Section II Flashcards

1
Q

Risk prioritization

A

Ranking risks, formally or informally, from the highest to the lowest.

2
Q

Acceptable risk level

A

A risk level derived from an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts.

3
Q

Risk appetite

A

The amount of risk an organization is willing to accept in pursuit of value.

4
Q

Risk measurement

A

The evaluation of the magnitude of risk.

5
Q

Control deficiency

A

A condition that warrants attention as a potential or real shortcoming that leaves the organization excessively at risk.

6
Q

Risk tolerance

A

The acceptable level of variation relative to the achievement of objectives.

7
Q

Adequate control

A

A level of control that is present if management has planned and organized in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

8
Q

Compliance

A

The conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

9
Q

Risk classification

A

The assignment of risk into categories such as financial risk, operational risk, strategic risk, or reputation risk.

10
Q

Risk Assessment

A

The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.

AKA risk analysis

11
Q

Risk management

A

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of an organization’s objectives.

12
Q

Benchmarking

A

The comparison of an organization or project to similar internal or external organizations or projects.

13
Q

Pervasive risk

A

The type of risk found throughout the environment.

14
Q

Absolute risk

A

The risk derived from the environment without the mitigating effects of internal control.

AKA inherent risk

15
Q

Opportunity

A

As related to risk, an uncertain event with a positive consequence.

16
Q

Control processes

A

The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management processes.

17
Q

Inherent risk

A

The risk derived from the environment without the mitigating effects of internal controls.

AKA absolute risk

18
Q

Control environment

A

The attitude and actions of the board and management regarding the significance of control within the organization; provides the discipline and structure for the achievement of the primary objectives of the system of internal control.

19
Q

Inherent limitations

A

Limitations of risk management, control, and governance related to human judgement, resource limitation, and the need to balance the costs of controls in relation to expected benefits.

20
Q

Risk response

A

The actions taken to manage risk.

21
Q

Enterprise risk management (ERM)

A

A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.

22
Q

Residual risk

A

The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

23
Q

Risk identification

A

The method of recognizing possible threats and opportunities.

24
Q

Acceptable risk

A

A type of risk that revolves around the business impact that would be experienced if certain risks were realized.

25
Q

Risk analysis

A

The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.

26
Q

Elements of the control environment

A
  1. Integrity and ethical values
  2. Management’s philosophy and operating style
  3. Organizational structure
  4. Assignment of authority and responsibility
  5. HR policies and procedures
  6. Competence of personnel
27
Q

Audit risk

A

The risk that the internal auditors may arrive at the wrong conclusion and opinions of the work they have undertaken.

28
Q

Control risk

A

The potential that control activities will fail to reduce controllable risk to an acceptable level due to loss in effectiveness.

29
Q

Event

A

An incident or occurrence resulting from internal or external sources that affects the implementation of strategy or achievement of objectives.

30
Q

Impact

A

The result, effect, or consequence of an event.

31
Q

Likelihood

A

The probability that a given event will occur.

32
Q

Risk

A

The possibility of an event occurring that will have an impact on the achievement of objectives; it is measured in terms of impact and likelihood.

33
Q

Uncertainty

A

A condition where the outcome can only be estimated.

34
Q

COSO ERM objectives

A
  1. Strategic - tied to high-level organizational goals and aligned with the mission
  2. Operations - effective and efficient use of organizational resources
  3. Reporting - reliability of reporting
  4. Compliance - organizational compliance with applicable laws and regulations

These enhance the likelihood of management making better, more informed decisions.

35
Q

What are the COSO ERM components?

A
  1. Internal Environment - the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people
  2. Objective Setting - processes and set objectives that support and align with the entity’s mission and risk appetite
  3. Event Identification - internal and external events affecting the achievement of the entity’s objectives
  4. Risk Assessment - Analyzing risks based on likelihood and impact
  5. Risk Response - avoiding, accepting, reducing, or sharing risk to align with risk tolerance and appetite
  6. Control Activities - policies and procedures to ensure that the risk responses are effectively carried out
  7. Information and Communication - Communicate relevant information in a timely manner up, down, and across an entity.
  8. Monitoring - management monitors ERM and makes modifications as necessary.
36
Q

The Board’s role in COSO ERM Oversight

A
  1. Knowing the extent to which management has established effective ERM in the organization
  2. Being aware of and concurring with the risk appetite
  3. Reviewing the entity’s portfolio view of risk and considering it against the risk appetite
  4. Being apprised of the most significant risks and whether management is responding appropriately
37
Q

The CEO’s role in COSO ERM Oversight

A
  1. Providing leadership and direction to senior management
  2. Meeting periodically with senior managers responsible for major functions to understand risks, responses, control improvements, and the status of ongoing initiatives
  3. Monitoring activities and risks in relation to the organization’s risk appetite.
38
Q

Senior Manager’s role in COSO ERM Oversight

A
  1. Convert risk management strategies into operation
  2. Provide tactical, hands-on role in devising and executing specific risk management procedures
  3. Report on the status and recommend improvements to upper-level managers.
39
Q

The risk officer’s role in COSO ERM Oversight

A
  1. Establishing relevant policies
  2. Defining roles and responsibilities and helping to set implementation goals
  3. Framing related authority and accountability in business units
  4. Promoting competence throughout the entity.
  5. Guiding the integration with other business planning and management activities
  6. Establishing a common risk management language and common measures
  7. Facilitating reporting protocols
  8. Reporting the status to the CEO and recommended actions.
40
Q

The Financial Executive’s role (CFO, Chief Accounting Officer and Controller) in COSO ERM Oversight

A
  1. Budget and financial planning
  2. Tracking and analyzing performance and reporting performance

41
Q

External party’s role in COSO ERM Oversight

A
  1. External Auditors - provide an independent and objective view
  2. Legislators and Regulators - require entities to establish minimum risk management and control systems to meet laws and regulations
  3. Business Associates (Customers, vendors, creditors) - add input toward the achievement of strategic, operations, reporting, or compliance objectives.
  4. Outsourcing Providers - capitalizing on the expertise of other firms that are more efficient, effective, or knowledgeable at specialized tasks. CANNOT DELEGATE RISK MANAGEMENT ACTIVITIES TO EXTERNAL PROVIDERS
  5. Financial Analysts, Bond Rating Agencies, and News Media - formulate an opinion about the soundness of an organization and its worthiness as an investment
42
Q

ISO 31000

A

Provides principles, a framework, and a process for managing risk.

43
Q

Advantages of ISO 31000

A
  1. It can be utilized by any size or type of organization
  2. It is more intuitive and easier to explain to management and the Board
  3. Benchmarks an organization’s risk against other organizations adopting ISO 31000
  4. Generates transparency and credibility within the risk management function
44
Q

Risk Avoidance

Definition and examples

A

Action is taken to exit the activities giving rise to risk.

E.g., exiting a product line, declining expansion to a new geographical market, or selling a division due to potential operational interruptions or high probability of unstable cash flows

45
Q

Risk Sharing

Definition and examples

A

Action is taken to reduce the risk by transferring risk.

E.g., transferring the risk by joint venture/partnerships, contractual agreements with suppliers/customers, purchasing insurance to cover losses

46
Q

Risk Reduction

Definition and examples

A

Action is taken to reduce the risk likelihood or impact or both through everyday business decisions.

E.g., diversifying product offerings, maintaining large cash reserves, investing in technology upgrades to reduce likelihood of system failures, or reallocating funds among operating units

47
Q

Risk Acceptance

Definition and examples

A

No action is taken to affect impact or likelihood.

E.g., accepting risk conforming to risk tolerance, deciding not to insure against losses due to costs and deductibles exceeding the replacement costs.

48
Q

Hedging

A

Trading futures with the objective of reducing or controlling risks by transferring the risk to the speculator.

49
Q

Factoring

A

Selling accounts receivable to third parties at a discount, thus transferring the risk of uncollectable accounts to the factor.

50
Q

Roles or Responsibilities in the Risk Management Framework

Management -
Board or Audit Committee -
Internal Audit Activity -

A

Management - Responsibility
Board or Audit Committee - Oversight
Internal Audit Activity - Advisory/Assistance/Assurance