RM in Organisations Flashcards
What are two principal purposes of risk management in organisations?
- Reducing uncertainty: RM as information-gathering tool for more effective risk control.
- Anticipation/resilience: Supports prediction and more efficient response to risk:
- Identifying many (but not all) germane organisational risks.
- Assessment/monitoring prioritises scarce control resources against risks.
What is a black swan event?
- Risk events that are highly improbable or extremely difficult to predict and quantify statistically.
- ‘Unknown unknowns’ - unacknowledged, unknown events.
- Typically, extremely negative events, with far-reaching impacts.
What are the four RM cycle steps that help support internal control?
- Risk:
- Identification;
- Assessment;
- Monitoring; and
- Control.
- RM is supported by compliance reviews:
- Risk-based compliance reviews;
- Internal audits; and
- External audits.
What does a risk-based compliance review typically entail?
Review of employee, management and organisational compliance with laws and regulations:
- Often risk-based - effective RM key;
- Usually involve detailed and frequent reviews where impacts of non-compliance are high; and
- Risk assessment and monitoring suggest a higher non-compliance risk.
What is the function of internal and external audit?
- Internal audit:
- Verification of effective design and implementation of internal policies;
- Review of efficiency of operational processes;
- Compliance review usage re. applicable laws and regulations; and
- Outcome = potential reduction in control failure numbers - failures identified sooner during review, reducing possibility of risk event arising.
- External audit:
- Annual review of adequacy of organisational reporting controls;
- Assurance that AR&A are accurate and free of material financial misstatements; and
- Broader controls review indicates whether organisation may continue as a going concern.
=> Effective compliance review and internal audit generally promote more streamlined external audit completion.
What is the board’s role in RM?
- Formal approval of risk appetite statement (aggregate risk that may be taken).
- Defining strategy that is reflective of organisational values, behaviours and culture.
- Challenging management on risk appetite assumptions.
- Seeking comprehensive management assurance on non-financial risk monitoring.
- Retention of independent advisors for risk evaluation.
- Provision of strategic advisory guidance to management.
What is value through risk?
- Contemporary tenet of RM that complements reduction of likelihood and impact of negative outcomes.
- Value through risk relates to increasing the probability and impact of positive risk outcomes, using risk-taking as a means of generating additional organisational value.
- Strategic risk refers to organisational appetite to make strategic commercial decisions that may increase total rewards (e.g. Facebook acquisition of Instagram at early stage; entry of tobacco companies into e-cigarettes/vaping; but cf. Yahoo declined takeover of Google; Kodak reticent to enter digital photography).
What is adverse risk?
Excessive risk-taking that may cause an organisation to assume greater and less justifiable risks that may jeopardise organisational value.
What are the four key steps in the RM process?
- Risk identification.
- Exposure assessment.
- Exposure monitoring.
- Exposure control.
Performed sequentially but RM may commence at any of the defined steps.
What does the risk identification stage comprise?
- Identification of negative and positive risks that an organisation is exposed to.
- Variety of tools may be used, including checklists, root cause analyses and the Delphi technique.
What does the risk assessment stage entail?
- In summary: risk probability x risk impact = exposure.
- However, assessment outcomes may not be singular - a range of outcomes is conceivable.
What does the risk monitoring stage involve?
- Provision of a comprehensive overview of the organisation’s prevailing risk profile in relation to its objectives.
- Monitoring therefore refers to activities that:
- Monitor and report upon potential changes to risk exposures; and
- Monitor effectiveness of risk control and risk management activities in general.
What does the risk control stage comprise?
Application of tools and techniques to influence probability and impacts of a risk event, or to mitigate secondary business disruption and reputational effects that may follow an initial risk event.
What is enterprise risk management?
- Extension of traditional risk management process.
- COSO - ERM is a process, effected by entity, applied in strategy-setting and across the enterprise, to identify potential events affecting the organisation and to manage risk within risk appetite.
- Essential characteristics:
- Holistic focus: all risks across the organisation are appraised (though this may be achieved with different tools);
- Value-added risk management (upside risks managed alongside downside risks); and
- Blending of formal and informal risk management techniques (RM processes, committees, hierarchies v. culture, RM perceptions, behaviours).
What are the key differences between traditional RM and ERM?
- Traditional RM:
- Reactive / incident-based and often bottom-up.
- Possible process divergence re. dissimilar risks.
- Focus on adverse events, with operational/financial impact, using probabilities and financial metrics.
- Limited cross-discipline collaboration.
- ERM:
- Proactive, multi-disciplinary with external and internal risk identification.
- Common framework, processes and risk mitigation techniques.
- Cross-organisational analysis of risk impacts.
- Emphasis on synergistic impact of cross-organisational risks.
- Recognises risks may be negative/loss-causing or may result in something positive/revenue-generating not occurring.
- Comprises bottom-up and top-down approaches.
What are the key do-s and don’t-s of ERM?
- Do:
- Gain top-down board and management support.
- Engage broadly with employees and management, together with existing functional expertise.
- Address key risks first and develop incrementally.
- Embed ERM into organisational behaviour.
- Take holistic, portfolio risk view.
- Don’t:
- Treat ERM as a project (it is a continuing process).
- Focus on detail (ERM is strategic and forward-looking).
- Rely on limited staff (ERM should be an overarching topic).
- Silo risks and impacts.
- Overemphasise risk categorisation.
- Assume risk register is complete, given ‘unknown unknowns’.
What are the key benefits of ERM?
- Improved reporting to support strategic decision-making.
- Avoidance of risk silos.
- Improved operational efficiency and cost effectiveness.
- Improved profitability and equity value.
- Improved ability to achieve other business objectives.
What six ERM considerations need to be addressed in addition to traditional RM deliverables?
- ERM policies and procedures;
- Risk appetite;
- Enterprise risk reporting;
- Risk and audit committees;
- Escalation and whistleblowing; and
- Business continuity management.
=> Overarching recognition that ERM aligns risk and business strategies, recognising risks as both a source of hazard and of opportunity.
What six things should ERM policies and procedures include?
- Organisation’s overarching approach to risk, establishing guiding principles for risk-taking.
- RM and allied governance, audit and compliance objectives.
- Risk appetite - reconciliation of risk and opportunity.
- Risk culture statement.
- Roles and responsibilities for ERM - board, management, business units and functions etc.
- ERM reporting structure.
May follow the ISO 31000:2018 RASP (risk architecture, strategy and protocols) structure re. (1) risk architecture [roles/responsibilities; reporting structure], (2) risk strategy [risk appetite; objectives] and (3) risk protocols [identification; assessment; monitoring; control].
How should risks be effectively reported under an ERM framework?
- Should not be unduly detailed but provide sufficient granularity for the local business unit, function or department.
- Holistic, organisation-wide reporting framework should be developed.
How are the audit and risk committees related?
- Audit committees focussed on internal control, risk reduction and assurance => greater emphasis on risk-reduction.
- Risk committees consider all categories of risk across an organisation (though not necessarily each risk singularly).
- Possible for audit and risk committees to be consolidated into a single forum; however, there is a potential conflict of interest between an audit committee’s risk reduction remit and a risk committee’s interest in promoting judicious, value-creating risk-taking.
How are escalation and whistleblowing procedures accommodated via ERM?
- Consistent reporting approach promoted, via a single escalation point - typically, CRO or delegate.
- Whistleblowing procedures should be organisation-wide (and not siloed to specific functions) due to the seriousness of potential complaints.
- However, reporting procedures for risk events may include some concession for local instances - local management may be used to address local issues, where these may be better accommodated locally and do not have an organisation-wide impact. Escalation protocols should inform how local- and organisation-wide processes may be invoked.
Who are the six key organisation personnel responsible for ERM implementation?
- CEO/board - ultimate responsibility for defining risk appetite and attendant processes/structure, with accountability for the same.
- Business unit manager - development responsibility for establishing risk culture and reporting on agreed risk metrics.
- Employees - understand, accept and implement risk processes.
- Risk manager - development of RM policy, reporting and wider coordination of RM activities.
- Specialist risk managers - development of contingency and recovery plans, and specialist risk policies.
- Internal auditor - development of risk-based audit programme, together with auditing and assurance on RM and effectiveness of related controls.