Unit 1 Flashcards
IRM definition of risk
Uncertainties that matter. The term risk is used to denote the effect of uncertainty on objectives, considering both threats (downside) and opportunities (upside)
ISO 31000 definition of RM
Coordinated activities to direct and control an organisation with regard to risk.
Effective risk management allows organisations to identify, understand and manage risks
IRM definition of ERM
To support ALL organisational activities, RM has evolved into ERM. This recognises that risks are interrelated and that the culture, capabilities and practices within an organisation are just as important in adding value as the processes, policies and procedures.
4 steps of risk based decision making
Define context and objectives
Assess the risks
Manage the risks
Monitor, review and report
PRAM
Project risk analysis and management
Approach and guidance for dealing with project risk. Project risk management is a specialism within RM
Common features of projects are uniqueness, time constraints, reliance on third parties, complexity etc. These bring a range of uncertainties
ISO 31000 (2018) risk management standard
Risk management is based on the principles (what good risk management looks like), the framework (what is needed to implement effective RM) and the process (what the steps in RM are)
COSO (2004) risk management standard
It was first written to combat fraudulent financial reporting.
It is a cube made up of:
Top face = 4 categories of organisational objectives (STOC)
Front face = 8 components of the ERM process
Side face = 4 levels of the organisation at which ERM is applied (entity, division, business unit, subsidiary)
COSO (2017) risk management standard
ERM rainbow double helix.
Created to provide greater insight into the link between strategy, risk and performance
It considers how to enhance performance in line with an org's strategy and how to manage risks in a way aligned to that strategy.
Comprised of 20 principles grouped into 5 components
Risks can be considered as having long, medium or short term impacts
This is a way of analysing the risk exposure of an organisation.
Long = strategy. Impact over years after the event occurs or the decision is taken.
Medium = tactics. They have their impact some time after the event occurs, typically about a year later. Associated with projects.
Short = operation. They have their impact immediately after the event occurs, and cause immediate disruption to normal efficient operations
COBIT
ISACA framework for IT governance and management, applicable to IT risk management
How does the US Risk and Insurance Management Society (RIMS) define ERM
A strategic business discipline that supports the achievement of an orgs objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Maturity levels of RM (4 levels, plus Deform as the over-mature state)
Inform = unaware of obligations
Reform = awareness of non compliance
Conform = actions to ensure compliance
Perform = achieve business opportunities
Deform = inactivity caused by obsession with risk
5 objectives of RM
MADE2:
M = mandatory
A = assurance
D = decision making
E = effective core processes
E = efficient core processes
What does compliance management provide
Risk governance
What does hazard management do?
Makes outcomes less negative