Section II

Question 1

Risk prioritization

Answer 1

Ranking risks, formally or informally, from the highest to the lowest.

Question 2

Acceptable risk level

Answer 2

A risk level derived from an organization’s legal and regulatory compliance responsibilities, its threat profile, and its business drivers and impacts.

Question 3

Risk appetite

Answer 3

The amount of risk an organization’s willing to accept in pursuit of value.

Question 4

Risk measurement

Answer 4

The evaluation of the magnitude of risk.

Question 5

Control deficiency

Answer 5

A condition that warrants attention as a potential or real shortcoming that leaves the organization excessively at risk.

Question 6

Risk tolerance

Answer 6

The acceptable level of variation relative to the achievement of objectives.

Question 7

Adequate control

Answer 7

A level of control that is present if management has planned and organized in a manner that provides reasonable assurance that the organization’s risks have emanated effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

Question 8

Compliance

Answer 8

The conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Question 9

Risk classification

Answer 9

The assignment of risk into categories such as financial risk, operational risk, strategic risk, or reputation risk.

Question 10

Risk Assessment

Answer 10

The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.

AKA risk analysis

Question 11

Risk management

Answer 11

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of an organization’s objectives.

Question 12

Benchmarking

Answer 12

The comparison of an organization or project to similar internal or external organizations or projects

Question 13

Pervasive risk

Answer 13

The type of risk found throughout the environment.

Question 14

Absolute risk

Answer 14

The risk derived from the environment without the mitigating effects of internal control.

AKA inherent risk

Question 15

Opportunity

Answer 15

As related to risk, an uncertain event with a positive consequence

Question 16

Control processes

Answer 16

The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management processes.

Question 17

Inherent risk

Answer 17

The risk derived from the environment without the mitigating effects of internal controls.

AKA absolute risk

Question 18

Control environment

Answer 18

The attitude and actions of the board and management regarding the significance of control within the organization; provides the discipline and structure for the achievement of the primary objectives of the system of internal control.

Question 19

Inherent limitations

Answer 19

Limitations of risk management, control, and governance related to human judgement, resource limitation, and the need to balance the costs of controls in relation to expected benefits.

Question 20

Risk response

Answer 20

The actions taken to manage risk.

Question 21

Enterprise risk management (ERM)

Answer 21

A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.

Question 22

Residual risk

Answer 22

The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Question 23

Risk identification

Answer 23

The method of recognizing possible threats and opportunities.

Question 24

Acceptable risk

Answer 24

A type of risk that revolves around the business impact that would be experienced if certain risks were realized.

Question 25

Risk analysis

Answer 25

The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk

Question 26

Elements of the control environment

Answer 26

1. Integrity and ethical values
2. Management’s philosophy and operating style
3. Organizational structure
4. Assignment of authority and responsibility
5. HR policies and procedures
6. Competence of personnel

Question 27

Audit risk

Answer 27

The risk that the internal auditors may arrive at the wrong conclusion and opinions of the work they have undertaken.

Question 28

Control risk

Answer 28

The potential that control activities will fail to reduce controllable risk to an acceptable level due to loss in effectiveness.

Question 29

Event

Answer 29

An incident or occurrence resulting from internal or external sources that affects the implementation of strategy or achievement of objectives.

Question 30

Impact

Answer 30

The result, effect, or consequence of an event.

Question 31

Likelihood

Answer 31

The probability that a given event will occur.

Question 32

Risk

Answer 32

The possibility of a event occurring that will have an impact on the achieve to of objectives; it is measured in terms of impact and likelihood.

Question 33

Uncertainty

Answer 33

A condition where the outcome can only be estimated.

Question 34

COSO ERM objectives

Answer 34

1. Strategic - tied to high organization goals and aligns with the mission
2. Operations - effective and efficient use of organizational resources
3. Reporting - reliability of reporting
4. Compliance - organizational compliance with applicable laws and regulations

These enhance the likelihood of management making better, more informed decisions.

Question 35

What are the COSO ERM components?

Answer 35

1. Internal Environment - the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people
2. Objective Setting - processes and set objectives that support and align with the entity’s mission and risk appetite
3. Event Identification - internal and external events affecting the achievement of the entity’s objectives
4. Risk Assessment - Analyzing risks based on likelihood and impact
5. Risk Response - avoiding, accepting, reducing, or sharing risk to align with risk tolerance and appetite
6. Control Activities - policies and procedures to ensure that the risk responses are effectively carried out
7. Information and Communication - Communicate relevant information in a timely manner up, down, and across an entity.
8. Monitoring - management monitors ERM and makes modifications as necessary.

Question 36

The Board’s role in COSO ERM Oversight

Answer 36

1. knowing the extent to which management has established effective ERM in the organization
2. Being aware of ad concurring with the risk appetite
3. Reviewing the entity’s portfolio view of risk and considering it against the risk appetite
4. Being appraised of the most significant risks and whether management is responding appropriately

Question 37

The CEO’s role in COSO ERM Oversight

Answer 37

1. Providing leadership and direction to senior management
2. meeting periodically with senior managers responsible for major functions to understand risks, responses, control improvements and status of ongoing initiatives
3. Monitoring activities and risks in relation to the organization’s risk appetite.

Question 38

Senior Manager’s role in COSO ERM Oversight

Answer 38

1. Convert risk management strategies into operation
2. Provide tactical, hands-on role in devising and executing specific risk management procedures
3. Report n the status and recommend improvements to upper-level managers.

Question 39

The risk officer’s role in COSO ERM Oversight

Answer 39

1. Establish relevant policies
2. Define roles and responsibilities and helping to set implementation goals
3. Framing related authority and accountability in business units
4. Promoting competence throughout the entity.
5. Guiding the integration with other business planning and management activities
6. Establishing a common risk management language and common measures
7. Facilitating reporting protocols
8. Reporting the status to the CEO and recommended actions.

Question 40

The Financial Executive’s role (CFO, Chief Accounting Officer and Controller) in COSO ERM Oversight

Answer 40

1. Budget and financial planning

2. Tracking and analyzing performance and reporting performance

Question 41

External party’s role in COSO ERM Oversight

Answer 41

1. External Auditors - provide an independent and objective view
2. Legislators and Regulators - require entities to establish minimum risk management and control systems to meet laws and regulations
3. Business Associates (Customers, vendors, creditors) - add input toward the achievement of strategic, operations, reporting, or compliance objectives.
4. Outsourcing Providers - capitalizing on expertise of other firs that are more efficient, effective, or knowledgeable at specialized tasks. CANNOT DELEGATE RISK MANAGEMENT ACTIVITIES TO EXTERNAL PROVIDERS
5. Financial Analysts, Bond Rating Agencies, and News Media - formulate an opinion about the soundness of an organization and its worthiness as an investment

Question 42

ISO 31000

Answer 42

provides principles, framework and a process for managing risk.

Question 43

Advantages of ISO 31000

Answer 43

1. It can be utilized by any size or type of organization
2. It is more intuitive and easier to explain to management and the Board
3. Benchmarks an organization’s risk against other organizations adopting ISO 31000
4. Generates transparency and credibility within the risk management function

Question 44

Risk Avoidance
(Definition and examples)

Answer 44

Action is taken to exit the activities given rise to risk.

E.g., exiting a product line, declining expansion to a new geographical market, or selling a division due to potential operational interruptions or high probability of unstable cash flows

Question 45

Risk Sharing

Definition and examples

Answer 45

Action is taken to reduce the risk by transferring risk

E.g., transferring the risk by joint venture/partnerships, contractual agreements with suppliers/customers, purchasing insurance to cover losses

Question 46

Risk Reduction

Definition and examples

Answer 46

Action is take to reduce the risk likelihood or impact or both through everyday business decisions.

E.g., diversifying product offerings, maintaining large cash reserves, investing in technology upgrades to reduce likelihood of system failures, or reallocating funds among operating units

Question 47

Risk Acceptance

Definition and examples

Answer 47

No action is taken to affect impact or likelihood

E.g., accepting risk conforming to risk tolerance, deciding not to insure against losses due to costs and deductibles exceeding the replacement costs.

Question 48

Hedging

Answer 48

trading futures with the objective of reducing or controlling risks by transferring the risk to the speculator.

Question 49

Factoring

Answer 49

Selling accounts receivable to third parties at a discount, thus transferring the risk of uncollectable accounts to the factor.

Question 50

Roles or Responsibilities in the Risk Management Framework

Management -
Board or Audit Committee -
Internal Audit Activity -

Answer 50

Management - Responsibility
Board or Audit Committee - Oversight
Internal Audit Activity - Advisory/Assistance/Assurance