Module 2 - Unit 2: Risk Strategy & Framework Flashcards
Name three documents that are central to an organisation’s risk architecture.
Any of these:
a) risk policy
b) terms of reference for the risk committee and the head of risk management
c) risk appetite and tolerance statement
d) risk register
e) key risk indicators and risk dashboard
f) risk models
g) issues and events log.
Give four areas of responsibility for a group risk committee in a large corporation.
- Advise the Board on risk management
- Foster a culture that emphasises the benefits of a risk-based approach to risk management
- Make recommendations to the Board on significant matters relating to risk strategy and policy
- Monitor performance of risk management systems and review reports
- Review effectiveness of RM infrastructure, including RM procedures, risk audit reports, findings of RM reviews and assessment of new ventures and strategic initiatives
- Review risk exposure of the org vis-a-vis risk appetite and risk capacity
- Consider whether disclosure of RM policies and key risk exposures is in accordance with FRS (Financial Reporting Standards)
Hopkin p262, table 22.3
Who would you look to in an organisation to provide risk information for reporting to senior management?
The provision of risk information, data and risk status assessments are usually the responsibility of the stated risk owner. Production of the information may be delegated to the risk owner’s department staff.
Describe three key functions that are likely to be addressed in an organisation’s risk protocols.
- The techniques used in risk identification
- The format and content of the organisation’s risk register, how it is to be completed and the requirements for regular updates
- How risk and control ownership is assigned to staff
- Requirements on entering risk events into the issues and events log, and the upward notification of events based on their materiality
- Reporting requirements – such as weekly or monthly reports and risk analysis, performance against key risk indicators.
- Approval processes for expenditure on risk improvement actions
- Control and sign-off processes for entering into contracts
- Template documents for risk assessments and (where required) certification
(Study guide, p.25)
What are the main advantages and disadvantages of using an RMIS? Which companies are most likely to benefit most from using an RMIS?
An RMIS serves as a coordinated risk repository and assists in analysing and managing the risk information in an organisation. The danger is risk information will become irrelevant to the org’s managers, because the risk info being entered into the RMIS becomes a separate task and not aligned with other MIS in the org, and therefore not as embedded into day to day activities. Also, entering a substantial amount of info into an RMIS can be time consuming. In general, RMIS becomes more valuable when risks are complex or a large amount of data needs to be recorded. Therefore, large firms stand to gain the most from RMIS. (Hopkin, p317-8)
List four types of info you might find in an RMIS
- Risk Management policy and protocols
- Risk profile data, values and information
- Emergency contact arrangements and contact details
- Insurance values and cost of risk data
- Insurance claims handling and management process
- Historical loss/claims experience/information
- Insurance policy coverage
- Risk management action plans (risk register)
- Business continuity plans and responsibilities
- Disaster recovery plans and responsibilities
- Corporate governance arrangements and reports
Hopkin, p317-8
Give two purposes of internal controls
- Achievement of objectives (the primary purpose of internal control activities)
- Safeguard and protect assets
- Ensure accurate records are kept
- Promote operational effectiveness and efficiency
- Adhere to policies & procedures
- Enhance reliability of internal and external reporting
- Ensure compliance with regulations
- Safeguard interests of stakeholders/shareholders
Hopkin, p388
List four pieces of information that might be held in an RMIS
- Risk management policy and protocols
- Risk profile data, values and information
- Emergency contact arrangements and contact details
- Insurance values and cost of risk data
- Insurance claims handling and management protocols
- Historical loss/claims experience/information
- Insurance policy coverage and other information
- Risk management action plans (risk register)
- Risk improvement plans and implementation
- Business continuity plans and responsibilities
- Disaster recovery plans and responsibilities
- Corporate governance arrangements and reports
Hopkin p316
Describe the role of a non-executive director
Is not employed by the company and is therefore independent
Challenges and develops strategy
Scrutinises management performance
Challenges financial info
Seeks assurance that financial controls and RM are robust
Determines the appropriate remuneration for exec. directors
Seeks to maintain confidence in the conduct of the company
Independent in judgement and promotes openness and trust
Is well informed about the company and the external environment in which it operates
Hopkin, p256
A framework is made up of RASP. What does this stand for?
Risk Architecture, Strategy and Protocols
Explain the ways in which organisations structure their risk management activities
Largely based on the prevailing management style in the wider organisation.
- Centralised approach - strategy and operations directed by Head Office or central team.
- Decentralised approach - management responsibility is delegated to unit or divisional managers, with little direction from the centre.
- Hybrid approach - discretion in design and operation of subsidiaries is allowed in certain areas, but in others (brand management, H&S, banking arrangements) the corporate approach must be adopted.
(Study guide, p.22)
How does COSO highlight the expectations of the information, communication and reporting component of ERM?
- “Information, Communication and Reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down and across the organisation.”
(from ERM: Integrating with Strategy and Performance Framework, Executive Summary. COSO 2017)
Who in the organisation is responsible for supplying risk information to the risk function?
Various managers of divisions, regions, business units etc.
Specialists in the organisation who manage particular aspects of risk, for example:
- Head of Legal
- Business Continuity manager
- Head of internal audit
- Head of clinical safety
- Compliance Officer
- Money Laundering reporting officer
- Head of Credit Risk
- Head of Security
- Corporate Insurance manager
- Head of HR
(Study guide, p27)