Module 6 - Unit 2 - Case Studies in Risk Management Flashcards

1
Q

Maintaining an awareness of risk events that occur in the world is a vital part of the role of the risk manager. It is instructive to look at what?

A
  • The root cause of an event
  • The circumstances by which the event developed and expanded,
  • The organisation’s response to the event and
  • The ultimate financial and other effects.
2
Q

How can emerging risks be divided?

A

Emerging risks can be divided into three categories, as follows:
• New risks that have emerged in the external environment, but are associated with the existing strategy of the organization – new risks in known context;
• Existing risks that were already known to the organization, but have developed or changed circumstances have triggered the risk – known risks in new context;
• Risks that were not previously faced by the organization, because the risks are associated with changed core processes – new risks in new context

3
Q

What three behaviors are necessary in order to achieve increased resilience?

A

There are three behaviours that should be achieved by an organization if it is to achieve increased resilience:

  • Awareness of changes in the external, internal and risk management environments, so that constant attention to resilience is ensured;
  • ‘Prevent, protect and prepare’ in relation to all types of resources, including assets, networks, relationships and intellectual property;
  • ‘Respond, recover and review’ in relation to disruptive events, including the ability to respond rapidly, review lessons learnt and adapt.
4
Q

What headings are normally used in order to evaluate the risk-aware culture within an organization using the CoCo approach?

A
  • Purpose, vision and mission;
  • Commitment to integrity and ethical values;
  • Capability, authority and responsibilities;
  • Learning and development of competence.
5
Q

What are two key areas for the future developments in the practice of ERM?

A

Future developments in the practice of ERM are likely to be focused on two key areas:

  1. Ensuring risk management activities are fully embedded in the core business processes of the organization
  2. Demonstrating measurable financial benefits associated with the implementation of an enterprise risk management initiative.
6
Q

What are the four steps in internal audit?

A

The steps involved are:
• Planning the internal audit exercise
• Undertaking the fieldwork during which controls are tested
• Producing the audit report
• Ensuring that there is adequate follow-up

7
Q

What responsibilities are allocated to internal audit?

A

● giving assurance on risk management processes
● giving assurance that risks are correctly evaluated
● evaluating risk management processes
● evaluating the reporting of key risks
● reviewing the management of key risks

8
Q

What responsibilities are allocated to risk management?

A

● facilitating identification and evaluation of risks
● coaching management in responding to risks
● co-ordinating ERM activities
● consolidated reporting on risks
● maintaining and developing the ERM framework
● championing establishment of ERM
● developing RM strategy for board approval

9
Q

What responsibilities are allocated to senior management?

A
● setting the risk appetite
● imposing risk management processes
● management assurance on risks
● taking decisions on risk responses
● implementing risk responses on behalf of management
● accountability for risk management
10
Q

What are the five lines of defence?

A
  1. Operational management
  2. Specialist Risk functions
  3. Internal audit
  4. External audit
  5. Regulators
11
Q

What are the five lines of assurance?

A
  1. The board of directors with overall responsibility for ensuring that effective risk management processes are in place and the other lines are managing risk to within appetite.
  2. Senior executives and senior managers with overall responsibility for building and maintaining a robust risk management process and delivering reliable information on the principal risks.
  3. Business unit leaders with assigned ownership or responsibility for reporting on specific risks, and ensuring resources are protected and objectives are being achieved.
  4. Specialist units providing expertise on specific types of risk, such as treasury, safety, environment, legal and insurance with responsibility for related risk management processes.
  5. Internal audit activities, providing independent and timely information to the board on reliability of the risk management processes in the organization and producing consolidated reports.
12
Q

Whom does Sarbanes-Oxley relate to?

A

The primary purpose of SOX is to ensure that information disclosed by companies listed on the stock exchanges in the United States is accurate.
The SOX requirements apply to subsidiaries of US companies operating in other countries.
They will also apply to organizations based in other countries if the company has a listing on a US stock exchange.

13
Q

What are the public sector government risk reporting principles?

A

Openness and transparency - Government will be open and transparent about its understanding of the nature of risks to the public and about the process it is following in handling them.
Involvement - Government will seek wide involvement of those concerned in the decision process.
Proportionality - Government will act proportionately and consistently in dealing with risks to the public.
Evidence - Government will seek to base decisions on all relevant evidence.
Responsibility - Government will seek to allocate responsibility for managing risks to those best placed to control them.

14
Q

What are some examples of KRIs?

A

Examples include:
• staff turnover rates – on an annual rolling basis
• new legal cases brought against the company
• material damage to assets (for example, above £5,000)
• injury to employees
• product fault rates
• loss of existing business
• complaints/praises
• lack of new sales
