Units 1 & 2

Question 1

How does ISO31000 define a risk?

Answer 1

The effect of uncertainty on objectives.

Question 2

What do we mean by the ‘effect ‘ of a risk?

Answer 2

Deviation from the expected.

Question 3

How does ISO31000 define traditional risk management?

Answer 3

Coordinated activities to direct and control an organization with regard to risk.

Question 4

How does ERM differ to traditional risk management?

Answer 4

• led from the top-down
• reducing silos
• having a holistic risk profile
• identifying critical risks & responsibilities
• finding interdependencies

Question 5

What’s the general timeline of the history of risk management?

Answer 5

• in the middle ages people were superstitious and believed risk events were an ‘act of god’
  -then story telling began to show the first records of cause and event
  -700-800 years ago the Hindu-Arabic numbering system reached Europe and allow for the beginnings of mathematical probability
  -in the 17th century the probability theory was introduced (principally designed for gambling)
• then modern beauratic states formed and began collecting vast data sets
  -banks and insurance companies started using specific, quantitative forms of RM
• in 1995-2004 the first risk management standards were introduced e.g. COSO ERM Cube
• and between 2004-2018 the RM focus has shifted to include ESG

Question 6

When did risk management first become recognized as a formal profession?

Answer 6

1970s- mainly in finance and insurance sectors

Question 7

How do the IRM describe the objectives of ERM?

Answer 7

MADE2
-mandatory
-assurance
-decision-making
-efficient and effective processes

Question 8

How doo the IRM describe the benefits of ERM?

Answer 8

STOC
-Strategy
-Tactics
-Operations
-Compliance

Question 9

How does ERM relate to organizational strategy?

Answer 9

• understanding overall risk exposure
• comparing overall risk exposure to risk appetite
• ensuring a balance between the cost/benefit of controls
• supporting a return on investment

Question 10

How does ERM relate to Governance?

Answer 10

• creating accountability
  -ensuring the prioritization of limited resources
• enhancing the efficiency of reporting and decision-making
• embedding a risk-aware culture

Question 11

How does ERM relate to Resilience?

Answer 11

• preparing for changes in the context
• avoiding negative surprises
• supporting quick/agile responses
• coping with crises

Question 12

How do SATALA (consultants) describe the steps of the RM process?

Answer 12

1. Define the context and objectives
2. Assess the risk
3. Manage the risk
4. Monitor, review and report the risk

Question 13

What do SATARLA say are the two choices we can make when understanding if it’s possible to achieve an objective?

Answer 13

1. direct more resource towards the management of the associated risk/s
2. OR rescope the objective so that it’s more realistic

Question 14

How does the Orange Book describe ERM integration?

Answer 14

ERM should be used to assess costs & benefits and inform decision-making by exploring alternative ways to meet objectives.

Question 15

What is a RM standard?

Answer 15

Standards set out the overall RM approach, including a description of the process along with the framework that supports the integration of that process.

Question 16

What is a RM framework?

Answer 16

Frameworks define the risk management context, including the architecture, strategy and protocols (RASP)

Question 17

What is a RM process?

Answer 17

Processes describe the steps in how you manage risks.

Question 18

What’s the latest date of ISO31000?

Answer 18

2018

Question 19

What’s included in the ISO31000 standard?

Answer 19

• 8 principles
• 6 framework stages
• 6 process steps

Question 20

What are the 8 ISO31000 principles?

Answer 20

Integrated, structured and comprehensive, customized, inclusive, dynamic, best available information, human and cultural factors & continual improvement.

Question 21

What are the 6 ISO31000 framework stages?

Answer 21

Leadership and commitment, integration, design, implementation. evaluation, improvement.

Question 22

What are the 6 ISO31000 process steps?

Answer 22

Communication & consultation, scope context and criteria, risk assessment (identification, analysis and evaluation), risk treatment, risk monitoring and review and risk recording and reporting.

Question 23

What’s included on the different faces of the COSO 2004 ERM Cube?

Answer 23

8 x principles (front face)
Business areas (right face)
4x objectives (top face)

Question 24

What are the 5 components of the COSO 2017 Rainbow-Double Helix?

Answer 24

1. Governance and culture
2. Strategy and objectives
3. Performance
4. Review and revision
5. Information and reporting

Question 25

What are the main things to remember about Sarbanes-Oxley?

Answer 25

• written in 2002
• applicable to the United States
• highlighted in the financial crisis of 2008
• requires accuracy of financial reporting
• supports the COSO approach

Question 26

What are the main things to remember about the Orange Book?

Answer 26

• updated in 2023
• applicable to UK Government organizations
• has five principles (governance and leadership, integration, collaboration & best information, process, continual improvement)

Question 27

How does the IRM summarize the attributes of effective ERM?

Answer 27

PACED. Proportionate, Aligned, Comprehensive, Embedded, Dynamic.

Question 28

RASP. What’s included in the risk architecture?

Answer 28

• expected flow of information
• roles and responsibilities
• terms of reference
• committee structures

Question 29

RASP. What does RACI stand for?

Answer 29

Responsible, accountable, consulted, informed.

Question 30

RASP. What’s the role of the director?

Answer 30

• to promote organizational success
• to delegate to a CRO (where appropriate)
• to ensure divisions are bought together (breaking silos)
• to ensure risk information is monitored and used to make improvements.

Question 31

RASP. What’s the role of a risk manager?

Answer 31

• take responsibility for implementation of the risk framework (RASP)
• share corporate learning and ERM benefits

Question 32

RASP. What’s the role of a local manager?

Answer 32

• identify and assess business unit risks
• escalate through the central risk function (ensuring oversight and establishment of priorities)

Question 33

RASP. What’s the role of the Board?

Answer 33

• overall responsibility for the organization’s risks
• form and monitor performance of the strategy
• determine risk appetite
• monitor control effectiveness

Question 34

RASP. What’s the role of the audit committee?

Answer 34

• evaluate RM processes

Question 35

RASP. What IS NOT the role of the audit committee?

Answer 35

• implement RM responses

Question 36

RASP. What’s included in the risk strategy?

Answer 36

• sets the tone-from-the -top
• includes the philosophy, attitudes and appetite to risk taking
• explains what the organization wants to achieve in terms of STOC
• is outlined in the policy

Question 37

RASP. What’s included in the risk policy?

Answer 37

• the strategy
• commitment from the Board
• roles and responsibilities
  -provision of resources

Question 38

RASP. What’s the definition of risk appetite?

Answer 38

The amount of risk an organization is willing to seek or accept in pursuit of long-term objectives.

Question 39

RASP. What’s the definition of risk capacity?

Answer 39

The maximum amount of risk an organization can afford.

Question 40

RASP. What does an organization’s capacity depend on?

Answer 40

Their capabilities.

Question 41

RASP. What’s included in the risk protocols?

Answer 41

HOW we implement risk management, including common terminology, steps, tools and techniques.