RM Framework

Question 1

What acronym is used to describe the RM Framework

Answer 1

RASP
The purpose of the risk management framework is to assist with integrating risk management into all activities and functions. The effectiveness of risk management will depend on integration into governance and all other activities of the organisation, including decision-making.

Question 2

Name the 6 parts of Risk Management Architecture

Answer 2

Forms part of the FRAMEWORK ( governance org chart)
DEFINES HOW RISK IS COMMUNICATED THROUGHOUT ORG
* Committee structure and TORS
* R&R’s
* Internal reporting REQUIREMENTS
* External reporting CONTROLS
* TM assurance arrangements
* Budget and agreement on resources

Question 3

Name the 7 parts of Risk Management Strategy

Answer 3

RM philosophy
Arrangements for embedding RM (using STOC)
Risk Appetite and attitude to risk
Benchmark tests for significance
Specific risk statements/policies
Risk assessment techniques
Risk priorities for present year

Question 4

Name the 9 parts of RM protocols

Answer 4

SYSTEMS, STANDARDS AND PROCEDURES TO FULFIL THE RISK STRATEGY
Tools and techniques
Risk classification system
Risk assessment procedures
Risk control rules and procedures
Responding to incidents, issues and events
Documentation and record keeping
Training and comms
Audit procedures and protocols
Reporting, disclosures, certification

Question 5

Risk Architecture overview

Answer 5

Architecture is structure of RM process aligned to structure of Org
Structure of RM team might differ depending on centralised, decentralised or hybrid (agency theory)
Each Org will have its own architecture and therefore its own R&R’s

Question 6

Whether you use 31000, COSO or OB, the four simple steps of RM remain the same. They are:

Answer 6

Define context and objectives
Assess the risks
Manage the risks
Monitor, review and Report

Question 7

Summary of 31000 FW

Answer 7

1. Leadership and commitment, including:
   * aligning risk management with the strategy, objectives and culture of the organisation;
   * issuing a statement or policy that establishes a RM approach, plan or course of action;
   * making necessary resources available for managing risk; and
   * establishing the amount and type of risk that may or may not be taken (risk appetite).
2. Integration, including: * determining management accountability and oversight roles and responsibilities; and
   * ensuring risk management is part of, and not separate from, all aspects of the organisation.
3. Design, including:
   * understanding the organisation and its internal and external context;
   * articulating risk management commitment and allocating resources; and
   * establishing communication and consultation arrangements.
4. Implementation, including:
   * developing an appropriate implementation plan including deadlines;
   * identifying where, when and how different types of decisions are made, and by whom; and
   * modifying the applicable decision-making processes where necessary.
5. Evaluation, including:
   * measuring framework performance against its purpose, implementation and behaviours; and
   * determining whether it remains suitable to support achievement of objectives.
6. Improvement, including:
   * continually monitoring and adapting the framework to address external and internal changes;
   * taking actions to improve the value of risk management; and
   * improving the suitability, adequacy and effectiveness of the RM framework.

Question 8

Summary of 31000 process

Answer 8

The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
1. Communication and consultation, including:
* bringing different areas of expertise together for each step of the RM process;
* ensuring different views are considered when defining risk criteria and evaluating risks;
* providing sufficient information to facilitate risk oversight and decision-making; and
* building a sense of inclusiveness and ownership among those affected by risk.

2. Scope, context and criteria, including:
   * defining the purpose and scope of risk management activities;
   * identifying the external and internal context for the organisation;
   * defining risk criteria by specifying the acceptable amount and type of risk; and
   * defining criteria to evaluate the significance of risk and to support decision-making;
3. Risk assessment, including:
   * risk identification to find, recognise and describe risks that might help or prevent achievement of objectives and the variety of tangible or intangible consequences;
   * risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and
   * risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
4. Risk treatment, including:
   * selecting the most appropriate risk treatment option(s); and
   * designing risk treatment plans specifying how the treatment options will be implemented.
5. Monitoring and review, including:
   * improving the quality and effectiveness of process design, implementation and outcomes;
   * monitoring the RM process and its outcomes, with responsibilities clearly defined;
   * planning, gathering and analysing information, recording results and providing feedback; and
   * incorporating the results in performance management, measurement and reporting activities.
6. Recording and reporting, including:
   * communicating risk management activities and outcomes across the organisation;
   * providing information for decision-making;
   * improving risk management activities; and
   * providing risk information and interacting with stakeholders.

Question 9

What are four objectives of COSO cube

Answer 9

STOC

Question 10

What are 8 components of COSO cube

Answer 10

Internal Environment
Objective setting
Event ID
Risk assessment
Risk response
Control activities
Info and Comms
Monitoring

Question 11

What additional element did the COSO double helix cube bring in 2017

Answer 11

Integration with strategy and performance

Question 12

How many principals does the OB have

Answer 12

5
gov and leadership
integration
collaborative and informed by best info available
structured process
continuous improvement