Risk Management Flashcards
What are the 4 types of risk?
Risk management
The 4 types of risk are as follows:
- Hazard risks
- Financial risks
- Operational risks
- Strategic risks
What are Hazard risks?
Risk management
Hazard risks are risks that are insurable (e.g. natural disasters, the incapacity or death of senior officers, sabotage and terrorism)
What are Financial risks?
Risk management
Financial risks encompass interest-rate risk, exchange-rate risk, commodity risk, credit risk, liquidity risk and market risk
What are Operational risks?
Risk management
Operational risks are the risks related to the enterprise’s ongoing, everyday operations
Operational risk is the risk of loss from inadequate or failed internal processes, people and systems
These failures can relate to:
a. Human resources (e.g. inadequate hiring or training practices)
b. Business processes (poor internal controls)
c. Product failure (customer ill will, lawsuits)
d. Occupational safety and health incidents
e. Environmental damage and business continuity (power outages, natural disasters)
Operational risk includes:
a. Legal risk (making the enterprise subject to civil or criminal penalties)
b. Compliance risk (the risk that processes will not be carried out in accordance with best practices)
What are Strategic risks?
Risk management
Strategic risks include global economic risk, political risk and regulatory risk
What is the relationship between volatility and time?
Risk management
Anytime uncertainty increases, risk increases
Thus, as the volatility or duration of a project or investment increases, so does the associated risk
What is the concept of capital adequacy?
Risk management
Capital adequacy is a term normally used in connection with financial institutions. A bank must be able to pay those depositors that demand their money on a given day and still be able to make new loans
Capital adequacy can be discussed in terms of:
a. Solvency (the ability to pay long-term obligations as they mature)
b. Liquidity (the ability to pay for day-to-day ongoing operations)
c. Reserves (the specific amount a bank must have on hand to pay depositors) or sufficient capital
How can risk be quantified?
Risk can be quantified as a combination of two factors:
- Severity of consequences
- Likelihood of occurrence
The expected value of a loss due to a risk exposure can thus be stated numerically as the product of the two factors
The unexpected loss or maximum possible loss is the amount of potential loss that exceeds the expected amount
What is Risk avoidance?
Strategies for risk response
Risk avoidance is bringing to an end the activity from which the risk arises (e.g. the risk of having a pipeline sabotaged in an unstable region can be avoided by simply selling the pipeline)
What is Risk retention?
Strategies for risk response
Risk retention is the acceptance of the risk of an activity by the organization. This term is becoming synonymous with the phrase “self insurance”
What is Risk reduction (mitigation)?
Strategies for risk response
Risk reduction (mitigation) is the act of lowering the level of risk associated with an activity (e.g. the risk of systems penetration can be reduced by maintaining a robust information security function within the organization)
What is Risk sharing?
Strategies for risk response
Risk sharing is the offloading of some loss potential to another party
Common examples are the purchase of insurance policies, engaging in hedging operations and entering into joint ventures
It is synonymous with risk transfer
What is Risk exploitation?
Strategies for risk response
Risk exploitation is the deliberate courting of risk in order to pursue a high return on investment. Examples include the wave of Internet-only businesses that crested in the late 1990s and cutting-edge technologies (such as genetic engineering)
What is Residual risk?
Residual risk is the risk of an activity remaining after the effects of any avoidance, sharing or mitigation strategies
What is Inherent risk?
Inherent risk is the risk of an activity that arises from the activity itself (e.g. uranium prospecting is inherently riskier than retailing)
What are the benefits of risk management?
The benefits of risk management are as follows:
- Efficient use of resources - only after risks are identified can resources be directed toward those with the greatest exposure
- Fewer surprises - after a comprehensive, organization-wide risk assessment has been performed, the odds that an incident that has never been considered will arise are greatly reduced
- Reassuring investors - corporations with strong risk management functions will probably have a lower cost of capital
What are the key steps in the risk management process?
The key steps in the risk management process are as follows:
- Identify risks
- Assess risks
- Prioritize risks
- Formulate risk responses
- Monitor risk responses
What does the risk identification step within the risk management process entail?
(Risk management process - Step 1)
Step 1 of the risk management process is identify risks
Every risk that could affect the success of the organization must be considered. Note that this does not mean every single risk that is possible (only those that could have an impact on the organization)
Risk identification must be performed for the entire organization, down to its lowest operating units. Some occurrences may be inconsequential for the enterprise as a whole but disastrous for an individual unit
What does the risk assessment step within the risk management process entail?
(Risk management process - Step 2)
Step 2 of the risk management process is assess risks
Every risk identified must be assessed as to its probability and potential impact
Not all assessments need be made in quantitative terms. Qualitative terms (e.g. high, medium, low) are sometimes useful
What does the risk prioritization step within the risk management process entail?
(Risk management process - Step 3)
Step 3 of the risk management process is prioritize risks
In large and/or complex organizations, top management may appoint an ERM committee to review the risks identified by the various operating units and create a coherent response plan
The committee must include persons who are competent to make these judgments and are in a position to allocate the resources for adequate risk response (e.g. chief operating officer, chief audit officer, chief information officer)
What does the risk response formulation step within the risk management process entail?
(Risk management process - Step 4)
Step 4 of the risk management process is formulate risk responses
The ERM committee proposes adequate response strategies. Personnel at all levels of the organization must be made aware of the importance of the risk response appropriate to their levels
What does the risk monitoring response step within the risk management process entail?
(Risk management process - Step 5)
Step 5 of the risk management process is monitor risk responses
The two most important sources of information for ongoing assessments of the adequacy of risk responses (and the changing nature of the risks themselves) are:
- Those closest to the activities themselves. The manager of an operating unit is in the best position to monitor the effects of the chosen risk response strategies
- The audit function. Operating managers may not always be objective about the risks facing their units (especially if they had a stake in designing a particular response strategy). Analyzing risks and responses is among the normal duties of internal auditors
What is Risk appetite?
The degree of willingness of upper management to accept risk is termed the organization’s risk appetite
If top management has a low appetite for risk, the risk response strategies adopted will be quite different from those of an organization whose management is willing to accept a high level of risk
What is an insurance policy?
An insurance policy is a contract that shifts the risk of financial loss caused by certain specified occurrences from the insured to the insurer in exchange for a periodic payment called a premium
What does liability insurance provide an organization?
Liability insurance provides an organization with financial protection against damage caused to consumers by faulty products or injury to persons suffered on the organization’s premises
What is hazard insurance?
Hazard insurance is the same as homeowner’s or automobile driver’s insurance. It protects the organization against damage caused to its facilities by accident or natural disaster
What are qualitative risk assessment tools?
Precise numeric quantification of risk is not necessarily required to have a sound risk management structure
Qualitative tools are crucial for upper and operational management to describe the risks they face
The following are key qualitative risk assessment tools:
- Risk identification
- Risk ranking
- Risk mapping
What does Risk identification within qualitative risk assessment entail?
(Qualitative risk assessment tools)
Risk identification - the very first step in the process does not lend itself to quantitative techniques. Intuitive and thought-provoking methods are required to identify all the areas of organizational vulnerability
The first round of risk identifications can begin with a simple question to management at all levels: What aspects of the organization keep you up at night?
A list of generic risk areas can be distributed to inspire managers about possible points of vulnerability in their domains (foreign exchange risk, supply chain risk, regulatory risk, competitive risk, computer hacker risk, etc.)
A brainstorming session among managers is a simple technique to get the risk identification process started
What does Risk ranking within qualitative risk assessment entail?
(Qualitative risk assessment tools)
Risk ranking is also necessarily an intuitive process. Managers have a “feel” for how much risk a given vulnerability presents to their domains
What does Risk mapping within qualitative risk assessment entail?
(Qualitative risk assessment tools)
Risk mapping is a visual tool for depicting relative risks. The probabilities of the identified events can be graphed on one axis and the severity of the consequences on the other
What is the Value at risk (VaR) technique?
Quantitative risk assessment tools
Value at risk (VaR) is a technique that employs the statistical phenomenon known as the normal distribution (bell curve)
The potential gain or loss resulting from a given occurrence can be determined with statistical precision
What is the Cash flow at risk technique?
Quantitative risk assessment tools
Cash flow at risk and earnings at risk are identical in application to VaR. The difference between them is that the dollar amount in question is cash flow or accrual-basis earnings, respectively
What is the Earnings distributions technique?
Quantitative risk assessment tools
Earnings distributions (in total or on a per-share basis) are also applications of statistical techniques. Just as in the value-at-risk plot, the potential returns are plotted on the x-axis and the probabilities on the y-axis
However, earnings distributions are unlikely to be symmetrical. A skewed distribution is more typical
What is the COSO framework definition of risk?
Risk is the possibility that an event will occur and adversely affect the achievement of objectives
What is the COSO framework definition of risk management?
Risk management at any level of the organization is designed to identify potential events that may affect the entity, manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives
What is the COSO framework definition of risk management applied to an enterprise as a whole?
Risk management applied to the enterprise as a whole can be defined as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives
What is the objective of Enterprise Risk Management (ERM)?
The objective of an ERM program is quite simply to assist the organization in achieving its existing strategic, operational, reporting and compliance objectives
What are the four categories in which risk must be identified and managed?
Risk must be identified and managed in all four of these categories:
- Strategic - these are the high-level goals that map out the entity’s pursuit of its mission statement
- Operational - these are the entity’s goals concerning the efficient and effective deployment of its resources
- Reporting - the entity must have reasonable assurance that its external (and internal) reports are free of material misstatement
- Compliance - the entity must comply with applicable laws and regulations
What are the eight interrelated components of an ERM program according to the COSO Framework?
The COSO Framework identifies 8 interrelated components of an ERM program:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information & Communication
- Monitoring
What does the Internal environment COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Internal environment - management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people
The core of any business is its people - their individual attributes, including integrity, ethical values and competence - and the environment in which they operate
What does the Objective setting COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Objective setting - objectives must exist before management can identify potential events affecting their achievement
Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite
What does the Event identification COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Event identification - potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives
It includes distinguishing between events that represent risks, those representing opportunities and those that may be both
Opportunities are channeled back to management’s strategy or objective-setting processes
What does the Risk assessment COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Risk assessment - identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected
Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact
What does the Risk response COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Risk response - personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing and sharing risk
Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite
What does the Control activities COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Control activities - policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out
What does the Information & Communication COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Information and Communication - relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities
Information is needed at all levels of an entity for identifying, assessing and responding to risk
Effective communication also occurs in a broader sense, flowing down, across and up the entity. Personnel receive clear communications regarding their role and responsibilities
What does the Monitoring COSO framework component of an ERM program entail?
(COSO Framework - ERM program component)
Monitoring - the entirety of enterprise risk management is monitored and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant
Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management or a combination of the two
What are the benefits of adopting an ERM program according to the COSO framework?
The COSO Framework lists 3 significant benefits accruing to an organization that adopts an ERM program:
- Reducing operational surprises and losses - entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses
- Seizing opportunities - by considering a full range of potential events, management is positioned to identify and proactively realize opportunities
- Improving deployment of capital - obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation
How is an event defined according to the COSO Framework?
According to the COSO Framework, an event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives
Events may have positive or negative impact, or both. Events with a positive impact are considered opportunities, those with negative impact are risks
What does the COSO Framework say about methods of identifying risks?
The COSO Framework says the following about methods of identifying risks:
An entity’s event identification methodology may comprise a combination of techniques, together with supporting tools (e.g. management may use interactive group workshops as part of its event identification methodology, with a facilitator employing any of a variety of technology-based tools to assist participants)
Event identification techniques look to both the past and the future. Techniques that focus on past events and trends consider such matters as payment default histories, changes in commodity prices and lost-time accidents
Techniques that focus on future exposures consider such matters as shifting demographics, new market conditions and competitor actions
What are the Specific event identification techniques according to the COSO Framework?
Specific event identification techniques include the following:
- Event inventories
- Internal analysis
- Escalation or threshold triggers
- Facilitated workshops and interviews
- Process flow analysis
- Leading event indicators
- Loss event data methodologies
What does the Event inventories specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Event inventories - these are detailed listings of potential events common to companies within a particular industry or to a particular process or activity common across industries
Software products can generate relevant lists of generic potential events, which some entities use as a starting point for event identification (e.g. a company undertaking a software development project draws on an inventory detailing generic events related to software development projects)
What does the Internal analysis specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Internal analysis - this may be done as part of a routine business planning cycle process (typically via a business unit’s staff meetings)
Internal analysis sometimes utilizes information from other stakeholders (customers, suppliers, other business units) or subject matter expertise outside the unit (internal or external functional experts or internal audit staff)
For example: a company considering introduction of a new product utilizes its own historical experience, along with external market research identifying events that have affected the success of competitors’ products
What does the Escalation or threshold triggers specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Escalation or threshold triggers - these triggers alert management to areas of concern by comparing current transactions (or events) with predefined criteria
Once triggered, an event may require further assessment or an immediate response (e.g. a company’s management monitors sales volume in markets targeted for new marketing or advertising programs and redirects resources based on results)
Another company’s management tracks competitors’ pricing structures and considers changes in its own prices when a specified threshold is met
What does the Facilitated workshops & interviews specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Facilitated workshops and interviews - these techniques identify events by drawing on accumulated knowledge and experience of management, staff and other stakeholders through structured discussions
The facilitator leads a discussion about events that may affect achievement of entity or unit objectives
For example: a financial controller conducts a workshop with members of the accounting team to identify events that have an impact on the entity’s external financial reporting objectives. By combining the knowledge and experience of team members, important events are identified that otherwise might be missed
What does the Process flow analysis specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Process flow analysis - this technique considers the combination of inputs, tasks, responsibilities and outputs that combine to form a process
By considering the internal and external factors that affect inputs to or activities within a process, an entity identifies events that could affect achievement of process objectives
For example: a medical laboratory maps its processes for receipt and testing of blood samples. Using process maps, it considers the range of factors that could affect inputs, tasks and responsibilities, identifying risks related to sample labeling, handoffs within the process and personnel shift changes
What does the Leading event indicators specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Leading event indicators - by monitoring data correlated to events, entities identify the existence of conditions that could give rise to an event
For example: financial institutions have long recognized the correlation between late loan payments and eventual loan default and the positive effect of early intervention
Monitoring payment patterns enables the potential for default to be mitigated by timely action
What does the Loss event data methodologies specific event identification technique entail?
(COSO Framework - Specific event identification technique)
Loss event data methodologies - repositories of data on past individual loss events are a useful source of information for identifying trends and root causes
Once a root cause has been identified, management may find that it is more effective to assess and treat it than to address individual events
For example: a company operating a large fleet of automobiles maintains a database of accident claims and, through analysis, finds that a disproportionate percentage of accidents, in number and monetary amount, are linked to staff drivers in particular units, geographies and age brackets
This analysis equips management to identify root causes of events and take action
How was risk management perceived prior to enterprise risk management (ERM)?
Before the arrival of ERM, risk management was perceived as simply another line function, concerned only with the adequacy of the organization’s hazard and liability insurance
With risk management recognized as an enterprise-wide function, corporate governance becomes crucial. Each enterprise should establish a risk committee that reports to the board of directors and name a chief risk officer (CRO). The internal audit function must participate in any effective ERM program
What is risk analytics?
Risk analytics is the use of software tools to calculate risk exposures based on user input. Portfolio management is an important tool in addressing financial risk
What guidance does the COSO Framework provide as to preparing a cost-benefit analysis?
The application techniques portion of the COSO framework provides the following guidance on preparing a cost-benefit analysis:
Virtually every risk response will incur some direct or indirect cost that is weighed against the benefits it creates. The initial cost to design and implement a response (processes, people and technology) is considered, as is the cost to maintain the response on an ongoing basis
The costs (and associated benefits) can be measured quantitatively or qualitatively, with the unit of measure typically consistent with that used in establishing the related objective and risk tolerance