Risk-management frameworks and standards Flashcards

1
Q

Why is there a need for a formal, explicit risk-man system, and not to simply rely on intuitive, instinctive, implicit risk-man? (3)

A
  • Relying on intuition will lead to inconsistencies and incorrect decisions
  • Formal system ensures risk-man decisions support achievement of strategic objectives
  • Formal system ensures risk preferences of shareholders are taken into account
2
Q

What does a framework include? (4)

A
  • Policies
  • Procedures
  • Processes
  • Tools
3
Q

What is the ultimate aim of a risk-man framework?

A

Add value to an organisation, helping it to operate in a successful and sustainable way over the long term

4
Q

At a minimum, a typical risk-man framework will include mechanisms for: (4)

A

Risk identification - identification of risks that could impact org in positive or negative way

Risk assessment - assessing significance of identified risks, in order to prioritise attention and resources

Risk monitoring - monitoring to help detect any changes in the org’s exposure to identified risks

Risk control - controlling the org’s exposure to the identified risks

5
Q

Risk identification, assessment, monitoring and control are often known collectively as:

A

the risk-management process

6
Q

ISO 31000:2018 - 3 core elements around which risk-man process will be designed

A
  • Risk-man architecture (committees, reporting structures, etc.)
  • Risk-man strategy (policies, appetite, etc.)
  • Risk-man protocols (processes and procedures)
7
Q

10 key components of typical risk-man system

A
  • risk-man policy or series of policies
  • risk-man procedures
  • risk-man information systems
  • risk reports
  • risk-appetite statement
  • assessments of risk culture
  • training and awareness activities
  • risk-governance and compliance arrangements
  • specialist staff and functions
  • risk committees (or audit and risk committees)
8
Q

An org’s risk-man policy/policies outline/s: (4)

A
  • its aims and objectives & how these support wider strategic objectives
  • processes, procedures and activities that comprise framework
  • governance arrangements, such as a risk committee
  • allocation of roles and responsibilities
9
Q

A risk management procedure will…

A

relate to the assessment and control of related risk

10
Q

3 examples of risk-man procedures

A
  • Manual handling procedures for heavy objects
  • Procedures for operating machinery
  • Procedures for making financial transactions
11
Q

2 benefits of using a risk-man information system (RMIS) to support risk assessment, monitoring and control activities

A
  • Eases coordination of risk-man activities
  • Reduce time and effort required to produce risk-man reports on exposures and effectiveness of controls
12
Q

What is the purpose of a risk report?

A

To help management understand the organisation’s risk exposures and to make effective risk-man decisions

13
Q

What may dictate that risk reporting needs to be more frequent?

A

If risk exposures are changing quickly

14
Q

What will a risk-appetite statement outline?

A

The types and levels of risk that an organisation is willing to take in the pursuit of its objectives, as well as the risks it is not willing to take (or will only tolerate in specific circumstances)

15
Q

Will risk-appetite statements be made public?

A

Sometimes: a statement can be made public where there is a benefit in doing so, but it does not need to be

16
Q

Risk-man training and awareness will:

A
  • help employees understand how to identify, assess, monitor and control risks
  • explain the importance of risk-man for org and stakeholders
  • explain benefits and costs associated with taking specific risks
  • reinforce the contents of policies and procedures, how to use the RMIS, etc.
17
Q

What are the aims of risk-governance and compliance arrangements?

A
  • to ensure compliance with policies, processes and procedures that comprise a risk-man framework
  • to identify and address any weakness in design and application of framework
18
Q

Which risk-man specialist staff may be recruited? (5)

A
  • H&S professionals
  • Information security professionals
  • Business continuity managers
  • General risk managers
  • Compliance managers
19
Q

What is the purpose of a risk committee?

A

Oversee and coordinate the design and operation of risk-man framework

20
Q

Risk committees activities will include: (4)

A
  • Ensuring that risks are managed in a consistent way that supports the org’s objectives
  • Monitoring the more significant risks
  • Balancing the risk preferences of stakeholders
  • Ensuring adequate resources are devoted to risk-man
21
Q

Generally, which orgs will have dedicated risk-man committees? Why will others not?

A

Only large orgs - small to medium-sized orgs will often incorporate risk-man oversight into their audit committee

22
Q

What is the objective of ISO 31000:2018?

A

To provide a set of internationally recognised principles and guidance on the practice of risk-man in organisations, to help improve the design and implementation of frameworks within orgs

23
Q

3 main topic areas of ISO 31000:2018

A
  • Principles for risk-man
  • Core elements of an effective risk-man framework
  • The risk-man process
24
Q

ISO 31000:2018 - core principle for risk-man & 6 supporting principles

A
  • Risk-man activity should help protect and create value in orgs
    Frameworks should be:
  • structured
  • inclusive
  • customised
  • dynamic
  • responsive
  • integrated
25
Q

ISO 31000:2018 on leadership (2)

A
  • Argues that a tangible commitment to effective risk-man is needed from the org’s leaders
  • Support for risk-man should be evidenced by what these leaders say and do
26
Q

ISO 31000:2018 - 3 core elements of the risk-man process & 3 supporting activities

A
  Elements:
  • Establishing the context
  • Risk assessment
  • Risk treatment
  Activities:
  • Communication and consultation
  • Recording and reporting
  • Monitoring and review
27
Q

ISO 31000:2018 - risk-man process - establishing the context (2)

A
  • Includes understanding the internal and external drivers affecting exposure to risk
  • Understanding the types of risk that may affect the org, and the assessment and control tools available
28
Q

ISO 31000:2018 - risk-man process - risk assessment (2)

A
  • Identify, analyse and evaluate exposure to all sources of risk
  • May involve the use of statistical models or qualitative judgement
29
Q

ISO 31000:2018 - risk-man process - risk treatment (3)

A
  • Another term for risk control
  • Ensure the level of exposure is controlled (not too high or too low)
  • Influenced by risk appetite
30
Q

ISO 31000:2018 - risk-man process - communication and consultation (3)

A
  • Communicating risk-man information in a timely, accurate and factual way
  • Communicating to promote awareness and understanding of risk and how to deal with it
  • Consulting with key stakeholders to ensure they understand the risks and are satisfied with the approach
31
Q

ISO 31000:2018 - risk-man process - recording and reporting (2)

A
  • Properly documenting identified risks, and the processes and procedures used
  • Reporting to decision-makers and stakeholders on risk exposures and the measures taken to control those exposures
32
Q

ISO 31000:2018 - risk-man process - monitoring and review (3)

A
  • Review on a regular basis in order to learn, improve and adapt
  • Declining risk-man performance indicates that the efficiency and effectiveness of the framework have declined, so changes may be required
  • The risk-man framework may need to be changed if strategy and activities change
33
Q

What is the British Standard BS 31100?

A

The UK’s national guidance on developing, implementing and maintaining proportionate and effective risk-man; designed to be suitable for any org operating in the UK

34
Q

Guidance in BS 31100 includes: (4)

A
  • How to manage risk proactively rather than reactively
  • The operation of effective risk-man oversight
  • Providing assurance to the board and senior management on the effectiveness of risk-man activities
  • Reporting to stakeholders
35
Q

The Institute of Risk Management (IRM) standard (3)

A
  • Very similar to ISO 31000
  • Free to download in 14 languages, and shorter than ISO 31000
  • Has not been updated as recently as ISO 31000
36
Q

UK Government’s ‘The Orange Book’ (2)

A
  • Aimed at government orgs and departments (but useful to other types of org)
  • Adopts a principles-based approach to risk-man
37
Q

When did the COSO ERM Framework undergo a major revision?

A

2017

38
Q

At which organisations is the COSO ERM Framework aimed?

A

Organisations of all sizes and sectors

39
Q

For what reason is the COSO ERM Framework different in approach from most conventional risk-man frameworks?

A

To emphasise the performance-enhancing focus for risk-man that COSO believes is important

40
Q

COSO ERM Framework’s principles are organised into these 5 inter-related components:

A
  1. Governance and culture
  2. Strategy and objective setting
  3. Performance
  4. Review and revision
  5. Information, communication and reporting
41
Q

COSO ERM Framework’s 5 inter-related components - Governance and culture (2)

A
  • About ensuring that employees and other relevant stakeholders behave in a manner consistent with the org’s values and codes of conduct, and support the org’s objectives
  • Includes overseeing management decisions to ensure opportunities are exploited and threats are mitigated
42
Q

COSO ERM Framework’s 5 inter-related components - Strategy and objective setting (2)

A
  • Risk-man and strategy are complementary, in that each plays its part in enhancing org performance
  • The org must determine its appetite for different types of risk, and then plan a strategy that is less likely to result in risk exposures that exceed this level of appetite
43
Q

COSO ERM Framework’s 5 inter-related components - Performance (2)

A
  • Concerned with identifying and assessing risks that may affect the achievement of an org’s objectives
  • Threatening risks are compared against appetite, and controlling actions taken if required
44
Q

COSO ERM Framework’s 5 inter-related components - Review and revision - 3 objectives

A
  • The org should identify and assess substantial changes that may affect strategy or the achievement of objectives
  • The org should evaluate performance in light of the chosen strategy and risk response
  • Based on the outcomes of the above, the org should evaluate the continued appropriateness of its risk-man arrangements and revise them accordingly
45
Q

COSO ERM Framework’s 5 inter-related components - Information, communication and reporting (2)

A
  • Information should be shared continuously up, down and across the org to ensure that all decision-makers have the information they need
  • Some frameworks rely on periodic sharing, but COSO considers this ineffective because an org’s environment changes constantly
46
Q

What is the COBIT 2019 framework (inc. what it stands for)? (2)

A
  • Control Objectives for Information and Related Technologies (COBIT) is a good-practice risk-man framework for IT governance
  • Business oriented, linking IT goals to business goals and providing example metrics and benchmark maturity models
47
Q

5 elements of the COBIT framework

A
  • Code governance principles
  • Generic process descriptions for the governance of IT risks
  • Control objectives
  • Management guidelines
  • Process maturity models