RISK Flashcards
What is the four lines of defence framework?
The four lines of defence framework helps organisations ANALYSE the overall STRENGTH of their CONTROL, supervision and review processes. It enables management to ascertain the level of comfort each stage provides and also determine what should be included at later stages to remedy limitations of earlier controls.
What are the four lines of defence?
1) Day-to-day controls and control framework
2) Management review
3) Internal audit
4) External audit
Explain the first line of defence
Control frameworks and day-to-day controls
-oversight by staff who are familiar with the business; their knowledge and commitment provide assurance.
-ensures fewer mistakes and more reliable external reporting.
-However, its main weakness is the lack of independence (self-review bias).
Second line of defence: management review
-separate management or specialist reviews outside day-to-day operations.
-Includes risk, compliance, and financial controls oversight, as well as board oversight.
-May incorporate additional quality control reviews, especially in response to customer complaints.
-Provides some independence and objectivity compared to the first line of defence.
-Still involves reviewers who are part of the same management team.
-Effectiveness depends on reviewers’ expertise.
-Requires clarity in the purpose of reviews and their scope selection.
Third line of defence: internal audit
-Depends on the scope of its terms of reference, which may cover various aspects like operational efficiency, asset safeguarding, and reporting reliability.
-Can address specific risks not fully covered by the first two lines of defence.
-Plays a crucial role during organizational changes and shifts in structures, reporting processes, and information systems.
-Relies on the quality of its risk assessment and its alignment with actual work.
-Benefits from assurance mapping for effectiveness.
-Is conducted by independent staff separate from operational management.
-Gains strength through direct reporting to the board and audit committee, allowing for candid discussions.
-May still face limitations due to internal politics and organizational constraints.
-Its effectiveness relies on the board and senior management’s commitment to implementing its recommendations.
Fourth line of defence: external audit
Advantages:
Impartial assurance due to the independence of external auditors.
Brings a broader perspective based on knowledge from auditing various organizations.
Disadvantages:
Limited knowledge of the organization due to annual visits.
Focus primarily on financial statements, with less emphasis on other risk and control areas.
Additional work may be needed to provide assurance on non-financial aspects.
What is assurance mapping?
Assurance mapping is like a puzzle that connects the four lines of defence in a company. It looks at different risks and how each of these lines of defence helps to deal with them. It also connects these risks with important performance measures and other ways the company reports things. This helps the company report about risks and how they manage them in a reliable way.
It is made in table form, e.g.:
Risk: unauthorised access to computer controls
Risk assessment if no controls are in place: impact: high; likelihood: high
First line: its job for this risk
Second line: its job for this risk
Risk assessment after the first two lines:
Third line: its job for this risk
Fourth line: its job for this risk
Advantages of assurance mapping
-Assurance mapping connects risks to control systems.
-It helps identify where there might be limited assurance that controls are working effectively.
-This information improves reporting on internal control.
-It enables more efficient control management, filling gaps, and avoiding overlap in staff responsibilities.
-It helps determine what kind of assistance is needed from internal audit in terms of resources and scope of work.
What is COSO?
COSO, formed in the 1980s to study financial fraud causes, now aims to improve internal control, risk management, governance, and fraud deterrence.
Its non-mandatory guidance provides influential frameworks for assessing and enhancing risk management and internal controls, especially in the wake of corporate scandals and regulatory efforts to improve corporate behavior.
What is the COSO cube? (the ERM model; it used to be a pyramid)
The COSO Cube is like a simple model that helps organizations manage their internal controls and risks effectively. It has three main parts:
1)Components: These are the basic building blocks of control and risk management, like creating a good control environment, assessing risks, and monitoring activities.
2) Objectives: These are the goals an organization wants to achieve, such as running operations efficiently, reporting financial information accurately, and following laws and rules.
3) Levels: The cube shows how these components and objectives apply to the entire organization (entity level) and its different parts (divisional levels).
In simple terms, the COSO Cube is a tool that organizations use to make sure they have good controls and manage risks properly to achieve their goals.
In the exam, if the words "risk management framework" are used, use COSO to write the answer.
Otherwise, if only the words "RISK MANAGEMENT" are used, just use identify, assess, mitigate and monitor.
What are the components of the COSO cube?
1) Internal environment:
-sets the tone.
-influences risk appetite, attitudes, ethical values
-tone is set by board members
-line managers may undermine the good tone set by directors, if they are not responsible
2) Objective setting
-board should set goals in line with the company's mission
-should consider business risks before setting goals
-consider risk appetite
-align risk tolerance with risk appetite
-consider if certain aspects of control systems can be used for strategic purposes
3) Event identification: identify events that will affect achievement of objectives
-focus on events relating to both operational and strategic goals
4) Risk assessment: assess likelihood and impacts
-use a combination of qualitative and quantitative risk assessment methods
5) Risk response: four main responses – reduce, accept, transfer or avoid.
-take a portfolio review of risk
-responses should be realistic
6) Control activities: design, implement, segregation of duties
7) Information and communication: ensure data is
8) Monitoring: audit and IA are key players
Criticisms of the ERM model (the COSO cube)?
-One criticism of the ERM model has been that it starts at the wrong place. It begins with the internal and not the external environment. Critics claim that it does not sufficiently reflect the impact of the competitive environment, regulation and external stakeholders on risk appetite, management and culture.
-An excessive focus on internal factors, for which the model has been criticised, could result in a concentration on operational risks and a failure to analyse strategic dangers sufficiently.
-It has been criticised for encouraging an over-simplified approach to risk assessment. It is claimed that it encourages an approach that views the materialisation of risk as a single outcome. This outcome could be an expected outcome or it could be a worst-case result. Many risks will have a range of possible outcomes if they materialise – for example, extreme weather – and risk assessment needs to consider this range.
Define strategic risk. What are the two types of strategic risk?
Strategic risks arise from key decisions made by directors regarding an organization’s goals and objectives. These risks can be divided into two main categories:
Business risks: Stem from decisions about products, services, marketing, economic factors, and technological changes related to what the organization offers.
Non-business risks: Arise from factors like long-term financing choices and are not directly tied to the organization’s products or services. These risks are influenced by the organization’s position in its environment and can be affected by competitor actions and technological developments.
Who is responsible for managing strategic risks?
The board of directors is responsible for managing strategic risks. They make important decisions about the organization’s goals and direction. To do this effectively, they should have a set list of decisions they are in charge of, such as big acquisitions, investments, and financial policies. This recommendation comes from the UK Cadbury report. The board also needs to know how well the business is doing and understand what’s happening in the economy and technology. It’s important for the board to have a diverse group of people with different skills and knowledge. But even if the board follows all the right rules for making decisions, it doesn’t guarantee they will always make the best choices.
How to manage strategic risks?
1) Strategic Risks for Growth: Organizations often need to take strategic risks to expand and ensure long-term sustainability. For instance, developing new products can involve significant uncertainties and competition but may be necessary for growth.
2)Managing Strategic Risks: Organizations may accept short-term strategic risks but work to reduce or eliminate them over time. An example is dealing with fluctuations in the supply of a critical raw material by redesigning production processes.
3)Avoiding Certain Risks: Some risks should be avoided, especially those with potentially severe consequences, such as threats to safety. Directors may make “go errors” when pursuing opportunities with insufficient returns.
4) Importance of Not Missing Opportunities: Directors should also be aware of “stop errors,” which occur when they fail to pursue valuable opportunities. Competitors may seize these opportunities and gain a competitive advantage.
In essence, strategic risks are an inherent part of business growth, and organizations need to carefully balance the pursuit of opportunities and the avoidance of risks to achieve long-term success.