Module 5 - Mid-Term Pt 1 Flashcards
COSO ERM: Component 3
Performance
Five Principles of Performance
- Identifies Risk
- Assesses the Severity of Risk
- Prioritizes Risk
- Implements Risk Responses
- Develops Portfolio View
Risk Assessment
The process of identifying, assessing, prioritizing, and responding to risks that can impact an entity’s ability to meet its business objectives
The Purpose of Risk Assessment
to assess how big the risks are, individually and collectively, in order to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk response
Risk Identification & Analysis three main steps
(1) Identify (2) Assess (3) Respond
Principle 10
Identifies Risk
Why identify risks?
- Know which risks can impact an entity’s ability to meet its strategic objectives and its risk profile
- Allow organizations to assess the potential severity of the risks and identify opportunities
What are new, emerging, and changing risks and where do they come from?
- Changes in strategy, business objectives, business context, or discovery of a new business context
- Discovery of a new risk that didn’t apply before
- A known risk that evolves
What are some recent events/trends that could lead to a shift in the risk profile?
- New technologies
- Labor shortages
- Evolving role of big data/data analytics
- Shifts in demographics/lifestyles
- Changes in the political landscape and shifts in social/environmental concerns
A variety of tools and techniques to identify risks
- Workshops
- Interviews
- Key Risk Indicators
- Data Tracking
- Cognitive Computing
- Process Analysis
The end result of risk identification is
risk inventory
Risk inventory
a comprehensive list of relevant risks
Two important aspects of risk inventories
- How you say it matters!
- Think impact!
Principle 11
Assesses Risk Severity
Assesses Risk Severity
- to understand the severity/impact of each risk on the achievement of strategy/business objectives
- to focus resources/capabilities on the most significant risks
Assesses Risk Severity Key elements
- standardized risk definitions
- severity measures of impact & likelihood
- groups common risks across divisions/functions (grouping may impact severity level)
- understand risk interdependencies
- time horizon used to assess business strategy
- Be cognizant of bias
Cognitive biases can distort…
the perception of risk in ways that are not always aligned with objective reality, impacting decisions in personal, business, and policy contexts
Cognitive Bias leads to two types of things
- Overestimating Risk
- Underestimating Risk
Availability Heuristic
People tend to overestimate the likelihood of risks that are more easily recalled or vivid in their memory, often due to recent exposure to similar events (e.g., news coverage of a plane crash). The more available the information, the higher the perceived risk.
Dread Risk Bias
This refers to the tendency to overestimate risks that evoke strong emotions, particularly fear (e.g., terrorism or natural disasters). When people dread an outcome, they assume it is more probable than it actually is.
Anchoring Bias
This occurs when individuals rely too heavily on an initial piece of information (the “anchor”) when estimating risks. If the anchor suggests a high-risk scenario, they may overestimate the likelihood of that risk occurring.
Negativity Bias
People are prone to focus more on negative information than positive, which can lead to overestimating risks associated with negative outcomes, such as financial losses or disasters.
Confirmation Bias
Individuals may seek out and prioritize information that confirms their pre-existing beliefs about certain risks, leading to an overestimation of risks they are already predisposed to believe in.
Zero-risk Bias
This is the preference for the complete elimination of a risk, no matter how small it is, leading to an overestimation of its actual threat in comparison to more probable risks.
Types of Overestimating Risk
- Availability Heuristic
- Dread Risk Bias
- Anchoring Bias
- Negativity Bias
- Confirmation Bias
- Zero-risk Bias