Unit 1 Flashcards
IRM definition of risk
Uncertainties that matter. The term risk is used to denote the effect of uncertainty on objectives, considering both threats and opportunities
ISO 31000 definition of RM
Coordinated activities to direct and control an organisation with regard to risk.
Effective risk management allows organisations to identify, understand and manage risks
IRM definition of ERM
To support ALL organisational activities, RM has evolved into ERM. This recognises that risks are all interrelated and that the culture, capabilities and practices within an organisation are just as important to add value as the processes, policies and procedures.
4 steps of risk-based decision making
Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report
PRAM
Project risk analysis and management
Approach and guidance to dealing with project risk. Project risk management is a RM specialism
Common themes of projects are uniqueness, time constraints, reliance on third parties, complexity, etc. These bring a range of uncertainty
ISO 31000 (2018) risk management standard
Risk management is based on the principles (what good risk management looks like), the framework (what is needed to implement effective RM) and the processes (what the steps are in RM)
COSO (2004) risk management standard
It was first written to combat fraud.
It is a cube made up of:
Top face = 4 categories of organisational objectives (STOC)
Front face = 8 steps of the RM process
Side face = 4 categories of the implementation process
COSO (2017) risk management standard
ERM rainbow double helix.
Created to provide greater insight into the link between strategy, risk and performance
It considers how to enhance performance in line with an org's strategy and how to manage risks in a way aligned to the strategy.
Comprised of 20 principles
Risks can be considered as having long, medium or short term impacts
This is a way of analysing the risk exposure of an organisation.
Long = strategy. Impact over years after the event occurs or the decision is taken.
Medium = tactics. They have their impact some time after the event occurs, typically about a year later. Associated with projects.
Short = operations. They have their impact immediately after the event occurs, and cause immediate disruption to normal efficient operations
COBIT
Standard applicable to IT risk management
How does the US RM association (RIMS) define ERM
A strategic business discipline that supports the achievement of an org's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Maturity levels of RM (4)
Inform = unaware of obligations
Reform = awareness of non compliance
Conform = actions to ensure compliance
Perform = achieve business opportunities
Deform = inactivity caused by obsession
5 objectives of RM
MADE2:
M = mandatory
A = assurance
D = decision making
E = effective
E = efficient core process
What does compliance management provide
Risk governance
What does hazard management do?
Makes outcomes less negative
What does control management reduce
The range of possible outcomes
What does opportunity management do
Maximise the benefits of possible outcomes
ISO 31000 definition of risk
Effect of uncertainty on objectives
Hillson (2016) defines risk as
Uncertainties that matter
ISO 31000 (2018) notes that an effect is
A deviation from the expected. It can be positive or negative or both, and can address, create or result in opportunities and threats
IRM (2002) RM Standard considers risk as
A combination of the probability of an event and its consequences. Consequences can range from positive to negative
IRM considers risk as
Uncertainties that matter
ISO 31000 definition of RM
Coordinated activities to direct and control an org with regard to risk
Risk exposure
The total assessment that ERM enables orgs to do. ERM stresses the need to consider the interdependency between risks
The definitions of risks include three concepts
Something that is uncertain, can be both positive and negative, something that will impact what we are trying to achieve
Since what year have RM frameworks been developed?
1995
What occurred in relation to RM in the period 2004 - 2018?
International standards and frameworks developed
GRC approach
Governance, risk and compliance. The EY Board Priorities 2022 report suggests that achieving objectives while addressing uncertainty requires these three things, with an integrated approach to compliance, risk management, internal controls and internal audit
RM specialism = finance
Heavily regulated, with a key focus on managing risks that can have a financial impact
The Sarbanes-Oxley law mandates certain practices in financial record keeping and reporting for corporations
Banking sector regulator
International Basel accord
Insurance sector regulator
European Union Solvency II
What year was the health and safety act created
1974
What is a risk standard
A published guide for managing risk, comprising a risk framework and a risk process
Coso (2017) update to the cube
- Update to reflect the changing complexity of risks and the evolving business environment
- It emphasises that orgs that integrate ERM throughout the entity can realise many more benefits
- Update provides insight into the links between strategy, risk and performance, and highlights the interconnectedness of risks and the effect that risk culture has on the implementation of RM
Three distinct approaches followed in standards
- risk management approach = ISO
- internal control = COSO and FRC
- risk aware culture = CoCo