Unit 2 Flashcards
Principles of a standard
They describe what good risk management looks like and are based on the purpose of ERM
Purpose of ERM
Creation and protection of value
How do principles contribute to an org fulfilling its purpose?
They apply practices designed to achieve the best possible outcome (i.e. reducing uncertainty)
ISO 31000: 8 principles of effective RM
1) Framework and processes shall be proportionate
2) Appropriate involvement of stakeholders is necessary
3) Comprehensive approach is required
4) RM is integral to all organisations
5) RM anticipates, acknowledges and responds to changes
6) RM considers limitations of available info
7) Human and cultural factors influence all RM
8) RM continuously improved by learning and experience
COSO (2017) 5 components of ERM
1) Governance and culture (board risk oversight is exercised)
2) Strategy and objective setting (risk appetite is defined)
3) Performance (a portfolio view of risk is developed)
4) Review and revision (substantial change is assessed)
5) Information, communication and reporting (information systems are leveraged)
Orange Book (2020) principles of ERM
Sets out the what and the why but not the how for the design, implementation and maintenance of ERM:
1) Governance and leadership
2) Integration
3) Collaboration and best info
4) RM processes
5) Continual improvement
IRM 5 attributes of effective RM
PACED
P = Proportionate: RM has to be tailored to suit the org
A = Aligned: RM has to be aligned with the business in order to be integrated with other organisational activities
C = Comprehensive: RM considers all risks and controls across the org and outside of it
E = Embedded into the business activities of the organisation. RM changes the culture, behaviours and attitudes of people; thus the value of ERM is embedded in the org.
D = Dynamic: RM is active management that develops alongside changes in the internal and external contexts.
What is the RM framework?
RASP
Architecture = this is the structure of the risk management process. This is composed of roles.
RACI Chart
Used in project risk management to depict roles and responsibilities.
A risk responsibility matrix that lists stakeholders and their level of involvement: Responsible, Accountable, Consulted, Informed
Strategy component of the risk management framework
Strategy = components of the strategy include risk philosophy, risk appetite, benchmarks, assessment techniques, risk priorities and responsibilities, terms of reference, committee structure.
The strategy is about the tone from the top and describes what the purpose of risk management is for the organisation.
Risk appetite
Governs whether or not an org responds to a risk
It is the acceptable level of risk, where no further action is required except for monitoring. It is the level of risk the organisation is willing to take in pursuit of its long-term objectives
Risk tolerance
The level of risk that you can accept for a short time but are actively managing to bring back to an acceptable level
Risk capacity
The level of risk that is unacceptable.
Protocols component of a RM framework
Organisations use protocols to deliver the strategy and architecture
They are the ‘how’ of risk management delivery. They are the tangible practices used during the RM process (i.e. templates, techniques)
RMIS
Risk management information system
A tool for storing information on risks and controls. Supports the implementation of RM.
ISO 31000 (2018) RM Process: 8 steps
1) Communication and consultation
2) Scope, context and criteria
3) Risk assessment - identification
4) Risk assessment - analysis
5) Risk assessment - evaluation
6) Risk treatment
7) Monitoring and review
8) Recording and reporting
COSO (2004) RM Process: 8 steps
Focus on controls
1) Internal environment
2) Objective setting
3) Event identification
4) Risk assessment
5) Risk response
6) Control activities
7) Information and communication
8) Monitoring
COSO (2017) RM Process
The process and RM framework are woven together
Governance and culture: understand context and objectives
Strategy and objectives: same step in the process as above
Performance: identify risk, assess severity, prioritise, implement response, develop portfolio view
Review and revision: step in itself
Information, communication, reporting: steps in themselves