Risk management
is not a recent phenomenon or a new way of approaching the management of a business.
risk
comes from the Italian word "risicare," which means "to dare": a choice under uncertain conditions (rather than fate).
risk
The key to this definition is the notion of uncertainty.
COSO defined risk as
the possibility that events will occur and affect the achievement of a strategy and objectives.
The International Organization for Standardization defined risk as
effect of uncertainty on objectives.
risk begins with
strategy formulation and setting business objectives
risk involves uncertainty, which COSO refers to
The state of not knowing how potential events may or may not manifest.
risk
does not represent a single point estimate but rather a range of possible outcomes.
Opportunity
An action or potential action that creates or alters goals or approaches for creating, preserving or realizing value.
risks may relate to preventing bad things from happening
or failing to ensure good things happen (that is, exploiting or pursuing opportunities).
risks are inherent in all aspects of life
that is, wherever uncertainty exists, one or more risks exist.
In the United States, COSO
issued for public exposure its Enterprise Risk Management - Aligning Risk with Strategy and Performance (COSO ERM, or the ERM framework) in 2016.
In the exposure draft, COSO defines ERM as:
The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
culture
relates to the people at all levels of the organization, including those who establish the mission, strategy, and business objectives, as well as all who carry out risk management practices.
Capabilities
relate to the skills needed to execute the organization’s mission and vision.
applying practices
which are the procedures and tasks employed by the organization to ensure effective risk management.
integrating with strategy-setting and its execution
which involves management considering the implications of each strategy for the organization’s risk profile.
COSO indicates that effective integration is more likely to result
in lower costs and a greater ability to identify new opportunities to grow the business
managing risk to strategy and business objectives
provides management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives.
Robust risk management practices will
increase an organization’s confidence that strategies and business objectives will be achieved.
linking to creating, preserving, and realizing value
the success of risk management is determined by value. The sufficiency of that value will be a function of the organization’s risk appetite.
Mission
The entity’s core purpose, which establishes what it wants to accomplish and why it exists.
vision
The entity’s aspirations for its future state, or what the organization aims to achieve over time.
core values
The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.
An organization’s mission, vision, and core values tend to
remain stable over time, but they may evolve as stakeholder expectations change.
strategy
The organization’s plan to achieve its mission and vision and apply its core values.
business objectives
Those measurable steps the organization takes to achieve its strategy.
three inherent challenges that arise as part of establishing strategy and business objectives
The possibility of strategy not aligning.
Implications from the strategy chosen.
Risk to executing the strategy.
COSO ERM framework consists
of five interrelated components
Risk Governance and Culture
1st of five components
Risk governance
sets the entity’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management.
culture
pertains to ethical values, desired behaviors, and understanding of risk in the entity.
risk, strategy and objective setting
2nd of five components
Risk in Execution:
3rd of five components
Risk in Execution:
develops a portfolio view of the amount of risk the entity has assumed in the pursuit of its strategy and business objectives.
Risk Information, Communication, and Reporting:
4th of five components
Communication
is the continual, iterative process of obtaining information and sharing it throughout the entity.
Monitoring Enterprise Risk Management Performance:
5th of five components
board of directors
provides oversight of the strategy and carries out risk governance responsibilities to support management in achieving strategy and business objectives
management
responsible for day-to-day risk management.
board
should be sufficiently independent to objectively carry out its oversight responsibility.
board should ensure
organizational bias or "groupthink" is minimized to ensure effectiveness of the risk management decisions.
Establishes governance and operating model.
The organization should establish an operating model and reporting lines that support its strategies and business objectives.
Defines desired organizational behaviors.
which should align with the organization’s risk-taking philosophy. Such a philosophy can range from risk averse to risk neutral to risk aggressive. The culture and desired behaviors influence how the ERM framework is applied throughout the organization.
Management
helps to create a risk-aware culture by defining the characteristics needed to achieve the desired culture over time.
Demonstrates commitment to integrity and ethics.
Part of demonstrating their commitment to integrity and ethics is keeping communication open across the organization and ensuring reporting of integrity and ethics issues is free from retribution
Enforces accountability
The organization holds individuals at all levels accountable for ERM, and holds itself accountable for providing standards and guidance
Attracts, develops, and retains talented individuals.
the organization is committed to building human capital in alignment with the strategy and business objectives.
Risk, Strategy, and Objective-Setting: considers risk and business context
the organization considers potential effects of business context on risk profile
Defines risk appetite.
creating, preserving, and realizing value.
risk appetite
the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
evaluates alternative strategies
the organization evaluates alternative strategies and impact on risk profile
Considers risk while establishing business objectives
the organization should set performance measures and targets to monitor performance and support the achievement of business objectives.
Defines acceptable variation in performance.
there are a range of possible outcomes, and it is important to define the variation in performance that is considered acceptable
acceptable variation in performance is sometimes referred to
as risk tolerance.
risk in execution
Identifies risk in execution
Assesses the severity of risk
Prioritizes risks
Identifies and selects risk responses
Develops portfolio view
Assesses risk in execution
Inherent risk
the level of risk before management’s application of direct or focused actions to alter its severity.
targeted risk
level management prefers to assume in the pursuit of strategy and business objectives.
Residual risk
represents the level of risk after management’s application of direct or focused actions to alter its severity.
risk can be assessed
using either quantitative or qualitative criteria.
Accept
the risk at its current level and take no action to affect its severity. Such response indicates the severity is within the organization’s risk appetite.
avoid
the risk by divesting or otherwise removing it from the organization. This response indicates the severity may be outside the organization’s risk appetite and there is no cost-effective response to bring it within the risk appetite.
Pursue or exploit
the risk because taking on such a risk may be advantageous to the organization and may be necessary to achieve a particular business objective.
reduce
the risk through application of controls or other risk mitigation activities. Such a response indicates the impact of the risk may go beyond the organization’s risk appetite and actions are necessary to reduce the potential impact.
share or transfer the risk
which may include outsourcing, insuring, or hedging the risk. This option is best when others can manage the risk more effectively or efficiently than the organization can.
Risk Information, Communication, and Reporting
Quality information is accessible, accurate, appropriate, current, reliable, and has integrity.
periodic communications are
necessary with both the board and key stakeholders.
communication may be in the form of
Electronic messaging (for example, emails, social media, and text messages).
External/third-party materials (for example, industry or trade journals and media reports).
Informal/oral (for example, discussions and meetings), public events (for example, roadshows, town hall meetings, and professional conferences).
Training and seminars (for example, live or online training, webcasts, and workshops).
Written internal documents (for example, briefing documents, dashboards, and presentations).
monitoring ERM Performance
Monitoring substantial change.
Monitors ERM.
Board of directors.
relates to principle #1, its risk oversight responsibility.
management
is responsible for aspects of all five components of ERM. However, these responsibilities will vary, depending on the level in the organization and the organization’s characteristics.
ceo
ultimately responsible for the effectiveness and success of ERM. One of the most important aspects of this responsibility is ensuring that a positive and ethical tone is set.
senior manager
in charge of the various organizational units have responsibility for managing risks related to their specific units’ objectives.
risk officer
referred to in many organizations as a chief risk officer (CRO); operates in a staff function working with other managers in establishing ERM in their areas of responsibility.
Financial executives.
involved in developing organizationwide budgets and plans, and tracking and analyzing performance from operations, compliance, and reporting perspectives
Internal auditors.
assist management and the board by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the organization’s ERM.
erm is a responsibility of everyone
therefore it should be an integral part of everyone’s job description, both explicitly and implicitly.
Independent outside auditors.
An organization’s independent outside auditors can provide both management and the board of directors an informed, independent, and objective risk management perspective that can contribute to an organization’s achievement of its external financial reporting and other objectives
Legislators and regulators
establish rules that provide the impetus for management to ensure that risk management and control systems meet certain minimum statutory and regulatory requirements.
ISO 31000
was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models, and practices that were evolving around the world.
ISO 31000 includes three sections
principles, framework, and process
ISO 31000 provides 11 principles (risk management ...)
creates and protects value.
Is an integral part of all organizational processes.
Is part of decision-making.
Explicitly addresses uncertainty.
Is systematic, structured, and timely.
Is based on the best available information.
Is tailored.
Takes human and cultural factors into account.
Is transparent and inclusive.
Is dynamic, iterative, and responsive to change.
Facilitates continual improvement of the organization.
ISO 31000 framework
mandate and commitment
Design of framework for managing risk
implementing the risk management framework and process
monitoring the framework
continually improving the framework
Mandate and Commitment
Stated expectations from the board and senior management to ensure alignment with organizational objectives and commitment of sufficient resources to enable success.
ISO 31000 process
establish the context
assess the risks,
treat the risks
monitor the risks
establish a communication and consultation process
establish the context
the terms of reference against which the significance of a risk is evaluated; includes risk appetite, risk tolerance levels, and criteria against which risk may be assessed.
entity-level controls
Controls that operate across an entire entity and as such are not bound by, or associated with, individual processes.
compensating control
An activity that, if key controls do not fully operate effectively, may help to reduce the related risks. It will not by itself reduce risk to an acceptable level.
Consulting Services
Advisory and related services, the nature and scope of which are agreed to with the customer, and intended to improve an organization’s governance, risk management, and control.
audit universe
A compilation of the subsidiaries, business units, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.