Module 3 - Quiz 2 Flashcards
What is Risk Assessment?
The process of identifying, assessing, prioritizing, and responding to risks that can impact an entity’s ability to meet its business objectives
The purpose of Risk Assessment
assess how big the risks are, individually and collectively, in order to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk response
Risk Identification & Analysis: Three main steps
(1) Identify (2) Assess (3) Respond
Steps in Assessing Risk
- Develop Assessment Criteria
- Assess Risks
- Assess Risk Interactions
- Prioritize Risks
Risk Assessment, Principles
- Clear objective
- Risks to business objectives
- Considers potential for fraud
- Identifies, assesses changes
Clear objective
specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
Risks to business objectives
identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
Considers potential for fraud
The organization considers the potential for fraud in assessing risks to the achievement of objectives
Identifies, assesses changes
identifies and assesses changes that could significantly impact the system of internal control
Identify Risks
Step 1: This first step to “Identify Risks” comes before “Assessment”. This first step produces a comprehensive list of risks.
- Risks are organized by risk category
- Risks are identified for different levels of the organization
- A common methodology/taxonomy for all risks needs to be developed and used across the firm
Develop Assessment Criteria
Step 2.1: First step in the “Assess” part of Risk Assessment involves developing a common set of criteria to be deployed across the firm to assess risk.
Impact (or consequence)
refers to the extent to which a risk event might affect the entity
(criteria may include financial, reputational, regulatory, health, safety, security, etc.)
(used during Develop Assessment Criteria)
Common scales
Common scales allow comparison and aggregation of all risks across the organization in
(used during Develop Assessment Criteria)
Most common type of common scale
Five-point scales
Assess Risks
Step 2.2: Second step in the “Assess” part of Risk Assessment consists of assigning values to each risk using the defined criteria.
- May be accomplished in two stages where an initial screening of risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks
- Both qualitative and quantitative techniques can be used for different risks and decision-making needs
Qualitative assessment techniques
interviews, cross-functional workshops, surveys, benchmarking, and scenario analysis
(used during Assessing Risks)
Quantitative analysis
requires numerical values for both impact and likelihood using data from a variety of sources
(used during Assessing Risks)
Assess Risk Interactions
Step 2.3: Third step in the “Assess” part of Risk Assessment recognizes that risks do not exist in isolation; risks can interact to cause greater damage or create significant opportunities
Prioritize Risks
Step 2.4: Final step in the “Assess” part of Risk Assessment is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds
- Risks are ranked according to criteria
- Ranking is reviewed
- Risk prioritization needed to allocate resources
- To help prioritize and monitor / report risks (heat map for example)
Respond to Risks
Step 3: Final step in the entire process. Once risks are assessed, risk owners take one of the following formal actions and develop a risk response.
- Reduce / Mitigate
- Share / Transfer
- Avoid
- Accept
Reduce / Mitigate
Many of the control examples discussed in Session 2 would apply here (e.g., segregation of duties, training programs, reconciliations, IT automation).
(Used during Respond to Risks)
Share / Transfer
Activities with low likelihood, but large financial impact can be transferred (a portion or all of the risk) to a third party. By doing so, we are compensated when an adverse event happens (e.g., insurance, hedging strategies using derivatives).
(Used during Respond to Risks)
Avoid
Activities with a high likelihood and large financial impact can be avoided (e.g., risky product / business line or merger – just don’t do it!)
(Used during Respond to Risks)
Accept
If the cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk
(Used during Respond to Risks)
Communicating Pursuit of Value
- MISSION STATEMENT
- VISION
- CORE VALUES
- STRATEGY
Does ERM create strategy?
No, ERM does not create strategy—it influences its development!
MISSION STATEMENT
“Core Purpose” – what it wants to accomplish and why it exists
VISION
Aspirations for the future – what it aims to achieve over time
CORE VALUES
Beliefs of what is acceptable and not acceptable as the organization strives to achieve its mission – influences the behavior of the organization
STRATEGY
Entity’s plan on how to achieve its mission and vision; core values guide behaviors during this process
ERM: Key Focus Points
- Focus on integrating ERM with strategy setting and performance (execution of strategy)
- Emphasize value
- Manage risks that can impact strategy and business objectives
- Recognize the importance of culture
- ERM practices are integrated throughout the organization
- Focus on developing capabilities; increasing resilience
ERM Benefits
✔ Increase the range of opportunities
✔ Increase positive outcomes and reduce negative surprises
✔ Identify and manage entity-wide risks
✔ Reduce performance variability
✔ Improve resource deployment