Random abbreviations or key terms Flashcards
Attributes of a risk classification system
A combination of event/source categories and impact/consequence categories
They help orgs define the scope of RM, providing a structure for risk identification and giving an opportunity to aggregate similar kinds of risks
They help orgs to better identify risk appetite, risk capacity and total risk exposure
Consequence of people having different risk perceptions
The significance of some risks may be incorrectly determined
What determines an organisation's attitude to risk
The maturity of an organisation, seen in the different attitudes of start-ups compared to mature organisations
And the area of activity
The highest level of RM is related to what
Achievement of benefits (perform stage)
Three things necessary to evaluate the effectiveness of controls of an inherent risk
The inherent level of risk and the current level of risk
A measure for the inherent / current levels = likelihood or impact scales
Responsibilities of the RM committee
Advise the Board on RM and make recommendations on all risk matters and the policies related to them
Risk management process (H&T) STEPS
- Identifying, analysing, evaluating, treating, monitoring and reviewing
Upside of risk
The org will be able to undertake activities that it would not otherwise have the appetite to undertake
The ability to pursue a business opportunity that competitors would be unwilling to embrace
What does a demanding market require
Agility to gain competitive advantage
The COSO (2013) internal control framework replaced what framework, and what year was that framework created
1992
ICFR
Internal control over financial reporting
The SOX Act mandates that US listed companies report on the effectiveness of their ICFR using a framework (COSO)
What is corporate governance more concerned with: internal control or risk management
Internal control
An internal control framework used by UK listed companies and an alternative to COSO
FRC internal control framework (2014)
Internal control
SCOR objectives not STOC
Without internal control, the challenges and risks orgs face may threaten a health care organization's operational, compliance and reporting objectives
COSO (2013) definition of internal control
The set of standards, policies, procedures, processes, structures etc. used by an org to carry out internal control
5 components of COSO (2013) framework
1) Control environment
2) Risk assessment = risks are evaluated and a decision made whether and how to respond to manage the impact of the risk
3) Control activities = actions that support the management of risks to ensure the achievement of objectives
4) Information and communication = info has to be gathered from internal and external sources to support internal controls (i.e. to ensure they are up to date and reflect what the control is actually responding to). Communication is used to disseminate info as needed to respond to and meet requirements
5) Monitoring activities = periodic reviews / evaluations to evaluate the effectiveness of the controls
Definition of entity level controls (according to SEC)
These are controls that have a pervasive effect on the entity's system of internal control, such as high-level controls related to the whole control environment.
This is important when changing / implementing a control framework, as the existing maturity of the entity-level control structure will affect the assessment of risks and the associated results.
Risk and control matrix
A document that identifies all internal controls in the process in addition to specific descriptions and category attributes relating to the control
Remediation plan
Action to change a risk
Risk-based decision making is part of what context: internal, external or risk management
Internal
Long term consequences are related to what parts of an org
STOC
Core processes relate to what part of an org
SCOR
COSO internal control cube (2013) definition of internal control
Focus on the objectives that internal control contributes to
Internal control is the process effected by the Board of directors, management and other staff, designed to provide reasonable assurance regarding the achievement of the following categories of objectives: efficiency and effectiveness of operations, reliability of reporting, and compliance with regulations and laws
CoCo (1995) definition of internal control
Focus on the components / criteria (as in the name) of internal control
Internal control is all the elements of the org that support people in the achievement of the org's objectives. The elements include resources, systems, procedures, culture, structure and TASKS.
IIA definition of internal control
Internal control is a set of processes, functions, activities, sub-systems and people that are either grouped or consciously segregated to ensure the achievement of an org's objectives
Business impact analysis
Analysis to assess the potential damage, loss or disruption to an organisation that could be caused by the failure of one of its core business processes or functions.
It identifies and prioritises the most critical functions of an org, which is essential for BCP, suggesting where resources should be invested
Business model
CORR
Customer offering that utilises resources and is underpinned by resilience
Customer offering = what and how an org delivers services and/or products. Therefore, risks attach to this
Business objectives
Separate from strategic objectives
Based on the annual budget of an org and shaped by the business model.
Most common risks associated with business objectives are the robustness and efficiency of the business model
Tactics
How the org will achieve the strategy
Tactics ensure that effective and efficient core processes deliver the desired outcomes in the most cost-effective manner
What is the desired state of an organisation in regards to operations
The continuity of normal efficient operations with no unplanned disruption
What are the four components of reputation
CASE
C = capabilities (purpose and resources)
A = activities (processes and finances)
S = standards (services and support)
E = ethics (values and integrity)
RIMS definition of ERM
Differentiator = ERM is classed as a strategic business discipline
“ERM is a strategic business discipline that supports the achievement of an org's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio”
COSO (2017) definition of ERM
Focus on strategy
“The culture, capabilities, and practices that orgs integrate with strategy setting and apply when they carry out the strategy, with the purpose of managing risk in creating, preserving and realising value”
IIA Definition of ERM
Focus on financial risk
“A rigorous and co-ordinated approach to assessing and responding to all risks that affect the achievement of an org's strategic and financial objectives”
Orange Book definition of ERM
Focus on internal control
“The co-ordinated activities designed and operated to manage risks and exercise internal control within an org”
GRC
Governance, risk and compliance approach.
It is an integrated approach to risk management and assurance based on the 3LOD. It takes the overall view that the board is responsible for governance issues across the whole org. Therefore, it looks at the three lines of defence to ensure adequate attention is paid to risk. The NEDs will also look to internal audit to provide assurance on the broad range of compliance issues within the org
Risk criteria can literally be the description of likelihood and impact:
A low likelihood/impact risk is a criterion in itself. It is the description of what "low" is that matters (e.g., lower than 2% is a low significance risk). This reflects the tolerance levels chosen by the firm (some firms may consider 2% a high significance)
Risk attitude is described by risk criteria
ISO Guide 73 definition of risk management
Co-ordinated activities to direct and control an org with regard to risk
IRM definition of RM
Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure
HM Treasury (Orange Book) definition of risk
The coordinated activities designed and operated to manage risk and exercise internal control within an org
LSE definition of RM
Selection of those risks a business should take and those that should be avoided or mitigated, followed by action to reduce risk
6 Cs of insurance buying
Cost, coverage, capacity, capabilities, claims (if a buyer makes a claim they need to ensure that the insurer has the financial security to pay that claim), compliance
Captive insurance
The insurer is a subsidiary of the organisation it is insuring
Sources / risks of operational disruption
4 Ps
Business process re-engineering
Approach that ensures that orgs have the most effective processes and operations in place. It does so by identifying stakeholders and their expectations, then shaping the core processes and operations to achieve these
CRSA
Control risk self assessment
Provides internal assurance
FMEA
Failure modes effects analysis
Quantitative analysis technique for the possibility of a risk occurring
Applied to manufacturing operations
Governance
It is the system by which companies are directed and controlled. This system is made up of plans, priorities, authorities and accountabilities, as well as oversight over decision making and performance. RM has to be an essential part of these components