives
  • Capacity and capabilities of the organisation
  • Business core processes
  • How does the organisation make decisions?
  • Can be evaluated by using the FIRM scorecard (Financial and Infrastructure), SWOT or PESTLE
5
Q

What does the external context relate to?

A

The external context relates to:

  • Stakeholder expectations
  • Industry regulations and regulators
  • Behaviour of competitors
  • General economic environment
  • The drivers and trends affecting the organisation and its ability to achieve objectives
  • Can be evaluated using the FIRM scorecard (Reputation and Marketplace), SWOT analysis or PESTLE.
6
Q

What is a risk register?

A

A risk register is defined in the ISO Guide 73 as the ‘document used for recording risk management process for identified risks’. The guide adds that the purpose of the risk register is to facilitate ownership and management of each risk.

7
Q

What are key elements of a risk register?

A

The risks set out in the register need to be precisely defined so that the cause, source, event, magnitude and impact of any risk event can be clearly identified.

8
Q

How can emerging risks be categorised?

A

Emerging risks can be divided into three categories, as follows:

  • New risks that have emerged in the external environment but are associated with the existing strategy of the organization – new risks in a known context;
  • Existing risks that were already known to the organization but have developed, or where changed circumstances have triggered the risk – known risks in a new context;
  • Risks that were not previously faced by the organization, because they are associated with changed core processes – new risks in a new context.
9
Q

What are the three behaviours that should be achieved by an organisation if it is to achieve increased resilience?

A
  • Awareness of changes in the external, internal and risk management environments, so that constant attention to resilience is ensured;
  • ‘Prevent, protect and prepare’ in relation to all types of resources, including assets, networks, relationships and intellectual property;
  • ‘Respond, recover and review’ in relation to disruptive events, including the ability to respond rapidly, review lessons learnt and adapt.
10
Q

What makes up risk management architecture?

A
● Committee structure and terms of reference
● Roles and responsibilities
● Internal reporting requirements
● External reporting controls
● Risk management assurance arrangements
11
Q

What makes up risk management strategy?

A
● Risk management philosophy
● Arrangements for embedding risk management
● Risk appetite and attitude to risk
● Benchmark tests for significance
● Specific risk statements/policies
● Risk assessment techniques
● Risk priorities for the present year
12
Q

What makes up risk management protocols?

A
● Tools and techniques
● Risk classification system
● Risk assessment procedures
● Risk control rules and procedures
● Responding to incidents, issues and events
● Documentation and record keeping
● Training and communications
● Audit procedures and protocols
● Reporting/disclosures/certification
13
Q

Briefly summarise risk architecture, strategy, and protocols.

A
  • The risk architecture defines how information on risk is communicated throughout the organization.
  • The risk strategy defines the overall objectives that the organization is trying to achieve with respect to risk management.
  • The risk protocols are the systems, standards and procedures that are put in place in order to fulfil the defined risk strategy.
14
Q

What are the main risk management responsibilities for the CEO?

A
  • Determine strategic approach to risk
  • Establish the structure for risk management
  • Understand the most significant risks
  • Consider the risk implications of poor decisions
  • Manage the organization in a crisis
15
Q

What are the main risk management responsibilities for the location manager?

A
  • Build risk-aware culture within the location
  • Agree risk management performance targets for the location
  • Evaluate reports from employees on risk management matters
  • Ensure implementation of risk improvement recommendations
  • Identify and report changed circumstances/risks
16
Q

What are the main risk management responsibilities for individual employees?

A
  • Understand, accept and implement RM processes
  • Report inefficient, unnecessary or unworkable controls
  • Report loss events and near-miss incidents
  • Cooperate with management on incident investigations
  • Ensure that visitors and contractors comply with procedures
17
Q

What are the main risk management responsibilities for the risk manager?

A
  • Develop the risk management policy and keep it up-to-date
  • Facilitate a risk-aware culture within the organization
  • Establish internal risk policies and structures
  • Coordinate the risk management activities
  • Compile risk information and prepare reports for the board
18
Q

What are the main risk management responsibilities for the specialist risk management function?

A
  • Assist the company in establishing specialist risk policies
  • Develop specialist contingency and recovery plans
  • Keep up-to-date with developments in the specialist area
  • Support investigations of incidents and near misses
  • Prepare detailed reports on specialist risks
19
Q

What are the main risk management responsibilities for the internal audit manager?

A
  • Develop a risk-based internal audit programme
  • Audit the risk processes across the organization
  • Provide assurance on the management of risk
  • Support and help develop the risk management processes
  • Report on the efficiency and effectiveness of internal controls
20
Q

How do the following groups fit with the three lines of defence idea?

CEO, Location manager, Employee, Risk Manager, Specialist risk management function, Internal audit.

A

First line of defence - CEO, Location manager, Employee
Second line of defence - Risk manager, specialist risk management function
Third line of defence - Internal audit

21
Q

What are the roles of a non executive director?

A
  • Strategy – Constructively challenge and help develop proposals on strategy
  • Performance – scrutinize the performance of management
  • Risk – Challenge the integrity of the financial information
  • Controls – Seek assurance that financial controls and systems of risk management are robust and defensible
  • People – Determine the appropriate level of remuneration for the executive directors and have a prime role in succession planning
  • Confidence – Seek to establish and maintain confidence in the conduct of the company
  • Independence – Be independent in judgement and promote openness and trust
  • Knowledge – Be well informed about the company and the external environment in which it operates, with a strong command of relevant issues
22
Q

What are the roles of an insurance manager?

A
  1. To establish the risk management strategy for protecting company property and people.
  2. To coordinate the company insurance programme through the captive insurance company.
  3. To work with the manager of the captive to maximize the contribution made by the captive insurance company.
  4. To maintain key insurer relationships, monitor service providers and ensure cost effective placement of insurance contracts.
  5. To measure and monitor cost of risk performance of the group and individual group companies.
  6. To ensure safekeeping and adequate retention of all insurance contracts and agreements.
  7. To supervise the coordination of service provider activities and place the group and global insurances.
  8. To coordinate the property survey programme, risk management procedures and incentive schemes.
23
Q

What are the roles of a risk committee?

A

• To advise the board on risk management and to foster a culture that emphasizes and demonstrates the benefits of a risk-based approach to risk management.
• To make appropriate recommendations to the board on all significant matters relating to the risk strategy and policies of the company.
• To monitor the performance of the risk management systems and review reports prepared by relevant parties.
• To keep under review the effectiveness of the risk management infrastructure of the company, including:
  o assessment of risk management procedures in accordance with changes in the operating environment;
  o consideration of risk audit reports on the key business areas to assess the level of business risk exposure;
  o consideration of any major findings of any risk management reviews and the response of management;
  o assessment of the risks of new ventures and other strategic, project and operational initiatives.
• To review the risk exposure of the company in relation to the risk appetite of the board and the risk capacity of the company.
• To consider the development of risk management and make appropriate recommendations to the board.
• To consider whether disclosure of information regarding risk management policies and key risk exposures is in accordance with financial reporting standards.

It is important that risks be managed in a proactive manner as an executive responsibility and therefore the risk committee should sit distinct from any non-executive role.