Risk-management frameworks and standards Flashcards
What is implicit risk-management activity?
What is the problem with implicit risk-management?
Why does an organisation need a formal, explicit risk-management framework? (2)
When designing and implementing a risk-management framework, who decides what is appropriate for the organisation and its stakeholders?
Implicit = subconscious RM = managing risk without realising you are doing it
Unlikely to yield successful results in the long run, as hundreds of RM decisions need to be made on a daily basis = implicit RM will lead to inconsistent and incorrect RM decisions
To ensure that the level of risk-taking within the organisation:
(1) supports the achievement of its strategic objectives
(2) is consistent with the risk preferences of its stakeholders
The board, senior management (SM) and any RM professionals
Why is there no single, best way to design a risk-management framework?
What are the 4 factors which could influence the design of a risk-management framework?
An organisation’s risk-management framework consists of what 4 things?
Because organisations differ in terms of the nature, scale, and complexity of their activities
- the structure and reporting lines of the organisation
- its culture
- the human and financial resources it has available
- the regulations with which it is expected to comply
various (1) policies, (2) procedures, (3) processes and (4) RM activities
An organisation’s risk-management framework consists of various policies, procedures, processes and activities. What is the purpose of these?
What is the aim of a risk-management framework?
How is this achieved? (4)
(at a minimum a risk-management framework for an organisation will include mechanisms for what?)
What are these 4 activities commonly known as?
To provide a coherent structure for RM activities and decisions (to ensure risks are managed in a consistent manner by all decision-makers, in accordance with the interests of the organisation and its stakeholders)
= to add value to an organisation to ensure it operates in a successful and sustainable way over the long term
Through:
1. Identifying risks which could impact the organisation in either a positive or a negative manner
2. Assessing the significance of identified risks to prioritise management's attention and financial resources
3. Monitoring to detect changes in exposure to the identified risks
4. Controlling the organisation's exposure to the risks that have been identified
Identify, assess, monitor, and control = the RM process, but it is common for organisations to add further elements
What is the role of risk-management standards?
Are standards compulsory?
What are the 3 core areas that the report 'A structured approach to Enterprise Risk Management and the requirements of ISO 31000' refers to?
= to provide a universal benchmark for good RM practice = helps organisations (irrespective of their market sector or business model) to improve the effectiveness of their RM practices
Not compulsory = not every organisation will need to incorporate all of the good practice contained within a standard
A. RM architecture (committees, reporting structures and so on);
B. RM strategy (risk policies and risk appetite, for example)
C. RM protocols (processes and procedures)
RISK-MANAGEMENT POLICY
An organisation will usually have a risk management policy which outlines what 4 things?
A large or complex organisation may have what?
RISK-MANAGEMENT PROCEDURES
Why will an organisation have risk-management procedures? (2)
- aims and objectives for RM
- the processes, procedures, and activities of the RM framework
- governance arrangements for RM (e.g., risk committee)
- the allocation of roles and responsibilities for RM
Multiple RM policies (for different categories of risk etc), but usually also an overarching RM policy to ensure any sub-policies are consistent with the overall objectives of the organisation
(1) = to specify how its employees and managers should perform specific tasks and activities, e.g., procedures for operating machinery or financial procedures such as payroll
(2) Dedicated RM procedures may be used to help control certain types of risk = reporting suspicious financial transactions, escalating control failures etc.
RISK-MANAGEMENT INFORMATION SYSTEMS (RMIS)
Why might an organisation use a RMIS?
How can an organisation obtain a RMIS?
What are the 2 advantages of an RMIS?
What is the disadvantage?
Organisations may use an RMIS to support their risk assessment, monitoring and control activities
Systems may be built in-house or purchased from external specialists
Advantages:
1. Can help improve an organisation’s ability to co-ordinate its RM activities
2. Can reduce the time and effort required to produce RM reports on the organisation’s risk exposures or the effectiveness of its controls
Disadvantage = an RMIS is expensive (to build in-house or to buy and maintain)
RISK REPORTS
Why do organisations produce a risk report?
What does the frequency of risk reporting depend on? (2)
RISK APPETITE STATEMENT
What is a risk appetite statement?
Can an organisation have more than 1 risk appetite statement?
To help management understand the organisation’s risk exposures and make effective RM decisions
(1) how quickly risk exposures are changing or (2) the materiality of the principal risks = risk reporting can be real-time in areas such as information security; for the board it might be monthly, quarterly, annual etc.
= a statement that outlines the types and levels of risk that an organisation is willing to take in the pursuit of its objectives, as well as the risks that it is not willing to take or will only tolerate in specific circumstances
Internally yes = statements may exist for specific categories of risk or for different business units because an organisation may have a different appetite for these
Externally = PLCs will include information on their risk appetite in the annual report and accounts (ARA)
RISK TRAINING AND AWARENESS ACTIVITIES
What are the 4 things that risk-management and risk-awareness training courses (online or face-to-face) help employees and managers to understand or reinforce?
SPECIALIST STAFF AND FUNCTIONS
Why are risk management specialists often recruited?
Name 3 risk-management specialists that medium to large organisations will often recruit.
- The importance of RM for the organisation and its stakeholders = the costs and benefits associated with taking specific risks
- The types of risk relevant to them
- How to identify, assess, monitor and control these risks in an effective manner
- The policies and procedures to operate the RM process and use RMIS
= to support the operation and ongoing improvement of organisation’s RM framework
- Auditors
- Compliance managers
- H&S professionals
RISK-GOVERNANCE AND COMPLIANCE ARRANGEMENTS
What do risk-governance and compliance arrangements do?
Why are they needed/created? (3)
Name an example.
= support the direction of the design and operation of RM policies, processes and procedures
To ensure:
(1) compliance with internal policies and procedures and/or external laws, regulations, and contracts
(2) compliance with the RM framework
(3) that any weaknesses in the RM framework design or application are identified and addressed promptly
= the activities of external and internal auditors
RISK COMMITTEES, OR AUDIT AND RISK COMMITTEES
What is the purpose of a risk committee?
Name 3 activities this will include / what is the role of a risk committee?
Generally, only large organisations will have a dedicated risk-management committee and small and medium-sized may have a combined audit and risk committee.
Why do merged audit and risk committees require careful management?
RC = to oversee and co-ordinate the design and operation of an organisation’s RM framework
A. Ensure risks are managed in a consistent and objective way
B. Ensure adequate resources are devoted to RM
C. Balance differing risk preferences of stakeholders
Responsibilities of an audit committee can conflict with those of a risk committee:
(i) Focus of AC = ensure accurate financial reporting and internal control to limit the risks that could threaten the organisation (a risk-reducing mindset)
(ii) Focus of RC = consider taking risk in a proactive manner to support the achievement of organisational strategy and objectives (a risk-taking mindset)
A&R committee members need to be reminded of this potential conflict to ensure they apply the right risk mindset to each agenda item
A DETAILED LOOK AT ISO 31000:2018
What is ISO 31000:2018 and what is its objective (/what does it provide)?
Why was ISO 31000 updated in 2018?
Why should an organisation follow the principles and guidance within ISO 31000:2018 if it is not a regulatory document or compliance compulsory?
What are the 3 main topic areas ISO 31000:2018 is centred on? (triangle diagram)
How are these topics connected?
ISO 31000:2018 = the international standard for RM
* Provides internationally recognised principles and guidelines for managing risk in all types of organisations, regardless of size, activities or industry sector
* Is a universal benchmark but does not promote a uniform approach
The revised guidance reflects changes in risk exposure and RM practice
Organisations can use the standard to identify gaps between their current RM framework and good practice and then take action to improve the effectiveness of RM practices
- PRINCIPLES for risk-management
- core elements of an effective RM FRAMEWORK
- the RM PROCESS
ISO 31000:2018 distinguishes between a RM framework, principles and process, but notes these elements are not independent
*Principles and process elements feed into the framework element (direction of arrows)
A DETAILED LOOK AT ISO 31000:2018
The standard covers a wide range of topics, including what 5 things?
- Definitions for key terms
- The importance of managing opportunities and downsides that may come from exposure to risk
- The basic principles for RM = developing risk-aware culture that supports strategic objectives
- How to design, implement, review, and improve an effective RM framework
- The key components of an effective RM process for identifying, assessing, monitoring, and controlling risk
A DETAILED LOOK AT ISO 31000:2018 - PRINCIPLES
What is the core principle of the standard and the 5 additional principles the standard calls for risk-management frameworks to be?
A DETAILED LOOK AT ISO 31000:2018 - FRAMEWORK
In terms of designing an effective risk management framework, what does the standard highlight?
What does ISO 31000 emphasise in relation to risk-management frameworks?
Core principle = RM activity should help protect and create value in organisations
* Additional principles = RM frameworks should be
1. Customised
2. Integrated
3. Structured and comprehensive
4. Inclusive
5. Dynamic and continuous
(Note: the standard itself lists eight principles around value creation and protection; besides the five above it also names best available information, human and cultural factors, and continual improvement)
Highlights how the external (regulation, technological development and market forces) and internal (culture and structure) context of an organisation will influence the design, implementation and ongoing review and improvement of the framework
Emphasises the importance of leadership and commitment in designing, implementing, reviewing and improving effective RM frameworks = a tangible commitment to effective RM is needed from managers, SM, and board
A DETAILED LOOK AT ISO 31000:2018 - PROCESSES
What are the 3 core elements of risk-management processes?
What are the 3 activities that support the core elements?
CORE ELEMENTS:
1. Establishing the context = understanding the internal and external drivers that may affect an organisation's exposure to risk (the standard's heading is "scope, context and criteria")
2. Risk assessment = the organisation should identify, analyse and evaluate its exposure to all sources of risk to its objectives
3. Risk treatment = another term for risk control = ensure risk exposure is neither too high nor too low (influenced by risk appetite)
SUPPORTED BY:
4. Communication and consultation
* Communicating RM information in a timely, accurate and factual way
* Communication = promote awareness and understanding of risk and how to deal with it
* Consulting with key stakeholders
* Consultation = obtaining feedback and information to support decision-making
5. Recording and reporting
* Recording = ensuring that (1) identified risks and (2) processes and procedures are understood and documented properly (helps implement them coherently)
* Reporting = reporting on an organisation's risk exposures and the measures taken to control these exposures to relevant decision-makers and stakeholders
6. Monitoring and review = learning, improving and adapting to ensure the framework and process remain fit for purpose
NATIONAL GUIDANCE ON IMPLEMENTING ISO 31000:2018
What are the 2 pieces of guidance produced for implementing ISO 31000 in the UK and Ireland?
What does each do?
- British Standards Institution (BSI) = BS 31100
* gives practical and specific recommendations on how to implement the RM principles, framework, and process as outlined in ISO 31000
(Suitable for any organisation operating in the UK)
E.g., how to manage risk in a proactive rather than a reactive manner
- National Standards Authority of Ireland (NSAI)
= outlines various RM methods and techniques that Irish organisations can use to implement an effective RM framework