Subunit 3: COSO ERM Framework Flashcards

1
Q

The COSO ERM Framework is designed to do what?

A

Enhance awareness and oversight of enterprise risk management to allow organizations to improve their approach to managing risk

2
Q

Effective integration of the COSO ERM framework provides what benefits?

A
  1. Improves decision making
  2. Enhances performance
3
Q

How can effective ERM help an organization?

A
  1. Increase the range of opportunities
  2. Identify and manage risk entity-wide
  3. Increase positive outcomes and advantages while reducing negative surprises
  4. Reduce performance variability
  5. Improve resource deployment
  6. Enhance enterprise resilience
4
Q

How is enterprise risk management (ERM) defined in COSO’s Enterprise Risk Management – Integrating with Strategy and Performance? (MEMORIZE VERBATIM)

A

ERM is defined as the (1) culture, (2) capabilities, and (3) practices, integrated with (4) strategy-setting and (5) performance, that organizations rely on to (6) manage (7) risk in creating, preserving, and realizing (8) value.

5
Q

What does culture consist of?

A

The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization
Mission is the entity’s core purpose (what it wants to accomplish and why it exists)
Vision is the entity’s aspirations for what it intends to achieve over time
Core values are the entity’s essential beliefs about what is acceptable or unacceptable

6
Q

What are capabilities?

A

The skills needed to carry out the entity’s mission and vision

7
Q

What are practices?

A

The collective methods used to manage risk

8
Q

When does a business consider risk?

A

In setting strategy, business objectives, performance targets, and tolerance

9
Q

What is a risk profile?

A

A composite view of the types, severity, and interdependencies of risk related to a specific strategy or business objectives and their effects on performance. It may be created at any level or aspect of the org.

10
Q

What is the portfolio view?

A

A composite view of the risks related to entity-wide strategy and business objectives and their effects on entity performance.

11
Q

What are the key concepts related to managing risk?

A
  1. Risk: the possibility that events will occur and impact achieving strategy and business objectives
  2. Opportunity: any action or potential action that creates or alters goals or approaches for creating, preserving, and realizing value
  3. Reasonable expectation: effective ERM provides reasonable, not absolute, assurance that the amount of risk assumed is appropriate for the entity
  4. Risk inventory: consists of all identified risks that could affect strategy and business objectives
  5. Risk capacity: the maximum amount of risk the entity can assume
  6. Risk appetite: the amount and types of risk the organization is willing to accept in pursuing value
  7. Inherent risk: the risk in the absence of any management actions to alter its severity (what remains after management acts is residual risk)
  8. Risk response: action taken to bring identified risks within the org’s risk appetite (reflected in the residual risk profile)
  9. Target residual risk: risk the entity prefers to assume knowing that management has acted or will act to alter its severity
  10. Actual residual risk: risk remaining after taking management actions to alter severity; should be equal to or less than target residual risk
12
Q

When should an entity consider risk appetite:

A
  1. Aligning with developing strategy
  2. Aligning with business objectives
  3. Prioritizing risks
  4. Implementing risk responses
13
Q

What is the difference between inherent risk and residual risk?

A
  • Inherent risk is the risk in the absence of a risk response by management.
  • Residual risk is the risk remaining after taking a risk response action by management.
14
Q

What are the components of value?

A
  • It is created when the benefits obtained from the resources used exceed costs
  • It is preserved when the value of resources used is sustained
  • It is realized when benefits are transferred to stakeholders
  • It is eroded when management’s strategy does not produce expected results or management does not perform day-to-day tasks
15
Q

Who has ERM roles and what are their responsibilities?

A
  • The board provides risk oversight of ERM culture, capabilities, and practices. Certain board committees may be formed and include an audit committee, a risk committee that directly oversees ERM, an executive compensation committee, and a nomination or governance committee.
  • Management has overall responsibility for ERM and usually day-to-day risk management, including implementing and developing the COSO framework. The CEO has ultimate responsibility for ERM and achieving strategy and business objectives.
  • Orgs may designate a risk officer as a centralized coordinator to facilitate risk management
16
Q

What are the three lines of management accountability?

A
  • Principal owners of risk: manage performance and risks taken to achieve strategy and business objectives
  • Supporting (business-enabling) functions: provide guidance on performance and ERM requirements, evaluate adherence to standards, and challenge the first line to take prudent risks
  • Assurance functions: perform ERM audits, identify issues and improvements, make recommendations, and inform the board and executives of matters needing resolution
17
Q

When assessing the risks to achieve objectives, what should management consider?

A

(1) the risk capacity,
(2) the risk appetite,
(3) the inherent risk,
(4) the target residual risk,
(5) the risk response,
(6) the actual residual risk, and
(7) the risk inventory.

18
Q

What are the five components of enterprise risk management (ERM)?

A

Supporting aspect components: governance and culture; information, communication, and reporting
Common process components: strategy and objective-setting; performance; review and revision

19
Q

What are the five principles relating to the governance and culture component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?

A
  1. Board oversight
  2. Organizational operating structures
  3. Definition of desired culture
  4. Commitment to core values
  5. Attraction, development, and retention of capable individuals
20
Q

When is risk oversight by the board most effective?

A
Board risk oversight is most effective when the board:
  1. Has the necessary skills, experience, and business knowledge to understand the org’s strategy and industry, and maintains this understanding as the business context changes
  2. Is independent of the organization
  3. Determines whether ERM capabilities and practices enhance value
  4. Understands the organizational biases influencing decision making and challenges management to minimize them
21
Q

What is the difference between a company’s legal structure and management structure?

A

Legal structure determines how the entity operates. Management structure establishes reporting lines, roles, and responsibilities.

22
Q

What factors should a company consider when establishing and evaluating operating structures?

A

Strategy and business objectives
Nature, size, and geographic distribution
Risks related to the entity’s strategy and business objectives
Assignment of authority, accountability, and responsibility at all levels
Types of reporting lines and communication channels
Reporting requirements

23
Q

What are the four principles relating to the strategy and objective-setting component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?

A
  1. Analysis of business context
  2. Definition of risk appetite
  3. Evaluation of alternative strategies
  4. Establishment of business objectives
24
Q

Within the business context, what does the internal environment consist of?

A

Capital, people, processes, and technology

25
Q

Within the business context, what does the external environment consist of? (PESTLE analysis)

A

Political, economic, social, technological, legal, and environmental

26
Q

A business context may be:

A

Dynamic, complex, and unpredictable

27
Q

How does an organization define risk appetite?

A

a) considers its mission, vision, culture, prior strategies, and risk capacity
b) seeks the optimal balance of opportunity and risk (appetite is rarely set above capacity)
c) risk appetite may be expressed qualitatively or quantitatively
d) entities may express risk appetite using the terms targets, ranges, ceilings, or floors
e) board approves risk appetite, and management communicates it throughout the org

28
Q

Describe the three characteristics of well-formed business objectives.

A

a) specific, measurable or observable, attainable, and relevant
b) may relate to financial performance, operational excellence, compliance obligations, or other
c) establish performance measures, targets, and tolerances to evaluate achieving objectives

29
Q

What are the five principles relating to the performance component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?

A
  1. Identification of risks
  2. Assessment of the severity of risks
  3. Prioritization of risks
  4. Identification and selection of risk responses
  5. Development and evaluation of the portfolio view of risk
30
Q

The risk identification process includes:

A

a) identifying risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives
b) identifying new, emerging, and changing risks, along with opportunities
c) risk identification methods and approaches include day-to-day activities, simple questionnaires, facilitated workshops, interviews, or data tracking
d) risk inventory consists of all risks that could affect the entity
e) risk and opportunity identification should be comprehensive across all entity levels and functions

31
Q

What does risk severity measure?

A

Impact, likelihood, and time to recover from events

32
Q

What are examples of agreed-upon criteria used to evaluate risk characteristics and prioritize risks?

A

Complexity: nature and scope of a risk
Velocity: speed at which a risk affects the entity
Persistence: how long a risk affects the entity, including the recovery time
Adaptability: entity’s capacity to adjust and respond to risks
Recovery: entity’s capacity (not the time) to return to tolerance (return to normal operations)

33
Q

List and describe the five categories of risk responses (AARPS)

A

Acceptance: no action is taken to alter severity; appropriate when the risk is within appetite
Avoidance: action is taken to remove the risk entirely; chosen when no other response would reduce the risk to an acceptable level
Reduction: action taken to reduce the risk severity so it is within the target residual risk profile and risk appetite
Pursuit: action taken to accept increased risk and improve performance without exceeding acceptable tolerance
Sharing: action taken to reduce severity by transferring a portion of the risk to another party

34
Q

What factors are considered in selecting and implementing risk responses?

A

a) they should be chosen for (or adapted to) the business context
b) costs and benefits should be proportionate to the severity and priority of the risk
c) should further compliance with obligations and achievement of expectations
d) should bring risk within risk appetite and result in performance outcomes within tolerances
e) should reflect risk severity

35
Q

What is the portfolio view of risk?

A

Identification, assessment, prioritization, and responses at the entity-wide perspective

36
Q

List the four risk views, their integration levels, and describe them.

A

Risk view (minimal integration): Risks are identified and assessed, but emphasis is on the event and not the business objective
Risk category view (limited integration): identified and assessed risks are categorized
Risk profile view (partial integration): risks are linked to the business objectives they affect, and any dependencies between objectives are identified and assessed
Portfolio view (full integration): composite view of risks related to entity-wide strategy and business objectives and their effects on performance; at top level, greater emphasis is on strategy (responsibility for risks and objectives cascades throughout the entity)

37
Q

What are the three principles relating to the review and revision component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?

A
  1. Identification and assessment of changes
  2. Review of entity performance and risk
  3. Pursuit of improvement
38
Q

Performance results that deviate from target performance or tolerance may indicate what?

A

Unidentified risks, improperly assessed risks, new risks, opportunities to accept more risk, or the need to revise target performance or tolerance

39
Q

What are the three principles relating to the information, communication, and reporting component of COSO’s Enterprise Risk Management – Integrating with Strategy and Performance?

A
  1. Leverage of information systems
  2. Use of communication channels
  3. Reporting
40
Q

Limitations of ERM result from the possibility of what?

A

(1) faulty human judgment
(2) cost-benefit considerations
(3) simple errors or mistakes
(4) collusion
(5) management override

41
Q

What are the eight steps for the implementation of an effective ERM program?

A

(1) seek board and senior management involvement and oversight
(2) identify and position a leader to drive the ERM initiative
(3) establish a management working group
(4) inventory the existing risk management practices of the organization
(5) conduct an initial assessment of key strategies and related risks
(6) develop a consolidated action plan and communicate to board and management
(7) develop and/or enhance risk reporting
(8) develop the next phase of action plans and ongoing communications

42
Q

What can cause cyber risks?

A

(1) poor information system design
(2) unintentional security breaches
(3) intentional security breaches

43
Q

List the different classifications of cyber threat actors.

A
  • Nation-states and spies
  • Organized criminals
  • Terrorists
  • Hacktivists
  • Company insiders
44
Q

Which risk response is not effective for managing cyber risks?

A

Cyber risk avoidance is ineffective or nearly impossible due to the constantly evolving nature of cyber risks.

45
Q

List the three criteria for choosing a communication channel based on the specific needs of the communication.

A
  1. Nature
  2. Urgency
  3. Sensitivity
46
Q

Depending on the impact and severity of cybersecurity issues, to whom should the issues be reported?

A

Impact   Level of reporting
Minor    Cyber risk management team
Major    Executive management

NOTE: In certain circumstances, such as cybersecurity breaches by executive management, the issues are reported to the board of directors.