Unit 2 Flashcards
Principles of a standard
They describe what good risk management looks like and are based on the purpose of ERM
Purpose of ERM
Creation and protection of value
How do principles contribute to an org fulfilling its purpose?
They apply practices designed to achieve the best possible outcome (i.e. reducing uncertainty)
ISO 31000: 8 principles of effective RM
1) Framework and processes shall be proportionate
2) Appropriate involvement of stakeholders is necessary
3) Comprehensive approach is required
4) RM is integral to all organisations
5) RM anticipates, acknowledges and responds to changes
6) RM considers limitations of available info
7) Human and cultural factors influence all RM
8) RM continuously improved by learning and experience
COSO (2017) 5 components of ERM
1) Governance and culture (board risk oversight is exercised)
2) Strategy and objective setting (risk appetite is defined)
3) Performance (a portfolio view of risk is developed)
4) Review and revision (substantial change is assessed)
5) Information, communication and reporting (info systems are leveraged)
Orange Book (2020) principles of ERM
Sets out the what and the why but not the how for the design, implementation and maintenance of ERM:
1) Governance and leadership
2) Integration
3) Collaboration and best information
4) RM processes
5) Continual improvement
IRM 5 attributes of effective RM
PACED
P = Proportionate, RM has to be tailored to suit the org
A = Aligned, RM has to be aligned with the b/s in order to be integrated with other organisation activities
C = Comprehensive, RM considers all risks and controls across the org and outside of it
E = Embedded into the b/s activities of the organisation. RM changes the culture, behaviours and attitudes of people; thus the value of ERM is embedded in the org.
D = Dynamic, RM is active management that develops alongside changes in the internal and external contexts.
What is the RM Framework
RASP
Architecture = the structure of the risk management process. This is composed of roles
RACI Chart
Used in project risk management to depict roles and responsibilities.
A risk responsibility matrix that lists stakeholders and their level of involvement: responsible, accountable, consulted, informed
Strategy component of the risk management framework
Strategy = components of the strategy include risk philosophy, risk appetite, benchmarks, assessment techniques, risk priorities and responsibilities, terms of reference, committee structure.
The strategy is about the tone from the top and describes what the purpose of risk management is for the organisation.
Risk appetite
Governs whether or not an org responds to a risk
It is the acceptable level of risk, where no further action is required, except for monitoring. It is the level of risk the organisation is willing to take in pursuit of its long term objectives
Risk tolerance
The level of risk that you can accept for a short time but are actively managing to bring back to an acceptable level
Risk capacity
The level of risks that is unacceptable.
Protocols component of a RM framework
Organisations use protocols to deliver the strategy and architecture
They are the 'how' of risk management delivery. They are the tangible practices used during the RM process (i.e. templates, techniques)
RMIS
Risk management information system
A tool for storing information on risks and controls. Supports the implementation of RM.
ISO 31000 (2018) RM Process: 8 steps
1) Communication and consultation
2) Scope, context and criteria
3) Risk assessment - identify
4) Risk assessment - analysis
5) Risk assessment - evaluate
6) Risk treatment
7) Monitoring and review
8) Recording and reporting
COSO (2004) RM Process: 8 steps
Focus on controls
1) Internal environment
2) Objective setting
3) Event identification
4) Risk assessment
5) Risk response
6) Control activities
7) Information and communication
8) Monitoring
COSO (2017) RM Process
The process and RM framework are woven together
Governance and culture: understand context and objectives
Strategy and objectives: same step in the process as above
Performance: identify risk, assess severity, priorities, implement response, develop portfolio view
Review and revision: step in itself
Information, communication, reporting: steps in themselves
The Orange Book (2020) RM Process
Combination of framework, principles and process. RM shall be:
Principle 1) an essential part of governance
Principle 2) an important part of all operational activities
Principle 3) informed by best info
Principle 4) have structured processes. This principle contains the RM process; its steps are: risk identification and assessment, risk treatment, risk monitoring, risk reporting
Principle 5) Continually improved
IRM 4 Common Steps of a RM Process
1) Define context and objectives
2) Assess risks
3) Manage risks
4) Monitor, review and report
Definition of operational risk
Type of risk that will disrupt normal everyday activities, and this is inbuilt into the activities, processes and controls that deliver the main activities of an org
What do the BASEL 3 and Solvency 3 regulatory frameworks require of banks
They are required to have sufficient capital reserves available to meet the actual and potential financial losses and obligations faced by the organisation in severe but plausible scenarios. Financial institutions need to measure the level of operational risk that they face and could face under stressed conditions
Basel 2 capital adequacy regulations
They require banks to take their operational risk exposure into account in determining their capital requirements. This operational RM framework should include identification, measurement and monitoring, reporting, control and mitigation frameworks for operational risk. This assessment of capital requirements is called economic capital
BASEL 2 definition of operational risk identifies four risk categories
People, process, system and external events.
People = failure to comply with procedures and lack of segregation of duties
Process = process failures and inadequate controls
System = failure of applications systems to meet user requirements and the absence of built in control measures
External = action by regulators, unsatisfactory performance by service providers and external fraud.
What are the BASEL 3 requirements
It provides a standardised approach to measuring operational risk for regulatory capital purposes, which is a function of a bank's income (captured through a business indicator) and historical losses (captured through the internal loss multiplier).
PRAM
Project risk analysis and management guide. There are five points in a project where particular benefit can be achieved from using the PRAM model:
Feasibility = the project is most flexible at this stage, enabling changes to be made that can reduce the risks at a low cost
Sanction = the client can view the risk exposure associated with the project and check that all steps to manage the risks are taken
Tendering = the contractor can ensure that all risks have been identified and that risk contingency limits are set
Post-tender = the client can ensure that all risks have been identified by the contractor and assess the likelihood of programmes being achieved
During implementation = the likelihood of completing the project to cost and timescale will increase if all risks are identified and correctly managed
ISO 28000:2000 Specification for Security Management Systems for the Supply Chain defines the supply chain as
A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal or external to an organization.
Joint venture
A mechanism whereby an org can exploit benefits but with a lower risk exposure
ALARP
As low as reasonably practical
One of the fundamental principles of RM for health and safety risks.
It refers to managing risk to the point where the cost of additional controls would exceed the benefits
Total risk exposure
Hazard risks will give rise to a hazard tolerance, control risks will give rise to a control acceptance and opportunity risks will give rise to an investment appetite.
Total risk exposure is the sum of the total risk that the org has taken.
Most orgs have no appetite for compliance risks
4 overriding principles of Risk Appetite
Acknowledging interconnectedness
Measurability
Variability
Maturity
ISO Guide 73 definition of risk tolerance
The org's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives
Neutralising or hedging risks
Sometimes risks are only accepted as part of an arrangement whereby one risk is balanced against another
BS 31100 definition of risk financing
Involves the cost of contingent arrangements for the provision of funds to meet the financial impact of a risk materialising. Normally provided by an insurer. Therefore, finance that is contingent upon certain insured events taking place
ISO 31000 cost of risk financing
This should include the provision of funds to meet the cost of risk treatment.
What do the principles in the Orange book ensure
Compliance with the UK Corporate Governance Code
Agency theory
Concept used to explain the relationship between principals and their agent.
Principal = relies on an agent to execute financial decisions and transactions that can result in fluctuating outcomes
Principal = shareholders, members, trustees
Agent = execs, directors, board, CEO
What is a good risk register
Collates risk and control knowledge
Tailored to the org
Updated regularly
Informs decision making
Enables teams, projects and orgs to prioritise and manage their risks
What is an open systems model
Emphasised in ISO 31000. Focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts
What makes up the RM context
Consideration of who will be responsible, and identification of the resources that will be required to fulfil RM activities
Establishment of risk appetite or risk criteria.
Provide a means of establishing the overall total risk exposure
What method can be used to validate the business model
FIRM and SWOT analysis
What is the RM policy statement
Sets out the overall strategy of the org towards risk management.
BS 31100 states that it should include the objectives, mandate and commitment to manage risk (strategy) and the organisational arrangements that include plans, relationships, resources, processes (architecture), and that the framework should be embedded within the org's overall strategic and operational policies and procedures (protocols)
Risk management responsibilities should be allocated to what aspects of managing risk
Development of risk strategy and standards
Implementation of the agreed standards and procedures
Auditing compliance with the agreed standards
Detailed RM protocols set out:
RM procedures
Risk control objectives
Risk resourcing arrangements
Reaction planning requirements
Risk assurance systems
ISO Guide 73 definition of risk owner
Person with the authority and accountability to make the decision to treat, or not to treat, a risk