Flashcards covering essential terms and definitions related to management systems and risk management based on the lecture notes.
Management System
A framework of policies, processes, and procedures used by an organization to ensure that it can fulfill all the tasks required to achieve its purpose and objectives.
Quality Management System
Enables organisations to improve the quality and consistency of their products and/or services
ISO 9001
The best established international standard for quality management, updated in 2015 using the Annex SL format.
Annex SL
Guidance published by ISO, providing a common structure for management system standards.
COSO
Committee of Sponsoring Organizations of the Treadway Commission, known for its guidance on risk management and internal control.
Enterprise Risk Management (ERM)
A process to identify, assess, manage, and monitor risks to enhance organizational performance.
Scope and design, Control and develop
In order to undertake this comparison, and the subsequent evaluation of the COSO guidance, the Annex SL format components have been grouped into components that consider ________, followed by components that consider _______.
Context, leadership, support
The components relevant to the scope and design are ____, ____, and ______
Plan, Implement, Measure, Learn
The components relevant to control and develop are _____, _____, _____, & _____.
Scope and design
Represent the framework for supporting ERM
Control and develop
Represent the risk management process itself
Formalised management systems
Have defined, documented processes designed to explicitly manage the activities within an organisation, with auditable standards developed for each activity or process.
Informal management systems
Are implicit and may include roles and responsibilities, audits and management of change
Context
Refers to the organization, stakeholder expectations, and scope of the management system.
Leadership
Components that focus on commitment, policy, and organizational roles and responsibilities in a management system.
Support
Composed of resources, competence, awareness, communication and documentation
Plan, Implement, Measure, Learn (PIML)
An approach used in management systems that includes planning, operational implementation, measuring performance, and learning from outcomes.
Plan
Management system objectives and planning to achieve them
Implement
Operational planning, implementation and control
Measure
Monitoring, measurement, analysis, evaluation, audit and review
Learn
Non-conformity, corrective action and continual improvement
Disruption
World Economic Forum (WEF) states that the competitive landscape is defined by one word: _______
World Economic Forum (WEF)
Has commented on the increasing volatility, uncertainty, complexity and ambiguity of the world.
Stakeholders
Are more engaged today, seeking greater transparency and accountability for managing the impact of risk, while also critically evaluating leadership's ability to embrace opportunities
Organisations
_______ need to be more adaptive to change. They need to think strategically about how to manage the increasing volatility, uncertainty, complexity, and ambiguity of the world, particularly at senior levels in the organisation and in the boardroom.
Strategy, Tactics, Operations, Compliance
4 areas of improvement
Management
Has overall responsibility for managing risks to the organisation, but it is important for senior management as a whole to go further and enhance the conversation with the board and stakeholders
Governance and culture; strategy and objective-setting; performance; review and revision; information, communication, and reporting
ERM frameworks supply important information for boards, so that they can define and fulfil their risk oversight responsibilities. These considerations include __________ (5)
Committee of Sponsoring Organizations (COSO)
Is a recognised body that has published guidance on risk management and internal control for some time
2004 COSO Enterprise Risk Management — Integrated Framework (COSO ERM cube), 2017 COSO ERM — Integrating Strategy and Performance
The two (2) COSO publications relevant to risk management
To help organizations better protect and enhance stakeholder value
COSO published Enterprise Risk Management — Integrated Framework in 2004. The purpose of that publication was to _______
Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
8 components of the COSO ERM cube (2004)
Increasing the range of opportunities, identifying and managing risk organisation-wide, increasing positive outcomes and advantage while reducing negative surprises, reducing performance variability, improving resource deployment, enhancing enterprise resilience
COSO has stated that organisations that integrate ERM throughout the organisation can realise many benefits, including, but not limited to: (6)
Objective Setting
The board should set objectives that support the mission of the organisation that are consistent with its risk appetite. If the board is to set objectives effectively, it needs to be aware of the risks arising if different objectives are pursued.
Event Identification
The organisation must identify internal and external events that affect the achievement of its objectives. The guidance draws a distinction between events having a negative impact that represent risks and events having a positive impact that represent opportunities.
Risk Assessment
The likelihood and impact of risks are assessed as a basis for determining how to manage them.
As well as mapping the likelihood and impact of individual risks, managers also need to consider how individual risks interrelate.
Risk Response
Management selects appropriate actions to align risks with risk appetite and tolerance. This stage can be seen in terms of the four main responses – reduce, accept, transfer or avoid. The guidance stresses the importance of taking a portfolio view of risk and not treating risks in isolation.
Control Activities
Policies and procedures should operate to ensure that risk responses are effective. Once designed, the controls in place need to operate properly. The ERM cube framework is supplemented by the guidance in Internal Control – Integrated Framework (2013).
Information and Communication
Information systems should ensure that data is identified, captured and communicated in a format and timeframe that enables managers and staff to carry out their responsibilities.
The information provided to management needs to be relevant and of appropriate quality.
Monitoring
The management system should be monitored and modified if necessary. There is a distinction between regular review (ongoing monitoring) and periodic review (separate evaluation). The guidance stresses the importance of feedback and action.
Stakeholder Engagement
The process of involving individuals or groups that may be affected by or can affect the outcome of a decision.
Control Activities
Policies and procedures put in place to ensure risk responses are effective.
Risk Assessment
The process of identifying risks and evaluating their likelihood and impact on objectives.
Information and Communication
Systems that ensure timely and relevant communication of information for effective management.
Monitoring
The ongoing or periodic review of the management system to ensure its effectiveness.
Reduce, Accept, Transfer, Avoid
Four (4) main risk responses
ISO 14001
ISO for Environmental Management Systems (2015)
ISO 45001
ISO for Occupational Health and Safety Management Systems (2018)