Risk-management processes, perspectives, and responsibilities Flashcards
2 key characteristics of the standard risk-man process
- Sequential, one element precedes the next
- Circular process in continuous use, with no clear distinction of start and end
4 elements of the standard risk-man process
Identify risks > Assess exposure > Monitor exposure > Control exposure > identify …
3 techniques that can be used to identify risk
- Checklists
- Root-cause analysis
- Delphi technique
Formula for risk exposure (re. assessment)
Probability (likelihood) of risk event x impact (severity) of risk event = exposure to risk event
What will a risk assessment allow
For risks to be placed in an order to establish their priority
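The two cards above (exposure = probability x impact, then ordering by priority) are mechanical enough to show in code. The following is an added illustration, not part of the original flashcards: it scores a small risk register, orders it for priority, and goes one step further than the cards by flagging the risks whose exposure exceeds a stated risk appetite (a concept the ERM cards introduce later). The 1-5 ordinal scales, the tie-breaking rule, the sample risks and the appetite value are all constructed assumptions.

```python
"""Risk register scoring: exposure = likelihood x impact, then ranking.

Added illustration, not from the flashcards. The 1-5 scales, the
register entries, the tie-breaking rule and the appetite threshold
are constructed assumptions used to show the mechanics.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale for likelihood and impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (severe), assumed scale

    def exposure(self) -> int:
        """Probability (likelihood) x impact (severity) = exposure, as on the card."""
        for value, label in ((self.likelihood, "likelihood"), (self.impact, "impact")):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} {value} outside {SCALE_MIN}-{SCALE_MAX}")
        return self.likelihood * self.impact


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Order risks for priority: highest exposure first.

    Ties are broken on impact, then on name, so the order is deterministic.
    A 2x5 and a 5x2 both score 10; treating the high-impact one first is an
    assumed convention, not something the cards specify.
    """
    return sorted(risks, key=lambda r: (-r.exposure(), -r.impact, r.name))


def outside_appetite(risks: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose exposure exceeds the stated appetite need control action."""
    return [r for r in prioritise(risks) if r.exposure() > appetite]


# Constructed sample register (not from the page).
REGISTER = [
    Risk("Unpatched internet-facing server", likelihood=4, impact=4),
    Risk("Phishing of finance staff", likelihood=5, impact=3),
    Risk("Data-centre fire", likelihood=1, impact=5),
    Risk("Laptop theft (disk encrypted)", likelihood=3, impact=2),
]
APPETITE = 9  # assumed: exposures above this must be controlled, not accepted


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.exposure():>3}  {r.name}")
    print("Above appetite:", [r.name for r in outside_appetite(REGISTER, APPETITE)])
```

The scale check matters in practice: a register where one team scores impact 1-5 and another 1-10 produces exposures that are not comparable, which is exactly the silo problem the ERM cards below describe.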
Purpose of risk monitoring
Provide a comprehensive picture of current risk profile in relation to objectives, with an indication of how this might change
Risk monitoring involves the collection and dissemination of a wide range of data, including: (4)
- loss data on previous risk events
- a range of other risk, control and performance indicators
- production of risk reports for board & management
- external risk reports for stakeholders
Risk control involves: (2)
- Application of tools and techniques to influence probability and impacts of a risk event
- Mitigating any secondary disruption effects that may follow initial risk event
Risk control tools include: (4) & example of each
- Physical devices, such as door locks
- Financial tools, such as derivatives
- Transferring risk, such as with insurance
- Detection tools, such as smoke alarms
What does ERM stand for?
Enterprise risk management
What is the concept of ERM? *very basic
An extension of the standard risk-man process
Why is ERM not always better than standard risk-man? (3)
- It may not be the right fit for every org
- Its effectiveness depends on how it is implemented
- Poorly implemented ERM processes can do more harm than good
Common definition of ERM
A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
3 essential characteristics distinguishing ERM from standard risk-man process
Holistic - A holistic focus
Value added - An emphasis on value-added risk-man
Formal and informal factors - The blending of formal and informal risk-man tools and activities
ERM characteristics - Holistic (3)
- ERM should be applied across an org to embrace all types of risk in every part of an org, recognising interconnectedness
- Avoids a weakness of standard risk-man, whose silo approach ignores gaps, overlaps and correlations between risk categories
- Can be implemented with creation of an integrated risk function under the control of a chief risk officer (CRO)
ERM characteristics - Value added (2)
- Risk-man, if applied correctly according to ERM, should create and protect value for an org through effective strategic level risk-man
- This counters the perhaps instinctive view of risk-man as an activity that only prevents downside risks, a view that is inconsistent with (or counter to) strategy and objectives
ERM characteristics - Formal and informal factors
- Recognises the equal importance of formal and informal factors in influencing exposure to risk (standard risk-man generally focuses only on formal factors)
- Formal factors are the tangible systems, processes, procedures, etc. that exist
- Informal factors are things like organisational culture, social networks, perception of risk and risk-man
5 org wide benefits of ERM
- Improved reporting to support strategic decision-making (through holistic understanding)
- Avoidance of silos (to recognise gaps and overlaps in risk profile)
- Improved operational efficiency and cost effectiveness (through better coordination and less duplication)
- Improved profitability and equity value (through improved efficiency and cost effectiveness, and reduction in risk events)
- Improved ability to achieve other business objectives (as more time is freed to focus on them)
3 benefits of ERM to local business unit or department
- Consistent decision-making (e.g. other departments do not push a risk you are mitigating, as everyone is on the same page re. risk)
- Effective resource allocation for risk-man (allocation of funds on risk-exposure basis)
- Spreading risk ownership, allowing management of risks by local experts (therefore, avoiding pitfalls of managing everything from central risk function)
An effective ERM process should include the following in addition to the core elements of standard risk-man process: (6)
- ERM policies and procedures
- Risk appetite
- Enterprise risk reporting
- Risk and audit committees
- Escalation and whistleblowing
- Business continuity management
An ERM policy should include: (7)
- Overarching approach to risk, how this is aligned to mission, vision, values, objectives
- Specific risk-man, governance, internal control and compliance objectives
- How threats and opportunities are balanced
- High-level overview of ERM process used
- Statement regarding risk culture
- Roles and responsibilities for ERM
- Reporting structure for ERM, including lines into the CRO
Risk reports under ERM should:
Provide a holistic organisation-wide picture, without drowning boards and senior managers in large amounts of detail
2 considerations from an ERM perspective on risk and audit committees
- Where risk and audit are combined in one committee it is harder to adopt a more risk-positive, opportunity-seeking mindset, because audit committees focus on internal control and risk reduction; separating the two avoids this conflict
- Risk committee must consider all categories of risk, and all risks which may have significant effect on strategy and business objectives
ERM - escalation and whistleblowing (3)
- Important part of risk monitoring
- Procedures should always be org wide
- All concerns should be reported in a consistent manner to a single point of contact (usually the CRO, their delegate, or the company secretary (CoSec))