Risk-management processes, perspectives, and responsibilities Flashcards

1
Q

THE STANDARD RISK-MANAGEMENT PROCESS

The risk-management processes of organisations can differ depending on what 3 things?

What are the 4 steps in the standard risk-management process?

What are the 2 key characteristics of the standard risk-management process?

A

The nature, scale, and complexity of an organisation

  1. Risk identification = activities associated with identifying the actual risks to which an organisation is exposed (for better or for worse)
  2. Risk assessment = activities concerned with assessing and prioritising an organisation’s exposure to identified risks, in terms of probability and impact
  3. Risk monitoring = activities used to monitor and report on potential changes in risk exposure or the effectiveness of risk controls and RM activities in general
  4. Risk control = application of tools and techniques to manipulate/influence specific risk exposures, in terms of probability and/or impact

A. The process is performed sequentially = one element of the process precedes the next element
B. The process is circular in continuous use = not clear where process starts and ends

2
Q

THE STANDARD RISK-MANAGEMENT PROCESS

RISK IDENTIFICATION

Name 3 tools and techniques that can be used to identify risk.

RISK ASSESSMENT

What is the purpose of risk assessment?

What is the equation normally used to assess risks?

What is the problem with this equation?

A
  1. Checklists = a list of common risks within an organisation is provided to management to help them identify the risks associated with a particular activity or decision
  2. Root-cause analysis
  3. Delphi technique

Purpose = determine the potential significance of the risk(s) in question = allows risks to be placed in rank order to help establish their priority = focus management’s attention and resources

Exposure = (probability of risk event) x (impact of risk event)
Exposure = likelihood x severity

Problem = equation assumes a very simple, binary outcome
* In reality it is much more likely that a range of risk outcomes are possible

3
Q

THE STANDARD RISK-MANAGEMENT PROCESS

RISK MONITORING

What is the purpose of monitoring risks? (2)

What does risk monitoring involve?

Name 3 sources.

RISK CONTROL

Name 4 tools and techniques used to control risks.

A

A. To provide a comprehensive picture of an organisation’s current risk profile in relation to the objectives it pursues

B. To provide an indication of how this risk profile may change

Involves the collection and dissemination of a wide range of data from different sources including:
* Loss data, on past risk events
* Performance indicators, e.g., customer complaints data
* Internal/external risk reports

  1. Physical devices = door locks
  2. Financial tools = derivatives
  3. Tools to transfer risk = insurance and outsourcing
  4. Tools to help detect potential risk events = smoke alarms
4
Q

THE STANDARD RISK-MANAGEMENT PROCESS

What are the 2 disadvantages of the standard risk-management process?

What are gaps and overlaps?

Give an example of each.

Which case highlights the problems of a silo approach to risk-management?

A

(1) Is generally only focused on formal factors

(2) Is a silo approach to RM = different categories of risk managed individually, often by different people or functions across the organisation = gaps and overlaps between risk categories may be ignored

Gaps = risks go undetected/unmanaged

E.g., Cyber security risks in the 20th century were ignored because responsibility for managing them hadn’t been assigned to any individual/function/department

Overlaps = correlations between risk types may be ignored

E.g., Sales and marketing launch new product but could create operational risks that are ignored because operational risks don’t fall within sales and marketing area of responsibility

Perrier Benzene scandal:
* 1990, high levels of the toxic substance benzene were discovered in bottles of Perrier
* The company took steps to recall the product
* When the media first found out about the problem, Perrier did not know how to respond
* Perrier’s failure to recognise and manage the growing reputation risk led to an information vacuum that provoked much more consumer anxiety than there should have been
* The brand has never regained its pre-1990 sales volume

5
Q

ENTERPRISE RISK-MANAGEMENT

ERM is a hard concept to define and there is no perfect definition.

How does COSO define ERM and what 3 things is it designed to do?

What are the 3 essential characteristics that distinguish ERM from the standard risk-management processes?

What is the role of an integrated risk function?

A

ERM = a process, effected by board and SM, applied in strategy setting across the enterprise, designed to:
1. Identify potential events that may affect the entity
2. Manage risk to be within risk appetite
3. Provide reasonable assurance for achievement of objectives

(ERM is a process! = remains focused on the identification, assessment, monitoring and control of risk, but extends the standard RM process)

(1) A holistic focus = ERM should be applied across an organisation = embraces all types of risk in every part of the organisation = recognises that different risks, functions, business lines, and processes are all interconnected
* ERM can be implemented through the creation of an integrated risk function

Integrated risk function = looks at all risks across all levels of the organisation to build a comprehensive picture of where risk lies within the organisation

(2) An emphasis on value-added RM = ERM (if applied correctly) should create and protect value for an organisation through effective strategic level RM decision-making and operations that function smoothly without costly interruption

(3) The blending of formal and informal RM tools and activities
* Formal factors = tangible systems, processes, procedures, policies, committees and forums that exist within organisations, as well as organisation structures and hierarchies
* Informal factors = organisational culture, social networks and how risk and RM are perceived, e.g., risk viewed as threat or opportunity, or RM as costly or value adding

6
Q

ENTERPRISE RISK-MANAGEMENT

What are the 5 organisation-wide benefits of ERM?

A
  1. Improved reporting to support strategic decision-making
    = Board and SM should be able to make better strategic decisions by having a holistic understanding of risks = can achieve a better balance of risk and return (take risk where only justified by potential returns)
  2. Avoidance of silos
    = ensure gaps and unrecognised overlaps in risk profile are avoided
  3. Improved operational efficiency and cost effectiveness
    = reduce costs of RM activity by better co-ordinating RM activity across the organisation
    = reduce duplication of controls and learn from mistakes
  4. Improved profitability and equity value
    * For-profit organisation = insulate organisation-wide cash flows from unnecessary volatility
    * NFP = reduce costly risk events
  5. Improved ability to achieve other business objectives
    = helps achieve non-commercial objectives (CSR and sustainability)
7
Q

ENTERPRISE RISK-MANAGEMENT

What are the 3 local (business units, departments, and functions) benefits of ERM?

A
  1. Consistent decision-making
    = helps ensure all decision-makers achieve an appropriate balance between risk and return that is consistent with the organisation’s appetite for risk and its strategy and objectives
  2. Effective resource allocation for RM
    = ensure funds are allocated on a risk-exposure basis = high-risk areas receive more resources and central support
  3. Spreading risk ownership, allowing risks to be managed by the local experts
    = operational and internal control risks are hard to manage via a central risk function because are diverse and require local insight
    = ERM allows local managers to manage operational and internal risks with escalation procedures, should a risk event occur
8
Q

ENTERPRISE RISK-MANAGEMENT

What are the 2 consequences of implementing ERM processes poorly?

How can an organisation that uses ERM have an effective approach?

What are the 6 elements of an effective ERM process?

A

(1) can be costly
(2) may result in ineffective decision making at an organisation-wide and local level

Should go beyond the core elements of the standard RM process, i.e., consider the following 6 additional factors when implementing an effective ERM process

  1. ERM policies and procedures
  2. Risk appetite = an organisation has to take risks to achieve its objectives
  3. Enterprise risk reporting = provide board holistic picture without large amounts of detail
  4. Risk and audit committees
  5. Escalation and whistleblowing
  6. Business continuity management
9
Q

ENTERPRISE RISK-MANAGEMENT - ERM POLICIES AND PROCEDURES

Any formalised risk-management process requires a documented policy and an associated set of procedures to ensure that it is used correctly.

Explain the purpose of drafting an ERM policy / Why is an ERM policy needed? (2)

Name 3 things that an ERM policy should include.

One way to structure the contents of an ERM policy is to adopt the what?

A

An ERM policy is needed to:
(1) ensure that risks are managed in a consistent manner across an organisation and that risk exposures are kept within the organisation’s risk appetite
(2) make clear roles and responsibilities for RM at an organisation-wide and a local level

  1. The organisation’s overarching approach to risk
  2. Roles and responsibilities for ERM, including the role of the board and SM
  3. The reporting structure for ERM, including reporting lines into the CRO/ risk committee

The Risk Architecture, Strategy and Protocols (RASP) approach outlined in ISO 31000

10
Q

ENTERPRISE RISK-MANAGEMENT - RISK AND AUDIT COMMITTEES

Almost all organisations should have an audit committee, though not all will have a risk committee (can be combined into one).

From an ERM perspective, what are the 2 key considerations for the committee? (Committee should consider?)

A
  1. The relevant committee should consider the potential for threats and opportunities
    * Audit committees are focused on internal control and risk reduction = where the risk and audit committee is combined it can be hard to get into a more risk-positive opportunity mindset
    * Separate risk and audit committees avoid any conflict of interest between internal control and opportunity-taking
  2. The risk committee must consider all categories of risk across the whole organisation = the committee should consider risks which may have a significant effect on the strategy and business objectives
11
Q

ENTERPRISE RISK-MANAGEMENT - ESCALATION AND WHISTLEBLOWING

Concerns regarding control failures or other unauthorised breaches of policies and procedures, including criminal acts, must be reported in what way and to whom?

What should whistleblowing procedures be?

BUSINESS CONTINUITY MANAGEMENT

Given the impossibility of eliminating all risk, an effective ERM process must include mechanisms to ensure what?

A

Reported in a consistent manner across the organisation to a single point of contact = could be the CRO, company secretary, or governance professional

Whistleblowing procedures should only ever be organisation-wide, given the potential seriousness of the information provided
* However, for risk events or control failures that are not of organisation-wide significance, local management escalation processes may be required

To ensure that the initial impacts of risk events, and their longer-term effects on the continuity of the organisation’s operations, are properly managed and mitigated where it is cost effective to do so.

12
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - BOARD AND EXECUTIVE MANAGEMENT

What is the role of the board? (4)

Boards only need what information on risks?

A

(1) determine risk appetite

(2) periodically monitor the risk profile to ensure the organisation remains within the agreed appetite for risk

(3) must ensure that it receives appropriate assurance from management that the organisation has an appropriate risk-management process in place and that this process is used correctly

(4) have oversight responsibility

Board only needs information on risks that may cause the organisation to breach its risk appetite = these are the risks that may affect the strategy of an organisation and its ability to achieve its objectives

13
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - RISK COMMITTEES

What 2 factors will determine whether an organisation will have combined or separate risk committee?

Why do risk committees exist? (3)

Who does the risk committee report to?

A

Its (1) structural complexity and (2) whether it has an ERM process in place (if yes then usually separate)

Risk committees exist to:
1. take a more detailed look at the RM process, risk profile and risk appetite
2. review and approve RM policies and procedures (but board has final approval)
3. provide assurance and ensure that the organisational risk profile does not exceed appetite

Report directly to the board = board delegated committee

14
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - CHIEF RISK OFFICER

Which organisations usually have a CRO?

What is the role of the CRO? (5)

A

Only large organisations or organisations that have implemented ERM process

Role:

  1. To support the board and risk committee in the fulfilment of their responsibilities
    = including raising any concerns that the CRO may have regarding risks
  2. To direct the work of the organisation’s risk function
  3. To oversee the RM activities of the whole organisation
  4. Ensure that risks are managed consistently with the risk appetite, and RM policies and procedures
  5. To work with the compliance and internal audit functions to ensure that regulatory-compliant RM governance arrangements are in place across the organisation
15
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - RISK MANAGER AND RISK FUNCTION

Most organisations will have either a dedicated risk manager or an individual with responsibility for risk-management within their role.

What is the role of the risk manager and wider risk function? (5)

A
  1. Oversee, co-ordinate and facilitate RM activity across an organisation
  2. Risk monitoring and reporting = collect risk-exposure and RM information from across the organisation to provide risk reports to board, CRO, risk committee
  3. Help with risk identification and assessment exercises = completion of risk registers
  4. Provide advice about how to effectively control specific risks and training on the organisation’s RM policies and procedures to other functions
  5. Support the design and implementation of RM processes = draft RM policies and procedures
16
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - COMPLIANCE MANAGER AND COMPLIANCE FUNCTION

What is the role of the compliance manager or function? (4)

Why is it important that the compliance manager or function works closely with the risk manager or function?

A
  1. Ensure that the design and ongoing operation of an organisation’s RM processes are compliant with all applicable rules and guidance
  2. Ensuring that health-and-safety risks and environmental risks are managed appropriately
  3. Support oversight of the RM policy and processes to ensure that the compliance relevant elements are implemented appropriately across the organisation
  4. Act as an intermediary between the organisation and RM-related regulatory and supervisory bodies, e.g., providing RM information to them and answering questions

Because the compliance manager or function can help to ensure that RM processes are designed in a compliant manner

17
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - INTERNAL AUDIT

What is the role of internal audit? (3)

The risk and audit functions will usually work closely together, supporting each other’s activities, but what should be monitored?

A
  1. Provide assurance that the design and implementation of organisation’s RM process is effective
  2. May conduct audits of the risk function and RM process
    = Benchmarking this process against industry standards or audits to determine whether managers are using the process correctly
  3. May provide an opinion on whether the organisation (as a whole or specific functions) is keeping the risk profile within risk appetite

Such a close working relationship should not interfere with the independence of the internal audit function

18
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - COMPANY SECRETARY / GOVERNANCE PROFESSIONAL

How does the role of the company secretary / governance professional in relation to risk-management vary?

Where company secretaries have direct responsibility for risk management, what will their role be? (3)

Where company secretaries are not directly responsible for risk management, what will their role be? (2)

What will this include? (2)

A company secretary or governance professional will need to work closely with whom, and why?

A

Role may vary:
* In some organisations they will have direct responsibility for RM
* In others they will play more of a supporting role

Involved in the oversight of RM activities across the organisation, might also have compliance related responsibilities, and be responsible for purchase of insurance

(1) Role will move closer to that of an audit function = provide assurance on the effectiveness of the design and implementation of RM process, policies, procedures and activities

(2) Ensure that the board fulfils its RM responsibilities:
1. conducting board effectiveness reviews (including RM skills and experience)
2. advising the board on its RM responsibilities and ensure board agendas devote sufficient time to RM

Work closely with the risk and compliance functions, and CRO, to ensure the board receives the risk reports and RM assurance it needs to fulfil its obligations

19
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - FINANCE FUNCTION

What is the role of the finance function? (2)

A

Role:
(1) ensure that it manages the risks associated with its activities consistently with RM policy and procedures and the risk appetite

(2) provide a range of financial information to the risk function to support risk monitoring and reporting

20
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT

HEALTH AND SAFETY FUNCTION

What is the role of the health and safety manager/function? (3)

A

H&S function/manager:
  1. Responsibility for overseeing H&S matters
  2. Be compliant with any relevant regulations and the organisation’s RM policy and procedures
  3. Report information about H&S risks to the risk manager to ensure they have a comprehensive picture of exposure to risk
21
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT

HUMAN RESOURCE MANAGEMENT FUNCTION

What is the role of the HR manager or function? (4)

A

HR function/manager:
(1) to support the completion of risk assessments that have a people dimension

(2) responsible for ensuring that HR-related risk controls are operating effectively across the organisation, such as recruitment and disciplinary controls, escalating any concerns where appropriate

(3) supply the risk function with risk monitoring-related information, such as staff-turnover statistics or absence rates

(4) support the assessment and management of risk culture

22
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT

INFORMATION SECURITY FUNCTION

What is the role of the information security function? (2)

A

Information Security:
  1. Manage information security risk in a manner that is consistent with the organisation’s RM policy, process, and appetite for risk
  2. Supply information to the risk manager or function to support their risk monitoring and reporting activities
23
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT

MARKETING AND PUBLIC RELATIONS FUNCTION

What is the role of marketing and PR function? (2)

A

Marketing and PR:
(1) to comply with all relevant RM policies and procedures

(2) help prevent adverse risk reports (the PR function can be an important source of information regarding any negative press reporting about the organisation)

24
Q

ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT

OPERATIONS FUNCTION

What is the role of an operations manager? (2)

A

Operations managers must:
(A) ensure that day-to-day operational risks are managed in accordance with the relevant RM policies and procedures

(B) escalate any significant increases in risk exposure and information on any significant risk events that occur