Module 3 - Quiz 2 Flashcards

1
Q

What is Risk Assessment

A

The process of identifying, assessing, prioritizing, and responding to risks that can impact an entity’s ability to meet its business objectives

2
Q

The purpose of Risk Assessment

A

assess how big the risks are, individually and collectively, in order to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk response

3
Q

Risk Identification & Analysis: Three main steps

A

(1) Identify (2) Assess (3) Respond

4
Q

Steps in Assessing Risk

A

  • Develop Assessment Criteria
  • Assess Risks
  • Assess Risk Interactions
  • Prioritize Risks
5
Q

Risk Assessment, Principles

A

  • Clear objective
  • Risks to business objectives
  • Considers potential for fraud
  • Identifies, assesses changes
6
Q

Clear objective

A

specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

7
Q

Risks to business objectives

A

identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

8
Q

Considers potential for fraud

A

The organization considers the potential for fraud in assessing risks to the achievement of objectives

9
Q

Identifies, assesses changes

A

identifies and assesses changes that could significantly impact the system of internal control

10
Q

Identify Risks

A

Step 1: This first step, “Identify Risks”, comes before “Assessment”. This first step produces a comprehensive list of risks.

  • Risks are organized by risk category
  • Risks are identified for different levels of the organization
  • A common methodology/taxonomy for all risks needs to be developed and used across the firm
11
Q

Develop Assessment Criteria

A

Step 2.1: First step in the “Assess” part of Risk Assessment involves developing a common set of criteria to be deployed across the firm to assess risk.

12
Q

Impact (or consequence)

A

refers to the extent to which a risk event might affect the entity

(criteria may include financial, reputational, regulatory, health, safety, security, etc.)

(used during Develop Assessment Criteria)

13
Q

Common scales

A

Common scales allow comparison and aggregation of all risks across the organization in

(used during Develop Assessment Criteria)

14
Q

Most common, common scales

A

Five-point scales

15
Q

Assess Risks

A

Step 2.2: Second step in the “Assess” part of Risk Assessment consists of assigning values to each risk using the defined criteria.

  • May be accomplished in two stages, where an initial screening of risks is performed using qualitative techniques, followed by a more quantitative analysis of the most important risks
  • Both qualitative and quantitative techniques can be used for different risks and decision-making needs
16
Q

Qualitative assessment techniques

A

interviews, cross-functional workshops, surveys, benchmarking, and scenario analysis

(used during Assessing Risks)

17
Q

Quantitative analysis

A

requires numerical values for both impact and likelihood using data from a variety of sources

(used during Assessing Risks)

18
Q

Assess Risk Interactions

A

Step 2.3: Third step in the “Assess” part of Risk Assessment recognizes that risks do not exist in isolation; risks can interact to cause greater damage or create significant opportunities

19
Q

Prioritize Risks

A

Step 2.4: Final step in the “Assess” part of Risk Assessment is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds

  • Risks are ranked according to criteria
  • Ranking is reviewed
  • Risk prioritization is needed to allocate resources
  • To help prioritize and monitor / report risks (heat map, for example)

20
Q

Respond to Risks

A

Step 3: Final step in the entire process. Once risks are assessed, risk owners take one of the following formal actions and develop a risk response.

  • Reduce / Mitigate
  • Share / Transfer
  • Avoid
  • Accept

21
Q

Reduce / Mitigate

A

Many of the control examples discussed in Session 2 would apply here (e.g., segregation of duties, training programs, reconciliations, IT automation).

(Used during Respond to Risks)

22
Q

Share / Transfer

A

Activities with low likelihood, but large financial impact can be transferred (a portion or all of the risk) to a third party. By doing so, we are compensated when an adverse event happens (e.g., insurance, hedging strategies using derivatives).

(Used during Respond to Risks)

23
Q

Avoid

A

Activities with a high likelihood and large financial impact can be avoided (e.g., risky product / business line or merger – just don’t do it!)

(Used during Respond to Risks)

24
Q

Accept

A

If the cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk

(Used during Respond to Risks)

25
Q

Communicating Pursuit of Value

A

  • MISSION STATEMENT
  • VISION
  • CORE VALUES
  • STRATEGY

26
Q

Does ERM create strategy?

A

No, ERM does not create strategy—it influences its development!

27
Q

MISSION STATEMENT

A

“Core Purpose” – what it wants to accomplish and why it exists

28
Q

VISION

A

Aspirations for the future – what it aims to achieve over time

29
Q

CORE VALUES

A

Beliefs of what is acceptable and not acceptable as the organization strives to achieve its mission – influences the behavior of the organization

30
Q

STRATEGY

A

Entity’s plan on how to achieve its mission and vision; core values guide behaviors during this process

31
Q

ERM: Key Focus Points

A

  1. Focus on integrating ERM with strategy setting and performance (execution of strategy)
  2. Emphasize value
  3. Manage risks that can impact strategy and business objectives
  4. Recognize the importance of culture
  5. ERM practices are integrated throughout the organization
  6. Focus on developing capabilities; increasing resilience

32
Q

ERM Benefits

A

✔ Increase the range of opportunities
✔ Increase positive outcomes and reduce negative surprises
✔ Identify and manage entity-wide risks
✔ Reduce performance variability
✔ Improve resource deployment